topic Best practise: Internet connection direct or through a router? in Network Security

Best practise: Internet connection direct or through a router?

edw — Tue, 26 Mar 2019 00:57:59 GMT

Hi,

So to date I have always had my own router between the firewall and the ISP connection. There have been many legacy reasons for this however they have all disappeared. So now I have two internet connection purely for failover. I know I can plugged these directly into the firewall and run them direct from there. So my question is this....

Is it better and more secure to have a router between the firewall and the ISP connection or does it not matter/make any difference?

At present I NAT through the firewall and then NAT between the firewall and the external router depending on the connection running.

Thanks

Hi,

dukenuk96 — Tue, 09 Feb 2016 12:14:25 GMT

Hi,

it seems that you need just one device - router or firewall. What functions do you use? Sure, router is not as powerfull as firewall, but for most SMB installations they are enough. If use only NAT without any VPNs and sophisticated filterings, so you can use router alone. If you need advanced firewalling - use firewall alone. Now you have big maintenance overhead by doing NAT two times on different devices.

Well I would always suggest a

edw — Tue, 09 Feb 2016 12:18:36 GMT

Well I would always suggest a firewall these days. So we will definitly not be getting rid of the firewall. Yes the NAT is a bit of a maintenance headache thou it doesnt get changed that much.

I guess the question is does it add to the security or not? Do people just use firewall with the ISP connection plugged stright in? Is this deemed to be secure.

P.S. Yes we use all the functions of the firewall more or less.

So, just use only firewall.

dukenuk96 — Tue, 09 Feb 2016 12:25:36 GMT

So, just use only firewall. If you will need to segment your internal network later, just add L3 switch.

Yes we have redundant

edw — Tue, 09 Feb 2016 12:28:19 GMT

Yes we have redundant Catalyst routers internally and have multiple VLAN's.

Even better if you already

dukenuk96 — Tue, 09 Feb 2016 12:35:10 GMT

Even better if you already have this.. but how do you connect them to firewall?

The core routers is connected

edw — Tue, 09 Feb 2016 12:42:48 GMT

The core routers is connected via a ethernet cable to one port. The router forwards all network traffic going outside or to DMZ to the firewall's IP. If that's what you mean.

Typically no it doesn't add

Jon Marshall — Tue, 09 Feb 2016 12:45:45 GMT

Typically no it doesn't add to security although some people do basic filtering of IPs you shouldn't see before the traffic gets to the firewall.

Routers were used primarily in the past because of different media types for the internet connection and because they are more flexible in terms of things like PBR, QOS etc.

The ASAs now support PBR (although it does seem to have some bugs) so you don't really gain much by having routers to be honest if you don't need them.

Your firewall is the security so it really doesn't matter too much if the ISP connection is direct or via a router.

Jon

I mean quite another - you

dukenuk96 — Tue, 09 Feb 2016 12:48:57 GMT

I mean quite another - you have two Catalysts as the core of your network and one firewall. How phyisical connection from Catalyst(s) to firewall is implemented? I mean is there some kind of failover link?

No at present there is no

edw — Tue, 09 Feb 2016 15:00:44 GMT

No at present there is no failover but we are looking at that right at this moment as i have been given another firewall by another charity. So will be using it in a failover.

Okay, so I meant that now you

dukenuk96 — Wed, 10 Feb 2016 05:40:36 GMT

Okay, so I meant that now you have one pint of failure and I strongly recommend moving to failover design.

Good luck!