
Best practices for firewall external interface addressing

B. BELHADJ
Level 4

Hi all,

Can anyone explain what is more secure when addressing the outside interface of a firewall in a network diagram?

1st option:

    ISP router:
        interface 1 (connected to the internet)
        interface 2 (to the firewall): public IP address

    Firewall:
        interface 1 (connected to the router): public IP address
        interface 2 (connected to internal network): private IP address (RFC 1918)

2nd option:

    ISP router:
        interface 2 (connected to the internet (ISP))
        interface 1 (to the firewall): private IP address (RFC 1918)

    Firewall:
        outside interface 2 (connected to the router): private IP address (RFC 1918)
        inside interface 1 (connected to internal network): private IP address (RFC 1918)

Any response is welcome.

4 Replies

Jon Marshall
Hall of Fame

It's not so much what is more secure as where you want to do the NAT and how many public IPs you have.

So if you only have a small block of public IPs and you wanted to use them for NAT on the firewall, then you could use a private link between the ISP router and the firewall.

Usually though an ISP gives you two blocks, a /30 for the point to point link and then a larger subnet for actual use on the firewall.

For a single ISP setup, doing the NAT on the firewall is usually the way it is done, especially if you are using VPNs, as NAT on the router can interfere with the VPN.

If you end up with multiple ISPs then you may need to move some or all of the NAT configuration to the routers, although it is not always necessary and you may still do it on the firewall. It depends on a lot of other things, such as IP addressing, ISP advertisement of public IPs, etc.

Jon

Thank you Jon.

Marvin Rhoads
Hall of Fame

Option 2 is more secure because it will break the network for most use cases.

Option 1 is necessary assuming your firewall is the device that performs NAT for outbound traffic. It is also necessary if the firewall also provides either site-site or remote access VPN services as you need a public IP to access it for those functions.

A firewall is by design hardened against public attacks. If you want to further reduce the attack surface you can filter unwanted ports at your upstream router but that incurs administrative overhead and introduces the risk of more errors in configuration thus compromising availability in a different way.

Thank you Marvin.
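The points Jon and Marvin make (the firewall's outside interface must be public if the firewall translates to its own address or terminates VPNs, a private router-firewall link only works when the router does the NAT, and the link itself is normally a /30) can be turned into a quick address-plan check. This is an added example, not code from any post in the thread; the `Plan` fields and all addresses are constructed, using documentation and RFC 1918 ranges.

```python
"""Sanity check for the two addressing options in the thread.

Added example: encodes the replies' reasoning as rules and runs them over
a constructed address plan. Addresses are sample values, not real ones.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks (narrower than is_private)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Plan:                  # hypothetical structure for this example
    router_fw_side: str      # router interface facing the firewall, CIDR
    fw_outside: str          # firewall outside interface, CIDR
    fw_inside: str           # firewall inside interface, CIDR
    nat_to: str              # address outbound traffic is translated to
    router_nats: bool        # does the ISP router also translate?
    vpn_on_firewall: bool    # site-to-site or remote-access VPN on firewall


def check_plan(p: Plan) -> list[str]:
    """Return a list of problems; an empty list means the plan is workable."""
    problems = []
    r = ipaddress.ip_interface(p.router_fw_side)
    o = ipaddress.ip_interface(p.fw_outside)
    i = ipaddress.ip_interface(p.fw_inside)
    # Point-to-point link: both ends in one subnet, normally a /30 from the ISP
    if r.network != o.network:
        problems.append("router and firewall outside are not in the same subnet")
    elif r.network.prefixlen != 30:
        problems.append(f"link is /{r.network.prefixlen}, expected a /30")
    if not is_rfc1918(str(i.ip)):
        problems.append("inside interface should use RFC 1918 space")
    # Translating to a private address only works if the router NATs again
    if is_rfc1918(p.nat_to) and not p.router_nats:
        problems.append("NAT to a private address would leak RFC 1918 sources")
    # VPN peers must reach the firewall directly on a public address
    if p.vpn_on_firewall and is_rfc1918(str(o.ip)):
        problems.append("VPN on firewall needs a public outside address")
    return problems
```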
