Best practice: Internet connection direct or through a router?

edw
Level 1

Hi,

So to date I have always had my own router between the firewall and the ISP connection. There were many legacy reasons for this; however, they have all disappeared. So now I have two internet connections purely for failover. I know I can plug these directly into the firewall and run them directly from there. So my question is this....

Is it better and more secure to have a router between the firewall and the ISP connection or does it not matter/make any difference?

At present I NAT through the firewall and then NAT between the firewall and the external router depending on the connection running.

Thanks

Ed

Accepted Solution

Typically no, it doesn't add to security, although some people do basic filtering of IPs you shouldn't see before the traffic gets to the firewall.

Routers were used primarily in the past because of different media types for the internet connection and because they are more flexible in terms of things like PBR, QoS etc.

The ASAs now support PBR (although it does seem to have some bugs) so you don't really gain much by having routers to be honest if you don't need them.

Your firewall is the security so it really doesn't matter too much if the ISP connection is direct or via a router.

Jon
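The "basic filtering of IPs you shouldn't see" that the accepted answer mentions is ingress bogon and anti-spoofing filtering on the ISP-facing interface: drop packets whose source address is private, loopback, link-local or multicast, or is your own public block arriving from outside. The script below is an added example, not code from the thread or from Cisco; it classifies a constructed set of sample source addresses the way such a filter would, and renders the same policy as an IOS-style extended ACL. The site's public prefix (203.0.113.0/24, a documentation range) and the ACL name are assumptions for illustration.

```python
import ipaddress

# Assumption: the site's own public allocation. 203.0.113.0/24 is a
# documentation range used as a placeholder; substitute the real block.
OWN_PUBLIC_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Source prefixes that should never arrive from the Internet side
# (RFC 1918, "this" network, loopback, link-local, documentation,
# benchmarking, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of source addresses as seen on the ISP-facing interface.
SAMPLE_SOURCES = [
    "192.168.1.5",    # RFC 1918, should never come from the ISP
    "203.0.113.7",    # our own prefix, arriving from outside: spoofed
    "8.8.8.8",        # ordinary public source, pass to the firewall
    "169.254.10.1",   # link-local
    "198.51.100.23",  # public (not in our bogon list), pass
]


def inbound_source_allowed(src):
    """Decide whether a packet with source address src may be forwarded
    from the ISP interface to the firewall. Returns (allowed, reason)."""
    ip = ipaddress.ip_address(src)
    for net in BOGON_PREFIXES:
        if ip in net:
            return False, f"bogon source in {net}"
    if ip in OWN_PUBLIC_PREFIX:
        return False, "spoofed: our own prefix arriving from outside"
    return True, "pass to firewall"


def summarize(sources):
    """Count how many of the sample sources the filter passes and drops."""
    counts = {"passed": 0, "dropped": 0}
    for src in sources:
        allowed, _ = inbound_source_allowed(src)
        counts["passed" if allowed else "dropped"] += 1
    return counts


def to_ios_acl(name="FROM-ISP-IN"):
    """Render the same policy as a Cisco IOS extended ACL using wildcard
    masks; applied inbound on the ISP-facing interface with
    'ip access-group <name> in'. The ACL name is an assumption."""
    lines = [f"ip access-list extended {name}"]
    for net in BOGON_PREFIXES + [OWN_PUBLIC_PREFIX]:
        # hostmask is the inverted netmask, which is IOS wildcard notation.
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        allowed, reason = inbound_source_allowed(src)
        print(f"{src:16} {'PASS' if allowed else 'DROP':4} {reason}")
    print(summarize(SAMPLE_SOURCES))
    print(to_ios_acl())
```

This is what an edge router adds in front of the firewall; a firewall that does its own anti-spoofing (the ASA has `ip verify reverse-path` and you can write the same deny lines in its outside ACL) makes the separate box redundant for this purpose, which is the answer's point.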


10 Replies

dukenuk96
Level 3

Hi,

It seems that you need just one device, a router or a firewall. What functions do you use? Sure, a router is not as powerful as a firewall, but for most SMB installations they are enough. If you use only NAT without any VPNs and sophisticated filtering, you can use the router alone. If you need advanced firewalling, use the firewall alone. Now you have a big maintenance overhead by doing NAT twice on different devices.

Well, I would always suggest a firewall these days. So we will definitely not be getting rid of the firewall. Yes, the NAT is a bit of a maintenance headache, though it doesn't get changed that much.

I guess the question is: does it add to the security or not? Do people just use a firewall with the ISP connection plugged straight in? Is this deemed to be secure?

P.S. Yes we use all the functions of the firewall more or less.

So, just use only the firewall. If you need to segment your internal network later, just add an L3 switch.

Yes, we have redundant Catalyst routers internally and have multiple VLANs.

Even better if you already have this... but how do you connect them to the firewall?

The core router is connected via an Ethernet cable to one port. The router forwards all network traffic going outside or to the DMZ to the firewall's IP. If that's what you mean.

I mean something quite different: you have two Catalysts as the core of your network and one firewall. How is the physical connection from the Catalyst(s) to the firewall implemented? I mean, is there some kind of failover link?

No, at present there is no failover, but we are looking at that right at this moment, as I have been given another firewall by another charity. So we will be using it in a failover.

Okay, so I meant that now you have one point of failure, and I strongly recommend moving to a failover design.

Good luck!

