06-06-2003 09:00 PM - edited 03-02-2019 07:57 AM
I have a predecessor who installed, for all our customers who have Internet access, ACLs for inbound and outbound Internet access preventing certain bad foreign IPs and DNS, etc. A firewall is already in place, so I am not sure why he had done this; it looks weird. I have never come across this when you have a firewall. A router should route and let the F/W do the filtering.
Just wanted to know, is anyone doing this?
06-07-2003 03:07 AM
I have done this in a few setups. My reasoning is that there is never enough security. I have filtered all unwanted traffic at the router and also analyze the wanted traffic at the firewall. Also, you need some type of security on your router as well.
Hope this helps.
06-07-2003 09:21 PM
I'm generally in agreement with you -- firewalls are meant for packet filtering and routers are not, so I think it's usually wise to leave the filtering to the firewalls. Another issue is logging -- firewalls tend to have much better logging functionality than routers do. I'd much rather have unwanted packets hit a firewall instead of a router because I'm more likely to notice them in the logs this way. Packets dropped by edge routers will also never be seen by your IDS.
There are, of course, exceptions. Traffic to the edge routers themselves (TELNET, SNMP, BGP, etc.) obviously can't be filtered by the firewalls. This also applies to any devices that sit between the routers and firewalls. It may also be desirable to block traffic from bogus IP ranges (i.e., private addresses, unallocated addresses) at the edge so that it never has a chance to get onto your LAN and cause harm.
But for the most part, I agree that the firewalls should do the filtering. That's what they're there for.
07-29-2003 05:46 AM
The best practice (in my humble opinion) is to let the firewall do all the filtering, but with this I'm not saying that no ACL is needed on the router.
I would always create an ACL on the router which blocks malicious IPs or IP subnets (why let them reach the PIX?) and also filter all directed broadcasts on the router to prevent your own site from being a so-called "amplifier" for a smurf attack.
Also, you could block IP spoofing from your network to the Internet on the router (but this can also be done at the PIX).
Although I agree with the fact that the main filtering has to take place on the PIX, I would also like to say that having the router in front of it filtering some unwanted traffic is the best way.
The main reason for this is that all traffic which arrives on the PIX consumes processor and memory resources on the PIX, so what's the use of routing traffic to the PIX which you do not need there?
Kind Regards,
Leo
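The edge-router filtering described in the two replies above, the 06-07 post (traffic aimed at the router itself, which the firewall can never see, plus bogus source ranges) and the 07-29 post (blocking bad ranges, directed broadcasts, and anti-spoofing), pulled together as one added Cisco IOS configuration example. This is not configuration from any poster or from Cisco, and every address in it is an assumption using RFC 5737 documentation ranges: 203.0.113.0/24 is the customer's public block behind the PIX, 198.51.100.2 is this router's WAN address with 198.51.100.1 as the upstream and BGP peer, and 192.0.2.0/28 is a remote NOC subnet allowed to manage the router. The ACL names and the SNMP community placeholder are likewise invented for the example.

```cisco
! Added example, not from the thread. Assumed addressing (documentation ranges):
!   203.0.113.0/24   customer public block, lives behind the PIX
!   198.51.100.2     this router's WAN interface; 198.51.100.1 = upstream / BGP peer
!   192.0.2.0/28     remote NOC hosts allowed to manage the router
!
! --- Inbound from the Internet: drop at the edge what the PIX should never see ---
ip access-list extended INET-IN
 remark Anti-spoof: nobody on the Internet may claim our own addresses
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark RFC 1918 and other ranges that can never be legitimate Internet sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 remark Unallocated (bogon) prefixes change over time; add them only if the list is maintained
 remark Traffic to the router itself is the firewall's blind spot, so it is handled here
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 permit tcp 192.0.2.0 0.0.0.15 host 198.51.100.2 eq telnet
 permit udp 192.0.2.0 0.0.0.15 host 198.51.100.2 eq snmp
 permit icmp any host 198.51.100.2 echo
 permit icmp any host 198.51.100.2 packet-too-big
 deny   ip any host 198.51.100.2 log
 remark Everything else is the PIX's job
 permit ip any any
!
! --- Outbound to the Internet: only our own sources may leave (egress anti-spoof) ---
ip access-list extended INET-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 permit ip host 198.51.100.2 any
 deny   ip any any log
!
! --- Management plane: vty and SNMP answer only to the NOC subnet ---
access-list 10 permit 192.0.2.0 0.0.0.15
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input telnet
! Replace <your-RO-string> with a real community; "public" is removed outright
snmp-server community <your-RO-string> RO 10
no snmp-server community public
no ip source-route
!
! --- Interface hardening on the uplink ---
interface Serial0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group INET-IN in
 ip access-group INET-OUT out
 no ip directed-broadcast
 no ip proxy-arp
 no ip unreachables
 no ip redirects
!
! Directed broadcasts are dropped on the interface they would be delivered to,
! so the smurf-amplifier protection belongs on the LAN-facing side as well
interface FastEthernet0/0
 no ip directed-broadcast
```

Two caveats when applying something like this. The `log` keywords are what gives the router the visibility the 06-07 reply misses; without them (or without a syslog host to send the hits to) an edge ACL drops silently and the IDS never sees the packet. And on images with CEF, `ip verify unicast reverse-path` on the uplink does the ingress anti-spoof check automatically, which is easier to keep correct than hand-listing your own prefixes as denied sources.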
07-29-2003 07:21 AM
Well, as long as the Internet router's CPU utilization is within limits, it's better you configure some access-lists on it instead of letting some unwanted traffic towards the PIX, like:
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
There is great stuff at this website. It might not apply very well to this conversation, but you can have a look.