
Are ACLs on an Internet router common?

chang-michael
Level 1

A predecessor of mine installed, for all our customers who have Internet access, ACLs for inbound and outbound Internet access blocking certain bad foreign IPs and DNS, etc. A firewall is already in place, so I am not sure why he did this, and it looks weird. I have never come across this when you have a firewall. A router should route and let the F/W do the filtering.

Just wanted to know: is anyone doing this?

4 Replies

jcajuste
Level 1

I have done this in a few setups. My reasoning is that there is never enough security. I have filtered all unwanted traffic at the router and also analyzed the wanted traffic at the firewall. Also, you need some type of security on your router as well.

Hope this helps.

t.baranski
Level 4

I'm generally in agreement with you -- firewalls are meant for packet filtering and routers are not, so I think it's usually wise to leave the filtering to the firewalls. Another issue is logging -- firewalls tend to have much better logging functionality than routers do. I'd much rather have unwanted packets hit a firewall instead of a router because I'm more likely to notice them in the logs this way. Packets dropped by edge routers will also never be seen by your IDS.

There are, of course, exceptions. Traffic to the edge routers themselves (TELNET, SNMP, BGP, etc.) obviously can't be filtered by the firewalls. This also applies to any devices that sit between the routers and firewalls. It may also be desirable to block traffic from bogus IP ranges (i.e., private addresses, unallocated addresses) at the edge so that it never has a chance to get onto your LAN and cause harm.

But for the most part, I agree that the firewalls should do the filtering. That's what they're there for.

l.mourits
Level 5

The best practice (in my humble opinion) is to let the firewall do all the filtering, but with this I'm not saying that no ACL is needed on the router.

I would always create an ACL on the router which blocks malicious IPs or IP subnets (why let them reach the PIX?) and also filter all directed broadcasts on the router to prevent your own site from being a so-called "amplifier" for a smurf attack.

Also, you could filter IP spoofing from your network to the Internet on the router (but this can also be done at the PIX).

Although I agree with the fact that main filtering has to take place on the PIX, I would also like to say that having the router in front of it filtering some unwanted traffic is the best way.

The main reason for this is that all traffic which arrives on the PIX consumes process memory on the PIX, so what's the use of routing traffic to the PIX which you do not need there?

Kind Regards,

Leo

Well, as long as the Internet router's CPU utilization is within limits, it's better to configure some access lists on it instead of letting some unwanted traffic through towards the PIX, like:

no ip icmp unreachables

no ip proxy-arp

no ip directed-broadcast

There is great stuff at this website. It might not apply very well to this conversation, but you can have a look.

http://www.sans.org/score/checklists/CiscoChecklist.doc
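To make the advice in the replies above concrete, here is an added example of an edge-router configuration; it is not from any of the posters and is not taken from the SANS checklist. It covers the three things the thread agrees a router should still filter in front of the firewall: bogon and spoofed sources inbound (t.baranski, l.mourits), anti-spoofing and directed-broadcast protection for your own block (l.mourits, and the interface commands in the last reply), and access to the router itself for management and BGP, which the firewall can never see (t.baranski). Everything in it is an assumption chosen for illustration: Serial0/0 faces the ISP, FastEthernet0/0 faces the PIX, 203.0.113.0/24 stands in for the customer's public block, 198.51.100.0/30 for the ISP link (198.51.100.1 being the ISP's BGP peer), and 192.0.2.0/24 for the NOC management network (all RFC 5737 documentation ranges). Classic IOS syntax is used; note that the interface command is spelled `no ip unreachables` in IOS, and that the `log` keyword on deny entries is what gives you back the visibility t.baranski is worried about losing (ACL log messages go to syslog), at the cost of extra CPU, so it is kept to the deny entries only.

```cisco
! Added example, not from any poster in this thread. All addresses and interface names are placeholders.
ip cef
service timestamps log datetime msec
logging host 192.0.2.10
!
! --- Ingress from the Internet: drop what the firewall should never have to look at.
!     Last line hands everything else to the PIX, which still does the real policy filtering.
ip access-list extended INET-IN
 remark our own public block arriving from outside is spoofed
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark bogon sources: RFC 1918, loopback, link-local, unspecified
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark directed broadcast to our block (smurf amplification)
 deny   ip any host 203.0.113.255 log
 remark traffic to the router itself: BGP only from the ISP peer, SSH only from the NOC, no telnet/SNMP from outside
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 deny   tcp any host 198.51.100.2 eq bgp log
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.2 eq 22
 deny   tcp any host 198.51.100.2 eq 22 log
 deny   tcp any host 198.51.100.2 eq telnet log
 deny   udp any host 198.51.100.2 eq snmp log
 remark everything else goes on to the firewall
 permit ip any any
!
! --- Egress to the Internet: only our own source addresses may leave (anti-spoofing).
ip access-list extended INET-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink (ISP peer 198.51.100.1, placeholder)
 ip address 198.51.100.2 255.255.255.252
 ip access-group INET-IN in
 ip access-group INET-OUT out
 no ip directed-broadcast
 no ip proxy-arp
 no ip unreachables
 no ip redirects
!
interface FastEthernet0/0
 description Towards PIX outside interface (placeholder)
 ip address 203.0.113.1 255.255.255.0
 remark strict uRPF here drops inside hosts spoofing sources we do not route towards this interface
 ip verify unicast source reachable-via rx
 no ip directed-broadcast
 no ip proxy-arp
 no ip unreachables
 no ip redirects
!
! --- Management plane: VTY and SNMP reachable only from the NOC network.
access-list 10 remark NOC hosts allowed to manage this router
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
snmp-server community REPLACE-WITH-REAL-COMMUNITY RO 10
```

Two design choices worth spelling out. Strict-mode uRPF (`ip verify unicast source reachable-via rx`) is placed on the inside interface rather than the uplink: on a single-homed uplink carrying only a default route it would drop legitimate inbound traffic unless `allow-default` is added, whereas on the inside interface it catches exactly the spoofed outbound sources l.mourits mentions, with INET-OUT as a logged backstop. And `no ip directed-broadcast` has been the IOS default since 12.0, so the explicit lines are there to make the intent visible in `show running-config` rather than to change behaviour. After applying, `show ip access-lists INET-IN` shows per-entry hit counters and `show logging` shows the `%SEC-6-IPACCESSLOGP` lines from the `log` entries, which is how you confirm the router is actually absorbing the noise instead of forwarding it to the PIX.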
