Using ACL for security control for Internet WAN router?

beiyanlong
Level 1

Hello Guys,

I have a design question. I'm using a Cisco ASR1K as my Internet-facing DMVPN hub router. I know I should place a firewall in front of it. But why not just use the built-in ACL to open the necessary ports (i.e. UDP 500, 4500 and ESP) on the interface? My ACL is also controlling from which public IPs traffic can come in.

Would it be sufficient? If not, what's the justification for placing a more advanced firewall? Any thoughts are welcome!

 

3 Replies

beiyanlong
Level 1

Any comments, thanks in advance! 

Joseph W. Doherty
Hall of Fame
The usual argument for using a FW is it's a device built for security, and is "better" for any publicly connected interface. Of course, a FW adds cost and sometimes creates a throughput bottleneck.

Personally, I don't believe a FW is warranted in front of a VPN router, because, as you note, you can lock down the publicly connected interface.

Interestingly, I've seen Enterprises have a FW in front of their VPN hub router but not have a FW in front of each branch VPN router. Since a VPN branch router also provides a path into the Enterprise, I've never heard a good explanation why a FW is a "must" at the hub but not also at the branch.

BTW, the company I'm working for does have VPN hub routers with direct Internet connections.

Also BTW, if you want to further harden a VPN connected router, you can also place its publicly connected interface into its own VRF. This means unless the traffic comes through a VPN tunnel, you can preclude it from routing internally.
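
The approach discussed above (interface ACL permitting only IKE, NAT-T and ESP from known spoke addresses, with the public interface in a front-door VRF) written out as an added IOS-XE configuration illustration; it is not configuration posted by anyone in this thread. Addresses, interface names, the VRF name and the IPsec profile DMVPN-PROF are placeholders.

```cisco
! Front-door VRF: the public interface lives here, so packets arriving
! from the Internet have no route into the global (internal) table
! unless they are first decapsulated by the DMVPN tunnel.
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Interface ACL: only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the
! known spoke public addresses. 203.0.113.x and 198.51.100.x are
! documentation placeholders, not real addresses.
ip access-list extended INET-IN
 remark -- IKE, NAT-T and ESP from known spoke public IPs only --
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
 permit udp host 203.0.113.11 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.11 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.11 host 198.51.100.1
 ! explicit deny so hit counters are visible; add "log" only if the
 ! resulting volume is acceptable on an Internet-facing interface
 deny ip any any
!
interface GigabitEthernet0/0/0
 description Internet underlay (placeholder interface name)
 vrf forwarding INET
 ip address 198.51.100.1 255.255.255.252
 ip access-group INET-IN in
 no ip redirects
 no ip proxy-arp
!
! Default route exists in the underlay VRF only; the global table has no
! route toward the Internet, which is what keeps non-tunnel traffic out.
ip route vrf INET 0.0.0.0 0.0.0.0 198.51.100.2
!
! DMVPN hub tunnel: sourced from the VRF interface, terminated in the
! global table. DMVPN-PROF is an assumed, pre-existing IPsec profile.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-PROF
```

Note that the ACL only sees the outer IPsec packets; whatever the spokes send inside the tunnel arrives on Tunnel0 in the global table, which is the traffic a firewall behind the hub would inspect.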

I totally agree and am on the same page as you. I already use fVRF for the hub and spoke Internet connections, since they are just being used as the underlay network. We have a policy that all spoke traffic needs to be centralized, which means the hub is pushing a default route to all spokes. That's why I feel it makes more sense to add a firewall after the VPN hub router and before traffic enters my datacenter core layer.

As always, I appreciate your input, but I'm open to hearing any other opinions!
