11-14-2001 01:01 PM - edited 03-08-2019 09:09 PM
An in-house client has pressed the question of why is it a good idea to keep the router and firewall as separate devices, even though some firewalls can perform routing functionality.
Other than keeping clear distinctions for troubleshooting failures and concern of processor load in large networks, please list - with descriptions - other pro's for this type of network design.
11-20-2001 02:08 PM
Well I think you addressed the main points. For us, performance was a big issue. The PIX had outstanding performance numbers probably because it doesn't route. Also, we don't own the Internet router so I didn't trust my ISP to configure the firewall features on it to meet my security design. Can anyone else think of any other reasons?
11-20-2001 02:54 PM
I would think that what has been listed is enough, but I have never seen a firewall with routing ability that can match the performance and flexibility of 2 dedicated systems. Hey Horace, can you knock a few bucks off my bill for me?
11-26-2001 05:50 AM
Thanks for the reply and I can't do much for my own bill. Wouldn't that make a nice holiday gift?
11-21-2001 12:48 PM
Maintaining a perimeter router in front of a firewall is a sound practice and one that I learned from Cisco recommendations years back. This creates one more point that an intruder has to breach before he even begins on the firewall. If correctly configured for security (services turned off, access-lists, etc.) then the perimeter router usually deters the novice hackers who make up the majority of perimeter breach attempts.
In addition, if your internal network includes multiple subnets which require traffic handoff, then I always maintain an internal router behind my PIX. This allows for a cleaner handoff to remote subnets on my own network without taxing the PIX. The PIX is a very fast Internet device, but it is not a router.
11-21-2001 12:14 PM
Cisco wrote a paper (URL below) that sort of lists the differences, or when you may consider one box vs. separate devices... Fred http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/flrrr_ov.htm
11-26-2001 05:52 AM
I'll definitely spend a little time with this URL. Thanks for the useful information.
11-21-2001 01:29 PM
I'd recommend using a router with the firewall feature set as the outside device, backed up by a firewall-only device between the router and LAN. That gives another layer of protection.
11-21-2001 02:00 PM
It's a good practice to keep the ISP router and private network firewall separate because the perimeter router, apart from normal duties, can be used for limiting outbound ping & inbound TCP SYN, and filtering for RFC 1918 & 2267. An enterprise network would typically look like this:
Perimeter router running BGP
Perimeter firewall with more throughput
Internal firewall with more functionality & features for protecting internal segments
Regards....Ketan Chaudhari, CCSA, CCNP, MCSE
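As an added illustration of the perimeter-router duties named in Horace's and Ketan's posts (services turned off, access-lists, RFC 1918 bogon filtering, RFC 2267 anti-spoofing), here is a sample Cisco IOS configuration fragment for an edge router sitting in front of the firewall. This is example configuration written for this thread, not from any poster or from the Cisco paper linked above. The interface names, the public block 203.0.113.0/24 and the web server 203.0.113.10 are assumed placeholder values (203.0.113.0/24 is a documentation range); substitute your own.

```cisco
! Harden the router itself: turn off services the edge does not need
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
no ip source-route
no cdp run
!
! Inbound from the Internet (applied on the ISP-facing interface)
ip access-list extended EDGE-IN
 remark RFC 1918 private sources have no business arriving from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark RFC 2267: packets claiming OUR public block as source are spoofed (assumed block)
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Only the services the firewall is expected to see; the firewall does the stateful work
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark Let replies to our own pings come back, but not inbound echo requests
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 deny   ip any any log
!
! Outbound to the Internet: RFC 2267 egress filtering plus the "limit outbound ping" point
ip access-list extended EDGE-OUT
 remark Only traffic sourced from our own public block may leave
 deny   icmp 203.0.113.0 0.0.0.255 any echo log
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP (assumed interface name)
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
interface FastEthernet0/0
 description Toward the perimeter firewall (assumed interface name)
```

The router does only coarse, stateless screening here; that is the point of the split the thread describes. The `log` keyword on the deny lines gives the perimeter device its own record of spoofed and bogon traffic, which is useful when troubleshooting whether a failure is on the router or on the firewall behind it. The NAT on the PIX in this design would translate internal addresses into 203.0.113.0/24, so EDGE-OUT never needs to permit RFC 1918 sources.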