pros & cons of keeping the router as a separate device from firewalls

horjones
Level 1

An in-house client has pressed the question of why is it a good idea to keep the router and firewall as separate devices, even though some firewalls can perform routing functionality.

Other than keeping clear distinctions for troubleshooting failures and concern of processor load in large networks, please list - with descriptions - other pro's for this type of network design.

8 Replies

wdrootz
Level 4

Well I think you addressed the main points. For us, performance was a big issue. The PIX had outstanding performance numbers probably because it doesn’t route. Also, we don’t own the Internet router so I didn’t trust my ISP to configure the firewall features on it to meet my security design. Can anyone else think of any other reasons?

I would think that what has been listed is enough, but I have never seen a firewall with routing ability that can match the performance and flexibility of 2 dedicated systems. Hey Horace, can you knock a few bucks off my bill for me?

Thanks for the reply and I can't do much for my own bill. Wouldn't that make a nice holiday gift?

Maintaining a perimeter router in front of a firewall is a sound practice and one that I learned from Cisco recommendations years back. This creates one more point that an intruder has to breach before he even begins on the firewall. If correctly configured for security (services turned off, access-lists, etc.) then the perimeter router usually deters the novice hackers who make up the majority of perimeter breach attempts.

In addition, if your internal network includes multiple subnets which require traffic handoff, then I always maintain an internal router behind my PIX. This allows for a cleaner handoff to remote subnets on my own network without taxing the PIX. The PIX is a very fast Internet device, but it is not a router.

fjordan
Level 1

Cisco wrote a paper (URL below) that sort of lists the differences or when you may consider one box vs separate devices... Fred http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/flrrr_ov.htm

I'll definitely spend a little time with this URL. Thanks for the useful information.

jiwold
Level 1

I'd recommend using a router with the firewall feature set as the outside device, backed up by a firewall-only device between the router and LAN. That gives another layer of protection.

cketan
Level 1

It's a good practice to keep the ISP router and private network firewall separate because the perimeter router, apart from normal duties, can be used for limiting outbound ping & inbound TCP SYN, and filtering for RFC 1918 & 2267. An enterprise network would typically look like this:

Perimeter router running BGP

Perimeter firewall with more throughput

Internal firewall with more functionality & features for protecting internal segments

Regards....Ketan Chaudhari, CCSA, CCNP, MCSE
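The RFC 1918 and RFC 2267 filtering Ketan assigns to the perimeter router, modelled as an added example (not code from the thread or from Cisco): it applies the same deny/permit decisions an edge access-list would, to constructed sample packets. The site prefix 203.0.113.0/24 and the sample addresses are assumptions chosen from documentation ranges.

```python
"""Model of the perimeter-router ACL logic described in the thread:
drop RFC 1918 sources and spoofed packets (RFC 2267) at the edge,
before any of that traffic reaches the firewall."""
from ipaddress import ip_address, ip_network

# Assumed site prefix (documentation range, constructed for this example).
SITE_PREFIX = ip_network("203.0.113.0/24")

# Sources that must never arrive from the Internet on the outside interface.
BOGON_SOURCES = [
    ip_network("10.0.0.0/8"),        # RFC 1918
    ip_network("172.16.0.0/12"),     # RFC 1918
    ip_network("192.168.0.0/16"),    # RFC 1918
    ip_network("127.0.0.0/8"),       # loopback
    ip_network("0.0.0.0/8"),         # "this" network
]


def filter_inbound(src: str) -> str:
    """Verdict for a packet entering from the ISP link.
    RFC 2267 anti-spoofing: our own prefix can never be a source from outside."""
    addr = ip_address(src)
    if addr in SITE_PREFIX:
        return "deny-spoofed-own-prefix"
    for net in BOGON_SOURCES:
        if addr in net:
            return f"deny-bogon-{net}"
    return "permit"


def filter_outbound(src: str) -> str:
    """Verdict for a packet leaving towards the ISP.
    RFC 2267 egress rule: only our own prefix may appear as a source."""
    addr = ip_address(src)
    return "permit" if addr in SITE_PREFIX else "deny-egress-spoof"


def apply(packets):
    """Run (src, direction) pairs through the edge; returns (src, dir, verdict)."""
    return [(src, d, filter_inbound(src) if d == "in" else filter_outbound(src))
            for src, d in packets]


if __name__ == "__main__":
    # Constructed sample packets: one legitimate, one RFC 1918, one spoofed
    # with our own prefix, one valid egress, one egress spoof.
    SAMPLE = [("198.51.100.7", "in"), ("10.1.2.3", "in"), ("203.0.113.9", "in"),
              ("203.0.113.9", "out"), ("192.168.5.5", "out")]
    for row in apply(SAMPLE):
        print(*row)
```

The same rules end up as deny lines on the outside interface's inbound ACL and a source-prefix permit on the outbound one, which is what leaves the PIX behind it handling only plausibly addressed traffic.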