7 Replies Latest reply: Aug 26, 2014 7:15 AM by Richard Burts

    Screening router

    David D

      Should you use a router in front of your firewall? And why would you in the first place? I've seen it a couple of times but nobody can say why it was done.

        • 1. Re: Screening router
          Conwyn

          Hi David

           Traffic from the ISP may not come in on an Ethernet interface. The further you push the attack back from your core the better. So if the router can halt the incoming attack it means the firewall is free for the complex work.

          Regards Conwyn

          • 2. Re: Screening router
            AICCOID22122009

            Conwyn wrote:

             Traffic from the ISP may not come in on an Ethernet interface. The further you push the attack back from your core the better. So if the router can halt the incoming attack it means the firewall is free for the complex work.

            Regards Conwyn

             Also (optional): to not have your F/W do the NAT too.

             Other off-load reasons:

             • stateless packet filtering, as Conwyn mentions, just to "choke" some bad traffic
             • traffic policing/shaping and other QoS/CoS actions on in/out traffic

            cheers folks
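
The stateless "choke" filtering and anti-spoofing that Conwyn and the reply above describe, written out as an added example for a Cisco IOS router sitting in front of the firewall. This is constructed for illustration and is not configuration from anyone in the thread; the ISP-facing interface Serial0/0/0, the site's own public prefix 203.0.113.0/24 and the DMZ hosts .10, .20 and .30 are all assumptions.

```cisco
! Added example (not from the thread). Assumptions: Serial0/0/0 faces the ISP,
! 203.0.113.0/24 is our own public prefix, .10/.20/.30 are DMZ hosts behind the firewall.
ip access-list extended OUTSIDE-IN
 remark Private, loopback, link-local, shared and multicast sources never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Anti-spoof: nothing outside may claim our own prefix as its source
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Only the published DMZ services are let through to the firewall
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.20 eq 25
 permit udp any host 203.0.113.30 eq 53
 permit tcp any host 203.0.113.30 eq 53
 remark Return traffic for sessions opened from inside: stateless, so only ACK/RST-bearing
 remark segments pass here; the firewall behind keeps the real connection state
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark Keep path MTU discovery and ping replies working
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 remark Everything else is dropped before it ever reaches the firewall
 deny   ip any any log
!
ip cef
!
interface Serial0/0/0
 description Link to ISP (non-Ethernet media terminated here, not on the firewall)
 ip address 192.0.2.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ! Strict unicast RPF: drop packets whose source would not be routed back out this link
 ip verify unicast source reachable-via rx
```

Two caveats a practitioner would want: `ip verify unicast source reachable-via rx` needs CEF enabled and only fits strict mode on a single-homed link (use `reachable-via any` when the same prefix can legitimately return over another link), and `log` on the final deny is handy for tuning but becomes its own load under a flood, so bound it with `logging rate-limit` or `ip access-list log-update threshold`.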

            • 3. Re: Screening router
              David D

              Thanks for the insight.

              • 4. Re: Screening router
                AICCOID22122009

                Hey there David

                you are welcome m8.

                One more that just came up in mind>>>>

                Policy-based routing (PBR) functionality, especially useful when the NATting point is the outside-zone choke router too. Many vendor firewalls don't really support this very useful feature for multihoming and general traffic engineering. They instead support policy-based NAT, but there are meaningful use-case differences (e.g. PBR matching by traffic type or ToS/precedence values and setting/changing these CoS/QoS values right before egress forwarding), as you can understand.

                cheers
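
The PBR use case just described, as an added example for a Cisco IOS choke router that has two upstream links and the firewall behind it. It is constructed for illustration and is not configuration from the poster; the interface names, the next hops 192.0.2.1 (ISP-A) and 198.51.100.1 (ISP-B), the source range 203.0.113.0/24 coming out of the firewall, and the choice of VoIP and backup traffic as the classes are all assumptions.

```cisco
! Added example (not from the thread). Assumptions: GigabitEthernet0/1 faces the
! firewall's outside interface, ISP-A next hop is 192.0.2.1, ISP-B next hop is 198.51.100.1,
! and traffic leaving the firewall carries sources in 203.0.113.0/24.
ip access-list extended VOIP-OUT
 remark SIP signalling and the assumed RTP port range
 permit udp 203.0.113.0 0.0.0.255 any eq 5060
 permit udp 203.0.113.0 0.0.0.255 any range 16384 32767
!
ip access-list extended BULK-OUT
 remark Off-site backups (rsync), assumed to be the bulk class
 permit tcp 203.0.113.0 0.0.0.255 any eq 873
!
! Match by traffic type, then set the precedence and pick the egress next hop in one step,
! which is the PBR capability many firewalls lack.
route-map ISP-SELECT permit 10
 match ip address VOIP-OUT
 set ip precedence 5
 set ip next-hop 198.51.100.1
!
route-map ISP-SELECT permit 20
 match ip address BULK-OUT
 set ip precedence 0
 set ip next-hop 192.0.2.1
!
! Packets matching no clause fall through to ordinary destination-based routing.
interface GigabitEthernet0/1
 description Inside link to the firewall's outside interface
 ip address 10.255.0.1 255.255.255.252
 ip policy route-map ISP-SELECT
```

The policy only acts on packets entering GigabitEthernet0/1, so it steers outbound traffic; the return path is decided by whichever provider routes the prefix back, which is why PBR on the choke router is usually paired with the NAT or BGP arrangement rather than used alone. If a chosen next hop can go away, `set ip next-hop verify-availability` with an IP SLA track object stops the clause from blackholing traffic.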

                • 5. Re: Screening router
                  David D

                  That's a really good reason.

                  • 6. Re: Screening router
                    AICCOID22122009

                    Glad you liked it bro!

                    cheers B-)

                    • 7. Re: Screening router
                      Richard Burts

                      I would agree with points from previous posts that sometimes connection on media other than Ethernet is a reason for a router outside the firewall. Also that being able to discard obviously not legitimate traffic before it gets to the firewall lets the firewall focus its resources on traffic that is likely to matter more. And I like the suggestion that PBR may be a desirable feature and is not supported on many firewalls. Let me also suggest two other reasons why you might choose to put router(s) in front of the firewall:

                      - some people will choose to put a router in front of the firewall so that it can run a routing protocol over the outside connection. Until very recently the ASA did not support BGP and so if you wanted to run BGP with a provider you could not do that on the firewall. And some people prefer to have their firewall focus on filtering traffic and not to try to do much in the way of routing activity.

                      - some firewalls, particularly the ASA, do not support active connection to multiple outside connections. They do fine with a single default route (and maybe a backup default to another next hop) but do not actively use more than one. I worked with a customer recently who was implementing a multi-homed connection from his network to two ISPs. They have an ASA firewall and chose to put routers in front of the firewall so that they could maintain active connections to both providers and to actively share traffic on both connections.

                      HTH

                      Rick
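
The two reasons Rick gives (running BGP with the provider on a router rather than the ASA, and keeping both provider links active when the ASA only carries one default route) written out as an added example. It is constructed for illustration and is not the customer's configuration: one edge router, EDGE-A, peers with ISP-A, and a twin EDGE-B does the same with ISP-B; the ASA behind them has a single default route to a shared HSRP address. AS numbers (ours 64496, ISP-A 64500), the public prefix 203.0.113.0/24, the transit LAN 10.255.0.0/29 (HSRP address .1, EDGE-A .2, EDGE-B .3, ASA outside .4) and the neighbor password are all assumptions.

```cisco
! Added example (not from the thread): EDGE-A. EDGE-B is the mirror image with ISP-B.
! Assumptions: our AS 64496, ISP-A AS 64500 at 192.0.2.1, our prefix 203.0.113.0/24,
! transit LAN 10.255.0.0/29 shared by both edge routers and the ASA outside interface.
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Our prefix lives behind the ASA; the Null0 backup keeps the aggregate in the RIB so the
! BGP network statement stays valid if the ASA link flaps.
ip route 203.0.113.0 255.255.255.0 10.255.0.4
ip route 203.0.113.0 255.255.255.0 Null0 250
!
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP to ISP-A: announce only our prefix, accept only a default, protect the session
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 password ISP-A-SHARED-SECRET
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 prefix-list OUR-PREFIX out
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 ! iBGP to EDGE-B so each edge also knows the other provider's default
 neighbor 10.255.0.3 remote-as 64496
 neighbor 10.255.0.3 next-hop-self
!
interface GigabitEthernet0/1
 description Transit LAN shared with EDGE-B and the ASA outside interface
 ip address 10.255.0.2 255.255.255.248
 standby 1 ip 10.255.0.1
 standby 1 priority 110
 standby 1 preempt
!
! On the ASA (assumed config, ASA syntax): the firewall never sees two providers,
! only the one default toward the HSRP address.
! route outside 0.0.0.0 0.0.0.0 10.255.0.1 1
```

Because both edge routers announce 203.0.113.0/24, inbound traffic is shared by the providers' own path selection while the ASA keeps its single default; outbound traffic follows whichever router holds the HSRP address and that router's own eBGP default, so spreading outbound load across both links is done on the routers (for instance with the policy-based routing discussed earlier in the thread), not on the firewall.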