I am new to firewalls and I wonder why we need a firewall behind a perimeter
router? As far as I know, we can filter most of the malicious traffic
using the perimeter router itself, for example a Cisco router with IOS.
Comparing a Cisco router with the firewall version of IOS and a pure firewall
behind a perimeter router, which of them offers more safety?
Pls help. Thanks.
Well, strictly speaking the perimeter router is, especially if it is a
filtering one, part of the firewall system. On the perimeter router you can
do filtering for IP spoofing and black-listed addresses (if you have any).
Whether it is enough to have a Cisco router with the Firewall IOS doing ACLs for
packet filtering, or whether you need a more complicated firewall, greatly depends
on your security policy (which in turn depends on the risk analysis you
should do).
Things you might need:
- Content filtering (malware protection)
- Incoming connection authentication
- Web proxy + cache
- Protocol-specific filtering (like SMTP buffer overflows or FTP DELE
statements).
The latter is most important if you can't trust your servers to be hardened.
In any case I would suggest you don't let any incoming connections into your
LAN where you don't have control of the configuration of your hosts. This can
be done by a firewall or simply by a masquerading router. In the latter case
you need to take special care of some protocols like FTP, or simply don't
allow anything which is more complicated.
Greetings
Bernd
--
(OO) -- Bernd_E...@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Using a firewall behind a perimeter router allows you to implement "defense
in depth", or multiple barriers between your protected network and the
public Internet. Using this "defense in depth" strategy you can implement
a portion of your security or access control policy on the router and a
portion on the firewall. For example, you can screen various IP subnets or
protocols using an access control list (ACL) at the router, and then track
the state of allowed connections at the firewall.
Comparing an IOS router with the IOS firewall to a "pure firewall" such
as the PIX behind a perimeter router, I'd suggest the same strategy.
One issue that sometimes comes up is the need to be able to run an "ED"
(Engineering Distribution) or "LD" (Limited Distribution, as compared to
"GD" or General Distribution) IOS image on the perimeter router to support
the feature requirements of your Internet connection. All versions of IOS
code support standard and extended access control lists (ACLs). There are
versions of code that do not support the IOS firewall.
For example, if you needed to install a new version of IOS (that did not
support the IOS firewall) to use a new serial interface feature, you'd be
taking down your only firewall.
I hope this helps.
Regards,
Brian
>Date: Wed, 31 Jan 2001 09:09:14 +0800
>From: Ju Kong Fui <kon...@TP.EDU.SG>
>Subject: Difference between a firewall and a perimeter router
brf...@cisco.com said:
> Using a firewall behind a perimeter router allows you to implement
> "defense in depth", or multiple barriers between your protected
> network and the public Internet. Using this "defense in depth"
> strategy you can implement a portion of your security or access
> control policy on the router and a portion on the firewall.
All very true, and very important.
Defense in depth also allows for the possibility of a "best of breed"
approach. If, for example, one vendor has a superior SMTP proxy, you can place
his product in front of your mail server and other vendors' product(s) in
front of other servers, exploiting their respective strengths.
I realize this may not be practical for all installations, in particular the
smaller ones, and that it adds administrative complexity, which is usually not
a good thing in the security context, but the benefits may outweigh the
detractions for some folks.
The other reason to use a multi-layered approach is rather obvious: the
attacker must penetrate multiple layers. Stacking two or more identical
layers may not offer much improvement, as all are probably penetrable to the
same degree. But if they are different (products, versions, configurations,
etc.), then the attacker has to work at every layer. The defender (security
administrator) has the opportunity to detect and take corrective action at each
and every layer.
AL
--
+--------------------------------------------------------------------+
| Al Potter Manager, Network Security Labs |
| apotter at-yay icsa ot-day net ICSA Labs |
| (If the spambots learn piglatin...) |
| PGP Key: 0x58C95451 http://www.icsa.net |
| PGP Fingerprint: D3 1D BE 8C B5 DD 12 61 5A 4A 65 32 93 E5 D9 36 |
+--------------------------------------------------------------------+
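The two-layer design that Bernd, Brian and Al describe, written up as an added Python simulation that is not part of this thread: a stateless perimeter ACL (anti-spoofing, blacklist, protocol screening) in front of a stateful firewall that only admits inbound packets belonging to a session opened from inside, with a per-layer log so the defender can see which barrier stopped what. All addresses, the blacklist and the packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")            # protected LAN (constructed)
BLACKLIST = [ip_network("198.51.100.0/24")]    # black-listed range (constructed)
BOGON = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
ALLOWED_PROTO = {"tcp", "udp"}                 # protocols screened at the router

def router_acl(pkt):
    """Layer 1, stateless perimeter ACL: None if permitted, else a drop reason."""
    src = ip_address(pkt["src"])
    if src in INSIDE:                          # our own range arriving from outside
        return "spoofed-source"
    if any(src in net for net in BOGON + BLACKLIST):
        return "blacklisted-source"
    if pkt["proto"] not in ALLOWED_PROTO:
        return "protocol-not-permitted"
    return None

class StatefulFirewall:
    """Layer 2: remembers outbound sessions and only admits their replies."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    def inbound(self, pkt):
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # reversed tuple
        return None if key in self.sessions else "no-matching-session"

def filter_inbound(fw, packets):
    """Pass each inbound packet through router then firewall; log the outcome."""
    log = []
    for pkt in packets:
        reason, layer = router_acl(pkt), "router"
        if reason is None:
            reason, layer = fw.inbound(pkt), "firewall"
        log.append((pkt["src"], layer if reason else "lan", reason or "permitted"))
    return log

def demo():
    fw = StatefulFirewall()
    # an inside host opened a web connection; its reply must be let back in
    fw.outbound({"src": "192.0.2.10", "sport": 40000, "dst": "203.0.113.5", "dport": 80})
    inbound = [  # constructed inbound packets: reply, spoof, blacklisted, unsolicited
        {"src": "203.0.113.5", "sport": 80, "dst": "192.0.2.10", "dport": 40000, "proto": "tcp"},
        {"src": "192.0.2.7", "sport": 1, "dst": "192.0.2.10", "dport": 22, "proto": "tcp"},
        {"src": "198.51.100.9", "sport": 1, "dst": "192.0.2.10", "dport": 22, "proto": "tcp"},
        {"src": "203.0.113.9", "sport": 1, "dst": "192.0.2.10", "dport": 22, "proto": "tcp"},
    ]
    return filter_inbound(fw, inbound)
```

Each log entry names the layer that acted, which is the point Al makes about getting a detection opportunity at every barrier rather than only at the last one.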