physical location of firewall

Here is the hypothetical:

I have two routers connecting to my individual WAN links. I connect both of them into 1 switch. Then I connect the switch into a firewall. Then I connect the firewall into a switch which connects to my internal network. My lame attempt at a diagram is below:

Router 1 (DSL router)   ==>Switch 1 ==>Firewall 1 ==>internal network 1
Router 2 (Cable router) ==>Switch 1 ==>Firewall 1==>internal Network 1

Let's say I have the firewall set up to send all requests through to "router1" (my firewall has a setting to define only 1 WAN link). Now, I set up a Windows XP client to use "router2" as a gateway. I have port 21 blocked at the firewall, both ways.

Will the firewall block the internal client's request for port 21 on the internet, even though the firewall is configured to use "router 1"? Will the firewall block requests for port 21 into my network that hit "router 2"?
npinfotechAsked:

npinfotechAuthor Commented:
Basically, what I am asking is: if I have a firewall appliance separating multiple WAN routers from an internal network, will the firewall police all traffic that flows through it, regardless of configuration?
rsivanandanCommented:
No. It won't. The traffic from the XP Machine will straight away go to Router2 and so the firewall doesn't see it at all.

Cheers,
Rajesh
npinfotechAuthor Commented:
So, not all traffic that flows through a firewall is checked by the firewall. The firewall has to be assigned as the gateway at all times?
rsivanandanCommented:
No again. For the firewall to inspect the traffic, the traffic has to go through it. In your second case, the traffic doesn't go through the firewall at all. For example, I have 2 internet connections like this:

ISP1-------
              Router--------Firewall------------Internal Hosts
ISP2-------

In this case, the internal host uses either one of these ISP links to go out to the internet, but at any time the incoming and outgoing traffic passes through the firewall.

Cheers,
Rajesh
npinfotechAuthor Commented:
Thanks Rajesh.

Your answer confuses me a bit. The diagram you drew has both WANs connected to 1 router. All traffic would pass through the firewall regardless of what the internal network PC uses as a gateway. The scenario I was talking about does the same thing, only with 1 additional router.

The one I was trying to draw would look like this (with IP addresses assigned):

               (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall------------Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)

So, my internal host, with IP address 1.1.1.4, uses router 2 (1.1.1.2) as its gateway. The traffic still has to go through the firewall to get to router 2. Will the firewall block traffic anyway? Will the firewall monitor traffic originating from router 2 bound for my internal network?
rsivanandanCommented:
Npinfotech,

Sorry if I confused you. Okay, let me be clear now. In your case, the problem is that your internal host 1.1.1.4 bypasses the firewall and gets to Router 2 even though both are plugged into the same switch, like this:

              (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall                Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)                                                              |
                         |                                                                |
                          ----------------------------------------------------

This is because you have the default gateway configured as Router 2 on 1.1.1.4, so the switch will directly deliver the packet to Router 2. The firewall doesn't see it at all. If you had the default gateway as 1.1.1.3, then it would go through the firewall. Remember the traffic between 1.1.1.4 and 1.1.1.2 *DOES NOT* go through the firewall.

Cheers,
Rajesh
npinfotechAuthor Commented:
No worries, maybe I'm confusing myself!

There is no way to get to 1.1.1.2 without passing through 1.1.1.3 physically. All traffic bound for 1.1.1.1 or 1.1.1.2 has to pass through 1.1.1.3. The switch between the routers and the firewall is just to connect the routers; it connects to nothing else but the routers and the firewall.

If any traffic passes through the firewall, regardless of settings, will the firewall ignore it?
rsivanandanCommented:
If the traffic passes through the firewall then it will not ignore it. It will work on the traffic. But again, regardless of the (physical) connection you have, if you have the default gateway as 1.1.1.2 on the machine 1.1.1.4 then it is not going to pass through the firewall. It is the basic TCP/IP networking model.

Cheers,
Rajesh
npinfotechAuthor Commented:
So, if 1.1.1.4 makes the request, will it just get a timeout or something?
rsivanandanCommented:
If 1.1.1.4 makes a request for the internet and it cannot reach 1.1.1.2, it will time out. Otherwise, if it can reach 1.1.1.2, traffic will pass through and you'll have non-firewalled internet.

Why don't you do this: just do a tracert to a public IP address and see if it crosses your firewall address. It won't.

Cheers,
Rajesh
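As an added example (not from the original thread), here is a small Python model of the forwarding decision Rajesh describes. It uses the thread's addresses (1.1.1.1 router 1, 1.1.1.2 router 2, 1.1.1.3 firewall, 1.1.1.4 host) plus a /24 mask and a "block tcp/21 both ways" policy, all of which are assumptions, and it compares three ways the boxes could be wired: a routed firewall separating the inside switch from switch 1 (npinfotech's drawing), a transparent bridging firewall in the same position, and a flat segment where the hosts reach switch 1 without the firewall in the frame path (the extra link in Rajesh's drawing).

```python
# Added example, not code from the thread. Models which device handles a
# packet from 1.1.1.4 under three wiring assumptions and whether the
# firewall's port-21 policy ever gets a chance to apply.
from ipaddress import ip_address, ip_interface

HOST = "1.1.1.4/24"          # assumed /24; the thread gives no mask
ROUTER1, ROUTER2, FIREWALL = "1.1.1.1", "1.1.1.2", "1.1.1.3"
BLOCKED_PORTS = {21}         # "port 21 blocked at the firewall, both ways"

# Broadcast domains (sets of IPs that can ARP for each other) for each wiring.
# routed:  the firewall is a router between the inside switch and switch 1.
# bridged: a transparent firewall joins the two switches into one segment but
#          still sits in the path of every frame crossing between them.
# flat:    hosts reach switch 1 directly; the firewall is just another box.
TOPOLOGIES = {
    "routed":  [{"1.1.1.4", FIREWALL}, {ROUTER1, ROUTER2, FIREWALL}],
    "bridged": [{"1.1.1.4", FIREWALL, ROUTER1, ROUTER2}],
    "flat":    [{"1.1.1.4", FIREWALL, ROUTER1, ROUTER2}],
}


def next_hop(host_cidr, gateway, dst):
    """The host's routing decision: on-link destinations are delivered
    directly, everything else is handed to the configured default gateway."""
    host = ip_interface(host_cidr)
    return dst if ip_address(dst) in host.network else gateway


def same_broadcast_domain(topology, a, b):
    """ARP only resolves between addresses that share a segment."""
    return any(a in seg and b in seg for seg in TOPOLOGIES[topology])


def firewall_sees(topology, hop):
    """A bridging firewall is in the frame path of every segment crossing;
    a routed firewall (or a bystander on a flat segment) only handles
    packets whose next hop is the firewall itself."""
    return topology == "bridged" or hop == FIREWALL


def outcome(gateway, dport, topology, dst="203.0.113.10"):
    """Fate of a TCP connection from 1.1.1.4 to dst:dport."""
    host_ip = HOST.split("/")[0]
    hop = next_hop(HOST, gateway, dst)
    if not same_broadcast_domain(topology, host_ip, hop):
        return "timeout"                      # cannot even ARP for the gateway
    if firewall_sees(topology, hop):
        return "dropped" if dport in BLOCKED_PORTS else "allowed"
    return "bypassed"                         # router 2 forwards it unfiltered


if __name__ == "__main__":
    for topology in TOPOLOGIES:
        for gw in (FIREWALL, ROUTER2):
            for port in (21, 80):
                print(f"{topology:8} gw={gw} tcp/{port}: "
                      f"{outcome(gw, port, topology)}")
```

With the host's gateway set to router 2, the routed wiring returns "timeout" (the host cannot ARP for 1.1.1.2 across a router, Rajesh's first case) and the flat wiring returns "bypassed" (his second case). The port 21 policy is applied only when the firewall is the next hop, or when it bridges and is therefore in the frame path regardless of which gateway the host picked.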
rsivanandanCommented:
NpInfotech,

  Did I help you? I mean did you figure it out? Just wanna make sure...

Cheers,
Rajesh
npinfotechAuthor Commented:
All I get when I try to tracert is "*.*.*.*" Request timed out. Then it will proceed to get the rest of the information as it normally should.

This happens no matter what I use as a gateway.
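Rajesh's tracert check is easy to automate, and it is worth handling the symptom npinfotech reports: a first hop that only answers "Request timed out." This is an added example, not part of the original thread. The tracert output below is constructed for the example (the host name and public addresses are made up; 1.1.1.2 and 1.1.1.3 are router 2 and the firewall from the thread). It parses Windows tracert output, treats a fully silent hop as unknown rather than as proof that the firewall is absent, and reports whether the firewall's address shows up on the path.

```python
# Added example, not code from the thread: parse Windows tracert output and
# decide whether the traced path visibly crosses the firewall.
import re

# Constructed sample (not a real capture), shaped like the symptom in the
# thread: the first hop only answers "Request timed out." and the rest of the
# path is normal. example.net, 198.51.100.1 and 203.0.113.10 are made up.
SAMPLE_SILENT_FIRST_HOP = """\
Tracing route to example.net [203.0.113.10]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     1 ms     1 ms     1 ms  1.1.1.2
  3    12 ms    11 ms    12 ms  198.51.100.1
  4    20 ms    19 ms    21 ms  example.net [203.0.113.10]

Trace complete.
"""

# Constructed sample of the same path with the firewall answering at hop 1.
SAMPLE_FIREWALL_ANSWERS = """\
Tracing route to example.net [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  1.1.1.3
  2     1 ms     1 ms     1 ms  1.1.1.2
  3    12 ms    11 ms    12 ms  198.51.100.1
  4    20 ms    19 ms    21 ms  example.net [203.0.113.10]

Trace complete.
"""

HOP_LINE_RE = re.compile(r"^\s*(\d+)\s+(.*)$")       # "  2     1 ms ... 1.1.1.2"
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # last IPv4 on the line


def parse_tracert(text):
    """Return [(hop_number, ip_or_None), ...]. A hop where every probe timed
    out is recorded as None; 'hostname [ip]' lines yield the bracketed ip."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE_RE.match(line)
        if not m:
            continue                      # header, blank line, "Trace complete."
        hop, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((hop, None))
            continue
        ips = IPV4_RE.findall(rest)
        hops.append((hop, ips[-1] if ips else None))
    return hops


def path_crosses(hops, address):
    """True if `address` answered as a hop somewhere on the path."""
    return any(ip == address for _, ip in hops)


def classify_path(hops, firewall_ip):
    """'through-firewall' if the firewall answered as a hop; 'inconclusive'
    if the first hop was silent (a routed firewall that does not send ICMP
    time-exceeded looks exactly like this); otherwise 'no-firewall-hop'."""
    if path_crosses(hops, firewall_ip):
        return "through-firewall"
    if hops and hops[0][1] is None:
        return "inconclusive"
    return "no-firewall-hop"


if __name__ == "__main__":
    for name, text in (("silent first hop", SAMPLE_SILENT_FIRST_HOP),
                       ("firewall answers", SAMPLE_FIREWALL_ANSWERS)):
        hops = parse_tracert(text)
        print(f"{name}: {hops} -> {classify_path(hops, '1.1.1.3')}")
```

The design choice to flag a silent first hop as inconclusive rather than as a bypass matters here: many firewalls are configured not to send ICMP time-exceeded replies, so a "* * *" at hop 1 followed by the WAN router is consistent with traffic being routed through a quiet firewall. The trace only proves the firewall is on the path when the firewall's own address answers; a firewall rule log or a packet capture on the firewall interface is what settles the question when it stays silent.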
rsivanandanCommented:
OK, but what I mentioned above is the standard behavior of a network.

Have a good day.

Cheers,
Rajesh