Solved

Firewall or router, which comes first

Posted on 2010-09-03
Medium Priority
4,769 Views
Last Modified: 2012-06-27
I have a very general question. Consider the following network layout examples:

Internet<-->Router<-->Firewall<-->Private Network

and

Internet<-->Firewall<--->Router<--->Private Network

Which of these setups is the recommended one?

I am thinking that the second setup will easily allow you to connect another router and add another subnet onto the network without interfering with the server configurations. You can also comfortably point the gateway of all machines to the router.

I use the first setup at my organization, and because of this the router has no private IP address, so I cannot use it as a GW on the clients.

Maybe slightly related to an earlier question but just asking. All answers earn points.

Thanks.
Question by:JMarewa
12 Comments
 
LVL 2

Accepted Solution

by:
aaronblum earned 500 total points
ID: 33598539
I would recommend the second configuration since that should provide the most protection for your network.  This configuration will help shield your router from external attacks and decrease the size of your attack surface.
 
LVL 6

Expert Comment

by:Joshua_Peters
ID: 33598751
Agreed. Also turn off external pings so no one even knows you are there.
 
LVL 8

Assisted Solution

by:jimmyray7
jimmyray7 earned 500 total points
ID: 33598760
The second setup will allow you to have a Gateway on the private network.  If you have more questions, post what type of devices these are and we can dig a little deeper.
 

Author Comment

by:JMarewa
ID: 33598824
Great. I forgot to add one device, the satellite modem. See below and let me know if it makes a difference in your recommendations.

Internet<-->Satellite Modem<-->Router<-->Firewall<-->Private Network

and

Internet<-->Satellite Modem<-->Firewall<--->Router<--->Private Network

Thanks.
 
LVL 2

Expert Comment

by:aaronblum
ID: 33598836
No major difference here, though I would advise making sure that you keep the firmware on the modem updated if that is within your technical capabilities as it must be outside the firewall.
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 500 total points
ID: 33599148
Our set up at work:

Internet provider <---> edge router <---> firewall  <---> IPS <---> layer 3 switch <---> router <---> internal network

I think the method pretty much is dependent on the abilities (brands) of the equipment and the configurations.
 
LVL 3

Expert Comment

by:gremwell
ID: 33600252
The preferred setup may depend on what exactly your router does. Your doubts about whether to put it in front of the firewall or after it make me think you may not need it at all.
 
LVL 2

Assisted Solution

by:fs40490
fs40490 earned 500 total points
ID: 33602146
Well as you know either will work.  As for the best depends on what you are looking for.  So does your firewall have more than just 2 interfaces?  If so you may be able to support a second interface to stand up an additional internal network.  This helps to alleviate the need of a router internal to the network.

I personally like to have a router in front of the firewall. This way I can actually support basic layer 3 filtering to help offload some of the unnecessary processing from the firewall.

Ideally you would have an additional router in this scenario.  With that configuration it would be:

ISP --> router --> FW --> router --> Internal LAN

Of course as pony outlines it would be nice to have additional security gear available also, mainly IPS.  Again the thought being that not only it will help to prevent attacks, these devices also help to alleviate some of the processing other devices need to do.
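As an added illustration of the "basic layer 3 filtering on the router in front of the firewall" that fs40490 describes, together with Joshua_Peters' suggestion to stop answering pings from the Internet, here is an edge-router configuration in Cisco IOS syntax. It is not from any of the posters and the thread never names a vendor; the interface name, the 203.0.113.0/24 link address and the choice of Cisco IOS are all assumptions. The ACL drops packets whose source address cannot legitimately arrive from the Internet (RFC 1918, loopback, link-local, multicast, 0.0.0.0/8) and inbound ICMP echo requests, then hands everything else to the firewall for the real policy decision.

```cisco
! Added example, not from the thread. Interface name and addresses are assumed.
! Ingress filter applied on the edge router's outside (Internet/modem) interface.
ip access-list extended EDGE_IN
 remark Sources that can never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Do not answer pings from outside (echo-request only; other ICMP stays)
 deny   icmp any any echo
 remark Everything else goes on to the firewall, which holds the real policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside - toward satellite modem (assumed interface name)
 ip address 203.0.113.2 255.255.255.0
 ip access-group EDGE_IN in
 ! Strict unicast RPF: drop packets whose source would be routed back out
 ! a different interface, i.e. spoofed copies of our own internal prefixes
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip proxy-arp
 no ip unreachables
```

Two points worth checking after applying something like this: the ACL denies only ICMP echo-request, so "fragmentation needed" and "time exceeded" messages still pass and path MTU discovery and traceroute keep working; and strict uRPF is only safe on an interface where routing is symmetric, which is normally true for a single-homed edge such as the satellite link in the question but not for multi-homed sites.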
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 33602171
Some common devices just combine the two functions into one box.  
Juniper Networks implements what they call "virtual routers" on each "zone" with the firewall in between the trusted and untrusted zones.

So, you could take a hint from their architecture.

In fact, if there were a reason, you could have routers in front of and behind the firewall with separate roles.  But, I can't think of much of a role between the modem and the firewall actually.
 

Author Comment

by:JMarewa
ID: 33602241
Thank you all guys. Much appreciated.
 

Author Comment

by:JMarewa
ID: 33602253
Hey,

I meant to award points equally and then close the question. I am not meant to close the question. Please let me know. I am a bit new at this.

Thanks.
 

Expert Comment

by:thermoduric
ID: 33603266
Cancel auto-close.

- thermoduric -
EE Community Support Moderator