Firewall Location

Hi All,

Just a question about our firewall:

Our ISP controls our router.  We bought a firewall and the ISP techs placed the firewall outside the router.
So it looks something like this:

Internet-----Firewall-----Router------Distribution Switch------Switches (3 of them)------Client workstations and printers.

I have always been led to believe that the firewall should be to the right (see above) of the router.

Could someone please clarify this for me?

Thanks in advance.
Blue Street Tech (Last Knights) commented (accepted solution):
Hi Reyesrj,

I respectfully disagree with @epichero22. Why would they [the ISP] provide a router if not to be the Customer-Premises Equipment (CPE) and source of the Internet?

If the ISP owns/manages the router, otherwise known as the CPE, it is typically located at the demarc and should be upstream from your firewall. That way you can draw a clear line of separation between your environment and theirs... this helps with where fault lies and also just basic flow & configuration issues, to name a few. The way you have it set up now not only doesn't make sense but also leaves you vulnerable to their management/configurations. If some half-bit technician or even a seasoned L2 makes honest changes without knowing whom they are affecting, it can result in you being down! ISPs have bad L1 & L2 engineers like any other company. I have seen an ISP pumping 30x30 to a client when the client was under contract for 2x2 and not even realizing it. Albeit, that's a great mistake to have, but the point is you can't and shouldn't trust an ISP to handle/route your traffic after yours; it muddies the waters and it's begging for trouble and additional liability IMO.

In summary, I have never seen a setup like this. Again, your firewall should be the beginning of *your* network in this instance (having the ISP router upstream from the firewall).

Let me know if you have any questions.
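The placement rule in this answer (ISP-managed CPE upstream of the customer firewall, the firewall as the first device of *your* network) can be checked mechanically against a topology description. The following is an added example written for this thread, not code from the original posts or from any vendor: a small Python checker that parses an Internet-first ASCII chain like the one in the question and flags any ISP-managed device that sits inside the customer firewall boundary, or any customer-managed device that sits exposed upstream of it. The device labels, the ownership map and both diagrams are constructed sample input; `parse_chain`, `placement_findings` and the role-inference rule are hypothetical helpers, not part of any product.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hop:
    name: str
    role: str   # "router", "firewall", "switch" or "other"
    owner: str  # "isp" or "customer"


def infer_role(label: str) -> str:
    """Derive a device role from its diagram label (hypothetical keyword rule)."""
    lowered = label.lower()
    for role in ("firewall", "router", "switch"):
        if role in lowered:
            return role
    return "other"


def parse_chain(diagram: str, owners: Dict[str, str]) -> List[Hop]:
    """Split an Internet-first ASCII chain (devices joined by runs of dashes)
    into Hops. `owners` maps each label to "isp" or "customer"; the Internet
    cloud itself is dropped because nobody on the customer side manages it."""
    hops: List[Hop] = []
    for raw in re.split(r"-{2,}", diagram):
        label = raw.strip().rstrip(".")
        if not label or label.lower() == "internet":
            continue
        if label not in owners:
            raise ValueError(f"no owner recorded for {label!r}")
        hops.append(Hop(label, infer_role(label), owners[label]))
    return hops


def boundary_index(path: List[Hop]) -> int:
    """Index of the first customer-managed firewall along the path, or -1."""
    for i, hop in enumerate(path):
        if hop.role == "firewall" and hop.owner == "customer":
            return i
    return -1


def placement_findings(path: List[Hop]) -> List[str]:
    """Return one finding per device that violates the placement rule:
    ISP-managed gear belongs upstream (before) the customer firewall, and
    customer-managed gear belongs downstream (after) it."""
    findings: List[str] = []
    boundary = boundary_index(path)
    if boundary == -1:
        return ["no customer-managed firewall found on the path"]
    for hop in path[boundary + 1:]:
        if hop.owner == "isp":
            findings.append(
                f"ISP-managed {hop.role} '{hop.name}' sits inside the firewall boundary")
    for hop in path[:boundary]:
        if hop.owner == "customer":
            findings.append(
                f"customer-managed {hop.role} '{hop.name}' is exposed upstream of the firewall")
    return findings


# Constructed sample data: the as-built chain from the question and the
# recommended one from this answer, with an assumed ownership map.
OWNERS = {
    "Firewall": "customer",
    "Router": "isp",
    "Distribution Switch": "customer",
    "Switches (3 of them)": "customer",
    "Client workstations and printers": "customer",
}
AS_BUILT = ("Internet-----Firewall-----Router------Distribution Switch"
            "------Switches (3 of them)------Client workstations and printers.")
RECOMMENDED = ("Internet-----Router-----Firewall------Distribution Switch"
               "------Switches (3 of them)------Client workstations and printers.")


def check(diagram: str, owners: Dict[str, str] = OWNERS) -> List[str]:
    """Parse a diagram and return its placement findings (empty list = clean)."""
    return placement_findings(parse_chain(diagram, owners))


if __name__ == "__main__":
    for name, diagram in (("as built", AS_BUILT), ("recommended", RECOMMENDED)):
        result = check(diagram)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run as a script it reports the as-built chain as having the ISP router inside the firewall boundary and the recommended chain as clean. The ownership map is the important input: the checker does not trust the label "Router" to mean "ISP-owned"; it only flags a device when the recorded owner contradicts its position relative to the customer firewall, which is exactly the line of responsibility the answer is drawing.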
epichero22 commented:
Well, you can look at your firewall as the club bouncer.  Rather than letting anyone in to pay the cashier the admission fee, he'll only let qualified clients inside.  That way the cashier doesn't have to spend time with people who can't pay.

The same thing holds true in this example: your firewall doesn't want the router to have the burden of handling bogus requests, but rather to have the router use its resources on requests that have passed some level of validity based on your firewall policies.
Soulja commented:
Proper design would have the firewall behind the ISP's router. This would allow the router to filter most traffic, allowing the firewall to only have to inspect traffic allowed past the router, thus not over-utilizing the firewall resources when not necessary.
Reyesrj (author) commented:
Thanks diverseit and all!

diverseit, I felt it was a bad idea to have the ISP inside of the firewall.  I just needed an expert opinion.  Everything you said makes sense!

Thanks All!
Blue Street Tech (Last Knights) commented:
Any was my pleasure!

I'm glad I could help and thanks for the points!