Firewall Location

Hi All,

Just a question about our firewall:

Our ISP controls our router.  We bought a firewall and the ISP techs placed the firewall outside the router.
So it looks something like this:

Internet-----Firewall-----Router------Distribution Switch------Switches (3 of them)------Client workstations and printers.

I have always been led to believe that the Firewall should be to the right (see above) of the router.

Could someone please clarify this for me?

Thanks in advance.

Well, you can look at your firewall as the club bouncer. Rather than letting anyone in to pay the cashier the admission fee, he'll only let qualified clients inside. That way the cashier doesn't have to spend time with people who can't pay.

Same thing holds true in this example: your firewall doesn't want the router to have the burden of handling bogus requests, but rather have the router using its resources on requests that have passed some level of validity based on your firewall policies.
Blue Street Tech (Last Knight) Commented:
Hi Reyesrj,

I respectfully disagree with @epichero22. Why would they [the ISP] provide a router if not to be the Customer-Premises Equipment (CPE) and source of the Internet?

If the ISP owns/manages the router, otherwise known as the CPE, it is typically located at the demarc and should be upstream from your firewall. That way you can draw a clear line of separation between your environment and theirs. This helps with where fault lies and also just basic flow & configuration issues, to name a few. The way you have it set up now not only doesn't make sense but also leaves you vulnerable to their management/configurations. If some half-bit technician or even a seasoned L2 makes honest changes without knowing who they are affecting, it can result in you being down! ISPs have bad L1 & L2 engineers like any other company. I have seen an ISP pumping 30x30 to a client when the client was under contract for 2x2 and not even realizing it. Albeit, that's a great mistake to have, but the point is you can't and shouldn't trust an ISP to handle/route your traffic after yours; it muddies the waters and is begging for trouble and additional liability IMO.

In summary, I have never seen a setup like this. Again, your firewall should be the beginning of *your* network in this instance (having the ISP router upstream from the firewall).

Let me know if you have any questions.

Soulja53 6F 75 6C 6A 61 Commented:
Proper design would have the firewall behind the ISP's router. This would allow the router to filter most traffic, allowing the firewall to only have to inspect traffic allowed past the router, thus not over-utilizing the firewall's resources when not necessary.
Reyesrj (Author) Commented:
Thanks diverseit and all!

diverseit, I felt it was a bad idea to have the ISP inside of the firewall.  I just needed an expert opinion.  Everything you said makes sense!

Thanks All!
Blue Street Tech (Last Knight) Commented:
Any was my pleasure!

I'm glad I could help and thanks for the points!