Solved

Utilize Firewall on ISR when you have an ASA

Posted on 2014-02-01
5
542 Views
Last Modified: 2014-02-02
Hi, I have a couple of probably quick questions:
1. When enabling CBAC firewalls on an ISR, IE the 2911 how much of a performance impact would you likely see? How Can i ultimately tell if it is affecting my performance or adding latency? My CPU is not high but i don't i believe that should be the only measure.

2. My setup is as follows: Public Internet > Router > ASA  > Internal Switch. At this point i have cbac enabled at the router as well as the ASA functioning as a firewall. Its a bit redundant but also complying with the "security in depth" model. If my performance can be increase by removing the firewall's at the router i think it maybe worth doing though and leaving all the firewalling to the ASA's which were designed to do that.

Thanks!
0
Comment
Question by:Psy4HA
  • 2
  • 2
5 Comments
 
LVL 26

Accepted Solution

by:
Soulja earned 400 total points
ID: 39827071
The impact of the CBAC on the router is really determined by how much traffic it has to actually inspect.  Cisco says that CBAC used 600bytes of memory per connection so you may want to take that in consideration. If  multi-tiered firewall is what you have to have I would probably put another ASA in the mix and just let the route do what it does best and route.

If you don't need mult-tier than just restrict as much traffic by ACL at the router and then any traffic that is allow is then inspected.
0
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 100 total points
ID: 39827981
I would suggest removing CBAC from the router and let the ASA do its intended job.
0
 

Author Comment

by:Psy4HA
ID: 39828452
Ok I should prolly tremove CBAC and implement control plane protection to protect router itself. Also thinking of adding an acl to public interfaces that permit all traffic but maybe only allow ssh from known Ips? If I add acl I think it's still cef switched and wouldn't add any load as I wouldn't needed inspection. Or maybe I do this all through cppr? Thanks all.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39828520
Yeah, as I stated. Use ACL's on the router to filter most traffic and then the traffic that is allowed in can be inspected by the ASA.
0
 

Author Closing Comment

by:Psy4HA
ID: 39828732
Looks like a good plan.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now