External Router Requirements Query

Jun 30th, 2008
Currently I am designing a simple network where I'm having an external router accept the internet link (RJ45 ethernet) and then create a zone between the external router and an ASA firewall. My question is what advantages can we gain by having this external router, and what would we lose if we took the internet connection straight into the ASA?

Please remember this is only for a medium-sized firm (>1500 employees) with only a single internet connection, possibly with a default route to our ISP.

I'm thinking of having a Cisco 2851 router and an ASA 5520.

Any help would be appreciated.



nelson-rick Mon, 06/30/2008 - 04:37

Quite simply, routers are faster than firewalls. A router is a relatively simple networking device designed solely to get packets from point A to point B. In terms of unit cost, it's generally much cheaper for a router to handle a packet than for a firewall to analyze it. Additionally, there are a lot of "junk" packets out there on the Internet, as a result of port scanning and other malicious activity.

With those facts in mind, most organizations choose to use a router as the first perimeter defense, implementing a simple rule set that blocks all unwanted traffic. For example, if the only acceptable inbound traffic is HTTPS and VPN activity, you could write a simple router rule set that allows those two ports (to any address) and blocks everything else. The firewall would then be responsible for more granular filtering, determining which specific hosts may receive HTTPS and/or VPN traffic, for example, and performing advanced analysis, such as stateful inspection and/or application-layer filtering.

It's possible, however, to bypass this norm. One approach that I've seen attempted in smaller organizations is to use only a firewall, dropping the router entirely. In that scenario, the firewall performs routing functions for the network. The primary benefit to such an approach is that it simplifies the environment, providing only one device that must be managed. It's not, however, a scalable design, as the cost quickly becomes prohibitive as network throughput rises.
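As an added example that is not part of this thread (and not Cisco's own reference configuration), here is the layered rule set the reply describes: the 2851 permits only HTTPS and IPsec VPN to any address and drops everything else, and the ASA then narrows HTTPS to one specific host. The interface names, the address 203.0.113.10 and the choice of IPsec (IKE + ESP) as the VPN protocol are assumptions.

```cisco
! --- External router (IOS): coarse perimeter filter on the Internet-facing interface ---
! Assumption: GigabitEthernet0/0 faces the ISP; "VPN" here means IPsec (IKE + ESP).
ip access-list extended OUTSIDE-IN
 remark Replies to TCP sessions opened from inside (ACK or RST set); stateless check only
 permit tcp any any established
 remark Services exposed to the Internet, to any address (the ASA decides which hosts)
 permit tcp any any eq 443
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark Everything else, including port-scan noise, is dropped here at router cost
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink (10 Mbit)
 ip access-group OUTSIDE-IN in
!
! --- ASA 5520: granular filter, only the named host may receive HTTPS ---
! Assumption: 203.0.113.10 (documentation range) is the public web server address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The `established` keyword covers TCP replies only; UDP replies (for example DNS answers to inside resolvers) need a reflexive ACL or CBAC (`ip inspect`) on the router, or the router rule set is kept coarser and the ASA's stateful inspection is what permits return traffic.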

dan_track Mon, 06/30/2008 - 05:29
Thanks for the detailed response. I'll bear much of it in mind. I've always been of the view that security can be best achieved through a layered defence. I'm going to put forward that we have both an external router for our 10Mbit internet link and a firewall.
