Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Best Pratice - Protecting your Core Router

What is the best practice for protecting your Internet Edge router? Is it best practice to put a firewall in front of your router, or just have the

router in front, and it's only job is to route. As far as attacks go, if it's on a public addressable network, it doesn't matter what device it is,

it can get attacked theortically.                  

Everyone's tags (4)
4 REPLIES
Gold

Re: Best Pratice - Protecting your Core Router

Hi,

on the public edge, attacks occure, the question is when it happenes how to deal with them.

On your device you have 3 area's to look after: Data Plane, Control Plane and Management plane. within each area you can limit the input / output traffic's src and dst to ur trusted ones. although you can take some protection measures for known attacks and worms, if there is any special attacks u r facing, u have to identify and avoid them with the tools available: NetFlow, ACL, uRPF, IP Source Tracker, QoS, RTBH, CoPP, etc.

of course some ppl pay tons of money for dynamic protection solutions, and some go on their own

plz Rate if it helped.

Soroush.



Hope it Helps!

Soroush.

Best Pratice - Protecting your Core Router

Thanks for your advise soro.

Super Bronze

Re: Best Pratice - Protecting your Core Router

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

As far as attacks go, if it's on a public addressable network, it doesn't matter what device it is,

it can get attacked theortically.                  

"... it doesn't matter ...", yes and no.  Firewalls generally default to blocking everything, you need to open them up for selected traffic.  "Normal" network routers generally default to allow everything, you need lock them down.

"Best practice" is generally using a firewall to protect your Internet edge as that's what the device is designed for.  However, a properly hardened router gains little benefit by being protected by a firewall but the firewall can better protect the rest of your interior network.  So, if you're going to have a firewall for the latter reason, it can make sense, if possible and practical, to also protect your Internet edge router too.

4319
Views
3
Helpful
4
Replies
CreatePlease login to create content