I have a predecessor of mine who has installed, for all our customers who have Internet access, ACLs for inbound and outbound Internet access preventing certain bad foreign IPs and DNS etc. A firewall is already in place so I am not sure why he had done this and it looks weird. I have never come across this when you have a firewall. A router should route and let the F/W do the filtering.
I have done this in a few setups. My reasoning is there is never enough security. I have filtered all unwanted traffic at the router and also analyze the wanted traffic at the firewall. Also you need some type of security on your router as well.
I'm generally in agreement with you -- firewalls are meant for packet filtering and routers are not, so I think it's usually wise to leave the filtering to the firewalls. Another issue is logging -- firewalls tend to have much better logging functionality than routers do. I'd much rather have unwanted packets hit a firewall instead of a router because I'm more likely to notice them in the logs this way. Packets dropped by edge routers will also never be seen by your IDS.
There are, of course, exceptions. Traffic to the edge routers themselves (TELNET, SNMP, BGP, etc.) obviously can't be filtered by the firewalls. This also applies to any devices that sit between the routers and firewalls. It may also be desirable to block traffic from bogus IP ranges (i.e., private addresses, unallocated addresses) at the edge so that it never has a chance to get onto your LAN and cause harm.
But for the most part, I agree that the firewalls should do the filtering. That's what they're there for.
The best practice (in my humble opinion) is to let the firewall do all the filtering, but with this I'm not saying that no ACL is needed on the router.
I would always create an ACL on the router which blocks malicious IPs or IP subnets (why let them reach the PIX) and also filter all directed broadcasts on the router to prevent your own site from being a so-called "amplifier" for a smurf attack.
Also you could filter IP spoofing from your network to the Internet on the router (but this can also be done at the PIX).
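As an added worked example (not from any poster in this thread), this is what the edge-router ACL described in this post and in the earlier one about bogus source ranges looks like in Cisco IOS syntax; the interface names and the 203.0.113.0/24 public block are placeholders.

```cisco
! Added example, not from the thread. Assumptions: GigabitEthernet0/0 faces the
! Internet, GigabitEthernet0/1 faces the PIX, and 203.0.113.0/24 (a documentation
! range used here as a placeholder) is the site's public block.
!
! Inbound from the Internet: drop sources that can never legitimately arrive from
! outside (RFC 1918, loopback, link-local, unspecified) and packets that spoof our
! own block, then hand everything else to the PIX for stateful filtering.
ip access-list extended EDGE-IN
 remark -- private / reserved sources should never come in from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark -- packets claiming to come from our own public block are spoofed
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- everything else is the firewall's job
 permit ip any any
!
! Outbound to the Internet: only our own block may leave (anti-spoofing), so
! hosts behind us cannot be used to spoof third parties.
ip access-list extended EDGE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
interface GigabitEthernet0/1
 description LAN side, toward the PIX
 ! refuse forwarding of directed broadcasts so this subnet cannot act as a
 ! smurf amplifier (the default since IOS 12.0, stated explicitly here)
 no ip directed-broadcast
 ! strict unicast RPF on the inside interface makes the same anti-spoofing
 ! check as EDGE-OUT without maintaining a static list
 ip verify unicast source reachable-via rx
!
! Verify the ACLs are applied and watch the deny counters to see what the
! router is dropping before it ever reaches the firewall:
!   show ip access-lists EDGE-IN
!   show ip interface GigabitEthernet0/0 | include access list
```

Strict uRPF is placed on the inside interface on purpose: on the Internet-facing interface, where usually only a default route points out, strict mode would drop legitimate traffic unless `allow-default` is added.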
Although I agree with the fact that main filtering has to take place on the PIX, I would also like to say that having the router in front of it filtering some unwanted traffic is the best way.
Main reason for this is that all traffic which arrives on the PIX does consume process memory on the PIX, so what's the use of routing traffic to the PIX which you do not need there?