There are a few different schools of thought on this. I'm in the "leave the filtering to the firewalls" camp, because firewalls are meant to filter traffic and routers are not. So unless there are hosts in between the routers and firewalls, I wouldn't put ACLs on the router other than to restrict management traffic (Telnet, SNMP, etc.) to the router itself.
I'm from the other school, which believes that every router should be locked down as far as possible to both protect the router and provide an extra layer of protection. In particular:
Routers outside the firewall should filter out all traffic coming in any port which does not make sense (inside source addresses in packets from the outside, inside destination addresses in packets from the inside, martian & broadcast source & destination addresses from anywhere, etc.).
Management traffic should only be accepted from inside addresses coming in from inside ports. Need access from the Internet? Set up an ssh server inside the firewall, ssh to it and telnet back to the router (or ssh if the router supports that). Even if the router supports ssh, force outside access to go through the firewall so you can detect someone knocking on the door.
Don't expect the router to protect you from anything, but do expect it to reduce the random noise the firewall is reporting so you can pay more attention to the firewall and have a better chance to detect real attempts to get in.
As always, your mileage may vary. For more on locking down routers, see Chapter 8 of my book, the numerous articles here on www.cisco.com, and search www.sans.org for cisco details.
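What the router-side filtering described above looks like on a Cisco IOS border router, as an added example that is not from the poster's book or the thread. It assumes a constructed inside network of 192.0.2.0/24 (the documentation range), GigabitEthernet0/0 facing the Internet and GigabitEthernet0/1 facing the firewall; substitute real prefixes and interface names.

```cisco
! Constructed example: inside network 192.0.2.0/24, outside on Gi0/0, inside on Gi0/1
ip access-list extended OUTSIDE-IN
 remark Drop packets claiming an inside source address but arriving from the Internet
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Drop martian / bogon sources: RFC 1918, loopback, link-local, "this" network, multicast, broadcast
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 remark Anything else is the firewall's job to judge; the router only removes the obvious noise
 permit ip any any
!
ip access-list extended INSIDE-IN
 remark Outbound anti-spoofing: only packets that truly originate from the inside prefix may leave
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Inside (toward firewall)
 ip access-group INSIDE-IN in
!
ip access-list standard MGMT
 remark Management sessions only from inside addresses; everything else is logged and refused
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT in
 transport input ssh
```

The `log` keywords on the deny lines are what turns the router into the noise reducer the post describes: spoofed and martian packets show up in the router's syslog and never reach the firewall's logs. Note that OUTSIDE-IN also prevents an outside host from reaching the vty lines with an inside source address, so the `access-class` on the vty is not relying on source-address honesty alone.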