Community Member

pros & cons of keeping the router as a separate device from firewalls

An in-house client has pressed the question of why is it a good idea to keep the router and firewall as separate devices, even though some firewalls can perform routing functionality.

Other than keeping clear distinctions for troubleshooting failures and concern of processor load in large networks, please list - with descriptions - other pro's for this type of network design.

8 REPLIES
Bronze

Re: pros & cons of keeping the router as a separate device from

Well I think you addressed the main points. For us, performance was a big issue. The PIX had outstanding performance numbers probably because it doesn’t route. Also, we don’t own the Internet router so I didn’t trust my ISP to configure the firewall features on it to meet my security design. Can anyone else think of any other reasons?

Re: pros & cons of keeping the router as a separate device from

I would think that what has been listed is enough, but I have never seen a firewall with routing ability that can match the performance and flexibility of 2 dedicated systems. Hey Horace, can you knock a few bucks off my bill for me?

Community Member

Re: pros & cons of keeping the router as a separate device from

Thanks for the reply and I can't do much for my own bill. Wouldn't that make a nice holiday gift?

Community Member

Re: pros & cons of keeping the router as a separate device from

Maintaining a perimeter router in front of a firewall is a sound practice and one that I learned from Cisco recommendations years back. This creates one more point that an intruder has to breach before he even begins on the firewall. If correctly configured for security (services turned off, access-lists, etc.) then the perimeter router usually deters the novice hackers who make up the majority of perimeter breach attempts.

In addition, if your internal network includes multiple subnets which require traffic handoff, then I always maintain an internal router behind my PIX. This allows for a cleaner handoff to remote subnets on my own network without taxing the PIX. The PIX is a very fast Internet device, but it is not a router.

Community Member

Re: pros & cons of keeping the router as a separate device from

Cisco wrote a paper (URL below) that sort of lists the differences or when you may consider one box vs separate devices... Fred

http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/flrrr_ov.htm

Community Member

Re: pros & cons of keeping the router as a separate device from

I'll definitely spend a little time with this URL. Thanks for the useful information.

Community Member

Re: pros & cons of keeping the router as a separate device from

I'd recommend using a router with the firewall feature set as the outside device, backed up by a firewall-only device between the router and LAN. That gives another layer of protection.

Community Member

Re: pros & cons of keeping the router as a separate device from

It's a good practice to keep the ISP router and private network firewall separate because the perimeter router, apart from normal duties, can be used for limiting outbound ping and inbound TCP SYN, and for filtering per RFC 1918 and RFC 2267. An enterprise network would typically look like this:

Perimeter router running BGP

Perimeter firewall with more throughput

Internal firewall with more functionality & features for protecting internal segments

Regards....Ketan Chaudhari, CCSA, CCNP, MCSE
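As an added illustration of the perimeter-router duties described in the reply above (not configuration posted by any participant in this thread), here is what that filtering looks like as Cisco IOS access lists. It assumes a constructed site prefix of 203.0.113.0/24, a single published web server at 203.0.113.10, and an ISP-facing interface named Serial0/0; adjust all three to the real network.

```cisco
! Constructed example: ISP-facing interface of the perimeter router.
! Site prefix 203.0.113.0/24 and host 203.0.113.10 are placeholders.
!
! Inbound from the Internet
ip access-list extended EDGE-IN
 remark RFC 2267 anti-spoofing: nothing from outside may claim our own prefix
 deny   ip 203.0.113.0 0.0.0.255 any
 remark RFC 1918 private ranges never arrive legitimately from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Inbound TCP: only replies to sessions we opened (ACK/RST set),
 remark so an unsolicited inbound SYN is dropped before it reaches the firewall
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark New inbound connections only to the published web server
 permit tcp any host 203.0.113.10 eq 80
 remark Log whatever is left so the firewall behind us sees a cleaner feed
 deny   ip any any log
!
! Outbound toward the Internet
ip access-list extended EDGE-OUT
 remark RFC 2267 egress side: only our own addresses may leave this site
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! Outbound ICMP echo is rate-limited rather than blocked outright
access-list 102 permit icmp any any echo
!
interface Serial0/0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 rate-limit output access-group 102 64000 8000 8000 conform-action transmit exceed-action drop
```

Check the effect with `show ip access-lists EDGE-IN` after some traffic has passed; hit counts on the RFC 1918 and anti-spoofing lines are normal background noise, while hits on the `established`-bypassing web-server line should match only real client connections.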
