Screening router
DCD
Member Posts: 475 ■■■■□□□□□□
Should you use a router in front of your firewall ? And why would you in the first place? I've seen it a couple of time but nobody can say why it was done.
Comments
-
pevangel
Member Posts: 342
I know one reason is because ASAs don't support BGP. I don't know if any newer ones do, but most customers that I've dealt with have ASAs that don't support BGP. -
Jobene
Member Posts: 63 ■■■□□□□□□□
Asa X does
I always put a router in front ( with hardening ) and than behind the asa!
Pro: less performanceproblems on the asa
Con:You need Publicaddresses between router and asa for nat -
docrice
Member Posts: 1,706 ■■■■■■■■■■
Plus if you do some basic filtering on the router interfaces, you reduce the amount of random Internet radiation (automated portscans, etc.) from hitting your firewall and creating excessive log noise, which in turn helps make your logs easier to parse, store, and ultimately read.
It does mean an additional hardware in the path which can have problems, of course.Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/