Router and Firewall Configuration
My setup is a standard router and firewall, with both a private network and a DMZ hanging off the firewall.
The router and the firewall can both block packets and can both do NAT. I assume that offloading one of those devices puts more load on the other.
Where does it make sense to do which function? Are there any practical guidelines or best practices out there? For example, my DMZ contains a public webserver. Do I give it a private non-routable address and then NAT it to a public address at the firewall or at the router? On the other side, do I block all non-routable addresses at the router or at the firewall or both? What are the trade-offs?
Software/Hardware used:
Software/Hardware used:
ASKED:
May 25, 2005 3:13 PM
UPDATED:
May 30, 2005 1:39 AM
RELATED QUESTIONS
Answer Wiki:
Hi,
Assuming your router and your firewall have both more than two interfaces, and you have enough IP addresses I will configure the Internet access like this:
ISP
!
Router
!
Firewall
! !
Internal DMZ
On the router I will setup some inbound and outbound access list to block the traffic (inbound only ICMP Echo, no IP packet with private address as source, ...).
On the firewall I will setup NAT and block all unecessary traffic until the layer 7 (have a proxy fnction)
Like this it will be easier to put an IDS between the router and firewall and the traffic analysis will be easier. This allows you also to put a host "in Internet" behind the router, but in front of the firewall. In a later time you could also add a second firewall (or VPN Concentrator) to terminate your VPN).
I hope these lines will help you.
Regards
To see all answers submitted to the Answer Wiki: View Answer History.
Remember, security in layers! Here’s the setup I did when I use to manage ISP/Firewalls/Internet Security:
ISP Router was setup to block all ‘private’ IP addresses, the ones that shouldn’t be out there anyway but are because the hackers spoof them. No NAT on the ISP router, just ACLs. I also blocked ports at the ISP that shouldn’t be coming in from the Internet; basically allowed HTTP, FTP, POP3, SMTP, etc.
My firewall ran Static NAT to the web/mail server(s) in the DMZ, allowing only the specific ports to the specific machines that needed them and blocking everything else destined for the DMZ. From the DMZ to the internal network was the same thing: blocking everything coming from the DMZ except the ports specifically needed and coming from the specific machine.
Finally, my firewall ran Dynamic NAT to the internal network. Everything blocked except what was needed.
There are few design considerations
1- what is the your network traffic ? If the traffic is heavy and I would suggest NAT at the FW level, generally the FW appliance have better CPU and network handling power
2- What is the plan for the fail over and redundancy of the firewall? If you are planning to have dual firewall, it is better to do restrict the NAT to firewall level.
and what FW appliance or solution you are choosing ?
Dharminder Dargan