
Thread: Uses of edge routers?

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    22

    Uses of edge routers?

    Newbie to security and currently trying to design my home network. I came across an article that stated edge routers should be the first layer of defense, and then it went on in marketing-hype fashion about Cisco IOS Firewall Feature Set.

    This had me a bit confused. Is there any real use to having an edge router? I mean some point out that it relieves the load on the firewall itself, but then the edge router would still be congested wouldn't it? If it does packet inspection / filtering, wouldn't it be acting in similar fashion to a firewall? But quite a few sources say an edge router should be the first layer of defense.

    Wouldn't it be easier, not to mention less expensive, to not place an edge router and instead have the firewall in its place?

  2. #2
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Wouldn't it be easier, not to mention less expensive, to not place an edge router and instead have the firewall in its place?
    A fair amount of decent routers are inexpensive now. Add to that, most routers don't require any type of configuration for the firewall.
    Most routers I've seen have two rules (out of the box):
    1) Allow all LAN traffic outbound
    2) Deny all WAN traffic inbound
    This provides a basic level of protection right out of the box (granted it provides no security for a "leaky" computer). Add Network Address Translation (NAT) to that, and you've got a nice layer of security with basically no configuration.
    As for handling the load, most routers these days are quite adept at handling internet traffic. A router should have no problem handling the traffic of your home network.
    Also, while most routers are capable of SPI, I wouldn't just chalk it up as the same thing as a firewall. Routers possess a great deal of other functions outside of monitoring traffic. Overall, I'd say that with the low cost of most routers these days, it wouldn't be a bad idea to get one and use it as the first layer in your perimeter security.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If you are a home high speed user, you essentially already have this with the cable/dsl modem. Have a look at the ruleset on that device (if you can view it). On mine, it has several default filtering rules and a variety of others. The "High Security" canned ACL set is exactly what Shag pointed out. Inbound deny all. Outbound allow all.

    Once you add your SOHO router/firewall device, you have formed a perimeter network between your cable/dsl modem and the outside interface of your SOHO router/firewall and then you have a relatively secure internal LAN behind that SOHO router/firewall. You can tweak and tune accordingly. Do so only if you know what you're up to though.

    As pointed out, modern networking gear is VERY capable of keeping up with load.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    As you noted the perimeter router relieves the load on the firewall.

    I think the assumption is that a firewall is going to have larger ACL lists than a router. The larger your ACL list, the more processing power required. So if your firewall were at the perimeter it would see just as much traffic as a router but would use more resources processing it.

    This would only be necessary in a corporate environment, as the typical SOHO would not have complicated ACLs set up.

  5. #5
    Senior Member alakhiyar's Avatar
    Join Date
    Dec 2006
    Location
    Land of Oryx
    Posts
    255
    There are a couple of ways you can set up layered security for a LAN with publicly accessible resources, such as HTTP, FTP, DNS, SMTP relay, etc... The easiest and most affordable way to do it is to buy a firewall with DMZ support. That way, you can put all the public servers inside the DMZ and it will basically act as a dead end between the public network and the private LAN. Most higher-end firewalls have great support for DMZs, but most of the lower-end simple NAT firewalls don't really bring what's needed to support medium to large scale enterprises. The basic technology is the same between high-end and low-end firewalls, but high-end firewalls have a lot more features that you can take advantage of in order to make your LAN and DMZ more secure from each other. A true DMZ doesn't allow any traffic from the DMZ to enter the LAN zone; however, the LAN zone can access the entire DMZ.

    The other way you can do it, if you can't take advantage of built-in DMZs, is to have two firewalls, one in front of the other. That way, you can create a type of physical DMZ, if you will, that has the public servers running behind the first standard firewall with the private LAN on the other side of the second, more high-end firewall. In both cases you are accomplishing the same task: separating the public resources from the private resources. If you don't need to have any public resources, then all you need is a good firewall in front of the LAN... or you can throw in the dreaded "honeypot" behind that firewall for noob hackers. Many times people like to try and attack the DMZ, which is all fine and dandy, but the real prize is the LAN that sits right next to it untouched. That is why you should always get a decent dedicated firewall.
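    The following is an added example, not code from any post in this thread. It models, as a small stateful policy evaluator, the two rules ShagDevil lists in post #2 (allow all LAN traffic outbound, deny all WAN traffic inbound, with stateful inspection letting reply traffic back in) together with the "true DMZ" rule from post #5 (the LAN can reach the whole DMZ, the DMZ cannot initiate anything into the LAN). The zone address ranges, the set of services the DMZ publishes to the internet, the outbound services the DMZ is allowed, and every sample packet are constructed assumptions; NAT is left out so the zone decision stays visible.

```python
"""Three-zone (WAN / LAN / DMZ) stateful policy evaluator.

Added example, not code from the original thread. Zone ranges, the
published DMZ services and all sample packets are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed zone map (assumed RFC 1918 ranges); any other address is WAN.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.100.0/24"),
}

# Services the DMZ publishes to the internet (assumed: web, mail relay, DNS).
DMZ_PUBLIC = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53)}

# Inter-zone policy for NEW connections only; a missing key means deny.
# "any" allows every proto/port, a set allows only the listed services.
POLICY = {
    ("LAN", "WAN"): "any",        # rule 1: allow all LAN traffic outbound
    ("LAN", "DMZ"): "any",        # LAN may manage everything in the DMZ
    ("WAN", "DMZ"): DMZ_PUBLIC,   # internet reaches published services only
    ("DMZ", "WAN"): {("udp", 53), ("tcp", 80), ("tcp", 443)},  # assumed: DNS/updates
    # ("WAN", "LAN") and ("DMZ", "LAN") are deliberately absent: deny.
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


class StatefulFirewall:
    """Accept packets that belong to a known flow (stateful inspection) or
    that the zone policy permits as a new connection; drop everything else."""

    def __init__(self):
        self.flows = set()  # established 5-tuples, stored in both directions

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def decide(self, p: Packet) -> str:
        if self._key(p) in self.flows:
            return "ACCEPT (established)"
        rule = POLICY.get((zone_of(p.src), zone_of(p.dst)))
        if rule == "any" or (rule is not None and (p.proto, p.dport) in rule):
            # Record both directions so the reply is accepted by state,
            # not by a separate "allow inbound" rule.
            self.flows.add(self._key(p))
            self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "ACCEPT (new)"
        return "DROP"


def run_scenarios() -> dict:
    """Constructed traffic: one LAN host, one DMZ web server, one internet host."""
    fw = StatefulFirewall()
    lan, dmz, wan = "192.168.1.10", "192.168.100.10", "203.0.113.5"
    r = {}
    # 1. LAN browses the internet; the reply is accepted by state only.
    r["lan_out"] = fw.decide(Packet("tcp", lan, 40000, wan, 443))
    r["lan_out_reply"] = fw.decide(Packet("tcp", wan, 443, lan, 40000))
    # 2. Unsolicited inbound from the internet to a LAN host (rule 2): dropped.
    r["wan_to_lan"] = fw.decide(Packet("tcp", wan, 5555, lan, 445))
    # 3. Internet reaches the published web server, but not SSH, in the DMZ.
    r["wan_to_dmz_web"] = fw.decide(Packet("tcp", wan, 5556, dmz, 80))
    r["wan_to_dmz_ssh"] = fw.decide(Packet("tcp", wan, 5557, dmz, 22))
    # 4. A compromised DMZ host tries to pivot into the LAN: dropped.
    r["dmz_to_lan"] = fw.decide(Packet("tcp", dmz, 1234, lan, 445))
    # 5. LAN admins may SSH into the DMZ; the reply rides on state.
    r["lan_to_dmz"] = fw.decide(Packet("tcp", lan, 40001, dmz, 22))
    r["lan_to_dmz_reply"] = fw.decide(Packet("tcp", dmz, 22, lan, 40001))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

    The point worth noticing in scenario 4 is that the DMZ host's attempt to reach the LAN is dropped even though the LAN is allowed to open connections to it: the policy table has no ("DMZ", "LAN") entry, and only flows the LAN initiated exist in the state table. That asymmetry is what makes the DMZ a dead end rather than a second LAN segment.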

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    22
    I guess I should've clarified some things. I'm aware of the low cost of consumer routers and such as well as the default settings, but from a network design point of view, aren't edge routers redundant? For instance, some sources state that the design should start out like so:

    Internet --- Edge Router --- Firewall --- Router ( Internal Network )

    Now what is the value of the edge router there? I'll just argue my thinking against the "advantages":

    1) Relieves load on firewall :
    Ok so what? Even if you relieve the load on the firewall, the edge router is still picking up that same load. If, let's say, a DDoS attack locks up a firewall, wouldn't it do the same for an edge router with ACLs?

    2) Acts as a choke point:
    Well the firewall without an edge router in front of it acts as a choke point too. Again if any attacks were to lock up a firewall....yada yada yada.

    3) Another layer of security:
    Isn't this more of an additional layer of headache? Support for another additional piece of hardware. Although I would be wrong in this case if the above were wrong also.

    As for the DMZ, well there is a 3rd way if the firewall doesn't have a 3rd port. I haven't tried it myself, just on paper. A VLAN could be set up with some ACLs that can act in a similar manner as a firewall with a 3rd port for the DMZ.

  7. #7
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Hi,
    I think there is a slight confusion in terms. Normally, for me, the edge router is nothing more than the last network element on your network before you go to the public network (internet). You can have a firewall on it or behind it. For example, my edge router is my old Linksys. It has a built-in firewall and a DMZ. The performance is more than adequate for my home network.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)
