Hello,
What is the advantage of putting the router before the firewall and the internet? Or what is the purpose of this setup?
thx
You will have to protect the router very well. Router compromised = being hacked!
Sometimes needed, like for a Fortigate cluster (only with active-active cluster!) as firewall, that would not negotiate the DHCP lease properly with the ISP’s cable modem.
Also done to give a dedicated fixed IP address to the firewall for each connection, when multiple connections (with multiple cable modems) to the same ISP have a dynamic IP address only (in the same subnet).
The router may be able to handle IP protocols that the firewall cannot. (Like login with mixed “untagged and VLAN=0” tagged packets.)
This topology makes sense if your router can’t do the required firewalling and the firewall is unable to do the required routing. Typical for NGFW or IPS: these systems need to see the data flowing, including the client’s IP, therefore if they are before the router, the client’s IP might be NATted, and in that case it will be hard (or impossible) to detect a threat. Also, once it is behind the router, it will see data flowing through VPN and other tunnels, therefore if there is a threat coming from your branch or remote site, it can detect it and protect you.
The router will always be sufficiently protected from the internet: with a few crude rules you can block everything. You don’t need a “smart” firewall to protect the router (e.g. to do some DPI and other high-level stuff…). But you may need a “smart” firewall to detect traffic going to your clients or even FROM your clients.
Router will always be sufficiently protected from the internet - with a few crude rules you can block everything.
Be careful with that router! There is no security if you do not process the logs and alerts. (Ethical hackers first compromise the upfront router, and change the DNS flow.)
Just imagine if your ISP gets hacked… everything that it feeds into now becomes vulnerable, hence regardless of what we do, we rely on the expectation that the ISP is not hacked.
Similarly we have to protect the router as it feeds into our LANs. That is also why most of the MT routers come with a default set of firewall rules, mostly to protect the router.
For that matter, the internet got hacked when DARPA let in businesses back in the early 1990s.
How can you prove we are not in a simulation???
But I know we are in a simulation, there’s serious literature proving it. Vogons are about to start building that hyperspace bypass…
Good point, but that applies to every device, no matter if it is in front or behind the firewall.
If the router is correctly set up, it will not have any interface open to the wild, therefore nothing can be hacked. (Let’s ignore the possibility that there is a vulnerability in the router’s firewall; in such a case we are not safe no matter what we do.) So far, all of Mikrotik’s vulnerabilities were in management processes, and devices with proper firewall rules were never actually vulnerable.
If the router is not correctly set up (remember, every few weeks there is someone asking how to open the winbox port to the internet?), then it will be open to the wild and the firewall will not change anything, because if someone willingly opens a management interface to the internet, they will almost certainly make an exception in the firewall.
Actually, putting the firewall BEHIND the router has a chance of improving the security of the router, because it may detect brute-force attacks on the router from within the LAN. We can safely assume that the router’s management interface is open to the LAN or management LAN and therefore potentially vulnerable to attacks from inside the company. And if not the management interface, then certainly some other service, for example DNS.
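A RouterOS input-chain policy of the kind the replies above describe (a few blunt rules, management reachable only from the LAN side, refused attempts logged so they can be reviewed), written as an added example and not any poster’s configuration; the interface names ether1 and bridge and the management subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example, not configuration from this thread. Assumed layout:
# ether1 faces the ISP, "bridge" is the LAN, management hosts sit in
# 192.168.88.0/24. Goal: no router service reachable from the WAN side.

/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

/ip firewall filter
# Replies to sessions the router itself opened (updates, NTP, DNS lookups).
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# ICMP keeps path-MTU discovery and troubleshooting working.
add chain=input action=accept protocol=icmp comment="accept ICMP"
# Management only from the management subnet, and only via a LAN port.
add chain=input action=accept in-interface-list=LAN src-address=192.168.88.0/24 protocol=tcp dst-port=22,8291 comment="ssh/winbox from mgmt subnet"
# LAN clients may use the router as their DNS resolver.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS from LAN"
# Log each refused new attempt (LAN-side brute force included), then drop.
# There is deliberately no WAN accept rule above this line.
add chain=input action=log connection-state=new log-prefix="INPUT-DROP " comment="log refused input"
add chain=input action=drop comment="drop everything else"

# Second layer: even if someone later adds a filter exception, the services
# themselves only answer the management subnet, and unused ones are off.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl
```

Watch for the INPUT-DROP prefix in `/log print` or on a remote syslog target; a burst of entries from one LAN address is the brute-force pattern the post above says a firewall behind the router would catch.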
Not that hard to imagine. It won’t be any different than every other MITM attack. That’s why we have encryption almost everywhere nowadays, right?
(talking about firewalls, are we? Last year I found Cisco ASA 5505 configured to strip the encryption tag from the SMTP handshake, so our email server never established an encrypted communication with the counterpart…)