Firewall versus Router for WAN

By jim_bierlein ·
I am at a company where they are using a firewall to protect the DMZ from the LAN and an ACL-based router to protect the DMZ from the internet. I think this is backwards for many reasons but am trying to find best practice documentation to support my claims. Anyone have anything solid on this or am I off base?

by mshavrov In reply to Firewall versus Router fo ...

It's OK, and in this situation it's better than having them swapped. Just consider this:

You have a firewall protecting your DMZ from the Internet and a router between the DMZ and the LAN. A hacker is trying to break into the company's web server in the DMZ. The firewall will permit these connections since it's legitimate traffic (HTTP to port 80). Now say the hacker broke the web server and he's in there, having full control over the box. Now he just uses that host to surf over your LAN.

In general, a better idea is to use a 3-interface firewall (what most people do). And another rule: you use higher protection in places which are more valuable. If somebody gets into the DMZ, what does he get? And what will he get if he breaks into your LAN?

Good luck,

Michael Shavrov
CCNP, CCDP, CCSP, MCSE W2K, Checkpoint CSSA, Security+
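
The 3-interface firewall layout recommended in the reply above, sketched as an nftables forward policy. This is an added example, not part of the original post; the interface names and the web server address are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example: three-legged firewall (Internet / DMZ / LAN).
# Interface names and the server address below are assumptions.
flush ruleset

define IF_WAN  = "eth0"        # Internet-facing leg
define IF_DMZ  = "eth1"        # DMZ leg (public web server)
define IF_LAN  = "eth2"        # internal LAN leg
define WEB_SRV = 192.0.2.10    # documentation-range address for the DMZ web server

table inet filter {
    chain forward {
        # Default deny: anything not matched below is dropped,
        # including DMZ -> Internet and Internet -> LAN.
        type filter hook forward priority 0; policy drop;

        # Stateful handling: allow replies to connections permitted below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTP to the web server.
        iifname $IF_WAN oifname $IF_DMZ ip daddr $WEB_SRV tcp dport 80 ct state new accept

        # LAN -> DMZ: connections initiated from the inside are allowed.
        iifname $IF_LAN oifname $IF_DMZ ct state new accept

        # DMZ -> LAN: a DMZ host may never open a connection inward.
        # Logged and counted, because any hit here suggests a DMZ host
        # is misconfigured or compromised.
        iifname $IF_DMZ oifname $IF_LAN ct state new log prefix "dmz-to-lan-drop: " counter drop
    }
}
```

The explicit DMZ-to-LAN drop rule is redundant with the default policy; it exists so that attempts from the DMZ toward the LAN show up in logs and counters.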

by jim_bierlein In reply to

Thanks, you make sense and I understand why this is acceptable.

by jim_bierlein In reply to Firewall versus Router fo ...

This question was closed by the author
