For today we will be talking about Perimeter Router, Internal Router and Firewall.
Firstly, what is a Perimeter Router? It is the point of connection between the inside of the network and the outside world. Typically, an ISP is at the other end of that connection, and then the Internet.
The perimeter router is responsible for filtering outside traffic to implement basic security for the dirty DMZ, and it also provides the primary filtering for the inside network. The perimeter router could also be running the firewall feature set for additional security options.
Since the perimeter router is usually connected to a slower WAN interface on one side and doesn't provide routing functions for internal networks, the LAN interface speed isn't as important as making sure decent memory and features exist to handle the outside connection. Even if the inside network is 100MB and all protected DMZ interfaces are full-duplex 100MB, if the Internet connection is a T1 (1.54MB), then a 10MB LAN interface on the perimeter router shouldn't be a bottleneck for traffic. Even most DSL or cable connections would be below 10MB.
Although bandwidth issues are important, feature sets are more important on perimeter routers. Routers down to the 800 series support access lists, firewall features, and so forth, making low-end devices attractive in some perimeter implementations. If intrusion detection features are needed, though, the firewall feature sets for devices below the 2600 series do not include intrusion detection. Thus, while a 1700 or 2500 device might be able to handle the traffic, it will not provide intrusion detection services.
Next, a firewall is a device that separates or joins the internal network to the dirty DMZ and any optional protected DMZs. The firewall can be a router running the firewall feature set, a specialty server with two or more NICs in different networks, or a specialty device like the Cisco PIX that does nothing except provide firewall services. While suitable applications exist for each type of firewall, it is best to use a dedicated device performing only security features, and leave routing and serving to other devices.
Unsolicited access from the outside directed to the inside would typically be blocked. Certain well-thought-out exceptions and configurations could be created so that e-mail server(s) residing on the inside network, instead of in the DMZ, could still exchange e-mail. Securing this type of connection is covered in the firewall chapters.
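To make the filtering policy described above concrete, here is an added example (my own illustration, not code from the post or from the Cisco book it summarises) that models a perimeter filter with three zones: outside, dirty DMZ and inside. It records inside-initiated sessions so that replies are let back in, blocks unsolicited outside-to-inside traffic, permits one deliberate exception (SMTP to a mail server kept on the inside), and limits outside-to-DMZ traffic to published services. All addresses and the rule set are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumption, not taken from the page).
INSIDE = ip_network("10.0.0.0/8")        # protected inside network
DMZ = ip_network("192.0.2.0/24")         # "dirty" DMZ reachable from the Internet
INSIDE_MAIL = ip_address("10.1.1.25")    # mail server kept inside instead of in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000


def zone(addr):
    """Classify an address into the three perimeter zones."""
    a = ip_address(addr)
    if a in INSIDE:
        return "inside"
    if a in DMZ:
        return "dmz"
    return "outside"


class PerimeterFilter:
    """Simplified model of the perimeter policy: inside may initiate anything,
    outside->inside is denied unless it is a reply or an explicit exception,
    outside->DMZ is limited to published services, DMZ->inside is denied."""

    # Services the DMZ publishes to the Internet (constructed assumption).
    DMZ_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25)}
    # Deliberate exception: SMTP delivered straight to the inside mail server.
    INSIDE_EXCEPTIONS = {(INSIDE_MAIL, "tcp", 25)}

    def __init__(self):
        # Sessions opened from the inside: (in_host, in_port, remote, remote_port, proto)
        self.sessions = set()

    def is_reply(self, p):
        """A packet toward the inside is a reply if it mirrors a recorded session."""
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions

    def decide(self, p):
        src_zone, dst_zone = zone(p.src), zone(p.dst)
        if src_zone == "inside":
            # Remember the outbound session so the answer can come back.
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "permit"
        if dst_zone == "inside":
            if self.is_reply(p):
                return "permit"
            if (ip_address(p.dst), p.proto, p.dport) in self.INSIDE_EXCEPTIONS:
                return "permit"
            return "deny"  # unsolicited traffic toward the inside
        if src_zone == "outside" and dst_zone == "dmz":
            return "permit" if (p.proto, p.dport) in self.DMZ_SERVICES else "deny"
        if src_zone == "dmz" and dst_zone == "outside":
            return "permit"  # DMZ servers answering Internet clients
        return "deny"


def run_trace():
    """Run a constructed packet trace through the filter; returns the decisions."""
    f = PerimeterFilter()
    trace = [
        ("inside client opens HTTPS to Internet", Packet("10.5.5.5", "198.51.100.7", "tcp", 443, sport=51000)),
        ("reply to that session", Packet("198.51.100.7", "10.5.5.5", "tcp", 51000, sport=443)),
        ("unsolicited RDP to inside host", Packet("198.51.100.9", "10.5.5.5", "tcp", 3389)),
        ("SMTP to inside mail server (exception)", Packet("198.51.100.9", "10.1.1.25", "tcp", 25)),
        ("HTTP to DMZ web server", Packet("198.51.100.9", "192.0.2.10", "tcp", 80)),
        ("SSH to DMZ web server", Packet("198.51.100.9", "192.0.2.10", "tcp", 22)),
        ("DMZ host reaching into the inside", Packet("192.0.2.10", "10.5.5.5", "tcp", 445)),
    ]
    return [(desc, f.decide(p)) for desc, p in trace]


if __name__ == "__main__":
    for desc, verdict in run_trace():
        print(f"{verdict:6} {desc}")
```

The session table is what turns the "unsolicited" rule into something enforceable: without it the router could only choose between blocking all inbound traffic (breaking every inside-initiated connection) or opening high ports wholesale. Running the block prints one verdict per trace entry.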
A typical firewall device has two or more LAN interfaces: one each for the inside and outside networks. Optionally, an additional LAN interface can exist for each protected DMZ network.
Resources: http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+5+Securing+Cisco+Perimeter+Routers/Perimeter+Router+Terms+and+Concepts/