Network scenario: I have a typical enterprise network, meaning

ISP > Edge Router > Firewall|DMZ > Switch > LAN

I know there are several debates about what device comes first, but based on a typical medium-size office (500 people), what should come first in the network architecture: the firewall or the router?

My thought was that the router should come first because the IOS firewall would be the first line of defence, then a Palo or Sonicwall for the firewall would come next to take what's left.

schroeder
errMSG

1 Answer

ISP->Edge Router->Firewall->Main Switch->LAN is fine. That even helps if you have complex routing configurations like xGRP tunnels. It also helps in multi-WAN scenarios. Your objective is to protect your internal infrastructure, not the Edge Router itself. Any edge router should support extended ACLs, so if you want to protect against something very specific you can do it anyway.

The only case where you should put a firewall in front of the router is when you have type-specific targeted attacks (using exploits, etc.) against that particular router model, but that is a very rare case.

Overmind
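To illustrate the "extended ACL on the edge router" point from the answer above, here is an added example of what that first line of defence typically looks like on a Cisco IOS edge router in the ISP > Edge Router > Firewall layout. This is example configuration written for this page, not configuration posted by the answerer or taken from any vendor document. The addresses (203.0.113.0/29 from the RFC 5737 documentation range), the interface name, the management subnet and the ACL names are all constructed assumptions; substitute your own. The idea is that the router only does cheap, stateless filtering (drop packets aimed at the router's own management plane, drop obviously spoofed sources, pass everything else to the stateful firewall), so the firewall behind it remains the device that actually inspects traffic.

```cisco
! Edge router, inbound filter on the ISP-facing interface (assumed addresses)
! Router WAN address: 203.0.113.1 /29   Firewall outside address: 203.0.113.2
ip access-list extended EDGE-IN
 remark -- Anything the router itself needs from the ISP side goes here, above the deny
 remark -- (e.g. permit a BGP peer or ICMP echo); nothing is assumed in this example
 remark -- Protect the router's management plane: nothing from the Internet to the router IP
 deny   ip any host 203.0.113.1
 remark -- Drop packets with spoofed private source addresses
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark -- Everything else is handed to the stateful firewall's outside interface
 permit ip any host 203.0.113.2
 remark -- Explicit final deny with logging so drops show up in syslog
 deny   ip any any log
!
interface GigabitEthernet0/0
 description WAN uplink to ISP (assumed interface)
 ip address 203.0.113.1 255.255.255.248
 ip access-group EDGE-IN in
!
! Restrict remote management of the router to an internal admin subnet (assumed)
ip access-list standard MGMT-HOSTS
 permit 10.10.50.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The two pieces do different jobs: EDGE-IN stops Internet hosts from talking to the router at all, which is the cheap way to address the "targeted attacks against that router model" case without moving the firewall in front of it, while MGMT-HOSTS on the VTY lines means that even traffic arriving from inside the LAN can only reach the router's SSH service from the admin subnet. Because the ACL is stateless, it does not track sessions; that remains the firewall's job, which is exactly why the order ISP > Edge Router > Firewall works.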