Ju Kong Fui,

Using a firewall behind a perimeter router allows you to implement "defense 
in depth", or multiple barriers between your protected network and the 
public Internet.  Using this "defense in depth" strategy you can implement 
a portion of your security or access control policy on the router and a 
portion on the firewall.  For example, you can screen various IP subnets or 
protocols using a access control list (ACL) at the router, and then track 
the state of allowed connections at the firewall.

Comparing an IOS router with the IOS firewall with a "pure firewall" such 
as the PIX behind a perimeter router, I'd suggest that same strategy.

One issue that sometimes comes up is the need to be able to run an "ED" 
(Engineering Distribution) or "LD" (Limited Distribution as compared to 
"GD" or General Distribution) IOS image on the perimeter router to support 
the feature requirements of your Internet connection.  All versions of IOS 
code support standard and extended access control lists (ACLs).  There are 
versions of code that do not support the IOS firewall.

For example, if you needed to install a new version of IOS (that did not 
support IOS firewall) to use a new serial interface feature, you'd be 
taking down your only firewall.

I hope this helps.

Regards,

Brian


>Date: Wed, 31 Jan 2001 09:09:14 +0800
>From: Ju Kong Fui <[EMAIL PROTECTED]>
>Subject: Difference between a firewall and a perimeter router
>
>Hi everybody,
>
>I am new to firewalls and I wonder why we need a firewall behind a perimeter
>router. As far as I know, we can filter most of the malicious traffic
>using the perimeter router itself, for example a Cisco router with IOS.
>
>Comparing a Cisco router with the firewall version of IOS and a pure firewall
>behind a perimeter router, which of them offers more safety?
>
>Please help. Thanks.
>- -
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
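
The split described in the reply above (subnet and protocol screening in a router ACL, connection state tracked at the firewall) can be modelled in a few lines. This is an added example, not part of the original message and not Cisco configuration; the addresses, ports and policy are constructed, and the model applies both checks to every packet in router-then-firewall order for simplicity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    inbound: bool  # True = arriving from the Internet side

# Constructed policy: sources that must never appear on the outside interface
# (private ranges plus the protected network itself), and permitted protocols.
SCREENED = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
ALLOWED_PROTOS = {"tcp", "udp"}

def router_acl(pkt):
    """Stateless screen: decides from this packet's headers alone."""
    screened = pkt.inbound and any(ip_address(pkt.src) in n for n in SCREENED)
    return pkt.proto in ALLOWED_PROTOS and not screened

class StatefulFirewall:
    """Remembers outbound flows; inbound packets must match one of them."""
    def __init__(self):
        self.flows = set()

    def permit(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is allowed only as the reverse of a recorded flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def evaluate(packets):
    """Return the verdict for each packet, naming the layer that dropped it."""
    fw = StatefulFirewall()
    return ["dropped at router ACL" if not router_acl(p)
            else "permitted" if fw.permit(p)
            else "dropped at firewall (no state)" for p in packets]

SAMPLE = [  # constructed traffic; protected network is 203.0.113.0/24
    Packet("203.0.113.10", "198.51.100.5", "tcp", 40000, 443, False),  # client opens flow
    Packet("198.51.100.5", "203.0.113.10", "tcp", 443, 40000, True),   # reply to that flow
    Packet("198.51.100.77", "203.0.113.10", "tcp", 443, 40001, True),  # unsolicited inbound
    Packet("10.1.2.3", "203.0.113.10", "udp", 53, 5353, True),         # private source outside
    Packet("198.51.100.5", "203.0.113.10", "icmp", 0, 0, True),        # protocol not allowed
]
```

The third packet passes the ACL because its headers look legitimate in isolation; only the layer that tracks connection state can tell it was never requested.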
