Ju Kong Fui,

Using a firewall behind a perimeter router allows you to implement "defense in depth", or multiple barriers between your protected network and the public Internet. Using this "defense in depth" strategy you can implement a portion of your security or access control policy on the router and a portion on the firewall. For example, you can screen various IP subnets or protocols using an access control list (ACL) at the router, and then track the state of allowed connections at the firewall.

Comparing an IOS router with the IOS firewall with a "pure firewall" such as the PIX behind a perimeter router, I'd suggest that same strategy. One issue that sometimes comes up is the need to be able to run an "ED" (Engineering Distribution) or "LD" (Limited Distribution as compared to "GD" or General Distribution) IOS image on the perimeter router to support the feature requirements of your Internet connection. All versions of IOS code support standard and extended access control lists (ACLs). There are versions of code that do not support the IOS firewall. For example, if you needed to install a new version of IOS (that did not support IOS firewall) to use a new serial interface feature, you'd be taking down your only firewall.

I hope this helps.

Regards,
Brian

>Date: Wed, 31 Jan 2001 09:09:14 +0800
>From: Ju Kong Fui <[EMAIL PROTECTED]>
>Subject: Difference between a firewall and a perimeter router
>
>Hi everybody,
>
>I am new to firewalls and I wonder why we need a firewall behind a perimeter
>router? As far as I know, we can filter most of the malicious traffic
>using the perimeter router itself, for example a Cisco router with IOS.
>
>Comparing a Cisco router with firewall version IOS and a pure firewall
>behind a perimeter router, which of them offers more safety?
>
>Pls help. Thanks.
>- -
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
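Added example (not part of the thread above, and not Cisco configuration): a small Python model of the split the reply describes, with a stateless router ACL screening subnets and protocols and a stateful firewall behind it tracking allowed connections. The policy, addresses, packet fields and function names are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: a private range plus the inside subnet (192.0.2.0/24),
# neither of which should appear as a source on the Internet side.
ROUTER_DENY_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
ROUTER_PERMIT_PROTOCOLS = {"tcp", "udp"}

def router_acl_permits(p):
    """Stateless screen: each inbound packet is judged on its own headers."""
    src = ip_address(p["src"])
    if any(src in net for net in ROUTER_DENY_SOURCES):
        return False
    return p["proto"] in ROUTER_PERMIT_PROTOCOLS

class StatefulFirewall:
    """Admits inbound packets only as replies to connections opened from inside."""
    def __init__(self):
        self.connections = set()
    def outbound(self, p):
        self.connections.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
    def inbound_permits(self, p):
        # A reply carries the endpoints of a tracked connection, reversed.
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"]) in self.connections

def run(packets):
    """Return, per packet, which layer decided its fate."""
    fw, verdicts = StatefulFirewall(), []
    for p in packets:
        if p["dir"] == "out":
            fw.outbound(p)
            verdicts.append("pass")
        elif not router_acl_permits(p):
            verdicts.append("router-drop")
        elif not fw.inbound_permits(p):
            verdicts.append("firewall-drop")
        else:
            verdicts.append("pass")
    return verdicts

def pkt(direction, proto, src, sport, dst, dport):
    return dict(dir=direction, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

SAMPLE = [  # constructed traffic
    pkt("out", "tcp", "192.0.2.10", 40000, "198.51.100.5", 80),
    pkt("in", "tcp", "198.51.100.5", 80, "192.0.2.10", 40000),  # reply to tracked connection
    pkt("in", "tcp", "203.0.113.9", 80, "192.0.2.10", 40000),   # passes the ACL, no state
    pkt("in", "tcp", "10.1.2.3", 80, "192.0.2.10", 40000),      # screened subnet
    pkt("in", "gre", "198.51.100.5", 0, "192.0.2.10", 0),       # screened protocol
]
```

Calling `run(SAMPLE)` shows the third packet clearing the router ACL and being stopped only by the firewall's state table, which is the layer that would be lost if the router were the only device.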
