
Security Basics mailing list archives
Re: [OT ish] Router vs Firewall - corporate environment
From: James Wright <jamfwright () gmail com>
Date: Tue, 2 Feb 2010 18:22:12 -0500
Hi Martin,

The WAN link is MPLS I assume? Regardless, a firewall can provide better management and possibly even save some bandwidth, as well as prepare your office for a DIA - Direct Internet Access - link if one is needed down the road. You will get better logging and auditing, you can generally choose which "rules" to log. You will gain a better understanding of your network behavior and traffic.

In regards to the saving bandwidth, it is easy to block broadcasts and any other unnecessary traffic from crossing the WAN, improving - maybe minimally - the performance of your router.

Assuming there is a firewall at the other office on the Internet link side, you may find that it is cheaper to get a decent firewall, and switch from a private WAN link to a DIA and do a site-to-site VPN. A lot of firewall solutions come with extra protections now as well, content filtering and sometimes exploit protection.

I see a lot of reasons for going with the firewall, but every situation is unique, and you will need to figure out what works best for your environment.

Good luck!

- James

On Tue, Feb 2, 2010 at 8:38 AM, martin <martiniscool () gmail com> wrote:
Hi all

We're in the process of planning to split up our corporate network - i.e., a subnet for servers, one for users, one for admins etc etc. Although we have over 200 users, our internet connection is not at this office, it goes over a WAN to another office and then via a proxy (which is duly firewalled etc). We have a Cisco router at our site which handles the WAN traffic etc.

Now a debate has started over whether we should use the router to split up our network, or whether we should go to the extra expense of buying a firewall to do this.

As I understand it, if I send a request from subnet 1 to subnet 2 on port 80, the source port (is over 1024) would have to be open for the reply to come back from subnet 2 to subnet 1. However, as firewalls are stateful, they do not require this - I would just need to open port 80 to subnet 2.

Apart from the greater logging capabilities, this is the only reason I can come up with to use a firewall. Does anybody have any additional suggestions as to why we should use a firewall? Or likewise, why a firewall might not be necessary.

Thanks in advance for any help

M

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
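The reply-traffic point raised in the quoted question, as an added example that is not part of the original thread: a small Python model comparing a per-packet (stateless) ACL with a connection-tracking (stateful) filter for the subnet 1 to subnet 2 port 80 case. The subnet ranges, addresses and rule shapes are constructed for illustration, and the model ignores TCP flags and state timeouts.

```python
# Added illustration: stateless ACL vs. stateful filter for subnet 1 -> subnet 2, port 80.
# All addresses and subnets are constructed sample values.
from ipaddress import ip_address, ip_network

SUBNET1 = ip_network("10.0.1.0/24")   # users (constructed)
SUBNET2 = ip_network("10.0.2.0/24")   # servers (constructed)

def stateless_permit(pkt):
    """Router-style ACL: every packet is judged alone, so replies need their own rule."""
    src, sport, dst, dport = pkt
    s, d = ip_address(src), ip_address(dst)
    # Rule 1: subnet 1 -> subnet 2, destination port 80
    if s in SUBNET1 and d in SUBNET2 and dport == 80:
        return True
    # Rule 2: return traffic from source port 80 to any port above 1023
    if s in SUBNET2 and d in SUBNET1 and sport == 80 and dport > 1023:
        return True
    return False

class StatefulFilter:
    """Only rule 1 is configured; replies are matched against tracked connections."""
    def __init__(self):
        self.conns = set()

    def permit(self, pkt):
        src, sport, dst, dport = pkt
        s, d = ip_address(src), ip_address(dst)
        if s in SUBNET1 and d in SUBNET2 and dport == 80:
            self.conns.add((src, sport, dst, dport))  # remember the outbound flow
            return True
        # A reply passes only if it is the exact reverse of a tracked flow
        return (dst, dport, src, sport) in self.conns

def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet, in order."""
    fw = StatefulFilter()
    return [(stateless_permit(p), fw.permit(p)) for p in packets]

REQUEST = ("10.0.1.20", 49152, "10.0.2.10", 80)
REPLY = ("10.0.2.10", 80, "10.0.1.20", 49152)
UNSOLICITED = ("10.0.2.10", 80, "10.0.1.99", 5000)  # no matching request was sent

if __name__ == "__main__":
    sample = (REQUEST, REPLY, UNSOLICITED)
    for pkt, (acl, fw) in zip(sample, compare(sample)):
        print(pkt, "stateless:", acl, "stateful:", fw)
```

The stateless return rule admits any packet that merely looks like a reply, while the stateful filter admits only packets that reverse a flow it has already seen.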
Current thread:
- [OT ish] Router vs Firewall - corporate environment martin (Feb 02)
- Re: [OT ish] Router vs Firewall - corporate environment James Wright (Feb 04)
- Re: [OT ish] Router vs Firewall - corporate environment Chris Brenton (Feb 05)
- Re: [OT ish] Router vs Firewall - corporate environment John Morrison (Feb 08)