From: Laszlo Csosza (tr@contract.hu)
Date: Tue Mar 28 2006 - 17:45:51 GMT-3
Hi!
> Could you please explain why the 1st design is bad? Why is shaping so
> necessary on the perimeter router? Why is this router needed, and which
> bad things could I receive if I build design 1 (with just one ASA or PIX)?
>
Your presales engineer could have meant this:
Usually, in a security design the perimeter router (if it is
administered by the customer) is not only for terminating xDSL, leased
line, ISDN or whatever the Internet is received on.
It does some prefiltering before the firewall:
- ICMP rate limiting
- network filtering: RFC 1918, unneeded multicast, network zero,
hostnet, non-dhcp autoconfig, testnet
- reverse path filtering and anti-spoofing
- etc.
In addition to these, if you prepare a very, very, very secure
environment then a good idea is to make an exact copy of the firewall
policy in the router's access-lists. Just to be sure, at a paranoid level!
This design is very popular with our customers in spite of the difficulty
of synchronizing the firewall and the router filtering policy.
bye!
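An added example, not from the original post or the poster's own equipment, of the router-side prefiltering listed above written as Cisco IOS configuration. The uplink interface name (Serial0/0), the customer's public prefix (203.0.113.0/24, a placeholder) and the ICMP police rates are assumptions to be adapted to the real link.

```cisco
! Added example: perimeter-router prefiltering in front of the firewall.
! Assumptions: Internet uplink is Serial0/0, the customer's own public
! prefix is 203.0.113.0/24 (placeholder), police rates are sample values.
!
! Ingress ACL: drop bogon and spoofed SOURCE addresses before the firewall
ip access-list extended INTERNET-IN
 remark --- RFC 1918 private space ---
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- network zero, hostnet (loopback), link-local autoconfig, testnet ---
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 remark --- multicast (and class E) is never a valid source address ---
 deny   ip 224.0.0.0 31.255.255.255 any
 remark --- anti-spoofing: our own prefix must never arrive from the Internet ---
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- everything else is decided by the firewall policy ---
 permit ip any any
!
! ICMP rate limiting: police all inbound ICMP to a modest rate (64 kbit/s,
! 8000-byte burst); tune to the link, the firewall still sees what passes
ip access-list extended ICMP-ALL
 permit icmp any any
class-map match-all ICMP-IN
 match access-group name ICMP-ALL
policy-map PREFILTER-IN
 class ICMP-IN
  police 64000 8000 conform-action transmit exceed-action drop
!
interface Serial0/0
 description Internet uplink (assumed interface name)
 ip access-group INTERNET-IN in
 ! reverse path filtering: strict uRPF is fine on a single-homed uplink;
 ! use "reachable-via any" (loose mode) where return paths are asymmetric
 ip verify unicast source reachable-via rx
 service-policy input PREFILTER-IN
```

The deny entries only cover source addresses, so they are safe to keep identical on every customer; the firewall policy itself is not copied here, which is the synchronization effort the post refers to.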
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3