This question requires technical knowledge, and an understanding of business.
We’ll address both.
Remember this, and it’ll save you a lot of time: Routers move packets, and firewalls inspect packets. It is cheaper to move packets than it is to inspect them.
Put the cheaper device facing the onslaught of the Internet first, rather than the more expensive firewall device.
A router is really good at receiving packets. It looks at the destination IP addresses, and then sends it to where it has to go next.
A firewall is really good at looking not just at the destination of a packet, but also the source, source port, destination port, and the payload. The firewall will then use all this information to determine if the incoming packet should be allowed, or dropped before entering the internal network.
That’s another thing, the firewall is really good at deciding if a packet should enter the network or not. A router can’t really do that as well as a firewall, if at all.
Sounds like a firewall has to do a lot more work than a router does, doesn’t it?
A firewall’s job should really be just to inspect, not to route. A firewall shouldn’t be your main router.
Given that, doesn’t it make sense to put the router facing all the incoming packets from the Internet?
Then, once they are in your network, have the traffic pass through a firewall to get inspected carefully one by one?
I think so, and so do a ton of other organizations. A router at the edge of the network is the most common network architecture. I have no statistical numbers to back this up, but it’s all I’ve seen during my security career.
A router is not built to inspect packets.
But it is built take the impact of multiple dynamic protocols like BGP or OSPF. If there is a potential DDOS, then a router can blackhole the traffic. You’d want to blackhole traffic at the perimeter edge, and not after it has entered your network!
Usually you don’t want routing protocols running on a firewall for several reasons. First, routing protocols can be inherently insecure. For example, in OSPF, routes that belong to your network are propogated and advertised throughout the autonomous systems (an internal network). An attacker can find out a lot about a network if they were to know these advertised routes. If the firewall is running OSPF, you can protect against this vulnerability by turning route advertisement off.
The term “to blackhole” (also known as “null route”) traffic means dropping all incoming packets, without alerting the sender. This is one of the techniques used in mitigating DDOS attacks. The only downside could be that not only will blackholing the traffic drop DDOS traffic, but also legitimate ones as well. It is a temporary tactic, hours after which the null route will be removed.
Now onto the business side of why you should put the router in front of the firewall, and one that will most likely be more useful for the CISSP exam. As you already know, the CISSP isn’t a technical exam.
Who owns the router at the edge network? Your company? Or your ISP? Who is responsible when a router needs to failover to another site?
Suppose your organization has a router in their Ashburn, Virginia data center. And another router in their San Jose, California data center.
When it comes to disaster recovery at the Ashburn site, traffic destined to the Ashburn router can failover to the San Jose router. Routers are usually in charge of failing over traffic between two sites, not firewalls. Firewalls sit behind the router to continue to make sure traffic allowed in is being inspected, and dropped if necessary.
If traffic needs to be failed over to another site, you want it to be done fast and responsibly, otherwise it could risk data loss or damage to your organization’s reputation.
An organization may want to transfer this risk to an ISP, they will manage the router and be responsible for failing over traffic per SLA.
SLA is something you are bound to hear in the security world when it comes to customers and vendors. SLA stands for Service Level Agreement and is a contract between two parties on what services will be provided, and under what time constraints.
SLA Example of Response Times
DDOS Attack: Vendor has 15 minutes to mitigate the attack
Web Site is Hacked: Vendor has 30 minutes to bring up the backup site
Database Servers Unreachable : Vendor has 30 minutes to restore connectivity
SLA Example of Uptime
Website: Hosting company has to guarantee 99.99% uptime
Database Servers: Data Center hosting company has to provide 99.99% uptime
Having everything in your organization covered by an SLA is cost-effective and provides a larger ROI, instead of having to manage and pay for everything yourself.
Do you want the firewall to inspect traffic, perform intrusion prevention, filter URLs, AND handle the routing for an entire organization? Probably not. The firewall can become a huge single point of failure.
If you have an organization that receives very little traffic per day, then a small router/firewall combo device is probably more of a cost effective measure. You don’t want to spend $100,000 securing data that is worth $50,000.