Uses of edge routers?

cargo

New Member
Newbie to security and currently trying to design my home network. I came across an article that stated edge routers should be the first layers of defense, and then it went on in marketing-hype fashion about Cisco IOS Firewall Feature Set.

This had me a bit confused. Is there any real use to having an edge router? I mean some point out that it relieves the load on the firewall itself, but then the edge router would still be congested wouldn't it? If it does packet inspection / filtering, wouldn't it be acting in similar fashion to a firewall? But quite a few sources say an edge router should be the first layer of defense.

Wouldn't it be easier, not to mention less expensive, to not place an edge router and instead have the firewall in its place?
 
There are a couple of ways you can set up layered security for a LAN with publicly accessible resources, such as HTTP, FTP, DNS, SMTP relay, etc... The easiest and most affordable way to do it is to buy a firewall with DMZ support. That way, you can put all the public servers inside the DMZ and it will basically act as a dead end between the public network and the private LAN. Most higher-end firewalls have great support for DMZs, but most of the lower-end simple NAT firewalls don't really bring what's needed to support medium- to large-scale enterprises. The basic technology is the same between high-end and low-end firewalls, but high-end firewalls have a lot more features that you can take advantage of in order to make your LAN and DMZ more secure from each other. A true DMZ doesn't allow any traffic from the DMZ to enter the LAN zone; however, the LAN zone can access the entire DMZ.

The other way you can do it, if you can't take advantage of built-in DMZs, is to have two firewalls, one in front of the other. That way, you can create a type of physical DMZ, if you will, that has the public servers running behind the first standard firewall with the private LAN on the other side of the second, more high-end firewall. In both cases you are accomplishing the same task: separating the public resources from the private resources. If you don't need to have any public resources, then all you need is a good firewall in front of the LAN...or you can throw in the dreaded "honeypot" behind that firewall for noob hackers :D. Many times people like to try and attack the DMZ, which is all fine and dandy, but the real prize is the LAN that sits right next to it untouched :cool:. That is why you should always get a decent dedicated firewall.
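The zone policy the reply describes (Internet reaches only the published DMZ services, the LAN may reach the whole DMZ, the DMZ can never initiate a connection into the LAN, and replies to allowed connections are let back through) is easy to get wrong in a real ruleset, so here is a small stateful policy model that makes the rules explicit and checkable. This is an added example, not code from the thread or from any firewall vendor; the zone names, address ranges, ports and sample packets are all constructed for illustration.

```python
"""Zone-based stateful firewall policy model for a LAN/DMZ/Internet design.

Added example (not from the thread). Zones, subnets, published services and
the sample packets below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: two trusted zones; anything else is "internet".
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}

# Services deliberately published from the DMZ to the Internet (constructed list
# matching the reply's HTTP/FTP/DNS/SMTP-relay examples).
PUBLISHED_DMZ_SERVICES = {
    ("tcp", 80), ("tcp", 443), ("tcp", 21),
    ("tcp", 53), ("udp", 53), ("tcp", 25),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000  # ephemeral source port; arbitrary for the example


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def new_connection_allowed(pkt: Packet) -> bool:
    """Zone-pair policy for NEW connections. Any pair not listed is denied,
    which is what enforces 'DMZ may never initiate into the LAN'."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == "internet" and dst_zone == "dmz":
        # Only the explicitly published services are reachable from outside.
        return (pkt.proto, pkt.dport) in PUBLISHED_DMZ_SERVICES
    if src_zone == "lan" and dst_zone in ("dmz", "internet"):
        # The private LAN may reach the entire DMZ and the outside world.
        return True
    # internet->lan, dmz->lan, dmz->internet (no egress policy here): denied.
    return False


class StatefulFirewall:
    """Minimal connection tracking: a flow admitted as NEW gets its reply
    direction admitted as ESTABLISHED, so the DMZ can answer the LAN without
    ever being allowed to start a connection towards it."""

    def __init__(self) -> None:
        self.conntrack: set = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        if self._flow_key(pkt) in self.conntrack or self._reverse_key(pkt) in self.conntrack:
            return "ACCEPT (established)"
        if new_connection_allowed(pkt):
            self.conntrack.add(self._flow_key(pkt))
            return "ACCEPT (new)"
        return "DROP"


def run_demo() -> dict:
    """Run a few constructed flows through the policy and return the verdicts."""
    fw = StatefulFirewall()
    return {
        # LAN admin reaches a DMZ database port; the DMZ host's reply comes back.
        "lan_to_dmz": fw.filter(Packet("10.0.0.5", "192.168.100.10", "tcp", 3306)),
        "dmz_reply_to_lan": fw.filter(Packet("192.168.100.10", "10.0.0.5", "tcp", 40000, sport=3306)),
        # A DMZ host trying to open its own connection into the LAN is dropped.
        "dmz_initiates_to_lan": fw.filter(Packet("192.168.100.10", "10.0.0.5", "tcp", 445, sport=50000)),
        # Internet reaches the published web service, but not an unpublished port.
        "internet_to_dmz_https": fw.filter(Packet("203.0.113.7", "192.168.100.10", "tcp", 443)),
        "internet_to_dmz_ssh": fw.filter(Packet("203.0.113.7", "192.168.100.10", "tcp", 22)),
        # Nothing from the Internet reaches the LAN directly.
        "internet_to_lan": fw.filter(Packet("203.0.113.7", "10.0.0.5", "tcp", 443)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
```

The important design point is the order of checks in `filter`: the connection-tracking lookup comes first, so the DMZ server's reply to a LAN-initiated connection is accepted even though the DMZ-to-LAN zone pair is denied for new connections. A ruleset that allowed DMZ-to-LAN "so the replies get through" would instead open the exact path the DMZ exists to block.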
 