---

---

Router Security Configuration Guide UNCLASSIFIED 32 UNCLASSIFIED Version 1.0g 3.2.  Protecting the Network with the Router   3.2.1.    Roles in Perimeter Security and Security Policy   A router provides a capability to help secure the perimeter of a protected network.  It can do this by itself.  The diagram at right shows a typical topology with the router being the component that connects the protected network to the Internet. A router can also be used as part of defense-in-depth approach as shown in the diagram below.  It acts as the first line of defense and is known as a screening router.   It contains a static route that passes all connections intended for the protected network to the firewall.  The firewall provides additional access control over the content of the connections.  It can also perform user authentication.  This approach is recommended over using only a router because it offers more security. Figure 3-1: Typical One-router Internet Connection Configuration Another approach is to position one router at the connection between the local premises and the Internet, and then another router between the firewall and the protected network.  This configuration offers two points at which policy can be enforced.  It also offers an intermediate area, often called the de-militarized zone (DMZ) between the two routers.  The DMZ is often used for servers that must be accessible from the Internet or other external network. Figure 3-2: Typical Two-router Internet Connection Configuration Internet Router Protected Network Firewall Internet Router Protected Network Firewall Router Premises or Gateway router Internal or Local net router Internet Router    Local Network