Route Traffic

HOW TO ELIMINATE A DEFAULT ROUTE FOR GREATER SECURITY 

If portions of an enterprise data-center network have no need to communicate directly with the internet, why do we configure routers so that every system on the network ends up with internet access by default? Part of the reason is that many enterprises use an internet perimeter firewall performing port address translation (PAT) with a default policy that allows outbound access to the internet. That design leaves open a path out of the data center which an attacker who has compromised an internal host can use, even when that host has no business reason to reach the internet.


TRADITIONAL NETWORK DESIGN WITH DEFAULT ROUTING

(Figure: default route)

REMOVING THE DEFAULT GATEWAY

Now, the end nodes connected to these internal edge routers also use a default gateway, which directs all non-local traffic toward the first-hop router. On access networks the end-user devices receive this default route from DHCP options. Although it is possible to remove the default route from every host, doing so manually for each and every server would be an administrative burden. It is easier to configure the presence or absence of the default route on a limited set of data center network equipment to achieve the same


WHY DYNAMIC ROUTING IS PREFERRED OVER STATIC ROUTING

Static routes are fine when the network is small, but it becomes very difficult to update the routing by hand every time a router is added to or removed from the network. Dynamic routing protocols such as EIGRP, OSPF and BGP update the routes automatically, so there is no need to change the routing manually. Note that a static route still wins over any dynamic route to the same prefix, because the administrative distance of a static route is 1, lower than that of any routing protocol (on Cisco IOS, for example, 20 for external BGP, 90 for EIGRP, 110 for OSPF and 200 for internal BGP). A static route can also be given a deliberately higher administrative distance, which turns it into a floating static route that is installed only when the dynamic route disappears.


DUAL ISP & REDUNDANT ROUTERS TRAFFIC

Dual internet connections (redundant internet connections) means using two WAN interfaces on the firewall, each connected to its own ISP router. Traffic across dual internet connections can be managed in two ways:

  • Active-Active
  • Active-Passive

Active-Active: both connections are up and carrying traffic. Each internet connection is routed through its own gateway, and different techniques can be used to share traffic between them: for example, defining a range of source IP addresses with a route or policy for each internet connection, or sending browsing traffic over one connection and all other traffic, such as voice or tunnels, over the second ISP connection.

Active-Passive: if the active connection becomes unavailable, all traffic is routed through the passive connection. To make one link passive, give its default route a higher administrative distance than the other; the firewall installs only the lower-distance route while the active link is up and falls back to the higher-distance (floating static) route when it goes down. Be aware that a static route is normally withdrawn only when its interface goes down, so an upstream failure behind a link that stays up will not trigger failover unless the firewall also runs a probe-based link health check on each ISP connection.

FortiGate firewalls handle both Active-Active and Active-Passive designs well, and can also load-balance between the two internet connections so that sessions for individual users or browsing traffic are spread across separate links.
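The three routing behaviours this post relies on (a host with no default route having no path to the internet, a static route at administrative distance 1 displacing a dynamic route to the same prefix, and a higher-distance floating default route giving Active-Passive failover, plus a policy route for the Active-Active case) can be checked with a small model of how a router chooses a forwarding entry. The following Python is an added example written for this page; it is not a FortiGate or Cisco configuration and not code from the original post. All addresses (RFC 1918 space plus the RFC 5737 documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the next-hop values are constructed for the example.

```python
# Added example (not from the original post): a minimal model of route
# installation and forwarding lookup, used to show the post's points about
# missing default routes, administrative distance and ISP failover.
# All addresses and next hops below are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str      # "static", "ospf", ... (informational only)
    distance: int    # administrative distance; lower is more trusted


def R(prefix: str, next_hop: str, source: str, distance: int) -> Route:
    return Route(ipaddress.IPv4Network(prefix), next_hop, source, distance)


def install(routes: Iterable[Route]) -> Dict[ipaddress.IPv4Network, Route]:
    """Build the routing table: when several sources offer the same prefix,
    keep only the one with the lowest administrative distance."""
    rib: Dict[ipaddress.IPv4Network, Route] = {}
    for r in routes:
        cur = rib.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            rib[r.prefix] = r
    return rib


def lookup(rib: Dict[ipaddress.IPv4Network, Route], dst: str) -> Optional[Route]:
    """Forwarding decision: longest prefix match over the installed routes.
    None means nothing matches and the packet is dropped."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in rib.values() if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(routes: Iterable[Route], dst: str) -> Optional[str]:
    r = lookup(install(routes), dst)
    return r.next_hop if r else None


# (1) Internal edge router: internal prefixes learned via OSPF from the core;
# the only thing pointing at the perimeter firewall is a static default route.
INTERNAL: List[Route] = [
    R("10.0.0.0/8", "10.255.0.1", "ospf", 110),
    R("10.20.0.0/16", "10.255.0.1", "ospf", 110),
]
DEFAULT_TO_FIREWALL = R("0.0.0.0/0", "10.255.0.254", "static", 1)

# (2) An admin pins 10.20.0.0/16 to another next hop with a static route.
# AD 1 < 110, so the static entry displaces the OSPF one for that prefix.
PINNED = R("10.20.0.0/16", "10.255.0.9", "static", 1)

# (3) Perimeter firewall with two ISP links. ISP B's default route has a
# higher distance, so it is installed only while ISP A's route is absent.
ISP_A = R("0.0.0.0/0", "203.0.113.1", "static", 10)
ISP_B = R("0.0.0.0/0", "198.51.100.1", "static", 20)   # floating static

# (4) Active-Active: a policy route consulted before the routing table pins
# one source range to ISP B; everything else follows the best default route.
POLICY: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.IPv4Network("10.1.0.0/16"), "198.51.100.1"),
]

PUBLIC_DST = "192.0.2.10"   # some internet address


def internet_next_hop_from_edge(with_default: bool) -> Optional[str]:
    routes = INTERNAL + ([DEFAULT_TO_FIREWALL] if with_default else [])
    return next_hop(routes, PUBLIC_DST)


def pinned_prefix_next_hop() -> Optional[str]:
    return next_hop(INTERNAL + [DEFAULT_TO_FIREWALL, PINNED], "10.20.5.5")


def active_isp(isp_a_up: bool) -> Optional[str]:
    """A down link withdraws its static route; the floating route takes over.
    This models interface-down only: an upstream failure behind a live link
    leaves ISP_A installed unless a probe-based link monitor pulls it."""
    routes = [ISP_B] + ([ISP_A] if isp_a_up else [])
    return next_hop(routes, PUBLIC_DST)


def forward_with_policy(src: str, dst: str) -> Optional[str]:
    s = ipaddress.IPv4Address(src)
    for src_net, gateway in POLICY:
        if s in src_net:
            return gateway
    return next_hop([ISP_A, ISP_B], dst)


if __name__ == "__main__":
    print("edge, default present  :", internet_next_hop_from_edge(True))
    print("edge, default removed  :", internet_next_hop_from_edge(False))
    print("10.20.5.5 via          :", pinned_prefix_next_hop())
    print("ISP A up, traffic via  :", active_isp(True))
    print("ISP A down, traffic via:", active_isp(False))
    print("10.1.2.3 -> internet   :", forward_with_policy("10.1.2.3", PUBLIC_DST))
```

Removing the single static default route from the edge router is all it takes for the internet destination to return no route, while the internal prefixes still resolve; that is the point of pushing the decision to a few routers rather than to every server.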

