From: Shahid Ansari (shahid1357@gmail.com)
Date: Sun Sep 07 2008 - 00:07:18 ART
If you are receiving a default route in BGP, no problem: let the firewall do both
functions (routing and firewalling).
But if you are receiving the full BGP table, then keep enough memory to support
routing and firewalling.
Maybe Juniper has some higher-end products which can support both routing and
firewalling in large networks.
Thanks
Shahid
On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
> I don't think that one should avoid running a routing protocol due to the
> fear of bugs and other things. If we think like that, trust me, then we will
> not be able to run most of the feature set of the firewall.
>
> For example, the ASA supports S2S, remote access and SSL VPNs, so should I
> avoid running two or more types of VPN together? The answer is simply NO. Yes,
> if some error or bug occurs I will try to solve it or work around it;
> otherwise calling TAC is the last step.
>
> I don't think the firewall becomes more vulnerable by running a routing
> protocol. If we think like that, then we will also be avoiding running VPN
> and CBAC (application firewall) on the routers, and then we will also be
> avoiding running CME on the routers as well.
>
>
> So no need to worry :)
>
> HTH
>
>
> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
>
> > Thanks for the reply Muhammad.
> >
> > From a security perspective, do you think running routing protocols on a
> > firewall makes the firewall more vulnerable? If so how?
> >
> > I am thinking that extra processes running on the firewall lead to more
> > bugs and more likelihood of exploitation. What do you think?
> >
> > No one else wants to chime in here?
> >
> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
> >
> >> OK, let's have a debate on it.
> >>
> >> It depends on exactly what design you have on your network. For example,
> >> the standard is to have a router for ROUTING and a firewall for firewalling,
> >> IPS and other things.
> >>
> >> Now if you already have a router and firewall in place, then it is good to
> >> keep the routing on the routers, BUT if you really want to save money then
> >> just purchase a firewall which supports good routing, and again Juniper
> >> takes the edge.
> >>
> >>
> >> The Juniper SSG series has very strong support for routing; not only that,
> >> it also supports WAN, DSL and other interfaces, so in short you can buy only
> >> the SSG and do routing and firewalling. Not only that, from version 6.1.0
> >> the Juniper firewall supports DMVPN as well, where unfortunately Cisco is
> >> lagging behind.
> >>
> >> There is no hard and fast rule for it. It really depends on your scenario.
> >>
> >> For example, if I am going to design a network for 10 branches, I will
> >> first look into the budget of my customer; if it permits, I will surely go
> >> for one router and one firewall.
> >>
> >>
> >> If the budget does not permit, I will go for a firewall which supports good
> >> routing as well.
> >>
> >> Hope this helps
> >>
> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
> >>
> >>> No brave ones want to tackle this one?
> >>>
> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@gmail.com> wrote:
> >>>
> >>> > Hiya folks,
> >>> >
> >>> > I was wondering if the group could share some pros/cons of running
> >>> > dynamic routing protocols on a firewall?
> >>> > Can anyone share their experience with this?
> >>> >
> >>> > I have a few branch offices connected to HQ in a hub-and-spoke fashion
> >>> > via Metro Ethernet links. I am looking to add VPN as a backup (each
> >>> > branch has local internet access). The routers are currently running OSPF.
> >>> >
> >>> > I am thinking of doing it all on the ASA platform to save money, but
> >>> > something in my gut tells me to leave the routing up to routers. So I
> >>> > am thinking I might need to bite the bullet and buy some routers too.
> >>> >
> >>> > What do you think?
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> --
> >> Muhammad Nasim
> >> Network Engineer
> >> Saudi Arabia
> >>
> >
> >
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>
>
--
Regards,
Shahid
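The security question the thread circles around is whether a firewall that speaks a routing protocol also starts trusting whoever speaks it back. The fragment below is an example added by the editor, not configuration posted by anyone in this thread; the interface names, addresses (RFC 1918 and RFC 5737 ranges), OSPF process ID and key string are placeholders. It limits the ASA's OSPF exposure in two ways that are independent of the vendor: the process is enabled only on the inside subnet (no network statement covers the outside interface, so no hellos are sent or adjacencies formed there), and area 0 requires MD5 authentication so an unauthenticated neighbor cannot inject routes. Internet reachability is a static default route rather than something learned dynamically, which is the "default route" case Shahid refers to.

```cisco
! Added example (editor's, not from the thread). Names, addresses,
! process ID and the MD5 key are placeholders to replace.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ! Require MD5-authenticated OSPF packets on the link to the core routers
 ospf authentication message-digest
 ospf message-digest-key 1 md5 ReplaceWithSharedKey
!
router ospf 1
 ! Only the inside subnet participates; the outside interface is never
 ! covered by a network statement, so OSPF is never active on it.
 network 10.0.0.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
!
! Default route toward the ISP is static, not learned through OSPF
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

The branch and core routers must carry the same key ID and key on their side of the link, otherwise the adjacency stays in INIT; `show ospf neighbor` on the ASA confirms which peers reached FULL, and `log-adj-changes` gives a syslog entry whenever a neighbor flaps, which is the event an unexpected or spoofed peer would produce.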
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART