From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Sun Sep 07 2008 - 03:53:34 ART
BGP is not supported on ASA until now.
Juniper supports it.
Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
2008/9/7 Shahid Ansari <shahid1357@gmail.com>
>
> If you are receiving a default route in BGP, no problem: let the firewall do both
> functions (Routing and Firewalling),
> but if you are receiving the full BGP table then keep enough memory to
> support routing and Firewalling.
>
> Maybe Juniper has some higher-end products which can support both Routing
> and Firewall in large networks.
>
> Thanks
> Shahid
>
> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>
>> I don't think that one should avoid running a routing protocol due to the
>> fear of BUGS and other things. If we think like that, trust me, then we will
>> not be able to run most of the feature set of the firewall.
>>
>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I avoid
>> running two or more types of VPNs together? The answer is simple: NO. Yes, if some
>> error or bug occurs I will try to solve it or work around it; otherwise
>> calling TAC is the last step.
>>
>> I don't think the firewall becomes more vulnerable by running a routing
>> protocol. If we think like that then we will also be avoiding running VPN
>> and CBAC (application firewall) on the routers, and then we will also be
>> avoiding running CME on the routers as well.
>>
>>
>> So no need to worry : )
>>
>> HTH
>>
>>
>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
>>
>> > Thanks for the reply Muhammad.
>> >
>> > From a security perspective, do you think running routing protocols on a
>> > firewall makes the firewall more vulnerable? If so how?
>> >
>> > I am thinking that extra processes running on the firewall leads to more
>> > bugs and more likelihood of exploitation. What do you think?
>> >
>> > No one else wants to chime in here?
>> >
>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>> >
>> >> Ok, let's have a debate on it.
>> >>
>> >> It depends on what exactly the design is that you have on your network. For example, the
>> >> standard is to have a router for ROUTING and a firewall for firewalling and IPS
>> >> and other things.
>> >>
>> >> Now if you already have a router and firewall in place then it is good to keep
>> >> the routing on the routers, BUT if you really want to save money then just
>> >> purchase a firewall which supports good routing, and again Juniper takes the
>> >> edge.
>> >>
>> >>
>> >> Juniper SSG series have very strong support of routing; not only that, it
>> >> also supports WAN, DSL and other interfaces, so in short you can buy only an SSG
>> >> and do routing and firewalling. Not only that, from version 6.1.0 Juniper
>> >> firewalls support DMVPN as well, in which unfortunately Cisco is lagging behind.
>> >>
>> >> There is no hard and fast rule for it. It really depends on your scenario.
>> >>
>> >> For example, if I am going to design a network for 10 branches, I will
>> >> first look into the budget of my customer; if it permits, I will surely go
>> >> for one router and one firewall.
>> >>
>> >>
>> >> If the budget does not permit, I will go for a firewall which supports good
>> >> routing as well.
>> >>
>> >> Hope this helps
>> >>
>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
>> >>
>> >>> No brave ones want to tackle this one?
>> >>>
>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@gmail.com> wrote:
>> >>>
>> >>> > Hiya folks,
>> >>> >
>> >>> > I was wondering if the group could share some pro/cons of running dynamic
>> >>> > routing protocols on a firewall?
>> >>> > Can anyone share their experience with this?
>> >>> >
>> >>> > I have a few branch offices connected to HQ in a hub and spoke fashion via
>> >>> > metro ethernet links. I am looking to add VPN as a backup (each branch has
>> >>> > local internet access). The routers are currently running OSPF.
>> >>> >
>> >>> > I am thinking of doing it all on the ASA platform to save money, but
>> >>> > something in my gut tells me to leave the routing up to routers. So I am
>> >>> > thinking I might need to bite the bullet and buy some routers too.
>> >>> >
>> >>> > What do you think?
>> >>>
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>>
>> _______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >>
>> >> --
>> >> Muhammad Nasim
>> >> Network Engineer
>> >> Saudi Arabia
>> >>
>> >
>> >
>>
>>
>> --
>> Muhammad Nasim
>> Network Engineer
>> Saudi Arabia
>>
>
>
> --
> Regards,
>
> Shahid
>
--
Muhammad Nasim
Network Engineer
Saudi Arabia

Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART