From: Scott Morris (smorris@internetworkexpert.com)
Date: Sun Sep 07 2008 - 11:01:43 ART
Kinda hard to virtualize an ASIC-driven operation....
AFAIK, no. Not for the Netscreen firewalls.
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Shahid Ansari
Sent: Sunday, September 07, 2008 4:36 AM
To: Muhammad Nasim
Cc: CCIEin2006; Cisco certification
Subject: Re: OT - Dynamic Routing on a Firewall?
Cisco made ASA for pure firewalling, IPS and content security technologies
with multiple vulnerabilities. : )
Can we do virtualization for Juniper's firewall? : ) ;)
Thanks
Shahid
On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim
<muhammad.nasim@gmail.com>wrote:
> BGP is not supported on ASA until now.
>
> Juniper supports it.
>
> Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
>
> 2008/9/7 Shahid Ansari <shahid1357@gmail.com>
>
>> If you are receiving a default route in BGP, no problem, let the firewall
>> do two functions (routing and firewalling),
>> but if you are receiving a full BGP table then keep enough memory to
>> support routing and firewalling.
>>
>> Maybe Juniper has some higher-end products which can support both
>> routing and firewall in large networks.
>>
>> Thanks
>> Shahid
>>
>> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim
>> <muhammad.nasim@gmail.com> wrote:
>>
>>> I don't think that one should avoid running a routing protocol due
>>> to the fear of bugs and other things. If we think like that, trust me,
>>> then we will not be able to run most of the feature set of a firewall.
>>>
>>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I
>>> avoid running two or more types of VPN together? The answer is
>>> simply NO. Yes, if some error or bug occurs I will try to solve it or
>>> work around it; otherwise calling TAC is the last step.
>>>
>>> I don't think a firewall becomes more vulnerable by running a routing
>>> protocol. If we think like that then we will also be avoiding
>>> running VPN and CBAC (application firewall) on the routers, and
>>> then we will also be avoiding running CME on the routers as well.
>>>
>>> So no need to worry : )
>>>
>>> HTH
>>>
>>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
>>>
>>> > Thanks for the reply Muhammad.
>>> >
>>> > From a security perspective, do you think running routing
>>> > protocols on a firewall makes the firewall more vulnerable? If so how?
>>> >
>>> > I am thinking that extra processes running on the firewall leads
>>> > to more bugs and more likelihood of exploitation. What do you think?
>>> >
>>> > No one else wants to chime in here?
>>> >
>>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim
>>> > <muhammad.nasim@gmail.com> wrote:
>>> >
>>> >> Ok, let's have a debate on it.
>>> >>
>>> >> It depends what exactly the design you have on your network is. For
>>> >> example, the standard is to have a router for ROUTING and a firewall
>>> >> for firewalling and IPS and other things.
>>> >>
>>> >> Now if you already have a router and firewall in place then it is
>>> >> good to keep the routing on the routers, BUT if you really want to
>>> >> save money then just purchase a firewall which supports good routing,
>>> >> and again Juniper takes the edge.
>>> >>
>>> >> Juniper SSG series have very strong support of routing; not only
>>> >> that, it also supports WAN, DSL and other interfaces, so in short you
>>> >> can only buy SSG and do routing and firewalling. Not only that, from
>>> >> version 6.1.0 the Juniper firewall supports DMVPN as well, which
>>> >> unfortunately Cisco is lagging behind on.
>>> >>
>>> >> There is no hard and fast rule for it. It really depends on your
>>> >> scenario.
>>> >>
>>> >> For example, if I am going to design a network for 10 branches, I
>>> >> will first look into the budget of my customer; if it permits
>>> >> I will surely go for one router and one firewall.
>>> >>
>>> >> If the budget does not permit I will go for a firewall which supports
>>> >> good routing as well.
>>> >>
>>> >> Hope this helps
>>> >>
>>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
>>> >>
>>> >>> No brave ones want to tackle this one?
>>> >>>
>>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006
>>> >>> <ciscocciein2006@gmail.com> wrote:
>>> >>>
>>> >>> > Hiya folks,
>>> >>> >
>>> >>> > I was wondering if the group could share some pros/cons of
>>> >>> > running dynamic routing protocols on a firewall?
>>> >>> > Can anyone share their experience with this?
>>> >>> >
>>> >>> > I have a few branch offices connected to HQ in a hub and spoke
>>> >>> > fashion via metro ethernet links. I am looking to add VPN as a
>>> >>> > backup (each branch has local internet access). The routers are
>>> >>> > currently running OSPF.
>>> >>> >
>>> >>> > I am thinking of doing it all on the ASA platform to save
>>> >>> > money, but something in my gut tells me to leave the routing up to
>>> >>> > routers. So I am thinking I might need to bite the bullet and buy
>>> >>> > some routers too.
>>> >>> >
>>> >>> > What do you think?
>>> >>>
>>> >>> Blogs and organic groups at http://www.ccie.net
>>> >>>
>>> >>> _______________________________________________________________________
>>> >>> Subscription information may be found at:
>>> >>> http://www.groupstudy.com/list/CCIELab.html
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> Muhammad Nasim
>>> >> Network Engineer
>>> >> Saudi Arabia
>>> >>
>>> >
>>> >
>>>
>>>
>>> --
>>> Muhammad Nasim
>>> Network Engineer
>>> Saudi Arabia
>>>
>>
>>
>> --
>> Regards,
>>
>> Shahid
>>
>
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>
--
Regards,
Shahid
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART