Re: OT - Dynamic Routing on a Firewall?

From: Simon Tee (teetengloong@gmail.com)
Date: Sun Sep 07 2008 - 23:08:47 ART


The ISG 1000 and 2000 models support Virtual Systems.... something like a
virtual firewall....

HTH

On Sun, Sep 7, 2008 at 4:35 PM, Shahid Ansari <shahid1357@gmail.com> wrote:

> Cisco made ASA for pure firewalling, IPS and content security technologies
> with multiple vulnerabilities. : )
>
> Can we do virtualization for Juniper's firewall? : ) ;)
>
> Thanks
> Shahid
>
>
>
> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>
> > BGP is not supported on ASA until now.
> >
> > Juniper supports it.
> >
> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
> >
> >
> >
> >
> > 2008/9/7 Shahid Ansari <shahid1357@gmail.com>
> >
> >
> >> If you are receiving a default route in BGP, no problem, let the firewall do
> >> two functions (routing and firewalling), but if you are receiving the full
> >> BGP table then keep enough memory to support routing and firewalling.
> >>
> >> Maybe Juniper has some higher-end products which can support both
> >> routing and firewalling in large networks.
> >>
> >> Thanks
> >> Shahid
> >>
> >> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
> >>
> >>> I don't think that one should avoid running a routing protocol due to
> >>> the fear of BUGS and other things. If we think like that, trust me, then we
> >>> will not be able to run most of the feature set of the firewall.
> >>>
> >>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I
> >>> avoid running two or more types of VPNs together? The answer is simply NO.
> >>> Yes, if some error or bug occurs I will try to solve it or work around it;
> >>> otherwise calling TAC is the last step.
> >>>
> >>> I don't think a firewall becomes more vulnerable by running a routing
> >>> protocol. If we think like that then we will also be avoiding running VPN
> >>> and CBAC (application firewall) on the routers, and then we will also be
> >>> avoiding running CME on the routers as well.
> >>>
> >>>
> >>> So no need to worry : )
> >>>
> >>> HTH
> >>>
> >>>
> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
> >>>
> >>> > Thanks for the reply Muhammad.
> >>> >
> >>> > From a security perspective, do you think running routing protocols on
> >>> > a firewall makes the firewall more vulnerable? If so, how?
> >>> >
> >>> > I am thinking that extra processes running on the firewall lead to
> >>> > more bugs and more likelihood of exploitation. What do you think?
> >>> >
> >>> > No one else wants to chime in here?
> >>> >
> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
> >>> >
> >>> >> OK, let's have a debate on it.
> >>> >>
> >>> >> It depends on exactly what design you have on your network. For
> >>> >> example, the standard is to have a router for ROUTING and a firewall
> >>> >> for firewalling, IPS and other things.
> >>> >>
> >>> >> Now if you already have a router and firewall in place then it is good
> >>> >> to keep the routing on the routers, BUT if you really want to save money
> >>> >> then just purchase a firewall which supports good routing, and again
> >>> >> Juniper takes the edge.
> >>> >>
> >>> >>
> >>> >> The Juniper SSG series has very strong support for routing; not only
> >>> >> that, it also supports WAN, DSL and other interfaces, so in short you
> >>> >> can buy only an SSG and do routing and firewalling. Not only that, from
> >>> >> version 6.1.0 the Juniper firewall supports DMVPN as well, which
> >>> >> unfortunately Cisco is lagging behind on.
> >>> >>
> >>> >> There is no hard and fast rule for it. It really depends on your
> >>> >> scenario.
> >>> >>
> >>> >> For example, if I am going to design a network for 10 branches, now I
> >>> >> will first look into the budget of my customer; if it permits I will
> >>> >> surely go for one router and one firewall.
> >>> >>
> >>> >>
> >>> >> If the budget does not permit, I will go for a firewall which supports
> >>> >> good routing as well.
> >>> >>
> >>> >> Hope this helps
> >>> >>
> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
> >>> >>
> >>> >>> No brave ones want to tackle this one?
> >>> >>>
> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@gmail.com> wrote:
> >>> >>>
> >>> >>> > Hiya folks,
> >>> >>> >
> >>> >>> > I was wondering if the group could share some pros/cons of running
> >>> >>> > dynamic routing protocols on a firewall?
> >>> >>> > Can anyone share their experience with this?
> >>> >>> >
> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke
> >>> >>> > fashion via metro ethernet links. I am looking to add VPN as a backup
> >>> >>> > (each branch has local internet access). The routers are currently
> >>> >>> > running OSPF.
> >>> >>> >
> >>> >>> > I am thinking of doing it all on the ASA platform to save money, but
> >>> >>> > something in my gut tells me to leave the routing up to routers. So I
> >>> >>> > am thinking I might need to bite the bullet and buy some routers too.
> >>> >>> >
> >>> >>> > What do you think?
> >>> >>>
> >>> >>>
> >>> >>> Blogs and organic groups at http://www.ccie.net
> >>> >>>
> >>> >>>
> >>> >>> _______________________________________________________________________
> >>> >>> Subscription information may be found at:
> >>> >>> http://www.groupstudy.com/list/CCIELab.html
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Muhammad Nasim
> >>> >> Network Engineer
> >>> >> Saudi Arabia
> >>> >>
> >>> >
> >>> >
> >>>
> >>>
> >>> --
> >>> Muhammad Nasim
> >>> Network Engineer
> >>> Saudi Arabia
> >>>
> >>>
> >>
> >>
> >> --
> >> Regards,
> >>
> >> Shahid
> >>
> >
> >
> >
> > --
> > Muhammad Nasim
> > Network Engineer
> > Saudi Arabia
> >
>
>
>
> --
> Regards,
>
> Shahid
>


This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART