From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Mon Sep 08 2008 - 10:13:51 ART
hehe but one thing for information purposes.
The Netscreen devices were/are all ASIC based architecture but NOT SSG
(Secure Services Gateway).
Is anybody interested in trying to emulate the Juniper SSG on PEMU or QEMU? I
think it may be possible as the architecture is no more ASIC in the SSG series.
A real opportunity, I think : )
2008/9/8 Scott Morris <smorris@internetworkexpert.com>
> Ohhh... Now lightbulb is going on. After having read a series of
> e-mails about PEMU and Dynamips, I thought the original post was about
> running Netscreen/Juniper firewalls in a virtual environment (e.g. not real
> equipment).
>
> Duh... I'm off to seek more caffeine now. :)
>
>
>
> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> Senior CCIE Instructor
>
> smorris@internetworkexpert.com
>
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
> Online Community: Seek it out, well worth the find!
> CCIE Blog: Read the blogs... Learn the good stuff....
>
> Knowledge is power.
> Power corrupts.
> Study hard and be Eeeeviiiil......
>
> ------------------------------
> From: Muhammad Nasim [mailto:muhammad.nasim@gmail.com]
> Sent: Monday, September 08, 2008 7:30 AM
> To: Wes Stevens
> Cc: Scott Morris; ccielab@groupstudy.com
> Subject: Re: OT - Dynamic Routing on a Firewall?
>
> Shahid,
>
> The virtualization support in Juniper is far better than Cisco ASA.
> Cisco's highest model supports a maximum of 50 contexts where Juniper supports
> 500.
>
> The following Juniper firewalls support virtualization (Virtual Firewalls):
>
> 1- ISG 1000
> 2- ISG 2000
> 3- Netscreen 500 (EOS now)
> 4- Netscreen 5200
> 5- Netscreen 5400
>
> In terms of features and other things the virtual firewall of Juniper is
> better than the contexts of Cisco.
>
> But hey I should favour Cisco as I am Cisco Certified : )
>
> HTH
>
>
> 2008/9/7 Wes Stevens <wrsteve33-gsccie@yahoo.com>
>
>> The QuantumFlow processors in the new ASR are capable of doing firewall
>> functions (and a lot more) in hardware. The ASR will function as a firewall
>> with 4.5 Gbps of throughput. This chip reminds me of the early days of IBM
>> and the PowerPC chip. It was basically a mainframe on a chip. It started in
>> the PC and AS/400 lines and eventually expanded to run everything.
>>
>> This chip will probably do the same in Cisco. It will be the basis of the
>> switch processor engine from the ISR all the way up to the CSR.
>>
>>
>>
>> ----- Original Message ----
>> From: Scott Morris <smorris@internetworkexpert.com>
>> To: Shahid Ansari <shahid1357@gmail.com>; Muhammad Nasim <muhammad.nasim@gmail.com>
>> Cc: CCIEin2006 <ciscocciein2006@gmail.com>; Cisco certification <ccielab@groupstudy.com>
>> Sent: Sunday, September 7, 2008 9:01:43 AM
>> Subject: RE: OT - Dynamic Routing on a Firewall?
>>
>> Kinda hard to virtualize an ASIC-driven operation....
>>
>> AFAIK, no. Not for the Netscreen firewalls.
>>
>> Scott
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Shahid Ansari
>> Sent: Sunday, September 07, 2008 4:36 AM
>> To: Muhammad Nasim
>> Cc: CCIEin2006; Cisco certification
>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>
>> Cisco made ASA for pure firewalling, IPS and content security technologies
>> with multiple vulnerabilities. : )
>>
>> Can we do virtualization for Juniper's firewall? : ) ;)
>>
>> Thanks
>> Shahid
>>
>>
>>
>> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>>
>> > BGP is not supported on ASA until now.
>> >
>> > Juniper supports it.
>> >
>> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
>> >
>> >
>> >
>> >
>> > 2008/9/7 Shahid Ansari <shahid1357@gmail.com>
>> >
>> >
>> >> If you are receiving a default route in BGP, no problem, let the firewall
>> >> do two functionalities (routing and firewalling),
>> >> but if you are receiving the full BGP table then keep enough memory to
>> >> support routing and firewalling.
>> >>
>> >> Maybe Juniper has some higher-end products which can support both
>> >> routing and firewall in large networks.
>> >>
>> >> Thanks
>> >> Shahid
>> >>
>> >> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>> >>
>> >>> I don't think that one should avoid running a routing protocol due
>> >>> to the fear of BUGS and other things. If we think like that, trust me,
>> >>> then we will not be able to run most of the feature set of a firewall.
>> >>>
>> >>> For example ASA supports S2S, Remote Access and SSL VPNs, so should I
>> >>> avoid running two or more types of VPNs together? The answer is
>> >>> simply NO. Yes, some error or bug may occur; I will try to solve it or
>> >>> work around it, otherwise calling TAC is the last step.
>> >>>
>> >>> I don't think a firewall becomes more vulnerable by running a routing
>> >>> protocol. If we think like that then we will also be avoiding
>> >>> running VPN and CBAC (application firewall) on the routers, and then
>> >>> we will also be avoiding running CME on the routers as well.
>> >>>
>> >>>
>> >>> So no need to worry : )
>> >>>
>> >>> HTH
>> >>>
>> >>>
>> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
>> >>>
>> >>> > Thanks for the reply Muhammad.
>> >>> >
>> >>> > From a security perspective, do you think running routing protocols on a
>> >>> > firewall makes the firewall more vulnerable? If so how?
>> >>> >
>> >>> > I am thinking that extra processes running on the firewall leads to more
>> >>> > bugs and more likelihood of exploitation. What do you think?
>> >>> >
>> >>> > No one else wants to chime in here?
>> >>> >
>> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>> >>> >
>> >>> >> Ok, let's have a debate on it.
>> >>> >>
>> >>> >> It depends what exactly the design you have on your network is. For
>> >>> >> example, the standard is to have a router for ROUTING and a firewall for
>> >>> >> firewalling and IPS and other things.
>> >>> >>
>> >>> >> Now if you already have a router and a firewall in place then it is
>> >>> >> good to keep the routing on the routers, BUT if you really want to save
>> >>> >> money then just purchase a firewall which supports good routing, and
>> >>> >> again Juniper takes the edge.
>> >>> >>
>> >>> >>
>> >>> >> The Juniper SSG series has very strong support for routing; not only
>> >>> >> that, it also supports WAN, DSL and other interfaces, so in short you
>> >>> >> can buy only an SSG and do routing and firewalling. Not only that, from
>> >>> >> version 6.1.0 the Juniper firewall supports DMVPN as well, which
>> >>> >> unfortunately Cisco is lacking behind.
>> >>> >>
>> >>> >> There is no hard and fast rule for it. It really depends on your
>> >>> >> scenario.
>> >>> >>
>> >>> >> For example, if I am going to design a network for 10 branches, I
>> >>> >> will first look into the budget of my customer; if it permits I will
>> >>> >> surely go for one router and one firewall.
>> >>> >>
>> >>> >>
>> >>> >> If the budget does not permit I will go for a firewall which supports
>> >>> >> good routing as well.
>> >>> >>
>> >>> >> Hope this helps
>> >>> >>
>> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
>> >>> >>
>> >>> >>> No brave ones want to tackle this one?
>> >>> >>>
>> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@gmail.com> wrote:
>> >>> >>>
>> >>> >>> > Hiya folks,
>> >>> >>> >
>> >>> >>> > I was wondering if the group could share some pros/cons of running
>> >>> >>> > dynamic routing protocols on a firewall?
>> >>> >>> > Can anyone share their experience with this?
>> >>> >>> >
>> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke fashion
>> >>> >>> > via metro ethernet links. I am looking to add VPN as a backup (each
>> >>> >>> > branch has local internet access). The routers are currently running OSPF.
>> >>> >>> >
>> >>> >>> > I am thinking of doing it all on the ASA platform to save money, but
>> >>> >>> > something in my gut tells me to leave the routing up to routers. So I
>> >>> >>> > am thinking I might need to bite the bullet and buy some routers too.
>> >>> >>> >
>> >>> >>> > What do you think?
>> >>> >>>
>> >>> >>>
>> >>> >>> Blogs and organic groups at http://www.ccie.net
>> >>> >>>
>> >>> >>> _______________________________________________________________________
>> >>> >>> Subscription information may be found at:
>> >>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>> >>>
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> Muhammad Nasim
>> >>> >> Network Engineer
>> >>> >> Saudi Arabia
>> >>> >>
>> >>> >
>> >>> >
>> >>>
>> >>>
>> >>> --
>> >>> Muhammad Nasim
>> >>> Network Engineer
>> >>> Saudi Arabia
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >>
>> >> Shahid
>> >>
>> >
>> >
>> >
>> > --
>> > Muhammad Nasim
>> > Network Engineer
>> > Saudi Arabia
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Shahid
>>
>>
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>
--
Muhammad Nasim
Network Engineer
Saudi Arabia

Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART