From: CCIEin2006 (ciscocciein2006@gmail.com)
Date: Tue Sep 09 2008 - 11:23:19 ART
Whoa, let's not get crazy here... no fancy virtual firewalls or VRFs or
anything.
I simply want the branches to have a VPN tunnel backing up their P2P circuits. I
want to run OSPF over the VPN tunnel for dynamic failover, so this may or may
not require the use of a GRE tunnel depending on what you use.
I also want to treat the tunnel as a logical interface so that if the tunnel
goes down my SNMP monitoring tool will get a link down alert, whereas a
plain IPsec tunnel will not alert (correct me if I'm wrong here).
I also want to be able to poll the tunnel interface for utilization stats,
which I don't think you can do with a plain IPsec tunnel.
Since the ASA cannot do GRE I don't think you have the option of creating a
logical interface, can you?
On Tue, Sep 9, 2008 at 10:10 AM, Joseph Brunner <joe@affirmedsystems.com> wrote:
> Actually IOS has better VPN routing over tunnels than either of those
> "firewalls that route".
>
> Can an SSG do DMVPN? How about 2547/o/dmvpn? VRF doorstep routing?
>
> LOL
>
> NICE TRY
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Muhammad Nasim
> Sent: Tuesday, September 09, 2008 10:08 AM
> To: CCIEin2006
> Cc: smorris@internetworkexpert.com; Wes Stevens; ccielab@groupstudy.com
> Subject: Re: OT - Dynamic Routing on a Firewall?
>
> Yes, I still can switch you back to Cisco ASA (I think this should be the
> primary responsibility of a consultant) : )
>
> What routing and VPN tunnels are you looking for, what exact protocol you
> will be running, and so on.
>
> You can contact me offline if you want : )
>
>
>
> 2008/9/9 CCIEin2006 <ciscocciein2006@gmail.com>
>
> > Thanks guys.
> >
> > Since these branches have fewer than 100 people it sounds like an all-in-one
> > appliance would suffice.
> >
> > Unfortunately it looks like I'll have to go with...gulp...a Juniper
> > SSG which seems to have a better grip on VPN tunnels and routing than the
> > ASA.
> >
> > Unless you guys can recommend a Cisco product?
> >
> > Thanks,
> > Nick
> >
> > On Mon, Sep 8, 2008 at 10:31 AM, Scott Morris <
> > smorris@internetworkexpert.com> wrote:
> >
> >> In CERTAIN situations (e.g. small office/small routing table) I don't
> >> see anything wrong with it. In larger deployments, I'm a firm believer in
> >> everything has its place in life. Firewalls were designed to be
> >> firewalls. Routers were designed to be routers.
> >>
> >> My best example of it is the DHCP and DNS server capabilities within IOS.
> >>
> >> A Cisco router CAN be damn-near everything to your network, but the
> >> question is SHOULD it? :) Small, not-too-many-request deployments, sure,
> >> you can get away with it. Don't get used to it though because you'll start
> >> having processing problems in heavier deployments. It's the same kind of
> >> logic though where people deploy a single server to be their Win2k AD
> >> controller/PDC plus the SQL server plus the Exchange server, and wonder why
> >> things suck.
> >>
> >> Just my two cents. Even after caffeine. :)
> >>
> >> Scott
> >>
> >> ------------------------------
> >> *From:* CCIEin2006 [mailto:ciscocciein2006@gmail.com]
> >> *Sent:* Monday, September 08, 2008 9:23 AM
> >> *To:* Scott Morris
> >> *Cc:* Muhammad Nasim; Wes Stevens; ccielab@groupstudy.com
> >>
> >> *Subject:* Re: OT - Dynamic Routing on a Firewall?
> >>
> >> Hi Scott,
> >>
> >> So what are your thoughts regarding doing the routing on your firewall? Is
> >> it a bad idea?
> >>
> >> Thanks
> >>
> >> On Mon, Sep 8, 2008 at 8:30 AM, Scott Morris <
> >> smorris@internetworkexpert.com> wrote:
> >>
> >>> Ohhh... Now the lightbulb is going on. After having read a series of e-mails
> >>> about PEMU and Dynamips, I thought the original post was about running
> >>> Netscreen/Juniper firewalls in a virtual environment (e.g. not real
> >>> equipment).
> >>>
> >>> Duh... I'm off to seek more caffeine now. :)
> >>>
> >>>
> >>> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
> >>> CCSI/JNCI-M/JNCI-ER
> >>> Senior CCIE Instructor
> >>>
> >>> smorris@internetworkexpert.com
> >>>
> >>>
> >>>
> >>> Internetwork Expert, Inc.
> >>> http://www.InternetworkExpert.com
> >>> Toll Free: 877-224-8987
> >>> Outside US: 775-826-4344
> >>> Online Community: Seek it out, well worth the find!
> >>> CCIE Blog: Read the blogs... Learn the good stuff....
> >>>
> >>> Knowledge is power.
> >>> Power corrupts.
> >>> Study hard and be Eeeeviiiil......
> >>>
> >>> _____
> >>>
> >>> From: Muhammad Nasim [mailto:muhammad.nasim@gmail.com]
> >>> Sent: Monday, September 08, 2008 7:30 AM
> >>> To: Wes Stevens
> >>> Cc: Scott Morris; ccielab@groupstudy.com
> >>> Subject: Re: OT - Dynamic Routing on a Firewall?
> >>>
> >>>
> >>> Shahid,
> >>>
> >>> The virtualization support in Juniper is far better than Cisco ASA.
> >>> Cisco's highest model supports a maximum of 50 contexts where Juniper
> >>> supports 500.
> >>>
> >>> The following Juniper firewalls support virtualization (Virtual Firewalls):
> >>>
> >>> 1- ISG 1000
> >>> 2- ISG 2000
> >>> 3- Netscreen 500 (EOS now)
> >>> 4- Netscreen 5200
> >>> 5- Netscreen 5400
> >>>
> >>> In terms of features and other things the virtual firewall of Juniper is
> >>> better than the contexts of Cisco.
> >>>
> >>> But hey, I should favour Cisco as I am Cisco Certified : )
> >>>
> >>> HTH
> >>>
> >>>
> >>>
> >>> 2008/9/7 Wes Stevens <wrsteve33-gsccie@yahoo.com>
> >>>
> >>>
> >>> The QuantumFlow processors in the new ASR are capable of doing firewall
> >>> functions (and a lot more) in hardware. The ASR will function as a firewall
> >>> with 4.5 Gbps of throughput. This chip reminds me of the early days of IBM
> >>> and the PowerPC chip. It was basically a mainframe on a chip. It started in
> >>> the PC and AS/400 lines and eventually expanded to run everything.
> >>>
> >>> This chip will probably do the same in Cisco. It will be the basis of the
> >>> switch processor engine from the ISR all the way up to the CSR.
> >>>
> >>>
> >>>
> >>>
> >>> ----- Original Message ----
> >>> From: Scott Morris <smorris@internetworkexpert.com>
> >>> To: Shahid Ansari <shahid1357@gmail.com>; Muhammad Nasim
> >>> <muhammad.nasim@gmail.com>
> >>> Cc: CCIEin2006 <ciscocciein2006@gmail.com>; Cisco certification
> >>> <ccielab@groupstudy.com>
> >>> Sent: Sunday, September 7, 2008 9:01:43 AM
> >>> Subject: RE: OT - Dynamic Routing on a Firewall?
> >>>
> >>> Kinda hard to virtualize an ASIC-driven operation....
> >>>
> >>> AFAIK, no. Not for the Netscreen firewalls.
> >>>
> >>> Scott
> >>>
> >>> -----Original Message-----
> >>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >>> Shahid Ansari
> >>> Sent: Sunday, September 07, 2008 4:36 AM
> >>> To: Muhammad Nasim
> >>> Cc: CCIEin2006; Cisco certification
> >>> Subject: Re: OT - Dynamic Routing on a Firewall?
> >>>
> >>> Cisco made ASA for pure firewalling, IPS and content security technologies
> >>> with Multiple vulnerabilities. : )
> >>>
> >>> Can we do virtualization for Juniper's firewall? : ) ;)
> >>>
> >>> Thanks
> >>> Shahid
> >>>
> >>>
> >>>
> >>> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim
> >>> <muhammad.nasim@gmail.com> wrote:
> >>>
> >>> > BGP is not supported on ASA until now.
> >>> >
> >>> > Juniper supports it.
> >>> >
> >>> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > 2008/9/7 Shahid Ansari <shahid1357@gmail.com>
> >>> >
> >>> >
> >>> >> If you are receiving a default route in BGP, no problem, let the firewall
> >>> >> do both functions (routing and firewalling),
> >>> >> but if you are receiving the full BGP table then keep enough memory to
> >>> >> support routing and firewalling.
> >>> >>
> >>> >> Maybe Juniper has some higher-end products which can support both
> >>> >> routing and firewall in large networks.
> >>> >>
> >>> >> Thanks
> >>> >> Shahid
> >>> >>
> >>> >> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <
> >>> >> muhammad.nasim@gmail.com> wrote:
> >>> >>
> >>> >>> I don't think that one should avoid running a routing protocol due
> >>> >>> to the fear of BUGS and other things. If we think like that, trust me,
> >>> >>> then we will not be able to run most of the feature set of the firewall.
> >>> >>>
> >>> >>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I
> >>> >>> avoid running two or more types of VPN together? The answer is
> >>> >>> simply NO. Yes, if some error or bug occurs I will try to solve it or
> >>> >>> work around it; otherwise calling TAC is the last step.
> >>> >>>
> >>> >>> I don't think a firewall becomes more vulnerable by running a routing
> >>> >>> protocol. If we think like that then we will also be avoiding
> >>> >>> running VPN and CBAC (application firewall) on the routers, and
> >>> >>> then we will also be avoiding running CME on the routers as well.
> >>> >>>
> >>> >>>
> >>> >>> So no need to worry : )
> >>> >>>
> >>> >>> HTH
> >>> >>>
> >>> >>>
> >>> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
> >>> >>>
> >>> >>> > Thanks for the reply Muhammad.
> >>> >>> >
> >>> >>> > From a security perspective, do you think running routing protocols on a
> >>> >>> > firewall makes the firewall more vulnerable? If so, how?
> >>> >>> >
> >>> >>> > I am thinking that extra processes running on the firewall lead to more
> >>> >>> > bugs and more likelihood of exploitation. What do you think?
> >>> >>> >
> >>> >>> > No one else wants to chime in here?
> >>> >>> >
> >>> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <
> >>> >>> muhammad.nasim@gmail.com>wrote:
> >>> >>> >
> >>> >>> >> Ok lets have a debate on it.
> >>> >>> >>
> >>> >>> >> It depends what exactly the design you have on your network is. For
> >>> >>> >> example, the standard is to have a router for ROUTING and a firewall for
> >>> >>> >> firewalling and IPS and other things.
> >>> >>> >>
> >>> >>> >> Now if you already have a router and firewall in place then it is good to
> >>> >>> >> keep the routing on the routers, BUT if you really want to save money then
> >>> >>> >> just purchase a firewall which supports good routing, and again Juniper
> >>> >>> >> takes the edge.
> >>> >>> >>
> >>> >>> >>
> >>> >>> >> The Juniper SSG series has very strong support for routing; not only that,
> >>> >>> >> it also supports WAN, DSL and other interfaces, so in short you can buy only
> >>> >>> >> an SSG and do routing and firewalling. Not only that, from version 6.1.0 the
> >>> >>> >> Juniper firewall supports DMVPN as well, which unfortunately Cisco is
> >>> >>> >> lagging behind on.
> >>> >>> >>
> >>> >>> >> There is no hard and fast rule for it. It really depends on your scenario.
> >>> >>> >>
> >>> >>> >> For example, if I am going to design a network for 10 branches, now I
> >>> >>> >> will first look into the budget of my customer; if it permits I will
> >>> >>> >> surely go for one router and one firewall.
> >>> >>> >>
> >>> >>> >>
> >>> >>> >> If the budget does not permit, I will go for a firewall which supports
> >>> >>> >> good routing as well.
> >>> >>> >>
> >>> >>> >> Hope this helps
> >>> >>> >>
> >>> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
> >>> >>> >>
> >>> >>> >>> No brave ones want to tackle this one?
> >>> >>> >>>
> >>> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@gmail.com>
> >>> >>> >>> wrote:
> >>> >>> >>>
> >>> >>> >>> > Hiya folks,
> >>> >>> >>> >
> >>> >>> >>> > I was wondering if the group could share some pros/cons of running
> >>> >>> >>> > dynamic routing protocols on a firewall?
> >>> >>> >>> > Can anyone share their experience with this?
> >>> >>> >>> >
> >>> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke fashion
> >>> >>> >>> > via metro ethernet links. I am looking to add VPN as a backup (each
> >>> >>> >>> > branch has local internet access). The routers are currently running
> >>> >>> >>> > OSPF.
> >>> >>> >>> >
> >>> >>> >>> > I am thinking of doing it all on the ASA platform to save money, but
> >>> >>> >>> > something in my gut tells me to leave the routing up to routers. So I
> >>> >>> >>> > am thinking I might need to bite the bullet and buy some routers too.
> >>> >>> >>> >
> >>> >>> >>> > What do you think?
> >>> >>> >>>
> >>> >>> >>>
> >>> >>> >>> Blogs and organic groups at http://www.ccie.net
> >>> >>> >>>
> >>> >>> >>>
> >>> >>> >>> _______________________________________________________________________
> >>> >>> >>> Subscription information may be found at:
> >>> >>> >>> http://www.groupstudy.com/list/CCIELab.html
> >>> >>> >>
> >>> >>> >>
> >>> >>> >> --
> >>> >>> >> Muhammad Nasim
> >>> >>> >> Network Engineer
> >>> >>> >> Saudi Arabia
> >>> >>> >>
> >>> >>> >
> >>> >>> >
> >>> >>>
> >>> >>>
> >>> >>> --
> >>> >>> Muhammad Nasim
> >>> >>> Network Engineer
> >>> >>> Saudi Arabia
> >>> >>>
> >>> >>>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Regards,
> >>> >>
> >>> >> Shahid
> >>> >>
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Muhammad Nasim
> >>> > Network Engineer
> >>> > Saudi Arabia
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>>
> >>> Shahid
> >>>
> >>>
> >>> --
> >>> Muhammad Nasim
> >>> Network Engineer
> >>> Saudi Arabia
> >>>
> >>>
> >>
> >
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>
>
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART
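The GRE-over-IPsec backup design the top message asks for, as an added configuration example that is not from the thread or from any of its posters: a hypothetical Cisco IOS branch router builds a GRE tunnel to HQ, protects it with an IPsec profile, runs OSPF across it at a high cost so the tunnel carries traffic only when the metro ethernet path fails, authenticates the OSPF adjacency, and sends linkDown/linkUp traps for the tunnel interface. All addresses, interface names, keys, community strings and the trap receiver are placeholders. The practitioner caveat is the `keepalive` line: without it a GRE tunnel interface stays up/up even when the far end is unreachable, so the SNMP link-down alert the message wants would never fire and OSPF would notice only through its own dead timer.

```cisco
! Hypothetical branch router (added example, not from the thread).
! All addresses, names and secrets below are placeholders.

! IKE phase 1 and IPsec phase 2 for the tunnel to HQ.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile VPN-BACKUP
 set transform-set TS-AES
!
! The GRE tunnel is the logical interface SNMP can watch and poll.
interface Tunnel0
 description Backup to HQ over Internet (GRE over IPsec)
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Keepalives make the interface go down when HQ is unreachable,
 ! which is what produces the linkDown trap.
 keepalive 10 3
 ! High cost: OSPF prefers the metro ethernet path while it is up.
 ip ospf cost 1000
 ! Authenticate the adjacency so only HQ can form a neighbourship.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel protection ipsec profile VPN-BACKUP
!
! OSPF runs over the tunnel subnet and the branch LAN.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Read-only community for polling Tunnel0 counters (IF-MIB),
! plus link up/down traps to the monitoring host.
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.168.10.50 version 2c <RO-COMMUNITY-PLACEHOLDER>
```

With this in place `show interfaces Tunnel0` reports the tunnel's own byte and packet counters, which is what a poller reads from IF-MIB, and the interface transitions to down/down after three missed keepalives, so the monitoring tool sees the same linkDown trap it would for a physical circuit. A crypto-map style IPsec tunnel without GRE has no such interface, which is the distinction the top message draws.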