RE: OT - Dynamic Routing on a Firewall?

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Tue Sep 09 2008 - 13:58:47 ART


Well if the customer even mentions Juniper, my first rebuttal to them would
be-

 

"Why would you want to purchase hardware that you'll have to spend $450 an
hour for Scott Morris to come support"

 

 

-Joe

Sith lord #19366

 

  _____

From: Scott Morris [mailto:smorris@internetworkexpert.com]
Sent: Tuesday, September 09, 2008 12:18 PM
To: 'CCIEin2006'; 'Muhammad Nasim'
Cc: 'Joseph Brunner'; 'Wes Stevens'; ccielab@groupstudy.com
Subject: RE: OT - Dynamic Routing on a Firewall?

 

Now where would the fun be if the customer gave ALL of the requirements up
front! :)

 

Yup, absolutely, you need to know the rebuttals, and change tack on the fly!

 

  _____

From: CCIEin2006 [mailto:ciscocciein2006@gmail.com]
Sent: Tuesday, September 09, 2008 10:30 AM
To: Muhammad Nasim
Cc: Joseph Brunner; smorris@internetworkexpert.com; Wes Stevens;
ccielab@groupstudy.com
Subject: Re: OT - Dynamic Routing on a Firewall?

Absolutely! These are the types of roadblocks your customers will throw at
you when you walk in there as a consultant, so it's good to discuss in this
forum and then you have the ammo to WOW your customer with all your
rebuttals!

 

On Tue, Sep 9, 2008 at 10:27 AM, Muhammad Nasim <muhammad.nasim@gmail.com>
wrote:

No friend, you cannot create GRE or any logical interface on ASA.

So for sure now ASA will not fulfill your requirements.

Hey, we are not getting crazy, we are learning here. I love to be involved in
REAL-time scenario discussions; this is really helping me move towards being a
good network engineer : )

2008/9/9 CCIEin2006 <ciscocciein2006@gmail.com>

Whoa, let's not get crazy here...no fancy virtual firewalls or VRFs or
anything.

 

I simply want the branches to have a VPN tunnel to back up their P2P circuits.
I want to run OSPF over the VPN tunnel for dynamic failover, so this may or may
not require the use of a GRE tunnel depending on what you use.

 

I also want to treat the tunnel as a logical interface so that if the tunnel
goes down my SNMP monitoring tool will get a link down alert whereas a plain
IPSEC tunnel will not alert (correct me if I'm wrong here).

 

I also want to be able to poll the tunnel interface for utilization stats,
which I don't think you can do with a plain IPSEC tunnel.

 

Since the ASA cannot do GRE I don't think you have the option of creating a
logical interface can you?
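The monitoring side of the design described above, as an added example that is not code from this thread or from any of its authors: because a GRE tunnel is a real logical interface, it gets a row in IF-MIB (RFC 2863) with ifOperStatus, ifInOctets and ifOutOctets, so a poller can raise a link-down alert and compute utilization from it, which a bare IPsec SA does not expose as an interface. The SNMP samples below are constructed by hand (no device is polled), and the interface name, the 60 s polling interval and the counter values are assumptions. It also handles the Counter32 wrap that a naive octet subtraction gets wrong.

```python
"""Monitor a GRE tunnel interface the way an SNMP poller would.

Added example, not code from the thread. A GRE tunnel is a logical interface,
so IF-MIB (RFC 2863) exposes ifOperStatus, ifInOctets and ifOutOctets for it;
a poller can therefore alert on link-down and compute utilization. The
samples below are constructed by hand (no device is polled) and the 60 s
polling interval and interface name are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER32_WRAP = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit counters
IF_OPER_UP = 1            # IF-MIB ifOperStatus: up(1), down(2), ...
IF_OPER_DOWN = 2


@dataclass(frozen=True)
class IfSample:
    """One poll of a single interface row from IF-MIB."""
    ts: float         # poll time, seconds
    oper_status: int  # ifOperStatus
    in_octets: int    # ifInOctets (Counter32)
    out_octets: int   # ifOutOctets (Counter32)


def counter_delta(old: int, new: int) -> int:
    """Octets moved between two Counter32 readings, tolerating one wrap."""
    if new >= old:
        return new - old
    return new + COUNTER32_WRAP - old


def utilization_bps(prev: IfSample, curr: IfSample) -> Tuple[float, float]:
    """Average (in_bps, out_bps) over the interval between two polls."""
    secs = curr.ts - prev.ts
    if secs <= 0:
        raise ValueError("samples must be in increasing time order")
    in_bps = counter_delta(prev.in_octets, curr.in_octets) * 8 / secs
    out_bps = counter_delta(prev.out_octets, curr.out_octets) * 8 / secs
    return in_bps, out_bps


def link_events(samples: List[IfSample]) -> List[Tuple[float, str]]:
    """LINK_DOWN / LINK_UP events from ifOperStatus transitions between polls."""
    events = []
    for prev, curr in zip(samples, samples[1:]):
        was_up = prev.oper_status == IF_OPER_UP
        is_up = curr.oper_status == IF_OPER_UP
        if was_up and not is_up:
            events.append((curr.ts, "LINK_DOWN"))
        elif not was_up and is_up:
            events.append((curr.ts, "LINK_UP"))
    return events


# Constructed polls of Tunnel0 at a 60 s interval: the inbound counter wraps
# between the first two polls, the tunnel drops at t=120 and returns at t=180.
TUNNEL0_SAMPLES = [
    IfSample(0, IF_OPER_UP, 4294960000, 1000),
    IfSample(60, IF_OPER_UP, 2704, 61000),
    IfSample(120, IF_OPER_DOWN, 2704, 61000),
    IfSample(180, IF_OPER_UP, 3704, 62000),
]


def report(samples: List[IfSample]) -> List[str]:
    """Human-readable lines: one utilization line per interval plus events."""
    lines = []
    for prev, curr in zip(samples, samples[1:]):
        in_bps, out_bps = utilization_bps(prev, curr)
        lines.append(f"t={curr.ts:>4}: in={in_bps:.1f} bps out={out_bps:.1f} bps")
    for ts, event in link_events(samples):
        lines.append(f"t={ts:>4}: {event} on Tunnel0")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TUNNEL0_SAMPLES)))
```

Running the block stand-alone prints three utilization lines (the first one correctly reads 10000 octets across the counter wrap) followed by a LINK_DOWN at t=120 and a LINK_UP at t=180. The same transitions are what a monitoring tool would turn into alerts when a GRE tunnel interface flaps; a crypto-map IPsec SA has no ifOperStatus row to watch.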

On Tue, Sep 9, 2008 at 10:10 AM, Joseph Brunner <joe@affirmedsystems.com>
wrote:

Actually IOS has better VPN routing over tunnels than either of those
"firewalls that route".

Can an SSG do DMVPN? How about 2547/o/dmvpn? VRF doorstep routing?

LOL

NICE TRY

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Nasim
Sent: Tuesday, September 09, 2008 10:08 AM
To: CCIEin2006
Cc: smorris@internetworkexpert.com; Wes Stevens; ccielab@groupstudy.com
Subject: Re: OT - Dynamic Routing on a Firewall?

Yes, I still can switch you back to Cisco ASA (I think this should be the
primary responsibility of a Consultant) : )

What routing and VPN tunnels are you looking for, what exact protocol will
you be running, and so on?

You can contact me offline if you want : )

2008/9/9 CCIEin2006 <ciscocciein2006@gmail.com>

> Thanks guys.
>
> Since these branches have less than 100 people it sounds like an all-in-one
> appliance would suffice.
>
> Unfortunately it looks like I'll have to go with...gulp...a Juniper
> SSG which seems to have a better grip on VPN tunnels and routing than the
> ASA.
>
> Unless you guys can recommend a Cisco product?
>
> Thanks,
> Nick
>
> On Mon, Sep 8, 2008 at 10:31 AM, Scott Morris <
> smorris@internetworkexpert.com> wrote:
>
>> In CERTAIN situations (e.g. small office/small routing table) I don't
>> see anything wrong with it. In larger deployments, I'm a firm believer in
>> everything has its place in life. Firewalls were designed to be
>> firewalls. Routers were designed to be routers.
>>
>> My best example of it is the DHCP and DNS server capabilities within IOS.
>>
>> A Cisco router CAN be damn-near everything to your network, but the
>> question is SHOULD it? :) Small, not-too-many request deployments, sure,
>> you can get away with it. Don't get used to it though because you'll start
>> having processing problems in heavier deployments. It's the same kind of
>> logic though where people deploy a single server to be their Win2k AD
>> controller/PDC plus the SQL server plus the Exchange server, and wonder why
>> things suck.
>>
>> Just my two cents. Even after caffeine. :)
>>
>> Scott
>>
>> ------------------------------
>> *From:* CCIEin2006 [mailto:ciscocciein2006@gmail.com]
>> *Sent:* Monday, September 08, 2008 9:23 AM
>> *To:* Scott Morris
>> *Cc:* Muhammad Nasim; Wes Stevens; ccielab@groupstudy.com
>>
>> *Subject:* Re: OT - Dynamic Routing on a Firewall?
>>
>> Hi Scott,
>>
>> So what are your thoughts regarding doing the routing on your firewall? Is
>> it a bad idea?
>>
>> Thanks
>>
>> On Mon, Sep 8, 2008 at 8:30 AM, Scott Morris <
>> smorris@internetworkexpert.com> wrote:
>>
>>> Ohhh... Now the lightbulb is going on. After having read a series of
>>> e-mails about PEMU and Dynamips, I thought the original post was about
>>> running Netscreen/Juniper firewalls in a virtual environment (e.g. not
>>> real equipment).
>>>
>>> Duh... I'm off to seek more caffeine now. :)
>>>
>>>
>>> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
>>> CCSI/JNCI-M/JNCI-ER
>>> Senior CCIE Instructor
>>>
>>> smorris@internetworkexpert.com
>>>
>>>
>>>
>>> Internetwork Expert, Inc.
>>> http://www.InternetworkExpert.com
>>> Toll Free: 877-224-8987
>>> Outside US: 775-826-4344
>>> Online Community: Seek it out, well worth the find!
>>> CCIE Blog: Read the blogs... Learn the good stuff....
>>>
>>> Knowledge is power.
>>> Power corrupts.
>>> Study hard and be Eeeeviiiil......
>>>
>>> _____
>>>
>>> From: Muhammad Nasim [mailto:muhammad.nasim@gmail.com]
>>> Sent: Monday, September 08, 2008 7:30 AM
>>> To: Wes Stevens
>>> Cc: Scott Morris; ccielab@groupstudy.com
>>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>>
>>>
>>> Shahid,
>>>
>>> The virtualization support in Juniper is far better than Cisco ASA.
>>> Cisco's highest model supports a maximum of 50 contexts where Juniper
>>> supports 500.
>>>
>>> The following Juniper firewalls support virtualization (Virtual Firewalls):
>>>
>>> 1- ISG 1000
>>> 2- ISG 2000
>>> 3- Netscreen 500 (EOS now)
>>> 4- Netscreen 5200
>>> 5- Netscreen 5400
>>>
>>> In terms of features and other things the virtual firewall of Juniper is
>>> better than the Contexts of Cisco.
>>>
>>> But hey I should favour Cisco as I am Cisco Certified : )
>>>
>>> HTH
>>>
>>>
>>>
>>> 2008/9/7 Wes Stevens <wrsteve33-gsccie@yahoo.com>
>>>
>>>
>>> The QuantumFlow processors in the new ASR are capable of doing firewall
>>> functions (and a lot more) in hardware. The ASR will function as a
>>> firewall with 4.5 Gbps of throughput. This chip reminds me of the early
>>> days of IBM and the PowerPC chip. It was basically a mainframe on a chip.
>>> It started in the PC and AS400 lines and eventually expanded to run
>>> everything.
>>>
>>> This chip will probably do the same in Cisco. It will be the basis of the
>>> switch processor engine from the ISR all the way up to the CSR.
>>>
>>>
>>>
>>>
>>> ----- Original Message ----
>>> From: Scott Morris <smorris@internetworkexpert.com>
>>> To: Shahid Ansari <shahid1357@gmail.com>; Muhammad Nasim
>>> <muhammad.nasim@gmail.com>
>>> Cc: CCIEin2006 <ciscocciein2006@gmail.com>; Cisco certification
>>> <ccielab@groupstudy.com>
>>> Sent: Sunday, September 7, 2008 9:01:43 AM
>>> Subject: RE: OT - Dynamic Routing on a Firewall?
>>>
>>> Kinda hard to virtualize an ASIC-driven operation....
>>>
>>> AFAIK, no. Not for the Netscreen firewalls.
>>>
>>> Scott
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Shahid Ansari
>>> Sent: Sunday, September 07, 2008 4:36 AM
>>> To: Muhammad Nasim
>>> Cc: CCIEin2006; Cisco certification
>>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>>
>>> Cisco made ASA for pure firewalling, IPS and content security
>>> technologies with multiple vulnerabilities. : )
>>>
>>> Can we do virtualization for Juniper's firewall? : ) ;)
>>>
>>> Thanks
>>> Shahid
>>>
>>>
>>>
>>> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim
>>> <muhammad.nasim@gmail.com> wrote:
>>>
>>> > BGP is not supported on ASA until now.
>>> >
>>> > Juniper supports it.
>>> >
>>> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
>>> >
>>> >
>>> >
>>> >
>>> > 2008/9/7 Shahid Ansari <shahid1357@gmail.com>
>>> >
>>> >
>>> >> If you are receiving a default route in BGP, no problem, let the
>>> >> firewall do two functions (routing and firewalling), but if you are
>>> >> receiving a full BGP table then keep enough memory to support routing
>>> >> and firewalling.
>>> >>
>>> >> Maybe Juniper has some higher-end products which can support both
>>> >> routing and firewalling in large networks.
>>> >>
>>> >> Thanks
>>> >> Shahid
>>> >>
>>> >> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <
>>> >> muhammad.nasim@gmail.com> wrote:
>>> >>
>>> >>> I don't think that one should avoid running a routing protocol due
>>> >>> to the fear of BUGS and other things. If we think like that, trust me,
>>> >>> then we will not be able to run most of the feature set of the firewall.
>>> >>>
>>> >>> For example ASA supports S2S, Remote Access and SSL VPNs, so should I
>>> >>> avoid running two or more types of VPN together? The answer is
>>> >>> simply NO. Yes, if some error or bug occurs I will try to solve it or
>>> >>> work around it; otherwise calling TAC is the last step.
>>> >>>
>>> >>> I don't think the firewall becomes more vulnerable by running a routing
>>> >>> protocol. If we think like that then we will also be avoiding
>>> >>> running VPN and CBAC (application firewall) on the routers, and then
>>> >>> we will also be avoiding running CME on the routers as well.
>>> >>>
>>> >>>
>>> >>> So no need to worry : )
>>> >>>
>>> >>> HTH
>>> >>>
>>> >>>
>>> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
>>> >>>
>>> >>> > Thanks for the reply Muhammad.
>>> >>> >
>>> >>> > From a security perspective, do you think running routing
>>> >>> > protocols on a firewall makes the firewall more vulnerable? If so how?
>>> >>> >
>>> >>> > I am thinking that extra processes running on the firewall leads
>>> >>> > to more bugs and more likelihood of exploitation. What do you think?
>>> >>> >
>>> >>> > No one else wants to chime in here?
>>> >>> >
>>> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim
>>> >>> > <muhammad.nasim@gmail.com> wrote:
>>> >>> >
>>> >>> >> Ok lets have a debate on it.
>>> >>> >>
>>> >>> >> It depends on what exactly the design is on your network. For
>>> >>> >> example, the standard is to have a router for ROUTING and a firewall
>>> >>> >> for firewalling and IPS and other things.
>>> >>> >>
>>> >>> >> Now if you already have a router and firewall in place then it is
>>> >>> >> good to keep the routing on the routers, BUT if you really want to
>>> >>> >> save money then just purchase a firewall which supports good routing,
>>> >>> >> and again Juniper takes the edge.
>>> >>> >>
>>> >>> >>
>>> >>> >> The Juniper SSG series has very strong support for routing; not only
>>> >>> >> that, it also supports WAN, DSL and other interfaces, so in short you
>>> >>> >> can buy only an SSG and do routing and firewalling. Not only that,
>>> >>> >> from version 6.1.0 the Juniper firewall supports DMVPN as well, where
>>> >>> >> unfortunately Cisco is lagging behind.
>>> >>> >>
>>> >>> >> There is no hard and fast rule for it. It really depends on your
>>> >>> >> scenario.
>>> >>> >>
>>> >>> >> For example if I am going to design a network for 10 branches, I
>>> >>> >> will first look into the budget of my customer; if it permits I will
>>> >>> >> surely go for one router and one firewall.
>>> >>> >>
>>> >>> >>
>>> >>> >> If the budget does not permit, I will go for a firewall which
>>> >>> >> supports good routing as well.
>>> >>> >>
>>> >>> >> Hope this helps
>>> >>> >>
>>> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
>>> >>> >>
>>> >>> >>> No brave ones want to tackle this one?
>>> >>> >>>
>>> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006
>>> >>> >>> <ciscocciein2006@gmail.com> wrote:
>>> >>> >>>
>>> >>> >>> > Hiya folks,
>>> >>> >>> >
>>> >>> >>> > I was wondering if the group could share some pros/cons of
>>> >>> >>> > running dynamic routing protocols on a firewall?
>>> >>> >>> > Can anyone share their experience with this?
>>> >>> >>> >
>>> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke
>>> >>> >>> > fashion via metro ethernet links. I am looking to add VPN as a
>>> >>> >>> > backup (each branch has local internet access). The routers are
>>> >>> >>> > currently running OSPF.
>>> >>> >>> >
>>> >>> >>> > I am thinking of doing it all on the ASA platform to save money,
>>> >>> >>> > but something in my gut tells me to leave the routing up to
>>> >>> >>> > routers. So I am thinking I might need to bite the bullet and buy
>>> >>> >>> > some routers too.
>>> >>> >>> >
>>> >>> >>> > What do you think?
>>> >>> >>>
>>> >>> >>>
>>> >>> >>> Blogs and organic groups at http://www.ccie.net
>>> >>> >>>
>>> >>> >>> _______________________________________________________________________
>>> >>> >>> Subscription information may be found at:
>>> >>> >>> http://www.groupstudy.com/list/CCIELab.html
>>> >>> >>>
>>> >>> >>
>>> >>> >>
>>> >>> >> --
>>> >>> >> Muhammad Nasim
>>> >>> >> Network Engineer
>>> >>> >> Saudi Arabia
>>> >>> >>
>>> >>> >
>>> >>> >
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Muhammad Nasim
>>> >>> Network Engineer
>>> >>> Saudi Arabia
>>> >>>
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> Regards,
>>> >>
>>> >> Shahid
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Muhammad Nasim
>>> > Network Engineer
>>> > Saudi Arabia
>>> >
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Shahid
>>>
>>>
>>> --
>>> Muhammad Nasim
>>> Network Engineer
>>> Saudi Arabia
>>>
>>>
>>
>

--
Muhammad Nasim
Network Engineer
Saudi Arabia




This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART