Re: BGP on PIX525

From: Dale Shaw <dale.shaw_at_gmail.com>
Date: Tue, 22 Dec 2009 16:09:19 +1100

Hi,

Disclaimer: I know my way around a firewall but I'm not really a 'firewall guy'.

On Tue, Dec 22, 2009 at 1:03 PM, <Keegan.Holley_at_sungard.com> wrote:
> As a router guy who has to connect to the occasional firewall I've always
> been slightly annoyed by the assumption that firewalls should not run
> routing protocols no matter the circumstance. There are plenty of
> circumstances where it is possible and even the optimal design.

Maybe it's a hangover from the two-interface-routing-is-bad type
proxy/ALG firewalls of old (thinking Gauntlet/FWTK type systems).

Or it could be a "I trust my static routes more than I trust any
dynamic routing protocol" thing. Configuring a dynamic routing
protocol is opening up a potential attack vector, and opens up the
possibility for someone without authorised administrative access to
influence or control the behaviour of the firewall: you can't argue
with that. Horses for courses!

What intrigues me is that some people think a "router" with deep
packet inspection/stateful filtering capabilities is somehow
fundamentally different to a "firewall". *Most* "firewalls" are also
"routers".

cheers,
Dale
PS: in case it's not obvious, I'm essentially agreeing with you.
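An added example, not part of the thread and not anything the posters ran, to make the "attack vector" point concrete: the firewall's routing table is a longest-prefix-match table, so a peer that can bring a session up and announce a more specific prefix redirects traffic without any administrative access to the box. The toy model below contrasts an open session with one that requires a shared session key (standing in for TCP MD5, RFC 2385) and applies a per-neighbour prefix-list. The neighbours, key, prefixes and next-hop names are constructed sample data; the `Firewall` and `Neighbor` classes are this example's own, not any vendor API.

```python
"""Toy model of dynamic-routing exposure on a firewall (added example).

All addresses, keys and prefixes are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Neighbor:
    address: str
    key: str            # shared secret, stands in for TCP MD5 / TCP-AO
    allowed: list       # prefix-list: networks this peer may announce
    max_len: int = 24   # reject anything more specific (no /32 hijacks)

    def __post_init__(self):
        self.allowed = [ipaddress.ip_network(p) for p in self.allowed]


@dataclass
class Firewall:
    neighbors: dict = field(default_factory=dict)  # address -> Neighbor
    rib: dict = field(default_factory=dict)        # network -> next-hop
    rejected: list = field(default_factory=list)   # (src, prefix, reason)

    def add_static(self, prefix, nexthop):
        self.rib[ipaddress.ip_network(prefix)] = nexthop

    def receive_update(self, src, key, prefix, nexthop,
                       authenticate=True, filter_prefixes=True):
        """Model an UPDATE from src. Returns True if the route is installed.

        authenticate: only accept sessions from configured neighbours that
        present the right key. filter_prefixes: apply the neighbour's
        prefix-list and maximum prefix length.
        """
        net = ipaddress.ip_network(prefix)
        nb = self.neighbors.get(src)
        if authenticate and (nb is None or nb.key != key):
            self.rejected.append((src, prefix, "unauthenticated peer"))
            return False
        if filter_prefixes and nb is not None:
            if net.prefixlen > nb.max_len or \
                    not any(net.subnet_of(a) for a in nb.allowed):
                self.rejected.append((src, prefix, "prefix-list deny"))
                return False
        self.rib[net] = nexthop
        return True

    def lookup(self, dst):
        """Longest-prefix match over the installed routes."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.rib.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def scenario(hardened):
    """Build a firewall with one configured peer and replay two announcements.

    Returns the firewall so callers can inspect rib/rejected/lookup().
    """
    fw = Firewall()
    fw.neighbors["192.0.2.2"] = Neighbor("192.0.2.2", "s3cret", ["203.0.113.0/24"])
    fw.add_static("10.0.0.0/8", "inside-router")       # protected range
    # The legitimate peer announces its own block with the right key.
    fw.receive_update("192.0.2.2", "s3cret", "203.0.113.0/24", "192.0.2.2",
                      authenticate=hardened, filter_prefixes=hardened)
    # An unconfigured host on the outside segment announces a more specific
    # prefix inside the protected range. With an open session it wins LPM.
    fw.receive_update("192.0.2.99", "", "10.1.2.0/24", "192.0.2.99",
                      authenticate=hardened, filter_prefixes=hardened)
    return fw


if __name__ == "__main__":
    for hardened in (False, True):
        fw = scenario(hardened)
        print("hardened" if hardened else "open    ",
              "10.1.2.3 ->", fw.lookup("10.1.2.3"), "rejected:", fw.rejected)
```

The hardened case also keeps the authenticated peer honest: an announcement of `10.1.2.0/24` from `192.0.2.2` with the correct key is still dropped by the prefix-list, which is the part static-route advocates usually forget that a routing protocol can enforce.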

Received on Tue Dec 22 2009 - 16:09:19 ART