Re: BGP on PIX525

From: Rick Mur <rmur_at_ipexpert.com>
Date: Tue, 22 Dec 2009 08:39:35 +0100

I personally think a firewall is perfectly capable of running a routing protocol, and depending on the design I would definitely run it. Just like Dale said, people do configure a lot of deep firewalling stuff on a router, but are afraid of running router features on a firewall. The difference between the boxes is getting smaller; both a router and a firewall have dedicated features for what they do best, but are capable of doing a lot of overlapping things.

-- 
Regards,
Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Sr. Support Engineer, IPexpert, Inc.
URL: http://www.IPexpert.com
On 22 dec 2009, at 06:09, Dale Shaw wrote:
> Hi,
> 
> Disclaimer: I know my way around a firewall but I'm not really a 'firewall guy'.
> 
> On Tue, Dec 22, 2009 at 1:03 PM,  <Keegan.Holley_at_sungard.com> wrote:
>> As a router guy who has to connect to the occasional firewall I've always
>> been slightly annoyed by  the assumption that firewalls should not run
>> routing protocols no matter the circumstance.  There are plenty of
>> circumstances where it is possible and even the optimal design.
> 
> Maybe it's a hangover from the two-interface-routing-is-bad type
> proxy/ALG firewalls of old (thinking Gauntlet/FWTK type systems).
> 
> Or it could be a "I trust my static routes more than I trust any
> dynamic routing protocol" thing. Configuring a dynamic routing
> protocol is opening up a potential attack vector, and opens up the
> possibility for someone without authorised administrative access to
> influence or control the behaviour of the firewall: you can't argue
> with that. Horses for courses!
> 
> What intrigues me is that some people think a "router" with deep
> packet inspection/stateful filtering capabilities is somehow
> fundamentally different to a "firewall". *Most* "firewalls" are also
> "routers".
> 
> cheers,
> Dale
> PS: in case it's not obvious, I'm essentially agreeing with you.
> 
> 
> Blogs and organic groups at http://www.ccie.net
> 
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Dec 22 2009 - 08:39:35 ART