Re: BGP on PIX525

From: Paul Cosgrove <paul.cosgrove.groupstudy_at_gmail.com>
Date: Tue, 22 Dec 2009 12:59:00 +0000

The filtering applied by some Firewalls could be circumvented by influencing
routing advertisements, and the routing protocol implementations used in
products which have a different primary focus were also not always trusted to
be robust. Similarly the people with responsibility for the device may not
have sufficient skills to comfortably configure and support both functions.
Also people used to deploy firewalls only at the outer edge of their
networks, and when transit links were more expensive link diversity was not
always available, so simple solutions were often all that was required.

Things have changed of course, and it is now common for companies to have
greater link diversity, and to deploy firewalls in other areas of the
network (perhaps for compliance reasons). That increased the need for
routing protocols. Various firewall/router company mergers, as well as
increasing experience across both areas (both on the part of users and
vendors), have increased the confidence people have in deploying routing and
filtering on the same devices.

There are still hardware differences, and the scale or complexity of your
requirements for one feature may cause you to lean one way or the other.

Only used Gauntlet a little (and forget if it had 2 or three NICs) but
remember it was built on a unix based OS (perhaps BSD). Ignoring the basic
GUI, it never struck me as particularly bad for its time. Did find some
interesting configs though; e.g. email the admin account if an email
cannot be delivered - which didn't work very well in a site where the
administrator had changed their email address (recursion causing the emails
to queue, disk to fill, and fw to crash once a day). Was an example where a
device with multiple functions was managed by people who did not have the
training or experience required to successfully look after them.

Paul.

On Tue, Dec 22, 2009 at 5:09 AM, Dale Shaw <dale.shaw_at_gmail.com> wrote:

> Hi,
>
> Disclaimer: I know my way around a firewall but I'm not really a 'firewall
> guy'.
>
> On Tue, Dec 22, 2009 at 1:03 PM, <Keegan.Holley_at_sungard.com> wrote:
> > As a router guy who has to connect to the occasional firewall I've always
> > been slightly annoyed by the assumption that firewalls should not run
> > routing protocols no matter the circumstance. There are plenty of
> > circumstances where it is possible and even the optimal design.
>
> Maybe it's a hangover from the two-interface-routing-is-bad type
> proxy/ALG firewalls of old (thinking Gauntlet/FWTK type systems).
>
> Or it could be a "I trust my static routes more than I trust any
> dynamic routing protocol" thing. Configuring a dynamic routing
> protocol is opening up a potential attack vector, and opens up the
> possibility for someone without authorised administrative access to
> influence or control the behaviour of the firewall: you can't argue
> with that. Horses for courses!
>
> What intrigues me is that some people think a "router" with deep
> packet inspection/stateful filtering capabilities is somehow
> fundamentally different to a "firewall". *Most* "firewalls" are also
> "routers".
>
> cheers,
> Dale
> PS: in case it's not obvious, I'm essentially agreeing with you.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
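The concern both messages raise, a peer influencing the routes a firewall acts on, is normally answered with a strict inbound prefix policy on the firewall's BGP session. As an added illustration (not code from this thread; the prefixes, policy values and helper names are constructed), a Python model of such a policy applied to a set of sample advertisements:

```python
import ipaddress

# Constructed sample: routes a firewall running BGP might hear from an
# external peer. A peer that can get the firewall to accept a route for
# space it protects could pull traffic around the intended filtering.
PEER_ADVERTISEMENTS = [
    "203.0.113.0/24",    # legitimate, inside the expected range
    "198.51.100.0/24",   # legitimate
    "10.10.0.0/16",      # RFC 1918 space: never accept from an external peer
    "192.0.2.0/26",      # more-specific than policy allows
    "203.0.113.128/25",  # more-specific of an otherwise accepted block
    "0.0.0.0/0",         # default route: only if explicitly permitted
]

# Constructed policy: what this peer is expected to announce.
POLICY = {
    "allowed_ranges": [ipaddress.ip_network(p) for p in
                       ("203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24")],
    "max_prefix_length": 24,
    "protected": [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "accept_default": False,
    "max_prefixes": 100,
}

def evaluate_advertisement(prefix, policy):
    """Return ("accept"|"reject", reason) for one received prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return ("accept" if policy["accept_default"] else "reject", "default route")
    # Reject anything inside, or covering, the address space the firewall protects.
    for p in policy["protected"]:
        if net.subnet_of(p) or p.subnet_of(net):
            return ("reject", f"overlaps protected {p}")
    if net.prefixlen > policy["max_prefix_length"]:
        return ("reject", f"longer than /{policy['max_prefix_length']}")
    if not any(net.subnet_of(a) for a in policy["allowed_ranges"]):
        return ("reject", "outside allowed ranges")
    return ("accept", "matches policy")

def filter_session(advertisements, policy):
    """Apply the policy to a whole update; flag the session if the peer floods routes."""
    accepted, rejected = [], []
    for prefix in advertisements:
        verdict, reason = evaluate_advertisement(prefix, policy)
        (accepted if verdict == "accept" else rejected).append(
            prefix if verdict == "accept" else (prefix, reason))
    # A max-prefix limit tears the session down instead of trusting a flood of routes.
    session_ok = len(accepted) <= policy["max_prefixes"]
    return {"accepted": accepted, "rejected": rejected, "session_ok": session_ok}
```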

Received on Tue Dec 22 2009 - 12:59:00 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART