[147347] in North American Network Operators' Group


RE: BGP and Firewalls...

daemon@ATHENA.MIT.EDU (Holmes,David A)
Wed Dec 7 13:22:23 2011

From: "Holmes,David A" <dholmes@mwdh2o.com>
To: Gregory Croft <gcroft@shoremortgage.com>, Christopher Morrow
 <morrowc.lists@gmail.com>
Date: Wed, 7 Dec 2011 10:19:58 -0800
In-Reply-To: <1F4D60B00DE5FB42AD4BB2BC06DC3092207092FB@mail.shoremortgage.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

My concern is whether or not consolidating border router and firewall
functions in the same device violates, if not explicitly, then the spirit
of the "defense in depth" Internet edge design principle. Here is a link
to a Department of Homeland Security document where this is discussed
(for control systems, but has general application), but not addressed
directly:
http://www.inl.gov/technicalpublications/Documents/3375141.pdf

The old Checkpoint/Nokia firewalls consolidated routing and firewall
functions, but the question is one of layered defenses, such that it
seems intuitive that it is inherently more difficult for the bad actor to
penetrate network defenses the more devices that have to be penetrated.



-----Original Message-----
From: Gregory Croft [mailto:gcroft@shoremortgage.com]
Sent: Wednesday, December 07, 2011 10:04 AM
To: Christopher Morrow
Cc: nanog@nanog.org
Subject: RE: BGP and Firewalls...

I'm not having problems... Well, not yet anyways.  :)

Just investigating to see if there is a reason I shouldn't use a
firewall at the edge versus a dedicated router as well as to see if
anyone can share their specific experience with the PAN devices.

Thanks everyone!
Greg




-----Original Message-----
From: christopher.morrow@gmail.com [mailto:christopher.morrow@gmail.com]
On Behalf Of Christopher Morrow
Sent: Wednesday, December 07, 2011 12:44 PM
To: Gregory Croft
Cc: nanog@nanog.org
Subject: Re: BGP and Firewalls...

On Wed, Dec 7, 2011 at 12:31 PM, Gregory Croft
<gcroft@shoremortgage.com> wrote:
> Hi All,
>
>
>
> Does anyone have any experience with using firewalls as edge devices
> when BGP is concerned?
>
> Specifically the Palo Alto series of devices.

nokia/checkpoint has done this for ages. what's the problem you have?

