[177793] in North American Network Operators' Group


Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Feb 5 14:21:39 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <FAE35F46-1B36-4372-A32B-67E07A8DFB3B@nerd-residenz.de>
From: Owen DeLong <owen@delong.com>
Date: Thu, 5 Feb 2015 15:15:23 -0400
To: "Ralph J.Mayer" <rmayer@nerd-residenz.de>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Some Juniper models actually do a very good job of being both.

In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that moves packets from one interface to another is a router. Of course, the support for routing protocols is a useful feature in a router and one of the areas where firewalls often fall short.

Where you want to put things (in front, behind, etc.) really depends on your topology and the problem you are trying to solve.

Personally, I like to keep the firewalls as close to the end hosts as possible. This tends to greatly simplify security policies and make them MUCH easier (and more reliable) to audit.

Owen




> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer@nerd-residenz.de> wrote:
>
> Hi David,
>
> a router is a router and a firewall is a firewall.
>
> Especially a Cisco ASA is no router, period.
>
> A router in front of the firewall is my choice, it also keeps broadcasts from the firewall + can do uRPF.
>
>
> rm
