[177835] in North American Network Operators' Group
Re: Dynamic routing on firewalls.
daemon@ATHENA.MIT.EDU (Bill Thompson)
Fri Feb 6 11:39:31 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <6290.74.129.32.29.1423192783.iglou@webmail.iglou.com>
From: Bill Thompson <billt@mahagonny.com>
Date: Fri, 06 Feb 2015 08:39:18 -0800
CC: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Just because a cat has kittens in the oven, you don't call them biscuits. A firewall can route, but it is not a router. Both have specialized tasks. You can fix a car with a Swiss Army knife, but why would you want to?
--
Bill Thompson
billt@mahagonny.com
On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm@iglou.com> wrote:
>
>On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer@nerd-residenz.de>
>>> wrote:
>>> a router is a router and a firewall is a firewall. Especially a Cisco ASA
>>> is no router, period.
>>
>> Man-o-man did I find that out when we had to renumber our network after
>> we got bought by the French.
>
>> Oh, I'll just pop on a secondary address on this interface... What?
>
>> Needed to go through fits just to get a hairpin route in the thing.
>
>> The ASA series is good at what it does, just don't plan on it acting like
>> router IOS.
>
>Sorry, but I'm with Owen.
>
>Square : Rectangle :: Firewall : Router
>
>A firewall is a router, despite how much so many security folk try to deny
>it. And firewalls that seem to try to intentionally be crappy routers
>(i.e., ASAs) have no place in my network.
>
>If it can't be a decent router, then it's going to suck as a firewall too,
>because a firewall has to be able to play nice with the rest of the
>network, and if they can't do that, then I have no use for them. I'll get
>a firewall that does.