[177904] in North American Network Operators' Group


Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Feb 7 20:19:56 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <DA607367-E6C6-4E6F-863A-043B88EC40BA@mahagonny.com>
Date: Sat, 7 Feb 2015 17:17:59 -0800
To: Bill Thompson <Billt@mahagonny.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

A good firewall can also be a good router.

Of course you can find firewalls that are crappy routers and you can find routers that are crappy firewalls, but generally, the two are not mutually exclusive.

Owen

> On Feb 6, 2015, at 08:39 , Bill Thompson <Billt@mahagonny.com> wrote:
>
> Just because a cat has kittens in the oven, you don't call them biscuits. A firewall can route, but it is not a router. Both have specialized tasks. You can fix a car with a Swiss Army knife, but why would you want to?
> --
> Bill Thompson
> billt@mahagonny.com
>
> On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm@iglou.com> wrote:
>>
>> On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
>>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer@nerd-residenz.de> wrote:
>>>> a router is a router and a firewall is a firewall. Especially a Cisco ASA is no router, period.
>>>
>>> Man-o-man did I find that out when we had to renumber our network after we got bought by the French.
>>
>>> Oh, I'll just pop on a secondary address on this interface... What?
>>
>>> Needed to go through fits just to get a hairpin route in the thing.
>>
>>> The ASA series is good at what it does, just don't plan on it acting like router IOS.
>>
>> Sorry, but I'm with Owen.
>>
>> Square : Rectangle :: Firewall : Router
>>
>> A firewall is a router, despite how much so many security folk try to deny it.  And firewalls that seem to try to intentionally be crappy routers (ie, ASAs) have no place in my network.
>>
>> If it can't be a decent router, then it's going to suck as a firewall too, because a firewall has to be able to play nice with the rest of the network, and if they can't do that, then I have no use for them.  I'll get a firewall that does.

