[177917] in North American Network Operators' Group
Re: Dynamic routing on firewalls.
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Feb 8 19:50:04 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <18568D32-108A-4C17-9911-A7D468B938FA@freebsdbrasil.com.br>
Date: Sun, 8 Feb 2015 16:48:58 -0800
To: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Feb 8, 2015, at 06:02 , Patrick Tracanelli =
<eksffa@freebsdbrasil.com.br> wrote:
>=20
> Hello,
>=20
>>=20
>> Some Juniper models actually do a very good job of being both.
>>=20
>> In reality, a Firewall _IS_ a router, even if it's a bad one. =
Anything that moves packets from one interface to another is a router.
>=20
> Technically it=E2=80=99s quite not a precise assumption. While routing =
is much likely an IP core need and OSI Layer 3 related mechanism, a =
firewall does not have to basic L3 forwarding. It can be a =
bridged/bright firewall, may fit in front of a router, protecting it, =
and carrying. Not routing anything. In fact in a fail-safe scenario =
(from availability perspective) a bridged firewall may be shut down =
completely and a Bypass por pair taking place will keep traffic flowing, =
=E2=80=9Cmoving packets from one port to another=E2=80=9D without =
actually ever been a router.
Technically true, but bridged firewalls are pretty much passe these days =
in the real world. As a general rule, when the firewall is shut down, =
one usually doesn=E2=80=99t want the packets flowing past un-hindered. =
The fact that this is kind of the default of what happens with bridged =
firewalls is just one of the many reasons hardly anyone still uses such =
a thing.
> I have recently added netmap-ipfw in front of BGP routers protecting =
=E2=80=98em from DDoS attacks, adding line-rate firewalling capabilities =
to a commodity x86/64 box or a T5 card for 10GbE/40GbE, and netmap-ipfw =
itself acts like mentioned, passing packets back and forth between =
interfaces without ever routing anything.
Sure, there are all kinds of things one can do. Some of them are good =
ideas, many of them are not. If it works in your environment and =
you=E2=80=99re OK with the failure modes and other tradeoffs, then more =
power to you.
>=20
>> Of course, the support for routing protocols is a useful feature in a =
router and one of the areas where firewalls often fall short.
>>=20
>> Where you want to put things (in front, behind, etc.) really depends =
on your topology and the problem you are trying to solve.
>>=20
>> Personally, I like to keep the firewalls as close to the end hosts as =
possible. This tends to greatly simplify security policies and make them =
MUCH easier (and more reliable) to audit.
>=20
> I agree. A firewall belongs better closer to the end hosts being =
protected. Maybe protection of the router is the only exception when =
RTBH will not fit the task (or just won=E2=80=99t be enough).=20
DDoS mitigation on site is a questionable and usually losing proposition =
at best. Other than DDoS mitigation, any good router should be perfectly =
capable of protecting itself. For protecting a router from DDoS that it =
cannot properly protect itself, one needs to be able to control or alter =
the delivery of packets across the upstream link from the upstream side =
anyway. That is best done by an off-site service such as Akamai=E2=80=99s =
Prolexic.
> Therefore, close to the end host usually means far from the core =
routers. Unless one is really considering a CPE device doing poorly jobs =
of =E2=80=9Ca router and a firewall=E2=80=9D=E2=80=A6
Depends on the nature of your network. I know lots of datacenter =
networks where the end hosts are not more than one or two hops removed =
from the core routers. I would hardly refer to those networks as a CPE =
device doing a poor job of =E2=80=9Crouter and firewall=E2=80=9D.
Owen
