[177918] in North American Network Operators' Group


Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Feb 8 19:59:48 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CADncWmGRzXNC2hgs7LqhFcLT-ymcvxauY=o0O68uMgy53HrrPw@mail.gmail.com>
Date: Sun, 8 Feb 2015 16:58:49 -0800
To: BPNoC Group <bpnoc.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Feb 8, 2015, at 05:40 , BPNoC Group <bpnoc.lists@gmail.com> wrote:
> 
>> 
>> Of course you can find firewalls that are crappy routers and you can find
>> routers that are crappy firewalls, but generally, the two are not mutually
>> exclusive.
>> 
> 
> I completely disagree w/ such or similar statements.
> On the vendor datasheet it says different. On books it says different.
> And in real life it's different.

No, really it does not.

> 
> Firewalls are firewalls. Routers are routers. Routers should do some very
> basic filtering (stateless, ACLs, data plane protection...) and firewalls
> should do basic static routing. And things should not go far beyond that.

We can agree to disagree.

> If you keep thinking like that you will soon believe an L3 switch is a
> firewall too.

An L3 switch is just another kind of router and if it’s got the ability for its
switching matrix to include a packet classifier that can be preprogrammed for
the appropriate firewall functions at line rate in hardware, then, yes, it’s a
perfectly fine firewall, and, probably about the only solution that’s really going
to work in a high line-rate scenario, actually.

> Firewalls and routers belong to different places in a serious topology.

You and I apparently have very different ideas of serious topologies.

> Only small networks should have both functions in the same box. It raises
> risks, makes different kernel tasks compete with each other for the same
> resources. You may run out of states, memory and CPU, especially if mixing
> NAT & tunneling beyond firewalling and routing. A router nowadays has many
> tasks to accomplish, from 6to4, dual stacking, to multiple routing services
> (bgp, ospf, bfd). Don't add extra duties to the box.

If you are firewalling so far away from the edge that any of this matters, you have
already lost and your topology is very hard to consider “serious” in my opinion.

> There are multi-purpose systems that can act like both things (say, a Linux box),
> but it's just not right to have more than one critical service in the same
> box. They should be distributed along your network. A firewall in front of
> the router, a firewall after the router in front of the servers.

I’m thinking more like a large Juniper with an ESPIC or other services
interface hardware solution.

> I just had a huge problem with an engineer who decided that a router should
> be his CGN, and when the number of translated sessions ran above the
> expected and planned capacity, the box just sat down unresponsive. All of
> this company's (and it's a banking company, not an ISP who just pays some SLA
> debit and it's good to go) connectivity was offline due to this confusion
> of service profiles on the same box, and all means servers and hosts with
> registered IP addresses, not only RFC1918 addresses that needed to be
> translated.

You can always choose the wrong box for the job. I bet I can point to plenty of
routers that could have handled his CGN needs just fine and had plenty of memory
to hold all of his translated sessions.

This is no different than if he chose an incorrect CGN box that was purpose-built.

Your example is like saying “The 2514 was not adequate as a 100Mbps firewall,
so all routers are inadequate as firewalls”.

The 2514 was not adequate or even capable of being a 100Mbps router.

> We just split the functions, distributed firewall and CGN to different
> boxes and topologies in a much more logical way and the "auto DoS feature"
> just went away.

That’s certainly one viable solution. Maybe even the right one for that particular
space. However, it does not change anything I said.

> So, please, don't insist. A firewall is a firewall. A router is a router. A
> translation box is another alien. Unless you are SMB or willing to pay for
> over-dimensioned boxes to mix all duties up together, which will be more
> expensive than distributing the services alongside the network.

Technically, a router is any device which takes an IP datagram on one interface
and delivers it to an interface with a different network number (whether the same
(hairpin) or another interface) after decrementing the TTL or Hop Count (depending
on whether IPv4 or IPv6).

Other than the (rather silly in virtually all circumstances) Layer 2 firewalls mentioned
earlier, every firewall is technically a router. Not every router is a firewall, though there
are plenty of routers that are also very capable firewalls.

I will grant you that there are virtually no purpose-built firewalls that make good routers,
but that’s yet another issue truly unrelated to what I said.

As to translation devices, well, those also have no place in a serious topology other
than dealing with limitations of an aging and hopefully soon to be deprecated protocol
that should have been obsoleted years ago.

Owen

> 
>> 
>> Owen
>> 
>>> On Feb 6, 2015, at 08:39 , Bill Thompson <Billt@mahagonny.com> wrote:
>>> 
>>> Just because a cat has kittens in the oven, you don't call them
>>> biscuits. A firewall can route, but it is not a router. Both have
>>> specialized tasks. You can fix a car with a swiss army knife, but why would
>>> you want to?
>>> --
>>> Bill Thompson
>>> billt@mahagonny.com
>>> 
>>> On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm@iglou.com> wrote:
>>>> 
>>>> On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
>>>>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer@nerd-residenz.de> wrote:
>>>>>> a router is a router and a firewall is a firewall. Especially a
>>>>>> Cisco ASA is no router, period.
>>>>> 
>>>>> Man-o-man did I find that out when we had to renumber our network after
>>>>> we got bought by the French.
>>>> 
>>>>> Oh, I'll just pop on a secondary address on this interface... What?
>>>> 
>>>>> Needed to go through fits just to get a hairpin route in the thing.
>>>> 
>>>>> The ASA series is good at what it does, just don't plan on it acting like
>>>>> router IOS.
>>>> 
>>>> Sorry, but I'm with Owen.
>>>> 
>>>> Square : Rectangle :: Firewall : Router
>>>> 
>>>> A firewall is a router, despite how much so many security folk try to deny
>>>> it. And firewalls that seem to try to intentionally be crappy routers
>>>> (ie, ASAs) have no place in my network.
>>>> 
>>>> If it can't be a decent router, then it's going to suck as a firewall too,
>>>> because a firewall has to be able to play nice with the rest of the
>>>> network, and if they can't do that, then I have no use for them. I'll get
>>>> a firewall that does.
>> 
>> 

