[177924] in North American Network Operators' Group

Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Mon Feb 9 04:00:02 2015

X-Original-To: nanog@nanog.org
Date: Mon, 9 Feb 2015 03:59:52 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <CADncWmGRzXNC2hgs7LqhFcLT-ymcvxauY=o0O68uMgy53HrrPw@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On Sun, Feb 08, 2015 at 11:40:56AM -0200, BPNoC Group wrote:
> Firewalls are firewalls. Routers are routers. Routers should do some very
> basic filtering (stateless, ACLs, data plane protection...) and firewalls
> should do basic static routing. And things should not go far beyond that.

This is, at a network level, an echo of the "Software Tools" philosophy
that has served us exceedingly well for decades.  Tools should do one
thing, they should do it well, and if/when we need to do more than one
thing, we should use tools in combination.

There's another advantage to this: if firewalls and routers &etc
are not the same system, then they can run different software on
different operating systems on different architectures -- providing
a significant measure of insulation against attacks unique to one
particular combination.

---rsk