nanog mailing list archives

Re: Dynamic routing on firewalls.


From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 9 Feb 2015 03:59:52 -0500

On Sun, Feb 08, 2015 at 11:40:56AM -0200, BPNoC Group wrote:
> Firewalls are firewalls. Routers are routers. Routers should do some very
> basic filtering (stateless, ACLs, data plane protection...) and firewalls
> should do basic static routing. And things should not go far beyond that.

This is, at a network level, an echo of the "Software Tools" philosophy
that has served us exceedingly well for decades.  Tools should do one
thing, they should do it well, and if/when we need to do more than one
thing, we should use tools in combination.

There's another advantage to this: if firewalls and routers &etc
are not the same system, then they can run different software on
different operating systems on different architectures -- providing
a significant measure of insulation against attacks unique to one
particular combination.

---rsk

