nanog mailing list archives

Re: Dynamic routing on firewalls.


From: BPNoC Group <bpnoc.lists () gmail com>
Date: Sun, 8 Feb 2015 13:49:01 -0200

On Sun, Feb 8, 2015 at 12:48 PM, Jeff McAdams <jeffm () iglou com> wrote:

You're missing the point.


I'm not missing, I'm just diverting the point.

As I mentioned from a Linux box example, the fact that it can both act as a
router and a firewall does not mean it should. I disagree with the
simplistic idea that if a firewall L3 forwards, it's a router, or if a
router has ACLs capabilities, it's a firewall.

Someone just illustrated how a firewall placed in a mission-critical
position, protecting a BGP router, may do it bridged, without actually
routing a single extra hop.


I would never advocate for trying to deploy a Juniper MX in the role of a
firewall to provide a security boundary.  I would never try to deploy a
Juniper SRX to provide a huge number of GRE tunnel terminations or other
sorts of aggregations of large numbers of connections or however you might
describe a typical router role.


So we agree!

I completely agree that you don't want to overload any particular device
with too many functions.  I've got MXes that terminate a large number of
GRE tunnels, but I've also got SRXes terminating a large number of IPSec
tunnels that are basically acting as routers because they can handle the
large quantity of crypto operations involved better than an MX.  The
SRXes that terminate the large number of IPSec tunnels also do some amount
of firewalling, but I only did that grudgingly, for financial reasons.


Yes, I understand budget restrictions sometimes lead to accumulating
functions on the same box. But the notion that matters is that although a
firewall *can*, technically, be implemented in the same node, it just
belongs somewhere else, in a distributed / separate box.


The firewalling will probably be moved off to a separate set of
SRXes as this project grows.


Yeah, in the end we mostly agree.



--
Jeff

On Sun, February 8, 2015 08:40, BPNoC Group wrote:




Of course you can find firewalls that are crappy routers and you can
find routers that are crappy firewalls, but generally, the two are not
mutually exclusive.


I completely disagree w/ such or similar statements.
The vendor datasheet says different. Books say different.
And in real life it's different.


Firewalls are firewalls. Routers are routers. Routers should do some very
basic filtering (stateless, ACLs, data plane protection...) and firewalls
should do basic static routing. And things should not go far beyond
that.

If you keep thinking like that you will soon believe an L3 switch is a
firewall too.

Firewalls and routers belong to different places in a serious topology.


Only small networks should have both functions in the same box. It raises
risks and makes different kernel tasks compete with each other for the same
resources. You may run out of states, memory and CPU, especially if mixing
NAT & tunneling beyond firewalling and routing. A router nowadays has
many tasks to accomplish, from 6to4, dual stacking, to multiple routing
services (bgp, ospf, bfd). Don't add extra duties to the box.


Multi-purpose systems can act like both things (say, a Linux box), but
it's just not right to have more than one critical service in the same
box. They should be distributed along your network: a firewall in front
of the router, a firewall after the router in front of the servers.

I just had a huge problem with an engineer who decided that a router
should be his CGN, and when the number of translated sessions ran above
the expected and planned capacity, the box just sat there unresponsive.
All of this company's connectivity (and it's a banking company, not an ISP
who just pays some SLA debit and is good to go) was offline due to this
confusion of service profiles on the same box, and "all" means servers and
hosts with registered IP addresses, not only RFC1918 addresses that needed
to be translated.

We just split the functions, distributed firewall and CGN to different
boxes and topologies in a much more logical way and the "auto DoS feature"
just went away.

So, please, don't insist. A firewall is a firewall. A router is a router.
A translation box is another alien. Unless you are an SMB or willing to pay
for over-dimensioned boxes to mix all duties up together, which will be more
expensive than distributing the services alongside the network.




Owen


On Feb 6, 2015, at 08:39, Bill Thompson <Billt () mahagonny com> wrote:


Just because a cat has kittens in the oven, you don't call them
biscuits. A firewall can route, but it is not a router. Both have
specialized tasks. You can fix a car with a swiss army knife, but why
would you want to?
--
Bill Thompson
billt () mahagonny com

On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm () iglou com>
wrote:


On Thu, February 5, 2015 20:02, Joe Hamelin wrote:

On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer () nerd-residenz de>
wrote:

a router is a router and a firewall is a firewall. Especially a
Cisco ASA is no router, period.

Man-o-man did I find that out when we had to renumber our network
after we got bought by the French.

Oh, I'll just pop on a secondary address on this interface... What?


Needed to go through fits just to get a hairpin route in the thing.

The ASA series is good at what it does, just don't plan on it acting
like router IOS.

Sorry, but I'm with Owen.


Square : Rectangle :: Firewall : Router


A firewall is a router, despite how much so many security folk try
to deny it.  And firewalls that seem to try to intentionally be
crappy routers (i.e., ASAs) have no place in my network.


If it can't be a decent router, then it's going to suck as a
firewall too, because a firewall has to be able to play nice with the
rest of the network, and if they can't do that, then I have no use
for them.  I'll get a firewall that does.





--
Jeff
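The failure mode BPNoC describes in the quoted CGN outage, a single box doing routing, NAT and stateful firewalling that runs out of states and turns into an "auto DoS feature", is visible in the kernel's own counters before it takes the network down. The following is an added example, not code from the thread or from any of its participants: a Python check for a Linux box that parses the /proc/net/stat/nf_conntrack counters (a header line of column names followed by one row of hexadecimal counters per CPU) and compares the live entry count with nf_conntrack_max. The sample counters, the table limit and the warning/critical thresholds are constructed values, and all function and class names are my own.

```python
"""State-table pressure check for a combined router/NAT/firewall Linux box.

Added example (not from the NANOG thread). Input format is that of
/proc/net/stat/nf_conntrack: first line = column names, then one row of
hex counters per CPU. The 'entries' column repeats the global table size on
every row, so it must not be summed across CPUs; the other columns are
per-CPU counters and are summed.
"""
from dataclasses import dataclass

# Constructed sample: two CPUs, table close to full, evictions already happening.
SAMPLE_STAT = """\
entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
0003e6c0  00000000 0a1b2c3d 00012345 0000001a 00000000 00011111 00000000 00012345 00000007 00000003 00000040 00000000  00000000 00000000 00000000 00000000
0003e6c0  00000000 09abcdef 00011111 00000010 00000000 00010000 00000000 00011111 00000002 00000001 00000020 00000000  00000000 00000000 00000000 00000000
"""
# Constructed; on a live box read /proc/sys/net/netfilter/nf_conntrack_max instead.
SAMPLE_MAX = 262144


@dataclass
class ConntrackStatus:
    entries: int          # current number of tracked connections (global)
    max_entries: int      # nf_conntrack_max
    insert_failed: int    # inserts that lost a race with an identical entry
    drop: int             # packets for which no new conntrack entry could be created
    early_drop: int       # existing entries evicted early to make room (table was full)

    @property
    def utilisation(self) -> float:
        return self.entries / self.max_entries


def parse_nf_conntrack_stat(text: str) -> dict:
    """Parse the /proc/net/stat/nf_conntrack format into summed totals."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    totals = {name: 0 for name in header}
    entries = 0
    for row in lines[1:]:
        values = [int(v, 16) for v in row.split()]
        if len(values) != len(header):
            raise ValueError("row/header column count mismatch: %r" % row)
        per_cpu = dict(zip(header, values))
        entries = per_cpu["entries"]  # global value, same on every row
        for name, value in per_cpu.items():
            if name != "entries":
                totals[name] += value
    totals["entries"] = entries
    return totals


def conntrack_status(stat_text: str, max_entries: int) -> ConntrackStatus:
    t = parse_nf_conntrack_stat(stat_text)
    return ConntrackStatus(
        entries=t["entries"],
        max_entries=max_entries,
        insert_failed=t["insert_failed"],
        drop=t["drop"],
        early_drop=t["early_drop"],
    )


def assess(status: ConntrackStatus, warn: float = 0.80, crit: float = 0.90) -> str:
    """Classify table pressure. Thresholds are assumptions, tune per box.

    Any early_drop or drop means the table has already been full at least
    once since boot: new flows were refused or old ones evicted, which is
    exactly the symptom that took the CGN box in the thread offline.
    """
    if status.early_drop or status.drop or status.utilisation >= crit:
        return "CRITICAL"
    if status.utilisation >= warn:
        return "WARNING"
    return "OK"


def report(status: ConntrackStatus) -> str:
    return (
        "%s: %d/%d entries (%.1f%%), early_drop=%d drop=%d insert_failed=%d"
        % (assess(status), status.entries, status.max_entries,
           100 * status.utilisation, status.early_drop, status.drop,
           status.insert_failed)
    )


if __name__ == "__main__":
    print(report(conntrack_status(SAMPLE_STAT, SAMPLE_MAX)))
```

On a real box the same functions can be fed the contents of /proc/net/stat/nf_conntrack and the integer in /proc/sys/net/netfilter/nf_conntrack_max; a non-zero and rising early_drop or drop counter is the signal that the box is shedding state, whether the cause is NAT session growth, tunnel churn or a flood.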



