nanog mailing list archives
Re: Dynamic routing on firewalls.
From: Ray Soucy <rps () maine edu>
Date: Thu, 5 Feb 2015 09:51:28 -0500
It all depends how much of the firewall functionality is implemented in CPU. The biggest problem is that firewalls that implement functionality in software usually saturate CPU when stressed (e.g. DOS) and routing protocols start dropping.

I'm a strong believer in having a router that can do basic filtering in hardware (specifically uRPF) as the first line of defense in a DOS attack and then using a firewall behind that to reach your security policy goals.

We have a pretty large network so we've expanded the concept of RTBH filtering internally and use a small ISR (currently 1841) to inject routes into our network to disable hosts using uRPF at the first router they hit. The entire thing is scripted and works very well at containing problematic hosts centrally.

The other thing to watch out for IMHO is the NGFW hype. I haven't seen a NGFW that can actually do everything it claims to at the same time and meet advertised performance levels. You're much better off splitting up the workload and having a series of components architected to work with each other.

On Thu, Feb 5, 2015 at 9:42 AM, Eugeniu Patrascu <eugen () imacandi net> wrote:
> On Thu, Feb 5, 2015 at 4:10 PM, David Jansen <david () nines nl> wrote:
>
>> Hi,
>>
>> We have used dynamic routing on firewall in the old days. We did experience several severe outages due to this setup (OSPF and Cisco). As you will understand I'm not eager to go back to this solution but I am curious about your point of views. Is it advisable to do so these days?
>
> Any specific firewall in mind? As this depends from vendor to vendor.
>
> I've had some issues with OSPF and CheckPoint firewalls when the firewalls would be overloaded and started dropping packets at the interface level causing adjacencies to go down, but I solved this by using BGP instead and the routing issues went away. On Juniper things tend to work OK.
>
> Other than this, make sure you don't run into asymmetric routing as connections might get dropped because the firewall does not know about them or packets arrive out of order and the firewall cannot reassemble all of them.
--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
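Added illustration, not part of the thread and not Ray Soucy's script: a small model of how a centrally injected /32 blackhole route interacts with uRPF on the first-hop router, which is the mechanism his post describes for containing a problematic host. The router keeps a longest-prefix-match table; a unicast RPF check on the packet's source address fails when the best route to that source is Null0 (loose mode) or points out a different interface than the one the packet arrived on (strict mode). Injecting a host route to Null0 for one address therefore drops that host's traffic at its first hop without touching the firewall. All prefixes, interface names and the `Router`/`Route` classes are constructed for this example; the IOS static-route line is shown only as the kind of configuration such an injection script would emit.

```python
"""Model of RTBH-style host containment via uRPF (constructed example)."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

NULL0 = "Null0"  # blackhole pseudo-interface, as on IOS


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface name, or NULL0 for a blackhole route


@dataclass
class Router:
    routes: List[Route] = field(default_factory=list)

    def add_route(self, prefix: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface))

    def remove_route(self, prefix: str, interface: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.interface == interface)]

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match; no default route in this model, so an
        address with no covering prefix returns None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or
                                   r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def urpf_check(self, src: str, ingress: str, mode: str = "loose") -> bool:
        """True if a packet from `src` arriving on `ingress` passes uRPF.
        loose:  any non-blackhole route to the source suffices.
        strict: the route to the source must point back out `ingress`."""
        r = self.lookup(src)
        if r is None or r.interface == NULL0:
            return False
        if mode == "strict":
            return r.interface == ingress
        return True

    # What a central containment script does: push or withdraw a /32 to Null0.
    def blackhole_host(self, host: str) -> None:
        self.add_route(f"{host}/32", NULL0)

    def release_host(self, host: str) -> None:
        self.remove_route(f"{host}/32", NULL0)


def ios_null_route(host: str) -> str:
    """The IOS static route a script would generate for one host."""
    return f"ip route {host} 255.255.255.255 {NULL0}"


def build_example_router() -> Router:
    """Constructed topology: two customer subnets on two interfaces."""
    r = Router()
    r.add_route("192.0.2.0/24", "Gi0/1")
    r.add_route("198.51.100.0/24", "Gi0/2")
    return r


if __name__ == "__main__":
    r = build_example_router()
    print("before:", r.urpf_check("192.0.2.10", "Gi0/1"))
    r.blackhole_host("192.0.2.10")
    print(ios_null_route("192.0.2.10"))
    print("after: ", r.urpf_check("192.0.2.10", "Gi0/1"))
    print("neighbour unaffected:", r.urpf_check("192.0.2.11", "Gi0/1"))
```

The strict-mode check is also where Eugeniu's asymmetric-routing warning shows up in miniature: a legitimate packet that enters on an interface other than the one its source route points to fails strict uRPF, so strict mode belongs only on edges where the path is guaranteed symmetric.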