nanog mailing list archives

Re: Dynamic routing on firewalls.


From: Owen DeLong <owen () delong com>
Date: Thu, 5 Feb 2015 15:15:23 -0400

Some Juniper models actually do a very good job of being both.

In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that moves packets from one interface to another 
is a router. Of course, the support for routing protocols is a useful feature in a router and one of the areas where 
firewalls often fall short.

Where you want to put things (in front, behind, etc.) really depends on your topology and the problem you are trying to 
solve.

Personally, I like to keep the firewalls as close to the end hosts as possible. This tends to greatly simplify security 
policies and make them MUCH easier (and more reliable) to audit.

Owen




On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer () nerd-residenz de> wrote:

Hi David,

a router is a router and a firewall is a firewall.

A Cisco ASA especially is no router, period.

A router in front of the firewall is my choice, it also keeps broadcasts from the firewall + can do uRPF.


rm

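As an added illustration of the "router in front of the firewall can do uRPF" point above (this is example configuration written for this archive page, not anything posted by either author), here is a Cisco IOS fragment enabling unicast RPF on the two interfaces of an edge router that sits upstream of a firewall. Loose mode faces the transit provider (where asymmetric return paths are common), strict mode faces the firewall's outside segment, where the router holds the only route back to those prefixes. Interface names and the 203.0.113.0/30 and 192.0.2.0/29 addresses are assumed documentation-range values.

```cisco
! Edge router placed in front of the firewall.
! Unicast RPF runs here so spoofed-source packets are dropped by the
! router before the firewall ever builds state for them.
ip cef
!
interface GigabitEthernet0/0
 description Upstream transit (assumed address)
 ip address 203.0.113.2 255.255.255.252
 ! Loose mode: source must merely be reachable in the FIB; tolerates
 ! asymmetric routing toward the provider.
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description Toward firewall outside interface (assumed address)
 ip address 192.0.2.1 255.255.255.248
 ! Strict mode: the reverse path to the source must point back out this
 ! same interface, so only prefixes routed behind the firewall may
 ! originate traffic here.
 ip verify unicast source reachable-via rx
```

Verify with `show ip interface GigabitEthernet0/1 | include verify` and watch `show ip traffic | include RPF` for the unicast RPF drop counter before deciding whether strict mode is safe on a given segment; strict mode on a link with asymmetric routing silently blackholes legitimate traffic.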
