On Sun, Feb 8, 2015 at 12:48 PM, Jeff McAdams <je...@iglou.com> wrote:
> You're missing the point.

I'm not missing, I'm just diverting the point. As I mentioned with the Linux box example, the fact that it can both act as a router and a firewall does not mean it should. I disagree with the simplistic idea that if a firewall L3 forwards, it's a router, or if a router has ACL capabilities, it's a firewall. Someone just illustrated how a mission-critically placed firewall protecting a BGP router may do it bridged, without actually routing a single extra hop.

> I would never advocate for trying to deploy a Juniper MX in the role of a
> firewall to provide a security boundary. I would never try to deploy a
> Juniper SRX to provide a huge number of GRE tunnel terminations or other
> sorts of aggregations of large numbers of connections or however you might
> describe a typical router role.

So we agree!

> I completely agree that you don't want to overload any particular device
> with too many functions. I've got MXes that terminate a large number of
> GRE tunnels, but I've also SRXes terminating a large number of IPSec
> tunnels that are basically acting as routers because they can handle the
> large quantity of crypto operations involved better than an MX. But while
> the SRXes that terminate the large number of IPSec tunnels do some amount
> of firewalling, I only did that grudgingly because of financial
> reasons.

Yes, I understand budget restrictions sometimes lead to accumulating functions on the same box. But the notion that matters is that although a firewall *can* be, technically, implemented in the same node, it just belongs somewhere else, in a distributed / separate box.

> The firewalling will probably be moved off to a separate set of
> SRXes as this project grows.

Yeah, in the end we mostly agree.

> --
> Jeff
>
> On Sun, February 8, 2015 08:40, BPNoC Group wrote:
>
> >> Of course you can find firewalls that are crappy routers and you can
> >> find routers that are crappy firewalls, but generally, the two are not
> >> mutually exclusive.
> >
> > I completely disagree w/ such or similar statements.
> > On the vendor datasheet it says different. On books it says different.
> > And in real life it's different.
> >
> > Firewalls are firewalls. Routers are routers. Routers should do some very
> > basic filtering (stateless, ACLs, data plane protection...) and firewalls
> > should do basic static routing. And things should not go far beyond
> > that.
> >
> > If you keep thinking like that you will soon believe an L3 switch is a
> > firewall too.
> >
> > Firewalls and routers belong to different places in a serious topology.
> >
> > Only small networks should have both functions in the same box. It raises
> > risks, makes different kernel tasks compete with each other for the same
> > resources. You may run out of states, memory and CPU, especially if mixing
> > NAT & tunneling beyond firewalling and routing. A router nowadays has
> > many tasks to accomplish, from 6to4, dual stacking, to multiple routing
> > services (bgp, ospf, bfd). Don't add extra duties to the box.
> >
> > There are multiple purpose systems that can act like both things (say, a Linux
> > box), but it's just not right to have more than one critical service in
> > the same box. They should be distributed along your network. A firewall in
> > front of the router, a firewall after the router in front of the servers.
> >
> > I just had a huge problem with an engineer who decided that a router
> > should be his CGN, and when the number of translated sessions ran above
> > the expected and planned capacity, the box just sat down unresponsive.
> > All of this company's (and it's a banking company, not an ISP who just pays some
> > SLA debit and it's good to go) connectivity was offline due to this confusion
> > of service profiles on the same box, and all means servers and hosts
> > with registered IP addresses, not only RFC1918 addresses that needed to be
> > translated.
> >
> > We just split the functions, distributed firewall and CGN to different
> > boxes and topologies in a much more logical way and the "auto DoS feature"
> > just went away.
> >
> > So, please, don't insist. A firewall is a firewall. A router is a router.
> > A translation box is another alien. Unless you are SMB or willing to pay for
> > over-dimensioned boxes to mix all duties up together, which will be more
> > expensive than distributing the services alongside the network.
> >
> >> Owen
> >>
> >>> On Feb 6, 2015, at 08:39 , Bill Thompson <bi...@mahagonny.com> wrote:
> >>>
> >>> Just because a cat has kittens in the oven, you don't call them
> >>> biscuits. A firewall can route, but it is not a router. Both have
> >>> specialized tasks. You can fix a car with a swiss army knife, but why
> >>> would you want to?
> >>> --
> >>> Bill Thompson
> >>> bi...@mahagonny.com
> >>>
> >>> On February 5, 2015 7:19:43 PM PST, Jeff McAdams <je...@iglou.com> wrote:
> >>>
> >>>> On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
> >>>>
> >>>>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rma...@nerd-residenz.de> wrote:
> >>>>>> a router is a router and a firewall is a firewall. Especially a
> >>>>>> Cisco ASA is no router, period.
> >>>>>
> >>>>> Man-o-man did I find that out when we had to renumber our network
> >>>>> after we got bought by the French.
> >>>>>
> >>>>> Oh, I'll just pop on a secondary address on this interface...
> >>>>> What?
> >>>>>
> >>>>> Needed to go through fits just to get a hairpin route in the
> >>>>> thing.
> >>>>>
> >>>>> The ASA series is good at what it does, just don't plan on it
> >>>>> acting like router IOS.
> >>>>
> >>>> Sorry, but I'm with Owen.
> >>>>
> >>>> Square : Rectangle :: Firewall : Router
> >>>>
> >>>> A firewall is a router, despite how much so many security folk try
> >>>> to deny it. And firewalls that seem to try to intentionally be
> >>>> crappy routers (ie, ASAs) have no place in my network.
> >>>>
> >>>> If it can't be a decent router, then it's going to suck as a
> >>>> firewall too, because a firewall has to be able to play nice with the
> >>>> rest of the network, and if they can't do that, then I have no use
> >>>> for them. I'll get a firewall that does.