On Sun, Feb 08, 2015 at 11:40:56AM -0200, BPNoC Group wrote:
> Firewalls are firewalls. Routers are routers. Routers should do some very
> basic filtering (stateless, ACLs, data plane protection...) and firewalls
> should do basic static routing. And things should not go far beyond that.
This is, at a network level, an echo of the "Software Tools" philosophy that has served us exceedingly well for decades. Tools should do one thing, they should do it well, and if/when we need to do more than one thing, we should use tools in combination.

There's another advantage to this: if firewalls and routers etc. are not the same system, then they can run different software on different operating systems on different architectures -- providing a significant measure of insulation against attacks unique to one particular combination.

---rsk