Dynamic routing on firewalls.

BPNoC Group bpnoc.lists at gmail.com
Sun Feb 8 15:49:01 UTC 2015


On Sun, Feb 8, 2015 at 12:48 PM, Jeff McAdams <jeffm at iglou.com> wrote:

> You're missing the point.
>

I'm not missing it, I'm just diverting the point.

As I mentioned with the Linux box example, the fact that it can act as both a
router and a firewall does not mean it should. I disagree with the
simplistic idea that if a firewall L3 forwards, it's a router, or if a
router has ACL capabilities, it's a firewall.

Someone just illustrated how a firewall in a mission-critical placement,
protecting a BGP router, may do it bridged, without actually routing a single
extra hop.


> I would never advocate for trying to deploy a Juniper MX in the role of a
> firewall to provide a security boundary.  I would never try to deploy a
> Juniper SRX to provide a huge number of GRE tunnel terminations or other
> sorts of aggregations of large numbers of connections or however you might
> describe a typical router role.
>

So we agree!

> I completely agree that you don't want to overload any particular device
> with too many functions.  I've got MXes that terminate a large number of
> GRE tunnels, but I've also got SRXes terminating a large number of IPSec
> tunnels that are basically acting as routers because they can handle the
> large quantity of crypto operations involved better than an MX.  But while
> the SRXes that terminate the large number of IPSec tunnels do some amount
> of firewalling, I only did that grudgingly because of financial
> reasons.


Yes, I understand budget restrictions sometimes lead to accumulating
functions on the same box. But the notion that matters is that although a
firewall *can* be, technically, implemented in the same node, it just
belongs somewhere else, in a distributed / separate box.


>   The firewalling will probably be moved off to a separate set of
> SRXes as this project grows.
>

Yeah, in the end we mostly agree.


>
> --
> Jeff
>
> On Sun, February 8, 2015 08:40, BPNoC Group wrote:
> >>
>
> >>
> >>
> >> Of course you can find firewalls that are crappy routers and you can
> >> find routers that are crappy firewalls, but generally, the two are not
> >> mutually exclusive.
> >>
> >
> > I completely disagree w/ such or similar statements.
> > On the vendor datasheet it says different. In books it says different.
> > And in real life it's different.
> >
> >
> > Firewalls are firewalls. Routers are routers. Routers should do some very
> > basic filtering (stateless, ACLs, data plane protection...) and firewalls
> > should do basic static routing. And things should not go far beyond
> > that.
> >
> > If you keep thinking like that you will soon believe an L3 switch is a
> > firewall too.
> >
> > Firewalls and routers belong to different places in a serious topology.
> >
> >
> > Only small networks should have both functions in the same box. It raises
> > risks, makes different kernel tasks compete with each other for the same
> > resources. You may run out of states, memory and CPU, especially if mixing
> > NAT & tunneling beyond firewalling and routing. A router nowadays has
> > many tasks to accomplish, from 6to4, dual stacking, to multiple routing
> > services (bgp, ospf, bfd). Don't add extra duties to the box.
> >
> >
> > Multi-purpose systems can act like both things (say, a Linux box), but
> > it's just not right to have more than one critical service in the same
> > box. They should be distributed along your network. A firewall in front
> > of the router, a firewall after the router in front of the servers.
> >
> > I just had a huge problem with an engineer who decided that a router
> > should be his CGN, and when the number of translated sessions ran above
> > the expected and planned capacity, the box just sat down unresponsive. All
> > of this company's connectivity (and it's a banking company, not an ISP who
> > just pays some SLA debit and it's good to go) was offline due to this
> > confusion of service profiles on the same box, and all means servers and
> > hosts with registered IP addresses, not only RFC1918 addresses that needed
> > to be translated.
> >
> > We just split the functions, distributed firewall and CGN to different
> > boxes and topologies in a much more logical way and the "auto DoS feature"
> > just went away.
> >
> > So, please, don't insist. A firewall is a firewall. A router is a router. A
> > translation box is another alien. Unless you are SMB or willing to pay for
> > over-dimensioned boxes to mix all duties up together, which will be more
> > expensive than distributing the services alongside the network.
> >
> >
> >
> >>
> >> Owen
> >>
> >>
> >>> On Feb 6, 2015, at 08:39 , Bill Thompson <Billt at mahagonny.com> wrote:
> >>>
> >>>
> >>> Just because a cat has kittens in the oven, you don't call them
> >>> biscuits. A firewall can route, but it is not a router. Both have
> >>> specialized tasks. You can fix a car with a swiss army knife, but why
> >>> would you want to?
> >>> --
> >>> Bill Thompson
> >>> billt at mahagonny.com
> >>>
> >>> On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm at iglou.com>
> >>> wrote:
> >>
> >>>>
> >>>> On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
> >>>>
> >>>>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer
> >>>>>> <rmayer at nerd-residenz.de>
> >>>>>> wrote:
> >>>>>> a router is a router and a firewall is a firewall. Especially a
> >>>>>> Cisco ASA is no router, period.
> >>>>>
> >>>>> Man-o-man did I find that out when we had to renumber our network
> >>>>> after we got bought by the French.
> >>>>>
> >>>>> Oh, I'll just pop on a secondary address on this interface...
> >>>>> What?
> >>>>>
> >>>>> Needed to go through fits just to get a hairpin route in the
> >>>>> thing.
> >>>>>
> >>>>> The ASA series is good at what it does, just don't plan on it
> >>>>> acting like router IOS.
> >>>>
> >>>> Sorry, but I'm with Owen.
> >>>>
> >>>>
> >>>> Square : Rectangle :: Firewall : Router
> >>>>
> >>>>
> >>>> A firewall is a router, despite how much so many security folk try
> >>>> to deny it.  And firewalls that seem to try to intentionally be
> >>>> crappy routers (i.e., ASAs) have no place in my network.
> >>>>
> >>>>
> >>>> If it can't be a decent router, then it's going to suck as a
> >>>> firewall too, because a firewall has to be able to play nice with the
> >>>> rest of the network, and if they can't do that, then I have no use
> >>>> for them.  I'll get a firewall that does.
> >>
> >>
> >
>
>
> --
> Jeff
>
>
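As an added illustration of the distinction the thread keeps circling (this is not the words or code of any participant), the following contrasts a router-style stateless ACL, which judges each packet on its own, with a firewall-style stateful filter whose connection table is finite. The packet records, addresses, ports and the table capacity are all constructed for the example; the exhaustion case mirrors the failure mode of the CGN anecdote above, where a box that has run out of state stops serving new legitimate sessions.

```python
"""Stateless ACL vs. stateful tracking with a bounded state table.

Added example, not from any participant in the thread. All traffic,
addresses, ports and the table capacity are constructed.
"""
from collections import namedtuple

# Constructed 5-tuple record. `syn`/`ack` are TCP flag bits; `direction`
# is "out" (inside -> outside) or "in" (outside -> inside).
Pkt = namedtuple("Pkt", "direction src sport dst dport syn ack")


def stateless_acl(pkt):
    """Router-style ACL: decides on the packet alone and keeps no memory.

    Policy: permit anything outbound; inbound, permit only segments that
    carry ACK (an "established"-style match), which is the closest a
    stateless filter can get to "only replies to our sessions".
    """
    if pkt.direction == "out":
        return "permit"
    return "permit" if pkt.ack else "deny"


class StatefulFilter:
    """Firewall-style filter: records outbound sessions and admits only
    inbound packets that match one. `capacity` bounds the state table,
    which is the resource the thread's CGN anecdote ran out of."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.dropped_for_capacity = 0

    def handle(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                return "permit"
            if len(self.table) >= self.capacity:
                # Table full: even legitimate new sessions are refused here,
                # which is how an undersized box becomes a self-inflicted DoS.
                self.dropped_for_capacity += 1
                return "deny"
            self.table.add(key)
            return "permit"
        # Inbound: the reversed tuple must already be in the table.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.table else "deny"


# Constructed traffic: an inside host opens a session, the legitimate
# SYN/ACK reply arrives, then an unsolicited inbound segment with ACK set
# that matches no session at all.
TRAFFIC = [
    Pkt("out", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True, ack=False),
    Pkt("in", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),
    Pkt("in", "203.0.113.99", 8080, "10.0.0.7", 22, syn=False, ack=True),
]


def compare(packets, capacity):
    """Run both filters over `packets`; return per-packet (acl, stateful)
    verdicts and the stateful filter for inspection."""
    fw = StatefulFilter(capacity)
    return [(stateless_acl(p), fw.handle(p)) for p in packets], fw


def exhaust(capacity, sessions):
    """Open `sessions` distinct outbound sessions through a table of size
    `capacity`; return (sessions refused, refusals counted as capacity drops).
    The stateless ACL would have permitted every one of them."""
    fw = StatefulFilter(capacity)
    verdicts = [
        fw.handle(Pkt("out", "10.0.0.5", 50000 + i, "203.0.113.20", 80, True, False))
        for i in range(sessions)
    ]
    return verdicts.count("deny"), fw.dropped_for_capacity


if __name__ == "__main__":
    verdicts, _ = compare(TRAFFIC, capacity=10)
    for p, (acl, fw) in zip(TRAFFIC, verdicts):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  acl={acl:6} stateful={fw}")
    print("refused for lack of state (capacity 3, 5 sessions):", exhaust(3, 5))
```

The third packet is the one that separates the two roles: the ACL passes it because ACK is set, the stateful filter drops it because no session exists. The exhaustion run shows the cost of that extra precision: state is finite, and once the table is full the firewall refuses new legitimate sessions while a stateless router would have forwarded them, which is why the thread argues for sizing and placing the stateful functions separately and monitoring table occupancy.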


