Dynamic routing on firewalls.

Eugeniu Patrascu eugen at imacandi.net
Mon Feb 9 13:13:48 UTC 2015


On Mon, Feb 9, 2015 at 10:59 AM, Rich Kulawiec <rsk at gsp.org> wrote:

> On Sun, Feb 08, 2015 at 11:40:56AM -0200, BPNoC Group wrote:
> > Firewalls are firewalls. Routers are routers. Routers should do some very
> > basic filtering (stateles, ACLs, data plane protection...) and firewalls
> > should do basic static routing. And things should not go far beyond that.
>
> This is, at a network level, an echo of the "Software Tools" philosophy
> that has served us exceedingly well for decades.  Tools should do one
> thing, they should do it well, and if/when we need to do more than one
> thing, we should use tools in combination.
>

And then reality comes and disagrees with you :)
I am a fan of "use the right tool for the right job", but it is not
always possible due to economic/technical/political reasons.

I had situations where running dynamic routing on firewalls was the way to
go to allow for geographic distribution of traffic without having to touch
routers and/or firewalls when adding/deleting subnets. Devices would just
learn routes and if permitted by the firewalls, traffic would pass.
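As an added illustration (my own configuration sketch, not something from this thread or from any poster) of the "devices learn routes, but traffic only passes if the firewall permits it" setup described above: a Linux firewall running FRRouting for OSPF alongside an nftables policy. Interface names (eth0 outside, eth1 interior), prefixes, the router-id and the authentication key are all placeholders I assumed for the example. The point it makes is that the dynamic routing protocol only fills the routing table; the forwarding decision still goes through the firewall's own policy, and the adjacency itself is restricted to one interface and authenticated so that the firewall does not accept routes from just anyone.

```conf
! ===== FRR (vtysh) fragment: OSPF on the firewall =====
! Assumed: eth1 faces the interior routers, eth0 faces outside.
router ospf
 ospf router-id 10.0.0.1
 ! No adjacencies anywhere unless explicitly enabled per interface.
 passive-interface default
 no passive-interface eth1
 network 10.0.0.0/30 area 0
 ! Only advertise the site's own subnets, never the outside side.
 redistribute connected route-map ONLY-SITE-NETS
!
interface eth1
 ! Authenticate the adjacency so a rogue host on eth1 cannot inject routes.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
ip prefix-list SITE-NETS seq 10 permit 10.0.0.0/8 le 24
route-map ONLY-SITE-NETS permit 10
 match ip address prefix-list SITE-NETS
!

# ===== nftables ruleset on the same box =====
# Learned routes decide *where* a packet would go; these rules decide *whether* it goes.
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # OSPF (IP protocol 89) is accepted only on the interior interface,
        # and only to the AllSPFRouters / AllDRouters multicast groups.
        iif "eth1" ip protocol 89 ip daddr { 224.0.0.5, 224.0.0.6 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # A newly learned subnet inside 10.0.0.0/8 gets through without touching
        # this rule, but only for the services the policy already allows.
        iif "eth1" oif "eth0" ip saddr 10.0.0.0/8 tcp dport { 80, 443 } accept
    }
}
```

With this in place, adding a subnet at a remote site means the interior router advertises it and the firewall learns it; nobody edits the firewall's routing. What still has to be maintained by hand is the forward policy, which is exactly the part you want a human to own. The prefix-list on the redistribution and the per-interface authentication are the two checks worth keeping even if the rest is simplified.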
> There's another advantage to this: if firewalls and routers &etc
> are not the same system, then they can run different software on
> different operating systems on different architectures -- providing
> a significant measure of insulation against attacks unique to one
> particular combination.
>
>
This is a bit of a fallacy, because, considering all things equal, a router
looks only at Layer 3/4 headers to route a packet, whereas a firewall will
look deeper up the stack (considering a simple scenario, not
considering MPLS stuff). Even if they run the same OS but with different
functions enabled, if a firewall has a vulnerability because it mishandles
TCP packets with the SYN/RST flags set, that does not mean it will be
vulnerable as a router.

I know companies running firewalls back to back from different vendors just
to make sure that they are secure if someone "hacks" one of the firewalls.

My point is that:

1) you can run dynamic routing on a firewall without issues
2) it depends on the situation whether it is advisable to do so
3) there is no one-size-fits-all scenario whereby it is verboten to have
anything other than static routes on a firewall
4) you have to consider the pros/cons of doing it or not doing it