Firewall in Routers??

Andrew Smith awsmith at
Tue Mar 4 02:37:58 UTC 1997

> Just to throw in a little bit more info..
> Theres little comparrison between the two.
> PIX is more of an address translation unit with firewalling
> capabilities.
> Firewall-1 is a fully functional Firewall with limited address
> translation. 
> i.e. PIX has a pool of IP addresses.. true address translation.
> Firewall-1 does address 'hiding' making it look to the external world
> like all connects come from a single IP.

Actually, hide mode is only one of the options in FW-1. You can do
a static one-to-one allocation (but not dynamically).

> I tend to prefer to keep routers as routers and firewalls as firewalls,
> it reduces the CPU overhead, Problem Determination is easier, and 
> configurations are kept in a distinct logical box.
> Of course this is at the expense of cost, and space.

Agreed...but in certain situations, ie a widely diverse network,
to follow this purist paradigm, you really need a separate firewall/
uniquely routed subnet. If someone has a 75XX with a T1 Internet
connection, why not let the extra CPU go towards firewall functions.
Granted, you are very limited in logging, authentication, and
proxies or content monitoring, but such capabilities could be made
with proprietary communication to a central firewall/management
server...but then you are really straying away from IOS/whatever OS
each router uses.  In short, if it's built, someone will buy it.
Is it enough people to pay for the development/political maneuvering?
Andrew Smith ** awsmith at ** Network Engineer ** 1-888-NEOSOFT
       ** "Opportunities multiply as they are seized" - Sun Tzu **
            ** ** 

More information about the NANOG mailing list