BGP and Firewalls...

Holmes,David A dholmes at
Wed Dec 7 18:19:58 UTC 2011

My concern is whether or not consolidating border router and firewall functions in the same device violates, if not explicitly, then the spirit of the "defense in depth" Internet edge design principle. Here is a link to a Department of Homeland Security document where this is discussed (for control systems, but has general application), but not addressed directly:

The old Checkpoint/Nokia firewalls consolidated routing and firewall functions, but the question is one of layered defenses, such that it seems intuitive that it is inherently more difficult for the bad actor to penetrate network defenses the more devices that have to be penetrated.

-----Original Message-----
From: Gregory Croft [mailto:gcroft at]
Sent: Wednesday, December 07, 2011 10:04 AM
To: Christopher Morrow
Cc: nanog at
Subject: RE: BGP and Firewalls...

I'm not having problems... Well, not yet anyways.  :)

Just investigating to see if there is a reason I shouldn't use a
firewall at the edge versus a dedicated router as well as to see if
anyone can share their specific experience with the PAN devices.

Thanks everyone!

-----Original Message-----
From: christopher.morrow at [mailto:christopher.morrow at]
On Behalf Of Christopher Morrow
Sent: Wednesday, December 07, 2011 12:44 PM
To: Gregory Croft
Cc: nanog at
Subject: Re: BGP and Firewalls...

On Wed, Dec 7, 2011 at 12:31 PM, Gregory Croft
<gcroft at> wrote:
> Hi All,
> Does anyone have any experience with using firewalls as edge devices
> when BGP is concerned?
> Specifically the Palo Alto series of devices.

nokia/checkpoint has done this for ages. what's the problem you have?
