BGP and Firewalls...

Leo Bicknell bicknell at
Wed Dec 7 18:36:53 UTC 2011

In a message written on Wed, Dec 07, 2011 at 10:19:58AM -0800, Holmes,David A wrote:
> My concern is whether or not consolidating border router and firewall functions in the same device violates, if not explicitly, then the spirit of the "defense in depth" Internet edge design principle. Here is a link to a Department of Homeland Security document where this is discussed (for control systems, but has general application), but not addressed directly:

I don't think you're looking at defense in depth in the right way,
and thus your question doesn't quite make sense.

If you look at the attack vector described in the paper you link
it shows what many of us in the ISP world call the "soft gooey
center".  As you see the attacker finds a way to bypass the corporate
firewall, and once inside the network there are no further controls
to prevent the attacker from hopping between corporate desktops,
corporate servers, and eventually a SCADA network.

Defense in depth is about internal compartmentalization.  The diagram
shows deploying additional firewalls between corporate LAN users
and corporate servers, and then again between corporate servers and
SCADA networks.  The idea is even if the attacker is able to bypass
one firewall, they have to pass through a second to get to another

Even with a defense in depth design with these multiple firewalls
(really, access control points), there is still the question you
ask, should the checkpoint devices be multiple boxes (e.g. firewall
and IDS in separate chassis) or unified boxes (firewall+IDS in a
single box).  It's really a totally orthogonal question.

What defense in depth does not allow you to do (from my understanding)
is consolidate these multiple firewall functions into one large
virtual firewall, because then you're back to a single point of

To summarize, "defense in depth" requires access control and
monitoring between different security zones, and that those access
control devices be not shared with devices handling other zones.
The devices themselves can include multiple functions on a single
device without affecting the strategy.

Is stacking functions on one device a good idea?  Well, millions of
residential users do it (firewall+ids+ips all in one), and plenty of
corporate users have had trouble scaling all-in-one devices.  Multiple
devices provide greater opportunity to select best in breed, but add
more failure points and more things to manage and correlate.  Which
tradeoffs are best for you and your network is something that can't be
easily answered with a rule, or by someone else on the Internet.

       Leo Bicknell - bicknell at - CCIE 3440
        PGP keys at
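An added illustration of the distinction drawn above (this is not part of Leo's post): a small Python check that models zone boundaries and the device enforcing each one. The constructed SEGMENTED topology keeps a separate access-control device at every boundary, while CONSOLIDATED folds all boundaries onto one virtual firewall, and the check reports the second as a single point of failure.

```python
from collections import defaultdict

# Constructed topologies for illustration. Each boundary is
# (zone_a, zone_b, device enforcing access control between them).
SEGMENTED = [
    ("internet", "corp_lan", "fw-edge"),
    ("corp_lan", "corp_servers", "fw-dc"),
    ("corp_servers", "scada", "fw-ot"),
]
# Same zones, but every boundary is enforced by one shared virtual firewall.
CONSOLIDATED = [
    ("internet", "corp_lan", "fw-virtual"),
    ("corp_lan", "corp_servers", "fw-virtual"),
    ("corp_servers", "scada", "fw-virtual"),
]

def build_graph(boundaries):
    """Undirected zone graph; each edge carries the enforcing device."""
    g = defaultdict(list)
    for a, b, dev in boundaries:
        g[a].append((b, dev))
        g[b].append((a, dev))
    return g

def min_distinct_devices(boundaries, src, dst):
    """Fewest *distinct* enforcement devices crossed on any simple path
    from src to dst (0 if unreachable). This is the real depth of the
    design: two boundaries behind the same device count as one layer."""
    g = build_graph(boundaries)
    best = None
    def walk(node, visited, devices):
        nonlocal best
        if node == dst:
            best = len(devices) if best is None else min(best, len(devices))
            return
        for nxt, dev in g[node]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, devices | {dev})
    walk(src, {src}, frozenset())
    return best or 0

def shared_devices(boundaries):
    """Devices enforcing more than one zone boundary: a compromise or
    misconfiguration of any of these collapses several layers at once."""
    seen = defaultdict(set)
    for a, b, dev in boundaries:
        seen[dev].add(frozenset((a, b)))
    return sorted(d for d, bounds in seen.items() if len(bounds) > 1)

def depth_ok(boundaries, src="internet", dst="scada", required=2):
    """True when the sensitive zone sits behind >= required independent
    devices and no device is shared between zone boundaries."""
    return (min_distinct_devices(boundaries, src, dst) >= required
            and not shared_devices(boundaries))
```

Whether each device is a plain firewall or a combined firewall+IDS box does not change the result, which matches the post's point that stacking functions on one device is orthogonal to the depth of the design.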