Dynamic routing on firewalls.

Owen DeLong owen at delong.com
Sun Feb 8 01:17:59 UTC 2015


A good firewall can also be a good router.

Of course you can find firewalls that are crappy routers and you can find routers that are crappy firewalls, but generally, the two are not mutually exclusive.

Owen

> On Feb 6, 2015, at 08:39 , Bill Thompson <Billt at mahagonny.com> wrote:
> 
> Just because a cat has kittens in the oven, you don't call them biscuits. A firewall can route, but it is not a router. Both have specialized tasks. You can fix a car with a Swiss Army knife, but why would you want to?
> -- 
> Bill Thompson
> billt at mahagonny.com
> 
> On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm at iglou.com> wrote:
>> 
>> On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
>>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer at nerd-residenz.de> wrote:
>>>> a router is a router and a firewall is a firewall. Especially a Cisco ASA is no router, period.
>>> 
>>> Man-o-man did I find that out when we had to renumber our network after we got bought by the French.
>> 
>>> Oh, I'll just pop on a secondary address on this interface... What?
>> 
>>> Needed to go through fits just to get a hairpin route in the thing.
>> 
>>> The ASA series is good at what it does, just don't plan on it acting like router IOS.
>> 
>> Sorry, but I'm with Owen.
>> 
>> Square : Rectangle :: Firewall : Router
>> 
>> A firewall is a router, despite how much so many security folk try to deny it.  And firewalls that seem to try to intentionally be crappy routers (ie, ASAs) have no place in my network.
>> 
>> If it can't be a decent router, then it's going to suck as a firewall too, because a firewall has to be able to play nice with the rest of the network, and if they can't do that, then I have no use for them.  I'll get a firewall that does.



