Re: Dynamic routing on firewalls.

[Owen DeLong <owen () delong com>]

> On Feb 8, 2015, at 05:40 , BPNoC Group <bpnoc.lists () gmail com> wrote:
>
> > Of course you can find firewalls that are crappy routers and you can find
> > routers that are crappy firewalls, but generally, the two are not mutually
> > exclusive.
>
> I completely disagree w/ such or similar statements.
> On the vendor datasheet it says different. On books it says different.
> And on real life it's different.

No, really it does not.

> Firewalls are firewalls. Routers are routers. Routers should do some very
> basic filtering (stateles, ACLs, data plane protection...) and firewalls
> should do basic static routing. And things should not go far beyond that.

We can agree to disagree.

> If you keep thinking like that you will soon believe an L3 switch is a
> firewall too.

An L3 switch is just another kind of router and if it’s got the ability for its
switching matrix to include a packet classifier that can be preprogrammed for
the appropriate firewall functions at line rate in hardware, then, yes, it’s a
perfectly fine firewall, and, probably about the only solution that’s really going
to work in a high line-rate scenario, actually.

> Firewalls and routers belong to different places in a serious topology.

You and I apparently have very different ideas of serous topologies.

> Only small networks should have both functions in the same box. It raises
> risks, makes different kernel tasks competing to each other for the same
> resources. You may run out of states, memory and CPU specially if mixing
> NAT & tunneling beyond firewalling and routing. A router nowadays has many
> tasks to accomplish, from 6to4, dual stacking, to multiple routing services
> (bgp, ospf, bfd). Don't add extra duties to the box.

If you are firewalling so far away from the edge that any of this matters, you have
already lost and your topology is very hard to consider “serious” in my opinion.

> Multiple purpose systems that can act like both things (say, a Linux box),
> but it's just not right to have more than one critical service in the same
> box. They should be distributed along your network. A firewall in front of
> the router, a firewall after the router in front of the servers.

I’m thinking more like a large Juniper with an ESPIC or other services
interface hardware solution.

> I just had a huge problem with an engineer who decided that a router should
> be his CGN, and when the number of translated sessions run above the
> expected and planned capacity, the box just sit down unresponsive. All of
> this company (and it's a banking company, not an ISP who just pays some SLA
> debit and it's good to go) connectivity was offline due to this confusion
> of service profiles on the same box, and all, means servers and hosts with
> registered IP addresses, not only RFC1918 addresses that needed to be
> translated.

You can always choose the wrong box for the job. I bet I can point to plenty of
routers that could have handled his CGN needs just fine and had plenty of memory
to hold all of his translated sessions.

This is no different than if he chose an incorrect CGN box that was purpose-built.

Your example is like saying “The 2514 was not adequate as a 100Mbps firewall,
so all routers are inadequate as firewalls”.

The 2514 was not adequate or even capable of being a 100Mbps router.

> We just split the functions, distributed firewall and CGN to different
> boxes and topologies in a much more logical way and the "auto DoS feature"
> just went away.

That’s certainly one viable solution. Maybe even the right one for that particular
space. However, it does not change anything I said.

> So, please, don't insist. A firewall is a firewall. A router is a router. A
> translation box is another alien. Unless you are SMB or willing to pay over
> dimensioned boxes to mix all duties up together, which will be more
> expensive than distributing the services alongside the network.

Technically, a router is any device which takes an IP datagram on one interface
and delivers it to an interface with a different network number (whether the same
(hairpin) or another interface) after decrementing the TTL or Hop Count (depending
on whether IPv4 or IPv6).

Other than the (rather silly in virtually all circumstances) Layer 2 firewalls mentioned
earlier, every firewall is technically a router. Not every router is a firewall, though there
are plenty of routers that are also very capable firewalls.

I will grant you that there are virtually no purpose-built firewalls that make good routers,
but that’s yet another issue truly unrelated to what I said.

As to translation devices, well, those also have no place in a serious topology other
than dealing with limitations of an aging and hopefully soon to be deprecated protocol
that should have been obsoleted years ago.

Owen

> > Owen
> >
> > > On Feb 6, 2015, at 08:39 , Bill Thompson <Billt () mahagonny com> wrote:
> > >
> > > Just because a cat has kittens in the oven, you don't call them
> > biscuits. A firewall can route, but it is not a router. Both have
> > specialized tasks. You can fix a car with a swiss army knife, but why would
> > you want to?
> > > --
> > > Bill Thompson
> > > billt () mahagonny com
> > >
> > > On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm () iglou com>
> > wrote:
> > > > On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
> > > > > > On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer () nerd-residenz de>
> > > > > > wrote:
> > > > > > a router is a router and a firewall is a firewall. Especially a
> > > > Cisco ASA
> > > > > > is no router, period.
> > > > >
> > > > > Man-o-man did I find that out when we had to renumber our network
> > > > after
> > > > > we got bought by the French.
> > > >
> > > > > Oh, I'll just pop on a secondary address on this interface... What?
> > > >
> > > > > Needed to go through fits just to get a hairpin route in the thing.
> > > >
> > > > > The ASA series is good at what it does, just don't plan on it acting
> > > > like
> > > > > router IOS.
> > > >
> > > > Sorry, but I'm with Owen.
> > > >
> > > > Square : Rectangle :: Firewall : Router
> > > >
> > > > A firewall is a router, despite how much so many security folk try to
> > > > deny
> > > > it.  And firewalls that seem to try to intentionally be crappy routers
> > > > (ie, ASAs) have no place in my network.
> > > >
> > > > If it can't be a decent router, then its going to suck as a firewall
> > > > too,
> > > > because a firewall has to be able to play nice with the rest of the
> > > > network, and if they can't do that, then I have no use for them.  I'll
> > > > get
> > > > a firewall that does.