nanog mailing list archives
Re: Dynamic routing on firewalls.
From: Owen DeLong <owen () delong com>
Date: Sun, 8 Feb 2015 16:58:49 -0800
On Feb 8, 2015, at 05:40 , BPNoC Group <bpnoc.lists () gmail com> wrote:

>> Of course you can find firewalls that are crappy routers and you can find routers that are crappy firewalls, but generally, the two are not mutually exclusive.
>
> I completely disagree w/ such or similar statements. On the vendor datasheet it says different. In books it says different. And in real life it's different.

No, really it does not.

> Firewalls are firewalls. Routers are routers. Routers should do some very basic filtering (stateless, ACLs, data plane protection...) and firewalls should do basic static routing. And things should not go far beyond that.

We can agree to disagree.

> If you keep thinking like that you will soon believe an L3 switch is a firewall too.

An L3 switch is just another kind of router and if it’s got the ability for its switching matrix to include a packet classifier that can be preprogrammed for the appropriate firewall functions at line rate in hardware, then, yes, it’s a perfectly fine firewall, and, probably about the only solution that’s really going to work in a high line-rate scenario, actually.

> Firewalls and routers belong to different places in a serious topology.

You and I apparently have very different ideas of serious topologies.

> Only small networks should have both functions in the same box. It raises risks, makes different kernel tasks compete with each other for the same resources. You may run out of states, memory and CPU, especially if mixing NAT & tunneling beyond firewalling and routing. A router nowadays has many tasks to accomplish, from 6to4, dual stacking, to multiple routing services (bgp, ospf, bfd). Don't add extra duties to the box.

If you are firewalling so far away from the edge that any of this matters, you have already lost and your topology is very hard to consider “serious” in my opinion.

> Multiple purpose systems can act like both things (say, a Linux box), but it's just not right to have more than one critical service in the same box. They should be distributed along your network. A firewall in front of the router, a firewall after the router in front of the servers.

I’m thinking more like a large Juniper with an ESPIC or other services interface hardware solution.

> I just had a huge problem with an engineer who decided that a router should be his CGN, and when the number of translated sessions ran above the expected and planned capacity, the box just sat there unresponsive. All of this company's connectivity (and it's a banking company, not an ISP who just pays some SLA debit and it's good to go) was offline due to this confusion of service profiles on the same box, and all means servers and hosts with registered IP addresses, not only RFC1918 addresses that needed to be translated.

You can always choose the wrong box for the job. I bet I can point to plenty of routers that could have handled his CGN needs just fine and had plenty of memory to hold all of his translated sessions. This is no different than if he chose an incorrect CGN box that was purpose-built. Your example is like saying “The 2514 was not adequate as a 100Mbps firewall, so all routers are inadequate as firewalls”. The 2514 was not adequate or even capable of being a 100Mbps router.

> We just split the functions, distributed firewall and CGN to different boxes and topologies in a much more logical way and the "auto DoS feature" just went away.

That’s certainly one viable solution. Maybe even the right one for that particular space. However, it does not change anything I said.

> So, please, don't insist. A firewall is a firewall. A router is a router. A translation box is another alien. Unless you are SMB or willing to pay for over-dimensioned boxes to mix all duties up together, which will be more expensive than distributing the services alongside the network.

Technically, a router is any device which takes an IP datagram on one interface and delivers it to an interface with a different network number (whether the same (hairpin) or another interface) after decrementing the TTL or Hop Count (depending on whether IPv4 or IPv6). Other than the (rather silly in virtually all circumstances) Layer 2 firewalls mentioned earlier, every firewall is technically a router. Not every router is a firewall, though there are plenty of routers that are also very capable firewalls. I will grant you that there are virtually no purpose-built firewalls that make good routers, but that’s yet another issue truly unrelated to what I said. As to translation devices, well, those also have no place in a serious topology other than dealing with limitations of an aging and hopefully soon to be deprecated protocol that should have been obsoleted years ago.

Owen

>> On Feb 6, 2015, at 08:39 , Bill Thompson <Billt () mahagonny com> wrote:
>>
>>> Just because a cat has kittens in the oven, you don't call them biscuits. A firewall can route, but it is not a router. Both have specialized tasks. You can fix a car with a swiss army knife, but why would you want to?
>>> --
>>> Bill Thompson
>>> billt () mahagonny com
>>>
>>> On February 5, 2015 7:19:43 PM PST, Jeff McAdams <jeffm () iglou com> wrote:
>>>> On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
>>>>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer <rmayer () nerd-residenz de> wrote:
>>>>>> a router is a router and a firewall is a firewall. Especially a Cisco ASA is no router, period.
>>>>>
>>>>> Man-o-man did I find that out when we had to renumber our network after we got bought by the French.
>>>>> Oh, I'll just pop on a secondary address on this interface... What? Needed to go through fits just to get a hairpin route in the thing.
>>>>> The ASA series is good at what it does, just don't plan on it acting like router IOS.
>>>>
>>>> Sorry, but I'm with Owen.
>>>>
>>>> Square : Rectangle :: Firewall : Router
>>>>
>>>> A firewall is a router, despite how much so many security folk try to deny it. And firewalls that seem to try to intentionally be crappy routers (i.e., ASAs) have no place in my network. If it can't be a decent router, then it's going to suck as a firewall too, because a firewall has to be able to play nice with the rest of the network, and if they can't do that, then I have no use for them. I'll get a firewall that does.
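The thread's two technical claims are that a router is anything that does a forwarding lookup and decrements the TTL or hop limit, and that a firewall is that same forwarding path with a packet classifier in front of it (the "stateless ACLs" the earlier reply concedes even routers should do). The following example, added here and not code from anyone in the thread, models exactly that: a minimal longest-prefix-match forwarder for IPv4 and IPv6 (hairpin forwarding allowed, TTL-expired and no-route drops), and a firewall class that subclasses it and adds a default-deny stateless rule table. All prefixes, interface names and rules are constructed sample data; nothing here reflects any vendor's behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int        # IPv4 TTL or IPv6 hop limit
    in_iface: str   # interface the datagram arrived on


class Router:
    """Minimal forwarder: longest-prefix match, then decrement TTL/hop limit.

    `routes` is a list of (prefix, out_interface) pairs, constructed sample data.
    """

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, dst):
        """Return the egress interface for `dst`, or None if no route matches.

        ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch,
        so a v6 destination never matches a v4 prefix (and vice versa).
        """
        addr = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        if not matches:
            return None
        # Longest prefix wins: the most specific route is the one to use.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward(self, pkt):
        """Return (out_iface, new_packet) or (None, drop_reason)."""
        if pkt.ttl <= 1:
            # Datagram would reach zero on decrement: discard (a real router
            # would also emit ICMP Time Exceeded).
            return None, "ttl-exceeded"
        out = self.lookup(pkt.dst)
        if out is None:
            return None, "no-route"
        # Hairpin is fine: `out` may equal `pkt.in_iface`. The TTL is still
        # decremented, which is what makes this a routing hop.
        return out, Packet(pkt.src, pkt.dst, pkt.ttl - 1, pkt.in_iface)


class Firewall(Router):
    """A router plus a stateless classifier evaluated before forwarding.

    `rules` is an ordered list of (src_prefix, dst_prefix, action); the first
    match wins and anything unmatched is denied (constructed default-deny policy).
    """

    def __init__(self, routes, rules):
        super().__init__(routes)
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), act)
                      for s, d, act in rules]

    def classify(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for src_net, dst_net, action in self.rules:
            if s in src_net and d in dst_net:
                return action
        return "deny"

    def forward(self, pkt):
        if self.classify(pkt) != "permit":
            return None, "acl-deny"
        # Once the classifier permits it, the datagram is routed exactly as a
        # plain router would route it.
        return super().forward(pkt)


# Constructed sample topology (documentation prefixes only).
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("192.0.2.0/24", "lan"),
    ("192.0.2.128/25", "dmz"),
    ("2001:db8::/32", "v6lan"),
]
SAMPLE_RULES = [
    ("0.0.0.0/0", "192.0.2.128/25", "permit"),   # internet may reach the DMZ
    ("192.0.2.0/24", "0.0.0.0/0", "permit"),     # LAN may go anywhere
]

if __name__ == "__main__":
    fw = Firewall(SAMPLE_ROUTES, SAMPLE_RULES)
    for pkt in (Packet("198.51.100.1", "192.0.2.200", 64, "wan"),
                Packet("198.51.100.1", "192.0.2.5", 64, "wan"),
                Packet("192.0.2.5", "192.0.2.9", 64, "lan")):
        print(pkt.dst, "->", fw.forward(pkt))
```

The `Router` on its own forwards the second packet to `lan`; the `Firewall` drops it with `acl-deny` before any route lookup happens, while the third packet shows a hairpin: in and out on `lan`, TTL still decremented.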