Re: OT - Dynamic Routing on a Firewall? posted 09/08/2008


Hi Scott,

So what are your thoughts regarding doing the routing on your firewall? Is
it a bad idea?

Thanks

On Mon, Sep 8, 2008 at 8:30 AM, Scott Morris <smorris@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Ohhh...   Now the lightbulb is going on.  After having read a series of e-mails
> about PEMU and Dynamips, I thought the original post was about running
> Netscreen/Juniper firewalls in a virtual environment (e.g. not real
> equipment).
>
> Duh...  I'm off to seek more caffeine now.  :)
>
>
> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> Senior CCIE Instructor
>
> smorris@xxxxxxxxxxxxxxxxxxxxxx
>
>
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
> Online Community: Seek it out, well worth the find!
> CCIE Blog: Read the blogs...  Learn the good stuff....
>
> Knowledge is power.
> Power corrupts.
> Study hard and be Eeeeviiiil......
>
>  _____
>
> From: Muhammad Nasim [mailto:muhammad.nasim@xxxxxxxxx]
> Sent: Monday, September 08, 2008 7:30 AM
> To: Wes Stevens
> Cc: Scott Morris; ccielab@xxxxxxxxxxxxxx
> Subject: Re: OT - Dynamic Routing on a Firewall?
>
>
> Shahid,
>
> The virtualization support in Juniper is far better than Cisco ASA.
> Cisco's highest model supports a maximum of 50 contexts, where Juniper supports
> 500.
>
> The following Juniper firewalls support virtualization (Virtual Firewalls):
>
> 1- ISG 1000
> 2- ISG 2000
> 3- Netscreen 500 (EOS now)
> 4- Netscreen 5200
> 5- Netscreen 5400
>
> In terms of features and other things, the virtual firewall of Juniper is
> better than the contexts of Cisco.
>
> But hey I should favour Cisco as I am Cisco Certified : )
>
> HTH
>
>
>
> 2008/9/7 Wes Stevens <wrsteve33-gsccie@xxxxxxxxx>
>
>
> The QuantumFlow processors in the new ASR are capable of doing firewall
> functions (and a lot more) in hardware. The ASR will function as a firewall
> with 4.5 Gbps of throughput. This chip reminds me of the early days of IBM
> and the PowerPC chip. It was basically a mainframe on a chip. It started in
> the PC and AS/400 lines and eventually expanded to run everything.
>
> This chip will probably do the same in Cisco. It will be the basis of the
> switch processor engine from the ISR all the way up to the CSR.
>
> ----- Original Message ----
> From: Scott Morris <smorris@xxxxxxxxxxxxxxxxxxxxxx>
> To: Shahid Ansari <shahid1357@xxxxxxxxx>; Muhammad Nasim <muhammad.nasim@xxxxxxxxx>
> Cc: CCIEin2006 <ciscocciein2006@xxxxxxxxx>; Cisco certification <ccielab@xxxxxxxxxxxxxx>
> Sent: Sunday, September 7, 2008 9:01:43 AM
> Subject: RE: OT - Dynamic Routing on a Firewall?
>
> Kinda hard to virtualize an ASIC-driven operation....
>
> AFAIK, no.  Not for the Netscreen firewalls.
>
> Scott
>
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> Shahid Ansari
> Sent: Sunday, September 07, 2008 4:36 AM
> To: Muhammad Nasim
> Cc: CCIEin2006; Cisco certification
> Subject: Re: OT - Dynamic Routing on a Firewall?
>
> Cisco made ASA for pure firewalling, IPS and content security technologies
> with multiple vulnerabilities. : )
>
> Can we do virtualization for Juniper's firewall? : )  ;)
>
> Thanks
> Shahid
>
>
>
> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim <muhammad.nasim@xxxxxxxxx> wrote:
>
> > BGP is not supported on ASA until now.
> >
> > Juniper supports it.
> >
> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
> >
> > 2008/9/7 Shahid Ansari <shahid1357@xxxxxxxxx>
> >
> >
> >> If you are receiving a default route in BGP, no problem, let the firewall
> >> do two functions (routing and firewalling), but if you are receiving a
> >> full BGP table then keep enough memory to support routing and firewalling.
> >>
> >> Maybe Juniper has some higher end products which can support both
> >> routing and firewall in large networks.
> >>
> >> Thanks
> >> Shahid
> >>
> >> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <muhammad.nasim@xxxxxxxxx> wrote:
> >>
> >>> I don't think that one should avoid running a routing protocol due
> >>> to the fear of BUGS and other things. If we think like that, trust me,
> >>> then we will not be able to run most of the feature set of the firewall.
> >>>
> >>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I
> >>> avoid running two or more types of VPNs together? The answer is
> >>> simply NO. Yes, some error or bug may occur; I will try to solve it or
> >>> work around it, otherwise calling TAC is the last step.
> >>>
> >>> I don't think the firewall becomes more vulnerable by running a routing
> >>> protocol. If we think like that then we will also be avoiding
> >>> running VPN and CBAC (application firewall) on the routers, and also
> >>> then we will be avoiding running CME on the routers as well.
> >>>
> >>> So no need to worry : )
> >>>
> >>> HTH
> >>>
> >>>
> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@xxxxxxxxx>
> >>>
> >>> > Thanks for the reply Muhammad.
> >>> >
> >>> > From a security perspective, do you think running routing protocols on a
> >>> > firewall makes the firewall more vulnerable? If so, how?
> >>> >
> >>> > I am thinking that extra processes running on the firewall lead to more
> >>> > bugs and more likelihood of exploitation. What do you think?
> >>> >
> >>> > No one else wants to chime in here?
> >>> >
> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <muhammad.nasim@xxxxxxxxx> wrote:
> >>> >
> >>> >> Ok, let's have a debate on it.
> >>> >>
> >>> >> It depends what exactly the design you have on your network is. For
> >>> >> example, the standard is to have a router for ROUTING and a firewall for
> >>> >> firewalling and IPS and other things.
> >>> >>
> >>> >> Now if you already have a router and firewall in place then it is good to
> >>> >> keep the routing on the routers, BUT if you really want to save money then
> >>> >> just purchase a firewall which supports good routing, and again Juniper
> >>> >> takes the edge.
> >>> >>
> >>> >> The Juniper SSG series has very strong support for routing; not only that,
> >>> >> it also supports WAN, DSL and other interfaces, so in short you can buy
> >>> >> only an SSG and do routing and firewalling. Not only that, from version
> >>> >> 6.1.0 Juniper firewalls support DMVPN as well, which unfortunately Cisco
> >>> >> is lagging behind on.
> >>> >>
> >>> >> There is no hard and fast rule for it. It really depends on your
> >>> >> scenario.
> >>> >>
> >>> >> For example, if I am going to design a network for 10 branches, I will
> >>> >> first look into the budget of my customer; if it permits, I will surely
> >>> >> go for one router and one firewall.
> >>> >>
> >>> >> If the budget does not permit, I will go for a firewall which supports
> >>> >> good routing as well.
> >>> >>
> >>> >> Hope this helps
> >>> >>
> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@xxxxxxxxx>
> >>> >>
> >>> >>> No brave ones want to tackle this one?
> >>> >>>
> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@xxxxxxxxx> wrote:
> >>> >>>
> >>> >>> > Hiya folks,
> >>> >>> >
> >>> >>> > I was wondering if the group could share some pros/cons of running
> >>> >>> > dynamic routing protocols on a firewall?
> >>> >>> > Can anyone share their experience with this?
> >>> >>> >
> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke fashion
> >>> >>> > via metro ethernet links. I am looking to add VPN as a backup (each
> >>> >>> > branch has local internet access). The routers are currently running
> >>> >>> > OSPF.
> >>> >>> >
> >>> >>> > I am thinking of doing it all on the ASA platform to save money, but
> >>> >>> > something in my gut tells me to leave the routing up to routers. So I
> >>> >>> > am thinking I might need to bite the bullet and buy some routers too.
> >>> >>> >
> >>> >>> > What do you think?
> >>> >>>
> >>> >>> Blogs and organic groups at http://www.ccie.net
> >>> >>>
> >>> >>> _______________________________________________________________________
> >>> >>> Subscription information may be found at:
> >>> >>> http://www.groupstudy.com/list/CCIELab.html
> >>> >>>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Muhammad Nasim
> >>> >> Network Engineer
> >>> >> Saudi Arabia
> >>>
> >>> --
> >>> Muhammad Nasim
> >>> Network Engineer
> >>> Saudi Arabia
> >>
> >>
> >> --
> >> Regards,
> >>
> >> Shahid
> >
> > --
> > Muhammad Nasim
> > Network Engineer
> > Saudi Arabia
>
> --
> Regards,
>
> Shahid
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>