GroupStudy.com - A virtual community of network engineers
Re: OT - Dynamic Routing on a Firewall? posted 09/09/2008


Yes, I can still switch you back to Cisco ASA (I think this should be the
primary responsibility of a consultant) : )

What routing and VPN tunnels are you looking for, what exact protocol will you
be running, and so on?

You can contact me offline if you want : )



2008/9/9 CCIEin2006 <ciscocciein2006@xxxxxxxxx>

> Thanks guys.
>
> Since these branches have less than 100 people it sounds like an all in one
> appliance would suffice.
>
> Unfortunately it looks like I'll have to go with...gulp...a Juniper
> SSG which seems to have a better grip on VPN tunnels and routing than the
> ASA.
>
> Unless you guys can recommend a Cisco product?
>
> Thanks,
> Nick
>
> On Mon, Sep 8, 2008 at 10:31 AM, Scott Morris <
> smorris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>>  In CERTAIN situations (e.g. small office/small routing table) I don't
>> see anything wrong with it.  In larger deployments, I'm a firm believer in
>> everything has its place in life.  Firewalls were designed to be
>> firewalls.  Routers were designed to be routers.
>>
>> My best example of it is the DHCP and DNS server capabilities within IOS.
>>
>> A Cisco router CAN be damn-near everything to your network, but the
>> question is SHOULD it?  :)  Small, not-too-many-request deployments, sure,
>> you can get away with it.  Don't get used to it though, because you'll start
>> having processing problems in heavier deployments.  It's the same kind of
>> logic though where people deploy a single server to be their Win2k AD
>> controller/PDC plus the SQL server plus the Exchange server, and wonder why
>> things suck.
>>
>> Just my two cents.  Even after caffeine.  :)
>>
>> Scott
>>
>>  ------------------------------
>> *From:* CCIEin2006 [mailto:ciscocciein2006@xxxxxxxxx]
>> *Sent:* Monday, September 08, 2008 9:23 AM
>> *To:* Scott Morris
>> *Cc:* Muhammad Nasim; Wes Stevens; ccielab@xxxxxxxxxxxxxx
>>
>> *Subject:* Re: OT - Dynamic Routing on a Firewall?
>>
>>    Hi Scott,
>>
>> So what are your thoughts regarding doing the routing on your firewall? Is
>> it a bad idea?
>>
>> Thanks
>>
>> On Mon, Sep 8, 2008 at 8:30 AM, Scott Morris <
>> smorris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>> Ohhh...   Now the lightbulb is going on.  After having read a series of
>>> e-mails about PEMU and Dynamips, I thought the original post was about
>>> running Netscreen/Juniper firewalls in a virtual environment (e.g. not
>>> real equipment).
>>>
>>> Duh...  I'm off to seek more caffeine now.  :)
>>>
>>>
>>> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
>>> CCSI/JNCI-M/JNCI-ER
>>> Senior CCIE Instructor
>>>
>>> smorris@xxxxxxxxxxxxxxxxxxxxxx
>>>
>>>
>>>
>>> Internetwork Expert, Inc.
>>> http://www.InternetworkExpert.com
>>> Toll Free: 877-224-8987
>>> Outside US: 775-826-4344
>>> Online Community: Seek it out, well worth the find!
>>> CCIE Blog: Read the blogs...  Learn the good stuff....
>>>
>>> Knowledge is power.
>>> Power corrupts.
>>> Study hard and be Eeeeviiiil......
>>>
>>>  _____
>>>
>>> From: Muhammad Nasim [mailto:muhammad.nasim@xxxxxxxxx]
>>> Sent: Monday, September 08, 2008 7:30 AM
>>> To: Wes Stevens
>>> Cc: Scott Morris; ccielab@xxxxxxxxxxxxxx
>>>  Subject: Re: OT - Dynamic Routing on a Firewall?
>>>
>>>
>>> Shahid,
>>>
>>> The virtualization support in Juniper is far better than Cisco ASA.
>>> Cisco's highest model supports a maximum of 50 contexts, where Juniper
>>> supports 500.
>>>
>>> The following Juniper firewalls support virtualization (Virtual Firewalls):
>>>
>>> 1- ISG 1000
>>> 2- ISG 2000
>>> 3- Netscreen 500 (EOS now)
>>> 4- Netscreen 5200
>>> 5- Netscreen 5400
>>>
>>> In terms of features and other things the virtual firewall of Juniper is
>>> better than the contexts of Cisco.
>>>
>>> But hey I should favour Cisco as I am Cisco Certified : )
>>>
>>> HTH
>>>
>>>
>>>
>>> 2008/9/7 Wes Stevens <wrsteve33-gsccie@xxxxxxxxx>
>>>
>>>
>>> The QuantumFlow processors in the new ASR are capable of doing firewall
>>> functions (and a lot more) in hardware. The ASR will function as a
>>> firewall with 4.5 Gbps of throughput. This chip reminds me of the early
>>> days of IBM and the PowerPC chip. It was basically a mainframe on a chip.
>>> It started in the PC and AS/400 lines and eventually expanded to run
>>> everything.
>>>
>>> This chip will probably do the same in Cisco. It will be the basis of the
>>> switch processor engine from the ISR all the way up to the CSR.
>>>
>>>
>>>
>>>
>>> ----- Original Message ----
>>> From: Scott Morris <smorris@xxxxxxxxxxxxxxxxxxxxxx>
>>> To: Shahid Ansari <shahid1357@xxxxxxxxx>; Muhammad Nasim
>>> <muhammad.nasim@xxxxxxxxx>
>>> Cc: CCIEin2006 <ciscocciein2006@xxxxxxxxx>; Cisco certification
>>> <ccielab@xxxxxxxxxxxxxx>
>>> Sent: Sunday, September 7, 2008 9:01:43 AM
>>> Subject: RE: OT - Dynamic Routing on a Firewall?
>>>
>>> Kinda hard to virtualize an ASIC-driven operation....
>>>
>>> AFAIK, no.  Not for the Netscreen firewalls.
>>>
>>> Scott
>>>
>>> -----Original Message-----
>>> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>>> Shahid Ansari
>>> Sent: Sunday, September 07, 2008 4:36 AM
>>> To: Muhammad Nasim
>>> Cc: CCIEin2006; Cisco certification
>>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>>
>>> Cisco made ASA for pure firewalling, IPS and content security technologies
>>> with multiple vulnerabilities. : )
>>>
>>> Can we do virtualization for Juniper's firewall? : )  ;)
>>>
>>> Thanks
>>> Shahid
>>>
>>>
>>>
>>> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim
>>> <muhammad.nasim@xxxxxxxxx>wrote:
>>>
>>> > BGP is not supported on ASA as of now.
>>> >
>>> > Juniper supports it.
>>> >
>>> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
>>> >
>>> >
>>> >
>>> >
>>> > 2008/9/7 Shahid Ansari <shahid1357@xxxxxxxxx>
>>> >
>>> >
>>> >> If you are receiving a default route in BGP, no problem, let the firewall
>>> >> do both functions (routing and firewalling), but if you are receiving
>>> >> the full BGP table then keep enough memory to support routing and
>>> >> firewalling.
>>> >>
>>> >> Maybe Juniper has some higher-end products which can support both
>>> >> routing and firewalling in large networks.
>>> >>
>>> >> Thanks
>>> >> Shahid
>>> >>
>>> >>  On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <
>>> >> muhammad.nasim@xxxxxxxxx> wrote:
>>> >>
>>> >>> I don't think that one should avoid running a routing protocol due
>>> >>> to the fear of BUGS and other things. If we think like that, trust me,
>>> >>> then we will not be able to run most of the feature set of a firewall.
>>> >>>
>>> >>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I
>>> >>> avoid running two or more types of VPN together? The answer is
>>> >>> simply NO. Yes, some error or bug may occur; I will try to solve it or
>>> >>> work around it, otherwise calling TAC is the last step.
>>> >>>
>>> >>> I don't think a firewall becomes more vulnerable by running a routing
>>> >>> protocol. If we think like that then we will also be avoiding
>>> >>> running VPN and CBAC (application firewall) on the routers, and also
>>> >>> then we will be avoiding running CME on the routers as well.
>>> >>>
>>> >>>
>>> >>> So no need to worry : )
>>> >>>
>>> >>> HTH
>>> >>>
>>> >>>
>>> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@xxxxxxxxx>
>>> >>>
>>> >>> > Thanks for the reply Muhammad.
>>> >>> >
>>> >>> > From a security perspective, do you think running routing
>>> >>> > protocols on a firewall makes the firewall more vulnerable? If so,
>>> >>> > how?
>>> >>> >
>>> >>> > I am thinking that extra processes running on the firewall lead
>>> >>> > to more bugs and more likelihood of exploitation. What do you think?
>>> >>> >
>>> >>> > No one else wants to chime in here?
>>> >>> >
>>> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <
>>> >>> muhammad.nasim@xxxxxxxxx>wrote:
>>> >>> >
>>> >>> >> Ok, let's have a debate on it.
>>> >>> >>
>>> >>> >> It depends what exactly the design you have on your network is. For
>>> >>> >> example, the standard is to have a router for ROUTING and a firewall
>>> >>> >> for firewalling and IPS and other things.
>>> >>> >>
>>> >>> >> Now if you already have a router and firewall in place then it is
>>> >>> >> good to keep the routing on the routers, BUT if you really want to
>>> >>> >> save money then just purchase a firewall which supports good routing,
>>> >>> >> and again Juniper takes the edge.
>>> >>> >>
>>> >>> >>
>>> >>> >> The Juniper SSG series has very strong support for routing; not only
>>> >>> >> that, it also supports WAN, DSL and other interfaces, so in short you
>>> >>> >> can buy only an SSG and do routing and firewalling. Not only that,
>>> >>> >> from version 6.1.0 the Juniper firewall supports DMVPN as well, which
>>> >>> >> unfortunately Cisco is lagging behind on.
>>> >>> >>
>>> >>> >> There is no hard and fast rule for it. It really depends on your
>>> >>> >> scenario.
>>> >>> >>
>>> >>> >> For example, if I am going to design a network for 10 branches, I
>>> >>> >> will first look into the budget of my customer; if it permits I will
>>> >>> >> surely go for one router and one firewall.
>>> >>> >>
>>> >>> >>
>>> >>> >> If the budget does not permit I will go for a firewall which supports
>>> >>> >> good routing as well.
>>> >>> >>
>>> >>> >> Hope this helps
>>> >>> >>
>>> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@xxxxxxxxx>
>>> >>> >>
>>> >>> >>>  No brave ones want to tackle this one?
>>> >>> >>>
>>> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <
>>> >>> ciscocciein2006@xxxxxxxxx
>>> >>> >>> >wrote:
>>> >>> >>>
>>> >>> >>> >  Hiya folks,
>>> >>> >>> >
>>> >>> >>> > I was wondering if the group could share some pros/cons of
>>> >>> >>> > running dynamic routing protocols on a firewall?
>>> >>> >>> > Can anyone share their experience with this?
>>> >>> >>> >
>>> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke
>>> >>> >>> > fashion via metro ethernet links. I am looking to add VPN as a
>>> >>> >>> > backup (each branch has local internet access). The routers are
>>> >>> >>> > currently running OSPF.
>>> >>> >>> >
>>> >>> >>> > I am thinking of doing it all on the ASA platform to save money,
>>> >>> >>> > but something in my gut tells me to leave the routing up to
>>> >>> >>> > routers. So I am thinking I might need to bite the bullet and buy
>>> >>> >>> > some routers too.
>>> >>> >>> >
>>> >>> >>> > What do you think?
>>> >>> >>>
>>> >>> >>>
>>> >>> >>> Blogs and organic groups at http://www.ccie.net
>>> >>> >>>
>>> >>> >>>
>>> >>> >>> _______________________________________________________________________
>>> >>> >>> Subscription information may be found at:
>>> >>> >>> http://www.groupstudy.com/list/CCIELab.html
>>> >>> >>
>>> >>> >>
>>> >>> >> --
>>> >>> >> Muhammad Nasim
>>> >>> >> Network Engineer
>>> >>> >> Saudi Arabia
>>> >>> >>
>>> >>> >
>>> >>> >
>>> >>>
>>> >>>
>>> >>> --
>>> >>>  Muhammad Nasim
>>> >>> Network Engineer
>>> >>> Saudi Arabia
>>> >>>
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> Regards,
>>> >>
>>> >> Shahid
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Muhammad Nasim
>>> > Network Engineer
>>> > Saudi Arabia
>>> >
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Shahid
>>>
>>>
>>> --
>>> Muhammad Nasim
>>> Network Engineer
>>> Saudi Arabia
>>>
>>>
>>
>


-- 
Muhammad Nasim
Network Engineer
Saudi Arabia
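Added example, not taken from any post in this thread: if the branch ASA does end up running OSPF for the hub-and-spoke setup the original poster describes, the security-relevant part of the question ("does a routing process on the firewall make it more exposed?") comes down to who can form an adjacency with it. The configuration below contrasts a weak form (OSPF reachable on every interface, unauthenticated) with a tightened form (OSPF confined to the inside interface, MD5-authenticated neighbors, adjacency changes logged). Interface names, addresses, the area number, the router-id and the key string are all assumed for illustration; the commands are the ASA `router ospf` and interface-level `ospf` syntax of the 8.x era being discussed.

```cisco
! ---- Weak form (shown commented out so it is not applied by mistake) ----
! A 0.0.0.0/0 network statement puts every interface, including outside and
! any DMZ, into area 0 with no authentication. Any host on those segments that
! speaks OSPF can become a neighbor and inject routes into the firewall.
!
! router ospf 1
!  network 0.0.0.0 0.0.0.0 area 0
!
! ---- Tightened form ----
router ospf 1
 router-id 10.10.0.1
 log-adj-changes
 ! Require MD5-authenticated hellos from every neighbor in area 0.
 area 0 authentication message-digest
 ! Only the inside segment (assumed 10.10.0.0/24) participates in OSPF.
 network 10.10.0.0 255.255.255.0 area 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 ! Per-interface key; the key string is a placeholder, not a real secret.
 ospf authentication message-digest
 ospf message-digest-key 1 md5 ExampleKey123
!
! The outside interface is deliberately absent from the network statements,
! so the ASA neither sends nor accepts OSPF hellos toward the Internet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
```

Two checks after applying it: `show ospf neighbor` should list only the expected inside routers, and `show ospf interface` should show OSPF absent from outside. One caveat for the VPN-backup part of the question: the ASA software of this era has no tunnel interface (no GRE, and routed VTI tunnels arrived much later), so an OSPF adjacency across the backup IPsec tunnel is not available the way it is between two IOS routers running OSPF over GRE; the backup path is driven by static routes or reverse route injection rather than by the dynamic protocol.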