At 1:22 AM -0400 5/6/02, Tarek Sabry wrote:
>Hi everyone
>
>I was wondering if anyone here ever had experience/exposure to a situation
>where you needed to run something like BGP on a firewall (PIX or
>CheckPoint). Are there any alternatives in addition to Zebra? I know there's
>some shareware and freeware but I'm interested in commercial, field-proven
>and supported products.
>
>If not then can anyone evaluate ZebOS for me or tell me if they know any
>organizations using it? The real nice thing about it is that it has a Cisco
>IOS interface, which is AWESOME! But my boss still needs some vendor
>verification before we include Zebra in any MPLS/VPN designs.
>
>Thanks a lot
>Tarek

First, to answer your question directly, the same people that 
developed Zebra also have a commercial, supported version called 
IPinfusion (www.ipinfusion.com).

The other alternative is commercial GateD from NextHop Technologies 
(www.nexthop.com).  Native GateD command language is more Juniper- 
than Cisco-like, but there are ways to get much more Cisco-like. 
Check with NextHop for details; I honestly don't remember which of 
the details are under NDA.  There's a good deal more operational 
experience with GateD than IPinfusion.

That being said, putting BGP on a firewall, IMNSHO, is a BAD idea. 
One of the basic ideas of firewalls is to put the minimal 
functionality on them that is necessary for the security function. 
Best practice is to front-end the firewall with routers, even 
splitting them into BGP and router-based security functions. 
Performance optimizations are different for routing and firewall 
platforms.  Also, having an external router gives you better hardware 
protection against DoS attacks, and also avoids conduit problems for 
encrypted protocols not supported on the firewall.

It's perfectly plausible, depending on your requirements, to have an 
external BGP router function that feeds a stateful firewall, an SSH 
or IPsec proxy, and another router function that passes encrypted 
tunnels.  Three or four distinct functions, depending on whether you 
separate the router functions into different boxes.  Some firewalls 
also may include an SSH or IPsec proxy.

Neither IPinfusion nor GateD actually do the forwarding; they are 
routing protocol and RIB implementations. They rely on the underlying 
operating system and hardware for forwarding, generally expecting 
some flavor of UNIX (most commonly NetBSD, FreeBSD, and lately 
Linux). Having actually worked with these packages, I don't think 
you'd have a hope of integrating them unless you had access to the 
source code of the firewall.

These routing software packages are really meant for manufacturers, 
not end users.  I've worked with both in that context.

Incidentally, don't take the assertion that a non-IOS routing package 
that claims to have a CLI is fully compatible. Think about it. If it's 
not just a front end to IOS but an independent package, how can it 
have features that depend on Cisco software and hardware 
implementation?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43382&t=43373
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html