How about the practicality of managing one of these from thousands of miles away? No IP means that someone needs to be in physical proximity.
At 11:09 AM 4/12/2002 +0200, Diederik Schouten wrote:
>Bridging vs Routing firewalls...
>
>
>The main strength of a bridged firewall to me is the fact that it only
>exists virtually on the network.
>How to attack a firewall that you cannot address directly?
>Even when you are connected to the same network/switch you will not be
>able to find the firewall, unless you know what you are
>looking for.
>
>Implementation-wise a bridging/routing firewall offers you a few
>advantages over a routed one.
>
>1. When you have to add the firewall to an already existing network, you
>do not need to reconfigure any other device on the
>network; your addressing schemes and routing stay exactly the same. The
>only downtime you will have is due to the fact that
>you have to connect the cables. (And even that can be solved by using
>VLANs on your switches and just swapping the upstream
>router's interface into a separate VLAN together with the downstream
>interface of the firewall.)
>
>- Since you do not need to change your routing topology you do not need to
>create more transit subnets, and thus you save IP
>addresses.
>- When changing routing topologies, often many devices will have to have
>their configuration changed. With a bridged firewall
>this is not needed.
>
>2. Putting multiple firewalls in series to create for example more ports
>becomes very easy, although for example with the
>Lucent BRICK this is not necessary since it supports VLAN tagging, and with a
>VLAN-capable switch you can create virtually any
>number of "virtual" firewalls you might need, and give them all their own
>ruleset.
>No need for recabling and expensive upgrades.
>
>3. In general, purpose-built devices are less vulnerable; a purpose-built
>firewall does not depend on the operating system of
>the router/platform it is running on, lowering the chance of being
>penetrated due to bugs in code other than for the firewall.
>(as Nokia, Checkpoint, Cisco etc.)
>
>4. When both your routing services and firewall services are based on one
>device, then every time you need to make changes to
>the routing you will probably also have to change your firewall
>configuration, creating more downtime.
>
>Of course not all bridging firewalls are the same; my only bridging
>firewall experience is with the Lucent Managed Firewall or
>BRICK, which does both bridging and routing at the same time if needed, and
>therefore can be easily deployed in any situation. I
>have not come across a setup that I could not realise.
>
>Greetings,
>
> Diederik Schouten
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
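As an added illustration of the two points in this exchange (a bridging firewall that owns no address on the segment it filters, and the reply's question of how such a box is then managed remotely), the following shell script builds a transparent Linux bridge firewall with the nftables "bridge" family and gives it a separate out-of-band management interface. It is example configuration written for this page, not the Lucent BRICK's configuration and not code from anyone on the list. Everything specific in it is an assumption: interface names eth0 (upstream), eth1 (downstream) and eth2 (management), bridge br0, a protected host 192.0.2.10 and a management address 10.0.0.2/24; the `ct state` rule additionally assumes a kernel with nf_conntrack_bridge (Linux 5.3 or later).

```shell
#!/bin/sh
# Added example: transparent (bridging) firewall on Linux with nftables.
# Assumed names, not from the mailing-list thread:
#   eth0 upstream port, eth1 downstream port, eth2 out-of-band management,
#   br0 the bridge, 192.0.2.10 the protected host, 10.0.0.2/24 mgmt address.
# Kernel assumption: bridge nftables family plus nf_conntrack_bridge (5.3+)
# so that "ct state" works on forwarded frames.

UPSTREAM=eth0
DOWNSTREAM=eth1
MGMT=eth2
BRIDGE=br0
PROTECTED_HOST=192.0.2.10
MGMT_ADDR=10.0.0.2/24

# Emit the nftables ruleset. The bridge "forward" hook sees every frame
# switched between bridge ports, so the box filters layer-3/4 traffic
# without owning an IP address on the segment. ARP must be let through
# explicitly or hosts on either side cannot resolve each other; the
# policy drop also discards anything not listed (IPv6 included).
gen_ruleset() {
    cat <<EOF
flush ruleset
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ether type arp accept
        ct state established,related accept
        iifname "$UPSTREAM" oifname "$DOWNSTREAM" ip daddr $PROTECTED_HOST tcp dport 443 accept
        iifname "$DOWNSTREAM" oifname "$UPSTREAM" accept
    }
}
EOF
}

# Build the bridge. Neither the enslaved ports nor br0 itself get an IP
# address, so nothing on the bridged segment can address the firewall.
build_bridge() {
    ip link add name "$BRIDGE" type bridge
    ip link set "$UPSTREAM" master "$BRIDGE"
    ip link set "$DOWNSTREAM" master "$BRIDGE"
    ip link set "$UPSTREAM" up
    ip link set "$DOWNSTREAM" up
    ip link set "$BRIDGE" up
}

# The answer to "how do you manage it from thousands of miles away":
# a third interface on a separate management network (or a serial
# console), never an address on the bridge being filtered.
setup_mgmt() {
    ip addr add "$MGMT_ADDR" dev "$MGMT"
    ip link set "$MGMT" up
}

# Apply everything (requires root and the interfaces above to exist).
apply() {
    build_bridge
    setup_mgmt
    gen_ruleset | nft -f -
}

# Helpers used to sanity-check the generated ruleset without root.
count_accept_rules() { gen_ruleset | grep -c ' accept$'; }
ruleset_default_policy() {
    gen_ruleset | sed -n 's/.*policy \([a-z]*\);.*/\1/p'
}

case "${1:-}" in
    apply) apply ;;
    show)  gen_ruleset ;;
esac
```

Run it as `sh bridge-fw.sh show` to print the ruleset, or `sh bridge-fw.sh apply` as root on a box with the three interfaces. The management interface is the one concession to the "no IP" property: the filtering path stays unaddressable, and only eth2, on its own network, answers to anyone.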
