Yes, I'm in a sarcastic mood. I get that way when I see uninformed assertions. You've been warned.
Diederik Schouten wrote:
>
> Bridged firewalls do not need subnet-based address assignment on
> their interfaces, you can have 10 interfaces with technically
> overlapping IP address ranges on all.
>
> When you have to add the firewall to an already existing network,
> you do not need to reconfigure any other device on the network,
> your addressing schemes and routing stay exactly the same, the
> only downtime you will have is due to the fact that you have to
> connect the cables

This is impossible with a routing firewall? Dzang, I must have only
dreamed us doing that for all these years. [And all the other boxes
doing that I don't remember right now]

> Similar situations will require vast/intelligent routing on
> a routed firewall

Iface  Destination
-----  -----------
eth0   10.0.0.0/8
eth1   10.0.0.5-10.0.0.8
eth2   10.0.1.0/24, -10.0.1.88
vlan5  10.0.0.15, 10.0.0.18, 10.0.0.20-10.0.0.25

Yeah, in our case, we needed to implement half an AI to get that to
work. Took all of about an afternoon.

> Link redundancy without session loss is also extremely easy to
> set up using a bridged firewall

Hm, I must also have been dreaming when I added those HA slaves with
<1 second failover time. Using non-bridging firewalls. With less than
five minutes of work per cluster (sans hardware install time, of
course).

> It will not show up as a gateway anywhere.

Hm. Enable proxy arp on the internal interface for the entire default
route. Problem solved -- it'll look like an L4 switch.

> Traceroutes won't show it is there etc.

Blocking traceroute isn't exactly rocket science. A determined
firewall aims at blocking _firewalking_, plus variations thereof, by
default. Are you suggesting that this won't stop that measly
traceroute?

> Unless you know its IP address already you will not be able
> to find it.

Nmap will tell me it is there in about 10 seconds. I betcha its
signature sticks out like a sore thumb too.

> Putting multiple firewalls in series to create for example more
> ports becomes very easy, although for example with the Lucent BRICK
> this is not necessary since it supports VLAN tagging and with a VLAN
> capable switch you can create virtually any number of "virtual"
> firewalls you might need, and give them all their own ruleset.
> No need for recabling and expensive upgrades

Jeez. I was wrong about VLAN support in routing firewalls too. And
only using VLANs must be a SUPERIOR way of adding more interfaces.
Especially given the "VLANs and security" thread going on right now.

> a purpose-built firewall does not depend on the operating system of
> the router/platform it is running on, lowering the chance of being
> penetrated due to bugs in code other than for the firewall

Although I agree 100% with what you are saying here, I cannot for the
life of me grasp how this constitutes a "pro" for a bridged firewall
over a routing firewall.

In summary: you haven't convinced me in any way that a bridging
firewall has a single security advantage (or even a management
advantage) over a routing firewall.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
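As an added example (not from this thread or from any Clavister product), the per-interface table above rendered as the iproute2 commands a Linux routing firewall would need, with proxy ARP enabled so hosts never need it as their gateway. Interface names are the post's; Linux/iproute2 itself and reading the "-10.0.1.88" exclusion as an unreachable host route are assumptions, and the commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Expand "a.b.c.x-a.b.c.y" (same /24) into one /32 per host.
expand_range() {
    first=${1%-*}; last=${1#*-}
    base=${first%.*}; lo=${first##*.}; hi=${last##*.}
    i=$lo
    while [ "$i" -le "$hi" ]; do
        echo "$base.$i/32"
        i=$((i + 1))
    done
}

# routes_for IFACE DEST [DEST...] -> "ip route add ..." lines.
# A DEST is a prefix, a single host, or a range. A leading "-" marks a
# host that must NOT be reached via this interface (assumption: rendered
# as an unreachable /32, which is more specific than the prefix and so
# wins the longest-match lookup).
routes_for() {
    iface=$1; shift
    for dest in "$@"; do
        case $dest in
            -*)   echo "ip route add unreachable ${dest#-}/32" ;;
            *-*)  expand_range "$dest" | while read -r h; do
                      echo "ip route add $h dev $iface"
                  done ;;
            */*)  echo "ip route add $dest dev $iface" ;;
            *)    echo "ip route add $dest/32 dev $iface" ;;
        esac
    done
}

# The table from the post. Proxy ARP on every interface makes the box
# answer ARP for any address it routes out a different interface, so the
# hosts keep their existing addressing and see no new gateway.
firewall_config() {
    for i in eth0 eth1 eth2 vlan5; do
        echo "sysctl -w net.ipv4.conf.$i.proxy_arp=1"
    done
    routes_for eth0  10.0.0.0/8
    routes_for eth1  10.0.0.5-10.0.0.8
    routes_for eth2  10.0.1.0/24 -10.0.1.88
    routes_for vlan5 10.0.0.15 10.0.0.18 10.0.0.20-10.0.0.25
}

firewall_config
```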
