On Mon, 20 May 2013, Phil Fagan wrote:
Just curious, and perhaps off topic a tad, but is the stateful filtering of
sessions on a router to replace a firewall? Or is there another reason to
do it? I could see a benefit of creating blacklists; however,
I'm struggling with what other benefits it would provide... service-aware
load-balancing? I'm very interested to learn what other strategies
and/or design considerations would be made with thinking of using filtering
on a router.
I'm perfectly willing to accept consolidation of services :-)
Stateful firewalling is also painful in environments where path asymmetry
could exist, since either the routing policy would need to be designed to
enforce symmetry (more complex, less reliable), or the stateful
firewalling devices would need to have a way to share state information
with each other to accommodate asymmetry.
jms
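
The asymmetry problem described in the reply above, as an added example that is not part of the original message: a minimal model of two stateful devices in which the return path may differ from the egress path. The class and function names, the `10.` inside prefix and the addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"

    def flow(self):
        # Direction-independent key: both directions hit the same state entry.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

class StatefulFirewall:
    def __init__(self, name, inside_prefix="10."):
        self.name = name
        self.inside_prefix = inside_prefix  # assumed trusted side (constructed)
        self.state = set()                  # flows this device has seen open
        self.peers = []                     # devices it shares state with

    def sync_with(self, other):
        # Model state sharing between two devices.
        self.peers.append(other)
        other.peers.append(self)

    def permits(self, pkt):
        if pkt.flow() in self.state:
            return True
        # Only an inside-initiated SYN may create state.
        if pkt.flags == "SYN" and pkt.src.startswith(self.inside_prefix):
            for fw in [self] + self.peers:
                fw.state.add(pkt.flow())
            return True
        return False  # no matching state: drop

def handshake(egress_fw, return_fw):
    """Run a TCP three-way handshake; return verdicts up to the first drop."""
    client, server = ("10.0.0.5", 40000), ("203.0.113.10", 443)  # constructed
    steps = [
        (egress_fw, Packet(*client, *server, "SYN")),
        (return_fw, Packet(*server, *client, "SYN-ACK")),
        (egress_fw, Packet(*client, *server, "ACK")),
    ]
    verdicts = []
    for fw, pkt in steps:
        verdicts.append(fw.permits(pkt))
        if not verdicts[-1]:
            break
    return verdicts
```

Passing the same device as both arguments models enforced symmetry. Passing two unsynced devices shows the SYN-ACK dropped at the return-path device, and calling `sync_with` first lets the handshake complete.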