> On 09/02/2015, at 13:25, valdis.kletni...@vt.edu wrote:
>
> On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
>>> On 09/02/2015, at 12:14, valdis.kletni...@vt.edu wrote:
>>> On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
On a bridged firewall you can have the behav
On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
> > On 09/02/2015, at 12:14, valdis.kletni...@vt.edu wrote:
> > On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
> >> On a bridged firewall you can have the behavior you want, whatever it is.
> >> Passing packets with firewal
> On 09/02/2015, at 12:14, valdis.kletni...@vt.edu wrote:
>
> On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
>
>> On a bridged firewall you can have the behavior you want, whatever it is.
>> Passing packets with firewall is down, but the box still up.
>
> Owen's point is that pas
On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
> On a bridged firewall you can have the behavior you want, whatever it is.
> Passing packets with firewall is down, but the box still up.
Owen's point is that passing packets if the firewall is down is really poor
security-wise. If
> On 08/02/2015, at 22:48, Owen DeLong wrote:
>
>>
>> On Feb 8, 2015, at 06:02 , Patrick Tracanelli
>> wrote:
>>
>> Hello,
>>
>>>
>>> Some Juniper models actually do a very good job of being both.
>>>
>>> In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that
>>> mov
to do more than one
> thing, we should use tools in combination.
>
And then reality comes and disagrees with you :)
I am a fan of the "use the right tool for the right job", but it is not
always possible due to economical/technical/political reasons.
I had situations where running
On Sun, Feb 08, 2015 at 11:40:56AM -0200, BPNoC Group wrote:
> Firewalls are firewalls. Routers are routers. Routers should do some very
> basic filtering (stateless, ACLs, data plane protection...) and firewalls
> should do basic static routing. And things should not go far beyond that.
This is, a
: Monday, 9 February 2015 2:21 p.m.
To: David Jansen
Cc: nanog group
Subject: Re: Dynamic routing on firewalls.
Setup a multi tenant setup between Nexus 7K and Juniper Net screen 5400 FW
using OSPF.
It went OK and worked. However, when under traffic load, less than
desirable results... OSPF peer
Setup a multi tenant setup between Nexus 7K and Juniper Net screen 5400 FW
using OSPF.
It went OK and worked. However, when under traffic load, less than
desirable results... OSPF peer failure / bounces etc.
However using BGP with Juniper SRX FW has been working great. No issues
thus far.
On Feb
> On Feb 8, 2015, at 05:40 , BPNoC Group wrote:
>
>>
>>
>>
>> Of course you can find firewalls that are crappy routers and you can find
>> routers that are crappy firewalls, but generally, the two are not mutually
>> exclusive.
>>
>
> I completely disagree w/ such or similar statements.
> O
> On Feb 8, 2015, at 06:02 , Patrick Tracanelli
> wrote:
>
> Hello,
>
>>
>> Some Juniper models actually do a very good job of being both.
>>
>> In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that
>> moves packets from one interface to another is a router.
>
> Techn
On Sun, Feb 8, 2015 at 12:48 PM, Jeff McAdams wrote:
> You're missing the point.
>
I'm not missing, I'm just diverting the point.
As I mentioned from a Linux box example, the fact that it can both act as a
router and a firewall does not mean it should. I disagree with the
simplistic idea that i
You're missing the point.
I would never advocate for trying to deploy a Juniper MX in the role of a
firewall to provide a security boundary. I would never try to deploy a
Juniper SRX to provide a huge number of GRE tunnel terminations or other
sorts of aggregations of large numbers of connections
>
>
>
> Of course you can find firewalls that are crappy routers and you can find
> routers that are crappy firewalls, but generally, the two are not mutually
> exclusive.
>
I completely disagree w/ such or similar statements.
On the vendor datasheet it says different. On books it says different.
Hello,
>
> Some Juniper models actually do a very good job of being both.
>
> In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that
> moves packets from one interface to another is a router.
Technically it’s quite not a precise assumption. While routing is much likely
an
A good firewall can also be a good router.
Of course you can find firewalls that are crappy routers and you can find
routers that are crappy firewalls, but generally, the two are not mutually
exclusive.
Owen
> On Feb 6, 2015, at 08:39 , Bill Thompson wrote:
>
> Just because a cat has kittens
On 2/6/15 8:39 AM, Bill Thompson wrote:
You can fix a car with a swiss army knife, but why would you want to?
Is it a metric swiss army knife?
Just because a cat has kittens in the oven, you don't call them biscuits. A
firewall can route, but it is not a router. Both have specialized tasks. You
can fix a car with a swiss army knife, but why would you want to?
--
Bill Thompson
bi...@mahagonny.com
On February 5, 2015 7:19:43 PM PST, Jef
On Thu, February 5, 2015 20:02, Joe Hamelin wrote:
>> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer
>> wrote:
>> a router is a router and a firewall is a firewall. Especially a Cisco ASA
>> is no router, period.
>
> Man-o-man did I find that out when we had to renumber our network after
> we got boug
> On Feb 5, 2015, at 2:49 PM, Ralph J.Mayer wrote:
> a router is a router and a firewall is a firewall.
> Especially a Cisco ASA is no router, period.
Man-o-man did I find that out when we had to renumber our network after we
got bought by the French.
Oh, I'll just pop on a secondary address on
A router behind the firewall is nice too.
It insulates the firewall from direct end-user traffic.
It also makes for a cleaner cutover from one firewall to another. (Instead
of the edge getting stuck ARPs their perspective of the network remains
unchanged.)
It also allows for stateless ACLs on both
Some Juniper models actually do a very good job of being both.
In reality, a Firewall _IS_ a router, even if it's a bad one. Anything that
moves packets from one interface to another is a router. Of course, the support
for routing protocols is a useful feature in a router and one of the areas
w
Hi David,
a router is a router and a firewall is a firewall.
Especially a Cisco ASA is no router, period.
A router in front of the firewall is my choice, it also keeps broadcasts from
the firewall + can do uRPF.
rm
Hi,
We are running Juniper SRX5000 family with around 40ish routing-instances,
most of them using OSPFv2 without any issues. The RIBs are not too big,
just a couple of them with thousands of routes. I know that some guys are
testing a similar environment on Fortigates and I'm not aware of any issues
Hi Ray
On 05 Feb 2015, at 15:51, Ray Soucy <r...@maine.edu> wrote:
You're much better off
splitting up the workload and having a series of components
architected to work with each other.
Especially in case of datacenter- or enterprise solutions I do agree.
Thanks
On 2/5/2015 9:42 AM, Eugeniu Patrascu wrote:
On Juniper things tend to work OK. Other than this, make sure you don't
run into asymmetric routing as connections might get dropped because
the firewall does not know about them or packets arrive out of order
and the firewall cannot reassemble all of
Hi Eugeniu,
On 05 Feb 2015, at 15:42, Eugeniu Patrascu <eu...@imacandi.net> wrote:
Any specific firewall in mind? As this depends from vendor to vendor.
We are using Cisco (ASA).
I've had some issues with OSPF and CheckPoint firewalls when the firewalls
would be overloaded and started d
It all depends how much of the firewall functionality is implemented in CPU.
The biggest problem is that firewalls that implement functionality in
software usually saturate CPU when stressed (e.g. DOS) and routing
protocols start dropping.
I'm a strong believer in having a router that can do basi
On Thu, Feb 5, 2015 at 4:10 PM, David Jansen wrote:
> Hi,
>
> We have used dynamic routing on firewall in the old days. We did
> experience several severe outages due to this setup (OSPF en Cisco). As you
> will understand I’m not eager to go back to this solution but I am curious
> about your po
Hi,
We have used dynamic routing on firewall in the old days. We did experience
several severe outages due to this setup (OSPF en Cisco). As you will
understand I’m not eager to go back to this solution but I am curious about
your point of views.
Is it advisable to do so these days?
Kind regards,