My mate Wimpie wrote to me with the following comment about dynamic routing and firewalls:
"I cannot see any real reason why it should not participate in dynamic routing. I know if you talk to most security people they will say it should not. I cannot understand that. Most of the discussion I have read or heard justifies this view by saying that the firewall should never act as a router. Again I do not understand that because in my mind in reality the Firewall is logically performing a routing function no matter how you look at it. I also think this is an historical issue. The vendors that produce routers / firewalls are at fault as well. Many moons ago these functions were supplied by dedicated firewalls / routers as no alternatives existed. However now these functions can be handled on one platform but people / vendors are still stuck in the past. They are still telling people the same thing which was true 10 years ago.
The only issue in my mind is that you should secure the routing protocol by using authentication. It also provides higher levels of overall availability if you ask me. You will still need statics on most firewalls when you do NAT for say DMZ devices behind it. However in the data centre role, I cannot see that this would be required if it sits in the core before internal servers."
I agree with Wimpie's views. Now all I have to do is convince him to become a blogger!!!
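What "secure the routing protocol by using authentication" looks like on a firewall that runs OSPF toward the core, as an added example that is not part of the post. It is written in FRRouting (vtysh) syntax; the interface names, router ID, prefixes and the key value are assumptions.

```text
! Added example, not from the post: FRRouting configuration for a firewall
! that takes part in OSPF. Interface names, addresses, prefixes and the key
! value are assumptions; replace CHANGE-ME-SECRET with your own secret.
!
! Weak: any host on the core segment can form an adjacency and inject routes.
! router ospf
!  network 10.10.0.0/24 area 0
!
! Corrected: adjacencies only on the core-facing link, and only with a peer
! that proves knowledge of the shared key.
router ospf
 ospf router-id 10.10.0.2
 ! no hellos on DMZ/outside interfaces unless explicitly enabled
 passive-interface default
 no passive-interface eth1
 network 10.10.0.0/24 area 0
 ! announce the DMZ prefix that is reached through this firewall
 redistribute static
!
interface eth1
 description core-facing link
 ip address 10.10.0.2/24
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME-SECRET
!
! DMZ hosts behind NAT still need statics, as the post says
ip route 192.0.2.0/24 eth2
```

Every OSPF speaker on the 10.10.0.0/24 segment must carry the same key ID and secret, or the adjacency will not form; rotate the key by adding a second key ID on both sides before removing the old one.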