Dynamic routing and Firewalls

My mate Wimpie wrote to me with the following comment about dynamic routing and firewalls:
"I cannot see any real reason why it should not participate in dynamic routing. I know if you talk to most security people they will say it should not. I cannot understand that. Most of the discussion I have read or heard justifies this view by saying that the firewall should never act as a router. Again I do not understand that because in my mind, in reality, the firewall is logically performing a routing function no matter how you look at it. I also think this is an historical issue. The vendors that produce routers / firewalls are at fault as well. Many moons ago these functions were supplied by dedicated firewalls / routers as no alternatives existed. However, now these functions can be handled on one platform but people / vendors are still stuck in the past. They are still telling people the same thing which was true 10 years ago.
The only issue in my mind is that you should secure the routing protocol by using authentication. It also provides higher levels of overall availability if you ask me. You will still need statics on most firewalls when you do NAT for, say, DMZ devices behind it. However, in the data centre role, I cannot see that this would be required if it sits in the core before internal servers."

I agree with Wimpie's views. Now all I have to do is convince him to become a blogger!!!
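As an added illustration of the authentication point Wimpie makes (example code written for this page, not from Wimpie, from the blog, or from any router or firewall vendor): a small Python model of how a routing peer can verify updates with a shared key before installing them. It is loosely modelled on OSPF cryptographic authentication (a key ID, a non-decreasing sequence number and a keyed digest over the packet), with HMAC-SHA256 standing in as a generic keyed MAC. The neighbour addresses, prefixes and shared key are constructed values, and the "open" peer with `require_auth=False` shows what an unauthenticated routing adjacency would accept.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret; on real equipment this comes from the routing-protocol config.
SHARED_KEY = b"constructed-shared-secret"


def canonical(body: dict) -> bytes:
    """Serialise an update deterministically so sender and receiver digest the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_update(neighbor: str, key_id: int, key: bytes, seq: int, routes: dict) -> dict:
    """Build a routing update carrying key ID, sequence number and keyed digest
    (a simplified shape in the spirit of OSPF cryptographic authentication)."""
    body = {"neighbor": neighbor, "key_id": key_id, "seq": seq, "routes": routes}
    digest = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "digest": digest}


@dataclass
class RoutingPeer:
    """Receiving router/firewall: shared keys, anti-replay state and the routes it would install."""
    keys: dict                                    # key_id -> shared secret
    require_auth: bool = True                     # False models a peer that accepts any update
    last_seq: dict = field(default_factory=dict)  # neighbor -> highest accepted sequence number
    rib: dict = field(default_factory=dict)       # prefix -> next hop

    def verify_and_install(self, update: dict) -> str:
        """Check the update and install its routes; returns a short verdict string."""
        if not self.require_auth:
            self.rib.update(update["routes"])
            return "accepted (unauthenticated)"

        key = self.keys.get(update.get("key_id"))
        if key is None:
            return "rejected: unknown key id"

        body = {k: v for k, v in update.items() if k != "digest"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak digest bytes through timing.
        if not hmac.compare_digest(expected, str(update.get("digest", ""))):
            return "rejected: bad digest"

        neighbor = update["neighbor"]
        if update["seq"] <= self.last_seq.get(neighbor, -1):
            return "rejected: replayed or stale sequence"

        self.last_seq[neighbor] = update["seq"]
        self.rib.update(update["routes"])
        return "accepted"


def demo() -> dict:
    """Run the scenarios and return the verdicts (a function so the results can be checked)."""
    peer = RoutingPeer(keys={1: SHARED_KEY})
    good = make_update("10.0.0.2", 1, SHARED_KEY, 1, {"10.1.0.0/16": "10.0.0.2"})
    # Update from a neighbour that does not hold the configured key (misconfigured or untrusted).
    wrong_key = make_update("10.0.0.2", 1, b"some-other-key", 2, {"0.0.0.0/0": "192.0.2.99"})
    results = {
        "genuine": peer.verify_and_install(good),
        "wrong_key": peer.verify_and_install(wrong_key),
        "replay": peer.verify_and_install(good),   # same update again: sequence is stale
        "auth_rib": dict(peer.rib),
    }
    open_peer = RoutingPeer(keys={}, require_auth=False)
    results["open_peer"] = open_peer.verify_and_install(wrong_key)
    results["open_rib"] = dict(open_peer.rib)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The authenticated peer installs only the genuine update and rejects both the wrongly keyed one and the replay, while the open peer installs whatever it is sent, including a default route. On real equipment the equivalent is simply turning on the protocol's built-in authentication (for example OSPF message-digest or key-chain authentication, or a BGP session password) on every adjacency the firewall takes part in.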


  1. Thanks to Wimpie for forwarding the following from IP Infusion's App note on Integrating Routing and Security: "Because many early routers exhibited security weaknesses, ranging from denial of service vulnerabilities to unauthorized password retrieval, security experts recommended that organizations install dedicated security devices rather than combine security with routing. Over time, routing technology stabilized and equipment vendors addressed the security holes present in earlier routers. Security implementations also matured as security companies developed a greater array of instruments to identify and block vulnerabilities. However, neither routing nor security vendors promoted integrated, multi-purpose devices.

     Equipment vendors discouraged building routing and security on a single platform because this consolidation would reduce the number of products that they could sell. Security companies also advocated separating firewall and routing functionality on distinct devices, because few security companies possessed routing expertise and because firewall-enabled routers could displace their dedicated firewall products.

     Wary IT managers accepted this common wisdom and installed dedicated firewall and VPN appliances in-line with routing equipment. Initially, the task of provisioning routing and security devices was difficult, but not insurmountable. Organizations installed firewalls at the edge of their networks, beyond internal routers and LAN nodes. Security managers manually updated their firewalls’ route tables and configured “virtual networks” in their firewall rules policies for their LAN routers."

