Home page logo

nanog logo nanog mailing list archives

RE: BGP and Firewalls...
From: "Holmes,David A" <dholmes () mwdh2o com>
Date: Wed, 7 Dec 2011 10:19:58 -0800

My concern is whether or not consolidating border router and firewall functions in the same device violates, if not 
explicitly, then the spirit of the "defense in depth" Internet edge design principle. Here is a link to a Department of 
Homeland Security document where this is discussed (for control systems, but has general application), but not 
addressed directly: http://www.inl.gov/technicalpublications/Documents/3375141.pdf

The old Checkpoint/Nokia firewalls consolidated routing and firewall functions, but the question is one of layered 
defenses, such that it seems intuitive that it is inherently more difficult for the bad actor to penetrate network 
defenses the more devices that have to be penetrated.

-----Original Message-----
From: Gregory Croft [mailto:gcroft () shoremortgage com]
Sent: Wednesday, December 07, 2011 10:04 AM
To: Christopher Morrow
Cc: nanog () nanog org
Subject: RE: BGP and Firewalls...

I'm not having problems... Well, not yet anyways.  :)

Just investigating to see if there is a reason I shouldn't use a
firewall at the edge versus a dedicated router as well as to see if
anyone can share their specific experience with the PAN devices.

Thanks everyone!

-----Original Message-----
From: christopher.morrow () gmail com [mailto:christopher.morrow () gmail com]
On Behalf Of Christopher Morrow
Sent: Wednesday, December 07, 2011 12:44 PM
To: Gregory Croft
Cc: nanog () nanog org
Subject: Re: BGP and Firewalls...

On Wed, Dec 7, 2011 at 12:31 PM, Gregory Croft
<gcroft () shoremortgage com> wrote:
Hi All,

Does anyone have any experience with using firewalls as edge devices
when BGP is concerned?

Specifically the Palo Alto series of devices.

nokia/checkpoint has done this for ages. what's the problem you have?

This communication, together with any attachments or embedded links, is for the sole use of the intended recipient(s) 
and may contain information that is confidential or legally protected. If you are not the intended recipient, you are 
hereby notified that any review, disclosure, copying, dissemination, distribution or use of this communication is 
strictly prohibited. If you have received this communication in error, please notify the sender immediately by return 
e-mail message and delete the original and all copies of the communication, along with any attachments or embedded 
links, from your system.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]