Comments on: Firewalls are not Routers http://www.2vcps.com/2010/04/29/firewalls-are-not-routers/ Mon, 02 Jan 2012 06:16:00 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ben http://www.2vcps.com/2010/04/29/firewalls-are-not-routers/comment-page-1/#comment-232 Ben Fri, 30 Apr 2010 21:33:11 +0000 http://www.2vcps.com/?p=376#comment-232 On the flip side... routers are not good firewalls. You can easily setup a router to route to different segments but then you must rely on Access Lists to protect those networks, not fun. As for routing through the firewall you can often use a dot1q tagged interface to get a lot of flexibility. Firewalls are usually slower at routing than routers, for sure. A hybrid approach is to put servers on the LAN(s) on one side of the firewall, and route them through a Layer 3 capable device. Servers on the 'DMZ' or untrusted side can be routed through a firewall and not a router. It's much, much, much easier to work with statefull firewall policies than to have to create reflexsive ACLs on the routers. Ben On the flip side… routers are not good firewalls. You can easily setup a router to route to different segments but then you must rely on Access Lists to protect those networks, not fun. As for routing through the firewall you can often use a dot1q tagged interface to get a lot of flexibility. Firewalls are usually slower at routing than routers, for sure.

A hybrid approach is to put servers on the LAN(s) on one side of the firewall, and route them through a Layer 3 capable device. Servers on the ‘DMZ’ or untrusted side can be routed through a firewall and not a router. It’s much, much, much easier to work with statefull firewall policies than to have to create reflexsive ACLs on the routers.

Ben

]]> By: Jon Owings http://www.2vcps.com/2010/04/29/firewalls-are-not-routers/comment-page-1/#comment-224 Jon Owings Fri, 30 Apr 2010 03:58:24 +0000 http://www.2vcps.com/?p=376#comment-224 Yes. That is the other great way to fix the problem. I think Checkpoint lets you do the same thing. From what I remember you only get so many sub interfaces on the ASA and the 5505 is a no go with the method all together. Yes. That is the other great way to fix the problem. I think Checkpoint lets you do the same thing. From what I remember you only get so many sub interfaces on the ASA and the 5505 is a no go with the method all together.

]]> By: Justin http://www.2vcps.com/2010/04/29/firewalls-are-not-routers/comment-page-1/#comment-223 Justin Fri, 30 Apr 2010 03:53:41 +0000 http://www.2vcps.com/?p=376#comment-223 While I don't advise using a firewall as the main router for a network, multiple sub-interfaces can be created (at least with Cisco ASA firewalls) on the inside interface. This will provide a default gateway for each VLAN, and if all VLANs have the same security level, traffic will pass between them. While I don’t advise using a firewall as the main router for a network, multiple sub-interfaces can be created (at least with Cisco ASA firewalls) on the inside interface. This will provide a default gateway for each VLAN, and if all VLANs have the same security level, traffic will pass between them.

]]>