Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: Two ISP's to one DMZ - final post???
From: "R. Todd Truitt" <ttruitt @ cisco . com>
Date: Mon, 14 Jul 1997 09:31:37 -0600
To: "Mark Horn [ Net Ops ]" <mhorn @ funb . com>, mikech @ avana . net
Cc: Firewalls @ GreatCircle . COM

<snip....>
>>By the Way, are there any other Firewalls that support BGP natively?
>
>Well, any unix based firewall can do BGP4, so long as you can compile and
>run gated which supports BGP4.  Of course, I would not recommend running a
>routing protocol on a firewall.  What if you can convince the firewall that
>an Internal machine is only reachable by an external interface?  Then you
>can spoof that address and cause all kinds of havoc.
>

BGP is not a routing protocol you want to run on a fw.  Many sites will soon be
faced with upgrading their Internet connection to t3 speeds. This alone will push
conventional fw's to the limit.  Adding BGP processing to this is asking for
a potential nightmare.  Good rule of thumb: let your routers do your routing;
it's what they're built for.

--T


_________________________________________________________________________
R. Todd Truitt                                      ttruitt @ cisco . com
Systems Engineer                     Security, Availability and Management
Cisco Systems, Inc.                                           303.220.6164
