Thursday, April 4, 2019

Best Practice - Firewalls Should Not Route??

So basically we've done a global deployment of firewalls and towards the MPLS WAN some of the firewalls do BGP. These are grunty enterprise firewalls so no issue with performance and/or features IMO. So when requesting a new ASN from the (large global) Service Provider one of their employees questioned our setup, saying it's not best practice for Firewalls to do routing. He reckons we should use a router to do the routing "for layers of security". Turns out he's like a director of CyberSecurity or something.

I challenged him respectfully, saying I can't see any reason why we'd want to add an extra hop, an extra device to manage, an extra device that can fail, and extra cost. He didn't give a proper reason, just some generic statement about security best practices being important, blah blah.

So purely from a technical security perspective, can someone please shed some light on why? It appears "firewalls should not route" is a best practice from a decade ago, but I'm open to being corrected and enlightened. I guess dynamic routing opens up another attack vector, but I'd rather have the firewall take the attacks as there would be better logging, visibility and protection...
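Whichever box terminates the provider BGP session, the attack surface that dynamic routing adds is mostly what the peer can inject: bogus or overly specific prefixes, your own address space announced back at you, forged AS paths, or a flood of routes. The following is an added example (not from the original post, and not any vendor's configuration syntax) showing, in plain Python, the inbound policy checks a practitioner would expect that device to enforce. The prefixes, ASNs and limits are constructed assumptions for illustration, and the bogon list is deliberately abbreviated.

```python
"""Inbound BGP prefix sanity checks (IPv4), as an added illustration.

Every policy value below is a constructed assumption, not taken from the
original post. The bogon list is abbreviated; a real deployment would use a
maintained list and an IRR/RPKI-based prefix list for the peer.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed policy (assumptions): our own space, the provider's ASN (RFC 5398
# documentation range), the longest prefix we accept, and a max-prefix limit.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
PROVIDER_ASN = 64496
MAX_PREFIX_LEN = 24
MAX_PREFIXES = 1000

# Abbreviated bogon list (RFC 1918, loopback, link-local, CGNAT, multicast...).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def is_private_asn(asn: int) -> bool:
    """16-bit and 32-bit private ASN ranges; these must never arrive from a provider."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def check_route(prefix: str, as_path: List[int]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one received prefix and its AS_PATH."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # host bits set => malformed
    except ValueError:
        return False, "malformed"
    if net.prefixlen == 0:
        return False, "default-route"          # we do not take a default from this peer
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "too-specific"           # blocks /25.../32 hijack-by-specificity
    if any(net.overlaps(b) for b in BOGONS):
        return False, "bogon"
    if any(net.overlaps(p) for p in OUR_PREFIXES):
        return False, "own-prefix"             # our space must not be learned from outside
    if not as_path:
        return False, "empty-as-path"
    if as_path[0] != PROVIDER_ASN:
        return False, "first-hop-not-provider" # the peer must be the first AS in the path
    if any(is_private_asn(a) for a in as_path):
        return False, "private-asn"
    return True, "ok"


def apply_policy(updates: Iterable[Tuple[str, List[int]]],
                 max_prefixes: int = MAX_PREFIXES) -> Dict[str, object]:
    """Run every update through check_route and flag a max-prefix breach."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for prefix, as_path in updates:
        ok, reason = check_route(prefix, as_path)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return {
        "accepted": accepted,
        "rejected": rejected,
        # A real router/firewall would tear down the session here, not just flag it.
        "max_prefix_exceeded": len(accepted) > max_prefixes,
    }


if __name__ == "__main__":
    # Constructed sample of what a misbehaving or compromised peer might send.
    sample = [
        ("198.51.100.0/24", [64496, 64497]),   # legitimate-looking route
        ("10.1.0.0/16", [64496]),              # RFC 1918 leak
        ("203.0.113.0/24", [64496, 64497]),    # our own prefix coming back at us
        ("198.51.100.128/25", [64496]),        # more-specific than we allow
        ("198.51.100.0/24", [64497, 64496]),   # first hop is not the peer
        ("0.0.0.0/0", [64496]),                # unwanted default route
    ]
    for prefix, reason in apply_policy(sample)["rejected"]:
        print(f"rejected {prefix}: {reason}")
```

The point of the example is that these checks belong to the device holding the eBGP session regardless of whether that device is a firewall or a router; adding a router in front only helps if it actually enforces a policy like this, and it then becomes one more place where the policy (and its logging) has to be kept correct.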
