Hi,
I would be interested to find out the community's view on whether separating "router" and "firewall" roles is still a good thing, or whether developments in recent iterations of OpenBSD would permit aggregation whilst maintaining integrity and security?
If you forgive my attempt at ASCII art (which I hope survives internet mangling), this would be representative of what I would do for a "traditional" setup:
         (BGP)           (BGP)
           |               |
      ["router"]      ["router"]
           | \           / |
           |   \       /   |
           |     /   \     |
           |   /       \   |
     ["firewall"]    ["firewall"]
• The routers talk full BGP externally and default-route BGP to the firewalls.
• The firewalls offer VRRP internally and also BGP default-route internally to those that can talk BGP
• The firewalls also offer other internal services such as NTP etc.
• The firewalls also act as a VPN endpoint externally using a combination of iked, ifstated and other stuff to make it work
• The firewalls are very much perimeter firewalls, they don't do detailed content handling such as mail etc., that is done elsewhere
Various factors have led to a hardware refresh for this kit, and as part of that I'm curious as to whether I can consolidate without (a) losing the benefits of the split model and (b) introducing too much unnecessary additional complexity.
Thanks!
Rachel
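To make the consolidation question concrete, the following pf.conf is an added illustration (not part of the original post, and not a configuration from the poster) of how one OpenBSD box carrying both roles could keep the "router" and "firewall" duties visibly separate in its ruleset: the only thing allowed to the box itself on the outside is BGP from the named upstream, IKE/ESP from known VPN peers, and nothing else; the inside gets CARP (OpenBSD's VRRP-alike) and NTP. Interface names, addresses and peer lists are constructed placeholders; the default-route BGP policy itself would live in bgpd.conf and is not shown here.

```conf
# /etc/pf.conf  -- constructed example for a consolidated router+firewall host
# Interface and address macros are placeholders, not the poster's values.
ext_if   = "em0"                 # upstream / BGP side
int_if   = "em1"                 # internal side (CARP, NTP, default-route BGP)
upstream = "192.0.2.1"           # the single eBGP neighbour
int_net  = "10.0.0.0/24"
vpn_peers = "{ 203.0.113.10, 203.0.113.11 }"   # remote iked endpoints

set skip on lo
set block-policy drop
set loginterface $ext_if

# Default deny everything, in both directions, on all interfaces.
block log all
antispoof quick for { $ext_if, $int_if }

# --- "router" role: eBGP with the upstream only; nothing else may reach port 179
pass in  quick on $ext_if proto tcp from $upstream to ($ext_if) port 179
pass out quick on $ext_if proto tcp from ($ext_if) to $upstream port 179

# --- "firewall" role: CARP failover advertisements on the inside only
pass quick on $int_if proto carp

# --- VPN endpoint: IKE, NAT-T and ESP accepted from known peers only
pass in quick on $ext_if proto udp from $vpn_peers to ($ext_if) port { 500, 4500 }
pass in quick on $ext_if proto esp from $vpn_peers to ($ext_if)

# --- internal services offered to the LAN (NTP, and iBGP default-route peers)
pass in on $int_if proto udp from $int_net to ($int_if) port 123
pass in on $int_if proto tcp from $int_net to ($int_if) port 179

# --- forwarded traffic: LAN-initiated sessions out, stateful return only
pass in  on $int_if from $int_net to any
pass out on $ext_if from $int_net to any
```

The point of the layout is that the controls the split model gave for free (the upstream can only ever talk BGP to the box; the LAN can only talk to services the firewall deliberately offers) are still written down as explicit rules, so `pfctl -nf /etc/pf.conf` and `pfctl -sr` show the separation even though one kernel now holds both the full table and the state table. Any check of this design should also confirm that a full BGP feed cannot push routes that would make pf's `antispoof` or interface-bound rules miss traffic, which is a bgpd.conf filtering concern rather than a pf one.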