I can understand that :) I've worked for a few global carriers myself. Of
course, on a global level I've never tried to deploy a FW-based
architecture. I always used TACACS or something similar and let the
clients deal with the FW.

The only other way I know to deploy FW-1 in a large infrastructure is to
place one at every client connection point (or two, as the case may be). I
know of one such telco doing that with a fairly hefty price tag.

But GateD pretty much solves the problem of the FW needing to participate on
a routing level with a network.
(Granted, GateD isn't the most enjoyable routing engine, but it works.)

At 10:58 AM 12/23/98 -0500, Ming Lu wrote:
>You are using policy routing to redirect traffic. We are a global carrier,
>one thing we hate to do on our backbone is to put policy routing on
>routers; always try to avoid it.
>
>_ming
>
>On Wed, 23 Dec 1998, William Tarkington stated:
>
>> Policy based routing does indeed have to do with network or host security.
>> With a Cisco I can route everything based on policy to the firewall. That is
>> to say if I have two servers on the same local router (2 ethernets) I can
>> policy route them to the firewall instead of letting it cross the router
>> uninhibited.
>>
>> At 10:19 AM 12/23/98 -0500, Ming Lu wrote:
>> >On Wed, 23 Dec 1998, William Tarkington stated:
>> >
>> >> Now I've watched this discussion bounce around on various lists and I just
>> >> thought I would throw in my two cents' worth.
>> >>
>> >> 1) One firewall is a single point of failure, so let's assume we have two.
>> >
>> >Then your routing structure will be complicated and costly.
>> >
>> >> 2) Now that we have two we can't do a default route
>> >
>> > Not true, one is active and another one stands by.
>> >
>> >> 3) Enter GateD
>> >> 4) OSPF (or some other modern routing protocol)
>> >
>> >GateD supports all of the open standard routing protocols; OSPF is one of
>> >them.
>> >
>> >> 5) Problem solved.
>> >> Now with translation outbound and inbound everyone can talk to each other.
>> >>
>> >> If you seriously want to get down to business you can of course use Cisco's
>> >> and do policy based routing.
>> >
>> >Policy routing has got nothing to do with network or host security.
>> >
>> >> Hurm I hope that answered a question perhaps I am just ranting.
>> >>
>> >> Thanks,
>> >> Will
>> >>
>> >>
>> >============================================================================
>> >Ming Lu Email: [EMAIL PROTECTED]
>> >Sr. Network Engineer Phone: 703-689-5290 (w)
>> >IP Engineering 703-855-4194 (m)
>> >Global One Telecommunications, LLT. 703-689-6575 (f)
>> >============================================================================
>> >"Do not pay attention to every word people say, or you may hear your
>> > servant cursing you ---- for you know in your heart that many times you
>> > yourself have cursed others."
>> >
>> >
>> >
>> William Tarkington
>> Daimler Chrysler
>> 810-758-9563
>>
>>
William Tarkington
Daimler Chrysler
810-758-9563
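
The policy-routing arrangement described in the quoted message above (two servers on separate Ethernets of the same router, forced through the firewall instead of crossing the router directly), as an added Cisco IOS example that is not part of the original thread. The interface names, addresses, ACL numbers and route-map names are all assumptions constructed for illustration, as is the firewall sitting on a third interface with its routes to both server segments pointing back at the router.

```cisco
! Constructed example: every name and address below is an assumption.
!   Server A segment: 10.1.1.0/24 on Ethernet0
!   Server B segment: 10.1.2.0/24 on Ethernet1
!   Firewall:         10.1.3.2    on Ethernet2 (10.1.3.0/24)
!
! One ACL per direction, matching traffic between the two server segments.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Matching packets are handed to the firewall as next hop instead of
! being forwarded straight across by the routing table.
route-map A-TO-FW permit 10
 match ip address 101
 set ip next-hop 10.1.3.2
!
route-map B-TO-FW permit 10
 match ip address 102
 set ip next-hop 10.1.3.2
!
! Policy routing is applied to packets received on an interface,
! so each server-facing interface gets its own route-map.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map A-TO-FW
!
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map B-TO-FW
!
! No policy on the firewall-facing interface: whatever the firewall
! passes comes back here and is routed normally to its destination.
interface Ethernet2
 ip address 10.1.3.1 255.255.255.0
!
! Checks after applying:
!   show ip policy    (which route-map is bound to which interface)
!   show route-map    (per-entry match counters)
```

Packets that match no route-map entry are forwarded by the normal routing table, so the ACLs have to cover every flow that is meant to pass through the firewall.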