I would be interested to find out the community's view on whether separating 
"router" and "firewall" roles is still a good thing or whether developments in 
recent iterations of OpenBSD would permit aggregation whilst maintaining 
integrity and security ?

If you forgive my attempt at ASCII art (which I hope survives internet 
mangling), this would be representative of what I would do for a "traditional" 

(BGP)         (BGP)
   |                  |
["router"] ["router"]    |  \          /  |
    |      \    /    |
    |       /   \    |
    |   /         \  |
  ["firewall"] ["firewall"]

• The routers talk full BGP externally and default-route BGP to the firewalls.
• The firewalls talk offer VRRP internally and also BGP default-route 
internally to those that can talk BGP
• The firewalls also offer other internal services such as NTP etc.• The 
firewalls also act as a VPN endpoint externally using a combination of iked, 
ifstated and other stuff to make it work
• The firewalls are very much perimeter firewalls, they don't do detailed 
content handling such as mail etc., that is done elsewhere
Various factors have led to a hardware refresh for this kit, and as part of 
that I'm curious as to whether I can consolidate without (a) loosing the 
benefits of the split model and (b) introducing too much un-necessary 
additional complexity.

Thanks !


Reply via email to