On Sun, Feb 08, 2015 at 11:40:56AM -0200, BPNoC Group wrote:
Firewalls are firewalls. Routers are routers. Routers should do some very basic filtering (stateless, ACLs, data plane protection...) and firewalls should do basic static routing. And things should not go far beyond that.
This is, at a network level, an echo of the "Software Tools" philosophy that has served us exceedingly well for decades. Tools should do one thing, they should do it well, and if/when we need to do more than one thing, we should use tools in combination. There's another advantage to this: if firewalls and routers etc. are not the same system, then they can run different software on different operating systems on different architectures -- providing a significant measure of insulation against attacks unique to one particular combination.

---rsk