Re: [FW1] Is there any way to load Checkpoint Firewall-1 on a Cisco router?

[Lance Spitzner <spitzner@dimension.net>]

    [ The following text is in the "X-UNKNOWN" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]


On Thu, 29 Apr 1999, Edward Saxon wrote:

> With FW-1 on my Cisco, I figure is can be used to strengthen my 
> DMZ.    
> 
> Is such a scenario not significantly better and more secure than a 
> router in the front with simple ACL^Òs?

With rare exceptions, I have found it better to let routers route,
switches switch, and firewalls firewall.  I have seen too many
dual pieces of hardware blow up because of this.  Troubleshooting
becomes more difficult, performance becomes an issue, and just
general weirdness can happen.  I'm currently working with a client
that has FW1 installed on over 20 switches, which are doing
routing,switching, and firewalling.  It is a nightmare.  They are
now in the process of moving the FW's to host based systems.

You will get different opinions from different people on this
one, this one happens to be mine :)

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================