Monday, November 3, 2014

Are firewall capable of handling BGP?

I  squirm  when I heard of a  security engineer asking; " can I run a BGP  in my  <insert a firewall model here> ".

There's no solid yes or no answer for this type of question. Too many factors comes into play such as;

  • the size of the firewall
  • expect size of the bgp table you plan to receive ( full, partial, default only, etc....)
  • the number of ebgp peers
  • the number of ibgp peers 
  • how stable is your network
  • how many prefixes are carried via your provider
  • if more than 2 bgp-peers do you have any Equal Cost Multi-Path  concerns
  • the number of other dynamic routing  protocols & neighbors ( eigrp/ibgp/rip/ospf/ etc )
  • any  active UTM features that you may have enabled ( AS/AV, webcontent, DLP, etc....)
  • existing  vpn traffic performance  or concern ( ipsec and/or ssl )
  • do you have a considerable amount of  local generated traffic that will spike CPU ( ldap queries or other lookups )
  • the size of your memory and cpu 
  • are you running into critical high cpu/memory performance ( now )
Okay now you have an ideal of what you must considered before even thinking about  before enabling BGP on a enterprise firewall.

To give you an example for a typical day of BGP updates, I've graph one single day & the total number of updates, withdraws,  and path changes or other path attributes,  and total these over each hourly period.

 YMMV depending on the bgp peering your doing and the upstream provider and how stable there links are with other carriers

NOTE: So think very long and hard before enabling bgp within  your firewall. 

Most firewalls have way less available memory and uses more memory for other tasks and functions outside of dynamic routing.

They also typically have  a smaller CPU footprint for similar priced routed. So to get a equal performance,  and router like function, you will mostly likely need a bigger capacity memory/cpu model.

Routers are good one thing only ; "Routing"
Firewall are good at being a ; "Firewall"

for some good future references & for reviewing

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  *  * )=
      /  \

No comments:

Post a Comment