Firewall Wizards mailing list archives
Re: OSPF on Firewall
From: Paul Robertson <proberts () patriot net>
Date: Wed, 17 Dec 2003 16:34:32 -0500 (EST)
On Wed, 17 Dec 2003, Shimon Silberschlag wrote:
Let's say that I have two routers (on an internal network) that talk OSPF between them. Now I have to insert a firewall in-between the two routers. I am led to believe (by the Communications people I work with) that there is no other option but to install OSPF on the firewall, which doesn't make me feel easy about the solution. Is it true that there is no other way around this problem?
There are several options:

1. Forward the OSPF traffic in bridge mode with MAC address, protocol and/or other criteria.
2. Forward the OSPF traffic in IP mode with source and destination limits *and* ensure the routers filter inbound OSPF on their external interfaces so that there's a containment boundary.
3. Do static routing between the routers, and deal with routing changes by maintaining the tables out of band (may be a really good idea, depending on what the firewall is enforcing.)
4. Run a dynamic routing protocol on the firewall and have the routers export their routes (be careful that the firewall *exports* those routes to each router, and *does NOT* use the routing information itself.) Note that the protocol doesn't have to be OSPF; you can do anything that'll import to and export from OSPF, and have the routers do the conversion (good for larting stubborn datacomm folks- make 'em implement BGP with filtering and all the good bells and whistles on.)
5. Carry routing in a tunnel and bypass the firewall (may be very bad, depending on what the firewall's enforcing.)
6. Take over the routers as a part of the "security infrastructure" and enforce policy with their configuration.

There are probably other ways to deal with it- note that dynamic routing information is pretty important stuff, and it really shouldn't transit a trust zone without a *really* *really* good reason, and what routes you'll accept from where is important (hence the hammer for BGP, where that stuff is easy to do and easy to implement.)

If they can't do static routing (which would be my preference,) I'd be looking pretty hard at why.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation
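The containment boundary in option 2 (pass OSPF only between the two known routers, and only what the routers themselves would accept), sketched as an added packet-filter check that is not part of the original post. The router addresses, the area number and the requirement for OSPFv2 cryptographic authentication (AuType 2) are assumptions for the example.

```python
import ipaddress
import struct

# Constructed policy for option 2: only the two OSPF routers (assumed addresses),
# only IP protocol 89, only the agreed area, only authenticated packets.
ROUTER_A = ipaddress.ip_address("192.0.2.1")
ROUTER_B = ipaddress.ip_address("192.0.2.2")
ALL_SPF_ROUTERS = ipaddress.ip_address("224.0.0.5")   # AllSPFRouters
ALL_DROUTERS = ipaddress.ip_address("224.0.0.6")      # AllDRouters
OSPF_PROTO = 89
ALLOWED_AREA = 0        # assumed backbone-only link
CRYPTO_AUTH = 2         # OSPFv2 AuType 2 = cryptographic authentication

def parse_ospf_header(payload):
    """Decode the fixed 24-byte OSPFv2 header (RFC 2328, Appendix A.3.1)."""
    if len(payload) < 24:
        raise ValueError("truncated OSPF header")
    ver, ptype, length, rid, area, _csum, autype = struct.unpack("!BBHIIHH", payload[:16])
    return {"version": ver, "type": ptype, "length": length,
            "router_id": str(ipaddress.ip_address(rid)), "area": area, "autype": autype}

def ospf_filter(src, dst, proto, payload):
    """Return (allow, reason) for one packet the firewall is asked to forward."""
    if proto != OSPF_PROTO:
        return False, "not OSPF"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in (ROUTER_A, ROUTER_B):
        return False, f"unexpected OSPF source {src}"
    if d not in (ROUTER_A, ROUTER_B, ALL_SPF_ROUTERS, ALL_DROUTERS):
        return False, f"unexpected OSPF destination {dst}"
    try:
        hdr = parse_ospf_header(payload)
    except ValueError as e:
        return False, str(e)
    if hdr["version"] != 2:
        return False, f"OSPF version {hdr['version']}"
    if hdr["area"] != ALLOWED_AREA:
        return False, f"area {hdr['area']} not permitted"
    if hdr["autype"] != CRYPTO_AUTH:
        return False, "unauthenticated OSPF rejected"
    return True, f"OSPF type {hdr['type']} from router-id {hdr['router_id']}"

def make_ospf_header(ptype=1, rid="192.0.2.1", area=0, autype=2):
    """Constructed test header: a Hello (type 1) in area 0 with AuType 2 by default."""
    rid_int = int(ipaddress.ip_address(rid))
    # checksum left at 0 because this header is only used to exercise the filter
    return struct.pack("!BBHIIHH", 2, ptype, 44, rid_int, area, 0, autype) + b"\x00" * 8
```

The same allow-list (protocol 89, the two router addresses, the two OSPF multicast groups) is what the routers' own inbound interface filters should enforce, so a stray or spoofed adjacency attempt is dropped on both sides of the boundary.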