Firewall Wizards mailing list archives

Re: OSPF on Firewall


From: Paul Robertson <proberts () patriot net>
Date: Wed, 17 Dec 2003 16:34:32 -0500 (EST)

On Wed, 17 Dec 2003, Shimon Silberschlag wrote:

> Let's say that I have two routers (on an internal network) that talk OSPF
> between them.
>
> Now I have to insert a firewall in-between the two routers.
>
> I am led to believe (by the Communications people I work with) that there is
> no other option but to install OSPF on the firewall, which doesn't make me
> feel easy about the solution.
>
> Is it true that there is no other way around this problem?

There are several options:

1.  Forward the OSPF traffic in bridge mode with MAC address, protocol
and/or other criteria.

2.  Forward the OSPF traffic in IP mode with source and destination limits
*and* ensure the routers filter inbound OSPF on their external interfaces
so that there's a containment boundary.

3.  Do static routing between the routers, and deal with routing changes
by maintaining the tables out of band (may be a really good idea,
depending on what the firewall is enforcing.)

4.  Run a dynamic routing protocol on the firewall and have the routers
export their routes (be careful that the firewall *exports* those routes
to each router, and *does NOT* use the routing information itself.  Note
that the protocol doesn't have to be OSPF, you can do anything that'll
import to and export from OSPF, and have the routers do the conversion
(good for larting stubborn datacomm folks- make 'em implement BGP with
filtering and all the good bells and whistles on.)

5.  Carry routing in a tunnel and bypass the firewall (may be very bad,
depending on what the firewall's enforcing.)

6.  Take over the routers as a part of the "security infrastructure" and
enforce policy with their configuration.

There are probably other ways to deal with it. Note that dynamic routing
information is pretty important stuff, and it really shouldn't transit a
trust zone without a *really* *really* good reason, and what routes you'll
accept from where is important (hence the hammer for BGP, where that stuff
is easy to do and easy to implement.)  If they can't do static routing
(which would be my preference), I'd be looking pretty hard at why.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
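The second option in the reply above (forward OSPF in IP mode with source and
destination limits) written out as an added example; this is not code from the
original thread or from any product Paul or Shimon mention. The topology, the
two router addresses, the firewall interface names and the sample packets are
all assumed for illustration. It shows the checks a stateless filter has to
make for OSPF, which is neither TCP nor UDP (IP protocol 89) and uses the
224.0.0.5/224.0.0.6 multicast groups as well as unicast between neighbours, and
it treats a router's address arriving on the wrong firewall leg as spoofed.

```python
"""Added example (not from the original post): option 2 from the reply above,
"forward the OSPF traffic in IP mode with source and destination limits",
expressed as a minimal stateless packet filter.  Router addresses, interface
names and the sample packets are constructed for illustration only."""
import struct
from ipaddress import IPv4Address

OSPF_PROTO = 89                      # IANA protocol number for OSPF
OSPF_VERSION = 2                     # OSPFv2 (IPv4)
ALLSPF = IPv4Address("224.0.0.5")    # AllSPFRouters multicast group
ALLDR = IPv4Address("224.0.0.6")     # AllDRouters multicast group

# Assumed topology: router A on the firewall's inside leg (eth0), router B on
# its outside leg (eth1).  Only these two interface addresses may speak OSPF
# across the firewall, and each may only be seen on its own leg.
ROUTER_A = IPv4Address("10.1.0.1")
ROUTER_B = IPv4Address("10.2.0.1")
EXPECTED_IFACE = {ROUTER_A: "eth0", ROUTER_B: "eth1"}
ALLOWED_DST = {ROUTER_A, ROUTER_B, ALLSPF, ALLDR}


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), pkt[ihl:]


def parse_ospf_header(payload):
    """Return (version, type, router_id, area_id) from a 24-byte OSPFv2 header, or None."""
    if len(payload) < 24:
        return None
    version, ptype, length, router_id, area_id = struct.unpack("!BBHII", payload[:12])
    if length < 24 or length > len(payload):
        return None
    return version, ptype, IPv4Address(router_id), IPv4Address(area_id)


def ospf_policy(iface, pkt):
    """Decide 'accept' or 'drop' for a packet seen inbound on firewall interface `iface`."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "drop"
    proto, src, dst, payload = hdr
    if proto != OSPF_PROTO:
        return "drop"          # this policy only decides OSPF; other traffic is another rule's job
    if src not in EXPECTED_IFACE:
        return "drop"          # not one of the two permitted speakers
    if EXPECTED_IFACE[src] != iface:
        return "drop"          # router address arriving on the wrong leg: spoofed
    if dst not in ALLOWED_DST:
        return "drop"          # neither the peer router nor an OSPF multicast group
    ospf = parse_ospf_header(payload)
    if ospf is None or ospf[0] != OSPF_VERSION:
        return "drop"          # truncated, inconsistent length, or not OSPFv2
    return "accept"


def build_packet(src, dst, proto=OSPF_PROTO, payload=b""):
    """Construct a minimal IPv4 packet (checksum left zero; this filter does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def ospf_hello(router_id, area_id="0.0.0.0"):
    """Construct an OSPFv2 Hello (type 1) with a zeroed minimum-size body."""
    body = b"\x00" * 20    # netmask, hello interval, options, priority, dead interval, DR, BDR
    hdr = struct.pack("!BBHII", OSPF_VERSION, 1, 24 + len(body),
                      int(IPv4Address(router_id)), int(IPv4Address(area_id)))
    auth = b"\x00" * 12    # checksum, AuType 0 (null) and 8-byte authentication field
    return hdr + auth + body


if __name__ == "__main__":
    hello = ospf_hello("1.1.1.1")
    print(ospf_policy("eth0", build_packet(ROUTER_A, ALLSPF, payload=hello)))   # accept
    print(ospf_policy("eth1", build_packet(ROUTER_A, ALLSPF, payload=hello)))   # drop: wrong leg
```

This is only the firewall half of the containment boundary the reply asks
for; each router still needs its own inbound filter on the external interface
so that OSPF from anything other than the expected peer is discarded before the
routing process sees it. The filter is deliberately stateless because OSPF has
no connection to track, and it does not validate the OSPF checksum or
authentication, which remain the routers' responsibility.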