Firewall Wizards mailing list archives
Re: Dynamic routing on a firewall
From: Paul Robertson <proberts () patriot net>
Date: Fri, 28 Nov 2003 18:53:52 -0500 (EST)
On Fri, 28 Nov 2003, Dawes, Rogan (ZA - Johannesburg) wrote:
> Hi, I just wanted to pick the list's brain with regards to dynamic routing on a firewall. Is it a good idea to allow a firewall to participate in dynamic routing? My first thoughts are that it sounds like a really dangerous thing - you certainly don't want to have routes changing so that a DMZ moves from one interface to a different one, for instance.
That's a part of it, the other piece of it is that dynamic routing protocols are complex animals- and complexity leads to bugs.
> What mechanisms do the various firewalls (mostly interested in Pix and FW-1) have to sanity-check routing updates that they receive?
I've never allowed a firewall to do dynamic routing, so I can't directly answer that- but BGP is really the only routing protocol I'd want to place into a hostile environment, and then I'd want the implementation to be bullet-proof, so I'd put in routers, and leave firewalling to the firewalls and routing to the routers...

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
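The sanity check Rogan asks about can be expressed as a small policy over incoming route updates: only accept routes from configured peers on the interface they arrived on, never let a pinned prefix (the DMZ, the inside networks) or anything more specific than it be installed on another interface, and only take a default route from the outside. The Python below is an added illustration written for this archive page, not code from the thread and not how PIX or FW-1 implement it; the interface names, peer addresses and prefixes are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class RouteUpdate:
    prefix: str     # advertised network, e.g. "198.51.100.0/24"
    next_hop: str   # peer that advertised it
    interface: str  # interface the update arrived on (and would be installed on)

# Constructed policy. Pinned prefixes must never move off their interface;
# the DMZ living on dmz0 is exactly the case the question worries about.
PINNED = {"192.0.2.0/24": "dmz0", "10.0.0.0/8": "inside0"}
# Only these next hops are allowed to send updates on each interface.
ALLOWED_PEERS = {
    "dmz0": {"192.0.2.1"},
    "inside0": {"10.0.0.1"},
    "outside0": {"203.0.113.1"},
}
OUTSIDE = "outside0"

def check_update(u: RouteUpdate, pinned=PINNED, peers=ALLOWED_PEERS):
    """Return (accepted, reason) for a single routing update."""
    net = ip_network(u.prefix, strict=False)
    # 1. Updates from an unexpected neighbour on that interface are dropped.
    if u.next_hop not in peers.get(u.interface, set()):
        return False, f"{u.next_hop} is not a configured peer on {u.interface}"
    # 2. A pinned prefix, or a more-specific route inside it, would win the
    #    longest-match lookup and move traffic to another interface: refuse it.
    #    A less specific supernet (e.g. a default route) is harmless here.
    for p, iface in pinned.items():
        pnet = ip_network(p)
        if net.version == pnet.version and net.subnet_of(pnet) and iface != u.interface:
            return False, f"{u.prefix} is inside pinned {p} ({iface}); not installing on {u.interface}"
    # 3. A default route is only believable from the outside peer.
    if net.prefixlen == 0 and u.interface != OUTSIDE:
        return False, f"default route only accepted on {OUTSIDE}"
    return True, "ok"

def filter_updates(updates):
    """Split a batch of updates into those to install and those to log as rejected."""
    accepted, rejected = [], []
    for u in updates:
        ok, reason = check_update(u)
        (accepted if ok else rejected).append((u, reason))
    return accepted, rejected

if __name__ == "__main__":
    batch = [  # constructed sample: one good route, one DMZ hijack attempt from outside
        RouteUpdate("198.51.100.0/24", "203.0.113.1", "outside0"),
        RouteUpdate("192.0.2.128/25", "203.0.113.1", "outside0"),
    ]
    for u, reason in filter_updates(batch)[1]:
        print("REJECT", u.prefix, "via", u.interface, "-", reason)
```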