Firewall Wizards mailing list archives

Re: Dynamic routing on a firewall


From: Paul Robertson <proberts () patriot net>
Date: Fri, 28 Nov 2003 18:53:52 -0500 (EST)

On Fri, 28 Nov 2003, Dawes, Rogan (ZA - Johannesburg) wrote:

> Hi,
>
> I just wanted to pick the list's brain with regards to dynamic routing on a
> firewall.
>
> Is it a good idea to allow a firewall to participate in dynamic routing? My
> first thoughts are that it sounds like a really dangerous thing - you
> certainly don't want to have routes changing so that a DMZ moves from one
> interface to a different one, for instance.


That's a part of it, the other piece of it is that dynamic routing
protocols are complex animals - and complexity leads to bugs.

> What mechanisms do the various firewalls (mostly interested in Pix and FW-1)
> have to sanity-check routing updates that they receive?

I've never allowed a firewall to do dynamic routing, so I can't directly
answer that - but BGP is really the only routing protocol I'd want to place
into a hostile environment, and then I'd want the implementation to be
bullet-proof, so I'd put in routers, and leave firewalling to the
firewalls and routing to the routers...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
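As an added example, not part of Rogan's question or Paul's reply and not the update-filtering logic of PIX, FW-1 or any other product, the following Python sketches the kind of sanity check the question asks about: a policy that a firewall could apply to every routing update before letting it touch the forwarding table. It encodes the concern raised above (a learned route must never pull DMZ or inside traffic out through a different interface) plus the usual BGP-style inbound hygiene. The three-legged zone layout, interface names, prefixes, martian list and sample updates are all constructed assumptions for the example.

```python
"""Policy filter for dynamic routing updates reaching a firewall (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Zone:
    name: str
    interface: str               # firewall interface this zone is nailed to
    link: IPv4Net                # directly connected subnet on that interface
    behind: Tuple[IPv4Net, ...]  # networks that must only ever be reached via this interface
    dynamic: bool                # are routing updates accepted on this interface at all?


@dataclass(frozen=True)
class RouteUpdate:
    interface: str               # interface the update arrived on
    prefix: IPv4Net
    next_hop: IPv4Addr


# Constructed zone table for a three-legged firewall (assumption, not from the thread):
# only the outside interface has a routing peer; DMZ and inside are static.
ZONES = {
    z.interface: z for z in (
        Zone("outside", "eth0", IPv4Net("203.0.113.0/30"), (), dynamic=True),
        Zone("dmz", "eth1", IPv4Net("192.0.2.0/24"), (IPv4Net("192.0.2.0/24"),), dynamic=False),
        Zone("inside", "eth2", IPv4Net("10.0.0.0/24"), (IPv4Net("10.0.0.0/8"),), dynamic=False),
    )
}

# Prefixes that never belong in an update from an external peer (a subset of the usual bogon list).
MARTIANS = tuple(IPv4Net(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
))

MAX_PREFIX_LEN = 24  # refuse anything more specific than a /24


def check_update(update: RouteUpdate, zones=ZONES) -> Tuple[bool, str]:
    """Return (accepted, reason); every rejection names the single rule that fired."""
    zone = zones.get(update.interface)
    if zone is None:
        return False, f"unknown interface {update.interface}"
    if not zone.dynamic:
        return False, f"dynamic routing disabled on {zone.name}"
    # The next hop must sit on the receiving link; a third-party next hop would make the
    # firewall forward via an address it has no adjacency with.
    if update.next_hop not in zone.link:
        return False, f"next hop {update.next_hop} not on {zone.name} link {zone.link}"
    # A route equal to or more specific than any protected network would pull that zone's
    # traffic out through the wrong interface: the "DMZ moves interface" case. A covering,
    # less specific route (including a default) loses to the connected/static route, so it passes.
    for other in zones.values():
        for protected in (other.link, *other.behind):
            if update.prefix.subnet_of(protected):
                return False, f"{update.prefix} would hijack {other.name} ({protected})"
    if update.prefix.prefixlen > MAX_PREFIX_LEN:
        return False, f"{update.prefix} more specific than /{MAX_PREFIX_LEN}"
    if any(update.prefix.subnet_of(m) for m in MARTIANS):
        return False, f"{update.prefix} is a martian prefix"
    return True, "accepted"


def filter_updates(updates, zones=ZONES):
    """Split a batch of updates into accepted routes and a rejection log."""
    accepted, rejected = [], []
    for u in updates:
        ok, reason = check_update(u, zones)
        (accepted if ok else rejected).append((u, reason))
    return accepted, rejected


# Constructed batch of updates, as if received from the outside peer (and one from the DMZ).
PEER = IPv4Addr("203.0.113.2")
SAMPLE_UPDATES = (
    RouteUpdate("eth0", IPv4Net("198.51.100.0/24"), PEER),              # ordinary remote prefix
    RouteUpdate("eth0", IPv4Net("0.0.0.0/0"), PEER),                    # default from upstream
    RouteUpdate("eth0", IPv4Net("192.0.2.0/25"), PEER),                 # half of the DMZ, via outside
    RouteUpdate("eth0", IPv4Net("10.1.0.0/16"), PEER),                  # slice of inside, via outside
    RouteUpdate("eth1", IPv4Net("198.51.100.0/24"), IPv4Addr("192.0.2.1")),  # update on a static zone
    RouteUpdate("eth0", IPv4Net("198.51.100.0/24"), IPv4Addr("198.51.100.1")),  # next hop off-link
    RouteUpdate("eth0", IPv4Net("198.51.100.0/28"), PEER),              # too specific
    RouteUpdate("eth0", IPv4Net("172.16.5.0/24"), PEER),                # martian
)

if __name__ == "__main__":
    accepted, rejected = filter_updates(SAMPLE_UPDATES)
    for u, _ in accepted:
        print(f"INSTALL {u.prefix} via {u.next_hop} ({u.interface})")
    for u, why in rejected:
        print(f"DROP    {u.prefix} from {u.interface}: {why}")
```

The zone table does the real work: anything the firewall's security policy relies on (the connected subnets and the networks statically routed behind them) is listed as protected and can never be overridden by a learned route, whatever protocol delivered it. In practice this belongs on a dedicated router in front of the firewall, which is Paul's point, but the same checks are what you would want any firewall's routing process to enforce if it does speak a dynamic protocol.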