Firewall Wizards mailing list archives

RE: Dynamic routing on a firewall


From: "Alan Holmes" <alan () tympaniinc com>
Date: Fri, 28 Nov 2003 16:06:00 -0600

Short answer: NO! Do not let the firewall participate in routing protocols.

Long answer: sometimes you have to. If so, the security is a function of
the security features in the routing protocol, i.e. OSPF supports
authentication. A firewall cannot really do much more than the security
features built into the routing protocol.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Dawes,
Rogan (ZA - Johannesburg)
Sent: Friday, November 28, 2003 3:39 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Dynamic routing on a firewall


Hi,

I just wanted to pick the list's brain with regards to dynamic routing
on a firewall.

Is it a good idea to allow a firewall to participate in dynamic routing?
My first thoughts are that it sounds like a really dangerous thing -
you certainly don't want to have routes changing so that a DMZ moves
from one interface to a different one, for instance.

But if the routing can be controlled so that traffic always goes through
the right interface (but possibly to a different upstream router), that
should be OK, I would think.

What mechanisms do the various firewalls (mostly interested in Pix and
FW-1) have to sanity-check routing updates that they receive?

A (simplistic) scenario that could illustrate my concerns:

You have a firewall controlling access to third parties (competitors)
which provide services to your company. Each party is in their own DMZ.
You have dynamic routing enabled on the firewall, since there are two
redundant routers for each party in each party's DMZ, and you need to be
able to fail over from one to the other.

Party A sends a routing update to say that party B is now reachable via
Party A's networks. Any packets that you try to send to party B end up
going to Party A, where they can be captured, etc.

Leaving out the question of how A gets the packets to B eventually, to
complete the connection, is this a realistic scenario? How can one
protect against something like this, using the above-mentioned firewalls,
if one still chooses to use dynamic routing?

Rogan
-- 
"Using encryption on the Internet is the equivalent of arranging an 
armored car to deliver credit card information from someone living 
in a cardboard box to someone living on a park bench."
  - Gene Spafford
-- 
Deloitte & Touche Security Services Group
Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
-- 

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
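An added illustration of the sanity check Rogan asks about, written for this thread and not taken from either post or from any PIX or FW-1 feature: a small Python model of a per-interface prefix filter that a firewall could apply to routing updates before installing them. All addresses, interface names and the POLICY table are constructed. A prefix is accepted only from a configured router on the interface that already owns it, so a failover between the two redundant routers in Party B's DMZ goes through, while Party A's router advertising Party B's prefix (exact or more specific) is rejected, which is the hijack in the scenario above.

```python
"""Per-interface sanity check for dynamic routing updates on a firewall.

Constructed example for the firewall-wizards thread: one DMZ interface per
third party, two redundant routers per DMZ, and the rule that a prefix may
never move to an interface other than the one that owns it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class RouteUpdate:
    prefix: IPv4Network      # destination being advertised
    next_hop: IPv4Address    # router the firewall would forward to
    received_on: str         # firewall interface the update arrived on
    peer: IPv4Address        # router that sent the update


# Constructed policy (hypothetical addresses): each DMZ interface owns one
# party's prefixes, and only that party's two redundant routers may speak on it.
POLICY = {
    "dmz-a": {"prefixes": [ip_network("10.1.0.0/16")],
              "peers": {ip_address("192.0.2.1"), ip_address("192.0.2.2")}},
    "dmz-b": {"prefixes": [ip_network("10.2.0.0/16")],
              "peers": {ip_address("198.51.100.1"), ip_address("198.51.100.2")}},
}


def owning_interface(prefix):
    """Interface whose configured prefixes cover `prefix`, or None."""
    for iface, cfg in POLICY.items():
        if any(prefix.subnet_of(p) for p in cfg["prefixes"]):
            return iface
    return None


def check_update(update):
    """Return (accepted, reason).

    Only updates that keep a prefix on its owning interface are accepted; the
    next hop may still switch between the two routers on that interface, which
    is the failover the original question wants to allow."""
    cfg = POLICY.get(update.received_on)
    if cfg is None:
        return False, "no routing policy for interface %s" % update.received_on
    if update.peer not in cfg["peers"]:
        return False, "peer %s is not a configured router on %s" % (update.peer, update.received_on)
    if update.next_hop not in cfg["peers"]:
        return False, "next hop %s is not a directly connected router on %s" % (update.next_hop, update.received_on)
    owner = owning_interface(update.prefix)
    if owner is None:
        return False, "prefix %s is not assigned to any DMZ" % update.prefix
    if owner != update.received_on:
        return False, "prefix %s belongs to %s but was advertised on %s" % (update.prefix, owner, update.received_on)
    return True, "accepted"


def apply_updates(updates, table=None):
    """Install accepted updates into `table` (prefix -> (next_hop, interface))
    and return (table, decisions) so both can be inspected."""
    table = {} if table is None else dict(table)
    decisions = []
    for u in updates:
        ok, reason = check_update(u)
        decisions.append((str(u.prefix), ok, reason))
        if ok:
            table[u.prefix] = (u.next_hop, u.received_on)
    return table, decisions


# Constructed updates: a legitimate failover on dmz-b, then Party A's router
# claiming Party B's prefix (exact and more specific), then an unknown prefix.
SAMPLE_UPDATES = [
    RouteUpdate(ip_network("10.2.0.0/16"), ip_address("198.51.100.2"), "dmz-b", ip_address("198.51.100.2")),
    RouteUpdate(ip_network("10.2.0.0/16"), ip_address("192.0.2.1"), "dmz-a", ip_address("192.0.2.1")),
    RouteUpdate(ip_network("10.2.5.0/24"), ip_address("192.0.2.1"), "dmz-a", ip_address("192.0.2.1")),
    RouteUpdate(ip_network("10.9.0.0/16"), ip_address("198.51.100.1"), "dmz-b", ip_address("198.51.100.1")),
]

if __name__ == "__main__":
    table, decisions = apply_updates(SAMPLE_UPDATES)
    for prefix, ok, reason in decisions:
        print("%-14s %s  %s" % (prefix, "ACCEPT" if ok else "REJECT", reason))
    print("installed:", {str(p): (str(nh), i) for p, (nh, i) in table.items()})
```

Running it installs only the first update and logs why the other three were dropped. The point it adds to Alan's answer: routing-protocol authentication settles who may send an update, but not what an authenticated neighbour may claim, so a filter tying each prefix to the interface (and peer set) that owns it is the extra check that stops a DMZ from moving. Real routers and firewalls express the same idea as per-neighbour or per-interface prefix filters applied to inbound updates.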