Firewall Wizards mailing list archives

Re: Dynamic routing on a firewall


From: Bill Van Emburg <bve () quadrix com>
Date: Fri, 28 Nov 2003 14:09:15 -0500

From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
To: firewall-wizards () honor icsalabs com
Date: Fri, 28 Nov 2003 11:38:32 +0200
Subject: [fw-wiz] Dynamic routing on a firewall
[...]
Is it a good idea to allow a firewall to participate in dynamic routing? My
first thoughts are that it sounds like a really dangerous thing - you
certainly don't want to have routes changing so that a DMZ moves from one
interface to a different one, for instance.
[...]
Leaving out the question of how A gets the packets to B eventually, to
complete the connection, is this a realistic scenario? How can one protect
against something like this, using the abovementioned firewalls, if one
still chooses to use dynamic routing?


Well, in general, you can control what types of routing updates you'll accept from which parties. For example, with BGP, you can set ACLs that control which routing updates you'll accept. It is, however, protocol and implementation-dependent. I don't have specific answers for you for FW-1 and PIX, because I have moved away from using those FWs, but I seem to recall the means existing in both cases. (With FW-1, you may have to put something onto the box manually -- I don't recall the feature being available from within FW-1's software.)
--

                                     -- Bill Van Emburg
                                        Quadrix Solutions, Inc.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
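The reply above describes the defensive control in general terms: accept routing updates only from configured peers, only for the prefixes each peer is allowed to announce, and never for the networks that are directly attached to the firewall. The following is an added example, not code from the original post and not FW-1, PIX or any vendor's implementation; it models an inbound route-update filter in Python so the policy can be exercised against constructed sample updates. All peer addresses, prefixes and the policy itself are assumptions chosen for the illustration.

```python
"""Inbound routing-update filter (illustrative model, not a real BGP daemon).

A firewall that takes part in dynamic routing should treat every received
update as untrusted input.  This model applies two checks in order:
  1. a route for (or inside) a directly attached network is never accepted,
     whoever sends it, so a DMZ cannot be 'moved' to another interface;
  2. each configured peer has a prefix list; unlisted peers and unlisted
     prefixes are dropped (implicit deny), as with a router prefix-list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    prefix: str            # covering prefix, e.g. "172.16.0.0/12"
    le: Optional[int] = None  # longest prefix length still covered (like 'le')

# Constructed: networks directly attached to the firewall (inside, DMZ).
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.10.0.0/16")]

# Constructed per-peer policy.  Peers not listed here are rejected outright.
POLICY = {
    "203.0.113.1": [Rule("permit", "198.51.100.0/24", le=32),
                    Rule("permit", "172.16.0.0/12", le=24)],
    "203.0.113.2": [Rule("permit", "0.0.0.0/0")],   # default route only
}

def matches(rule, net):
    """True when 'net' falls under the rule's prefix within its 'le' bound."""
    base = ipaddress.ip_network(rule.prefix)
    if rule.le is None:
        return net == base                     # exact match only
    return net.subnet_of(base) and net.prefixlen <= rule.le

def evaluate(peer, prefix):
    """Return (accepted, reason) for a single update from 'peer'."""
    net = ipaddress.ip_network(prefix, strict=True)
    for protected in PROTECTED:
        # A more specific (or equal) route would win longest-prefix match
        # against the connected route, so it must never be learned.
        if net.subnet_of(protected):
            return False, "inside protected network %s" % protected
    rules = POLICY.get(peer)
    if rules is None:
        return False, "unknown peer"
    for rule in rules:
        if matches(rule, net):
            return rule.action == "permit", "rule %s %s" % (rule.action, rule.prefix)
    return False, "implicit deny"

# Constructed sample updates: (announcing peer, prefix)
UPDATES = [
    ("203.0.113.1", "198.51.100.0/24"),
    ("203.0.113.1", "192.0.2.0/25"),     # half of the DMZ: must be rejected
    ("203.0.113.1", "172.16.5.0/24"),
    ("203.0.113.1", "172.16.5.0/28"),    # more specific than the policy allows
    ("203.0.113.2", "0.0.0.0/0"),
    ("203.0.113.2", "198.51.100.0/24"),  # not permitted from this peer
    ("203.0.113.9", "0.0.0.0/0"),        # peer not in the policy at all
]

def filter_updates(updates):
    """Split updates into accepted and rejected lists, each with a reason."""
    accepted, rejected = [], []
    for peer, prefix in updates:
        ok, why = evaluate(peer, prefix)
        (accepted if ok else rejected).append((peer, prefix, why))
    return accepted, rejected

if __name__ == "__main__":
    acc, rej = filter_updates(UPDATES)
    for peer, prefix, why in acc:
        print("ACCEPT %-12s %-18s %s" % (peer, prefix, why))
    for peer, prefix, why in rej:
        print("REJECT %-12s %-18s %s" % (peer, prefix, why))
```

The protected-network check runs before the per-peer rules on purpose: it covers the failure mode the question raises (a DMZ route arriving from any peer) even if a peer's prefix list is later loosened by mistake. A supernet of a protected network is allowed through, because longest-prefix match still prefers the connected route; only an equal or more specific prefix can displace it.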
