Firewall Wizards mailing list archives
Re: Dynamic routing on a firewall
From: Bill Van Emburg <bve () quadrix com>
Date: Fri, 28 Nov 2003 14:09:15 -0500
> From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
> To: firewall-wizards () honor icsalabs com
> Date: Fri, 28 Nov 2003 11:38:32 +0200
> Subject: [fw-wiz] Dynamic routing on a firewall
>
> [...]
>
> Is it a good idea to allow a firewall to participate in dynamic routing? My first thoughts are that it sounds like a really dangerous thing - you certainly don't want to have routes changing so that a DMZ moves from one interface to a different one, for instance.
>
> [...]
>
> Leaving out the question of how A gets the packets to B eventually, to complete the connection, is this a realistic scenario? How can one protect against something like this, using the above-mentioned firewalls, if one still chooses to use dynamic routing?
Well, in general, you can control what types of routing updates you'll accept from which parties. For example, with BGP, you can set ACLs that control which routing updates you'll accept. It is, however, protocol- and implementation-dependent. I don't have specific answers for you for FW-1 and PIX, because I have moved away from using those FWs, but I seem to recall the means existing in both cases. (With FW-1, you may have to put something onto the box manually -- I don't recall the feature being available from within FW-1's software.)
--
Bill Van Emburg
Quadrix Solutions, Inc.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
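The kind of inbound filtering Bill describes, written out as an added example that is not part of this thread and not specific to FW-1 or PIX: a bgpd configuration in FRRouting/Quagga syntax for a firewall that peers with one upstream router. The AS numbers, the router ID, the peer address 192.0.2.2, the password, and the DMZ prefix 10.10.20.0/24 are all assumed values chosen for illustration. The point of the prefix list is Rogan's worry about a route "moving" a DMZ: the DMZ stays a directly connected network on the firewall, and the inbound filter refuses any advertisement that covers it or any more-specific part of it, so a peer (or someone who has compromised the peer) cannot redirect DMZ traffic by announcing a route.

```conf
! Example bgpd.conf fragment (assumed, not from the original post).
! Goal: accept only the routes we expect from the upstream, and never
! accept a route that would override the firewall's own DMZ network.
!
! Prefix list applied inbound. Evaluation stops at the first match.
ip prefix-list FROM-UPSTREAM seq 5  deny   10.10.20.0/24 le 32
ip prefix-list FROM-UPSTREAM seq 10 deny   10.0.0.0/8 le 32
ip prefix-list FROM-UPSTREAM seq 15 deny   172.16.0.0/12 le 32
ip prefix-list FROM-UPSTREAM seq 20 deny   192.168.0.0/16 le 32
ip prefix-list FROM-UPSTREAM seq 25 deny   0.0.0.0/0 le 7
ip prefix-list FROM-UPSTREAM seq 30 permit 0.0.0.0/0 le 24
!
! seq 5  : the DMZ prefix and every sub-prefix of it (le 32) is refused,
!          so no peer can announce a more-specific route that would
!          pull DMZ-bound traffic out the wrong interface.
! seq 10-20 : RFC 1918 space is refused from an external peer.
! seq 25 : prefixes shorter than /8, including a default route, refused.
! seq 30 : everything else up to /24 is accepted; /25-/32 is dropped.
!
! Outbound list: announce only what we intend to, nothing learned
! from elsewhere leaks back out.
ip prefix-list TO-UPSTREAM seq 5  permit 203.0.113.0/24
ip prefix-list TO-UPSTREAM seq 10 deny   0.0.0.0/0 le 32
!
router bgp 65001
 bgp router-id 192.0.2.1
 neighbor 192.0.2.2 remote-as 65002
 ! TCP MD5 on the session so a third party cannot inject updates.
 neighbor 192.0.2.2 password ChangeMe-AssumedSharedSecret
 address-family ipv4 unicast
  network 203.0.113.0/24
  neighbor 192.0.2.2 prefix-list FROM-UPSTREAM in
  neighbor 192.0.2.2 prefix-list TO-UPSTREAM out
  ! Tear the session down if the peer suddenly sends far more routes
  ! than expected (misconfiguration or a compromised peer).
  neighbor 192.0.2.2 maximum-prefix 500
 exit-address-family
!
```

After loading this, check what actually got through with `show ip bgp neighbors 192.0.2.2 received-routes` (needs `soft-reconfiguration inbound` on the neighbor) against `show ip bgp neighbors 192.0.2.2 routes`; the DMZ prefix should appear in the first list if the peer sends it and never in the second. Two caveats a practitioner would add: the filter only governs what BGP installs, so the firewall's own rulebase must still be tied to interfaces or zones rather than trusting "the route says this is the DMZ", and a static route for the DMZ with an administrative distance lower than the routing protocol's is a cheap second belt and braces on platforms that cannot filter as precisely as this.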
Current thread:
- Dynamic routing on a firewall Dawes, Rogan (ZA - Johannesburg) (Nov 28)
- RE: Dynamic routing on a firewall Alan Holmes (Nov 28)
- RE: Dynamic routing on a firewall Ben Nagy (Nov 28)
- Re: Dynamic routing on a firewall Paul Robertson (Nov 28)
- Re: Dynamic routing on a firewall Bill Van Emburg (Nov 28)