Firewall Wizards mailing list archives

Re: OSPF on Firewall


From: Carson Gaspar <carson () taltos org>
Date: Wed, 17 Dec 2003 19:21:11 -0500

One standard solution is to use BGP between the routers, and permit the TCP port through the firewall.

For the several folks who have expressed the opinion "why on earth would you want to do that!?", I have a standard example. You have leased lines to a partner company. For BCP reasons, you have them installed in multiple diverse geographic locations. You need to automatically use the backup circuit if the primary is down, or if the building the primary is in blows up. In order to handle the "building blows up" case, you really need to advertise dynamic routes internally. The easiest way to do this is to have the router (VPN endpoint, whatever) advertise the route, via the firewall, to the internal network. Yes, you want to do route filtering on the internal router (or the firewall), as the external router is exposed to attack.

Of course, doing this requires one of:

- a firewall that can do remote state sharing
- a stateless firewall
- forced symmetric routes, and an acceptance that existing connections will die when a failure occurs.

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
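One way to model the route filtering the post recommends on the internal router (or firewall), as an added example that is not code from the original post; the partner AS number, partner prefixes, internal address space and max-prefix limit are constructed assumptions:

```python
"""Route filter for prefixes learned over BGP from an exposed external router.

Added example, not from the original post. The partner AS (65001), partner
prefixes, internal space (10.0.0.0/8) and limits below are constructed values.
"""
from ipaddress import ip_network

PARTNER_ASN = 65001                                        # assumed partner AS
PARTNER_PREFIXES = [ip_network("203.0.113.0/24"),          # assumed partner space
                    ip_network("198.51.100.0/22")]
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8")]             # assumed internal space
MAX_PREFIX_LEN = 24   # ignore anything more specific than a /24
MAX_PREFIXES = 4      # max-prefix guard: a flood of routes tears the session down


def accept_route(prefix, as_path):
    """Return (accepted, reason) for one announced route; as_path is a list of ASNs."""
    net = ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return False, "default route not accepted from partner"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "prefix too specific"
    if not as_path or as_path[-1] != PARTNER_ASN:
        return False, "AS path does not originate from partner"
    # A compromised external router must never be able to announce our own
    # space back to us, including more-specifics that win on longest match.
    if any(net.overlaps(i) for i in INTERNAL_PREFIXES):
        return False, "overlaps internal address space"
    if not any(net.subnet_of(p) for p in PARTNER_PREFIXES):
        return False, "outside agreed partner prefixes"
    return True, "ok"


def filter_routes(announcements):
    """Apply accept_route to (prefix, as_path) pairs and enforce MAX_PREFIXES.

    Returns (accepted, rejected), each a list of (prefix, reason). Exceeding
    the max-prefix limit drops the whole set, mirroring a session teardown.
    """
    accepted, rejected = [], []
    for prefix, path in announcements:
        ok, reason = accept_route(prefix, path)
        (accepted if ok else rejected).append((prefix, reason))
        if len(accepted) > MAX_PREFIXES:
            return [], [(p, "max-prefix exceeded") for p, _ in announcements]
    return accepted, rejected
```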
