nanog mailing list archives

Re: asymmetric routes/security concerns/Fortinet


From: Anthony Pardini <tony () pardini org>
Date: Fri, 7 Jan 2011 13:45:51 -0600

You can allow asymmetric traffic on the Fortinet, but you lose some
functionality.  Firewalls aren't routers and pretty much all of them
behave in a similar manner.

On Fri, Jan 7, 2011 at 11:40 AM, Greg Whynott <Greg.Whynott () oicr on ca> wrote:


Hello,

we have multiple internet connections, one of which is a research network to which many medical institutions and 
universities throughout the country are also connected.  This research network (ORION) also has internet access but 
is not meant to be used as a primary path to the internet by its customers.  Connected to the ORION network are 
many sites we exchange email with daily who also have multiple internet connections.  One of these sites is not 
reachable by us.  After investigating, it was discovered this site is dropping our connections as the path back to 
us would use a different interface on the firewall (a Fortinet device) than that which it arrived upon.

The admins at this university claim this is by design and for security reasons.  My response was the entire 
internet is asymmetrical and while this may have been a legitimate concern in the 90's, I don't think it's a real 
concern anymore if things are set up correctly.  They suggested we add static routes to our equipment to address 
this…  This seems like a bad idea and I am not comfortable adjusting my routing table to address one site's issues on 
the internet due to their (not our) routing/security policies.

Am I correct here?  Any comments on this would be greatly appreciated as I'll be called into a meeting to discuss 
this further (they are digging in their heels on this, and higher-ups are getting involved now).  I'd like to arm 
myself with a few perspectives.

thanks very much for your time again,

greg

--

This message and any attachments may contain confidential and/or privileged information for the sole use of the 
intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is 
strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. 
Opinions, conclusions or other information contained in this message may not be that of the organization.
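The behaviour Anthony describes, as an added illustration that is not part of either post and is not FortiOS code: a toy stateful firewall keeps a session table keyed on the 5-tuple and binds each session to the interface pair it was first seen on. A packet whose reverse path (the route back to its source) does not match the interface it arrived on is dropped, which is exactly what happens to Greg's mail when it arrives over the research link while the university's route back to him points at the commodity link. The interface names (wan1, orion, lan), host names, ports and the scripted four-packet exchange are all constructed for the example; the asymroute flag models "allow asymmetric traffic" by skipping the interface checks.

```python
"""Toy model of why a stateful firewall drops asymmetrically routed traffic.

Added illustration, not vendor code. Interface names, hosts, ports and the
scripted exchange below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source host (toy: exact-match strings stand in for prefixes)
    dst: str
    sport: int
    dport: int
    syn: bool
    iface: str     # interface the packet arrived on


@dataclass
class Session:
    in_iface: str   # interface the opening SYN arrived on
    out_iface: str  # interface the firewall forwards the session out of
    packets: int = 0


class StatefulFirewall:
    """Session table keyed on the 5-tuple; each session is bound to the pair of
    interfaces it was first seen on, which is how stateful firewalls behave."""

    def __init__(self, routes, asymroute=False):
        self.routes = routes        # destination -> egress interface
        self.asymroute = asymroute  # True: skip the reverse-path/interface checks
        self.sessions = {}

    def route(self, dst):
        return self.routes.get(dst, self.routes["default"])

    @staticmethod
    def key(pkt):
        # Both directions of a flow map to the same session key.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (ends[0], ends[1], "tcp")

    def process(self, pkt):
        """Return (verdict, reason) for one packet and update the session table."""
        sess = self.sessions.get(self.key(pkt))
        if sess is None:
            if not pkt.syn:
                return "drop", "no session and packet is not a SYN"
            reply_iface = self.route(pkt.src)
            if not self.asymroute and reply_iface != pkt.iface:
                # Reverse-path check: a reply would leave a different interface.
                return "drop", (f"reply to {pkt.src} would leave {reply_iface}, "
                                f"packet arrived on {pkt.iface}")
            sess = Session(in_iface=pkt.iface, out_iface=self.route(pkt.dst))
            self.sessions[self.key(pkt)] = sess
            sess.packets += 1
            return "accept", "new session"
        if not self.asymroute and pkt.iface not in (sess.in_iface, sess.out_iface):
            # Mid-stream packet showed up on an interface the session is not bound to.
            return "drop", (f"session bound to {sess.in_iface}/{sess.out_iface}, "
                            f"packet arrived on {pkt.iface}")
        sess.packets += 1
        return "accept", "matches existing session"


def simulate(asymroute):
    """Scripted exchange between an outside mail host and an inside one through a
    firewall with two upstream links (wan1 = commodity Internet, orion = research
    network) and one inside interface (lan). Returns a list of (verdict, reason)."""
    fw = StatefulFirewall(
        routes={"inside-mx": "lan", "outside-mx": "wan1", "default": "wan1"},
        asymroute=asymroute,
    )
    exchange = [
        # 1. Outside host's SYN arrives over the research link, but the
        #    firewall's route back to it points at wan1.
        Packet("outside-mx", "inside-mx", 40000, 25, syn=True, iface="orion"),
        # 2. The same SYN arriving on wan1, which is what the static route the
        #    university suggested would achieve from the sender's side.
        Packet("outside-mx", "inside-mx", 40000, 25, syn=True, iface="wan1"),
        # 3. Inside host's SYN-ACK heading back out.
        Packet("inside-mx", "outside-mx", 25, 40000, syn=True, iface="lan"),
        # 4. A mid-stream packet from the outside host shows up on orion again.
        Packet("outside-mx", "inside-mx", 40000, 25, syn=False, iface="orion"),
    ]
    return [fw.process(p) for p in exchange]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"asymroute={mode}")
        for step, (verdict, reason) in enumerate(simulate(mode), 1):
            print(f"  {step}. {verdict:6s} {reason}")
```

With the checks on, packets 1 and 4 are dropped and only the path that arrives on the interface the firewall would reply through survives; with asymroute on, all four are accepted because the firewall no longer ties a session to an interface. In this toy that binding is the only thing given up; on a real product the knob (on FortiOS it is asymroute under config system settings, set per VDOM) gives up more than that, which is the "some functionality" Anthony is referring to, so it is a trade-off for the firewall's owner rather than something the remote site can fix with a static route of their own.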