
RE: [FW1] OSPF on a firewall. Good? Bad? What?



Hi Chris,

One of the problems with dynamic routing is that it causes headaches if anti-spoofing is set up.

Another headache is if someone within your organization started to advertise a routable IP address on the internal network; it causes grief to the firewall admin to isolate the issue as to why users cannot get to the Internet site from work but can from home.

It could also be an issue if there are multiple Internet accesses into the internal network: what should be the primary default route to the Net on the internal network, etc.

I always love to stay static on the firewall, as it gives the firewall admin the ability to ensure that the firewall is routing properly and makes it much easier to troubleshoot routing problems. ^_^

That's pretty much it.

Harjot (Joe) Sekhon
AT&T Canada
Security Engineer
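As an added example (not part of the original thread), a small check that illustrates the two failure modes Joe describes: a globally routable prefix advertised from the inside, and a dynamically learned route that does not fit the interface's anti-spoofing definition. The interface names, prefixes and the route list are constructed sample data, not a real firewall's configuration.

```python
import ipaddress

# Constructed example: the prefixes the firewall's anti-spoofing config
# expects behind each interface (hypothetical interface names and ranges).
ANTI_SPOOF = {
    "eth-internal": ["10.0.0.0/8", "192.168.0.0/16"],
    "eth-dmz": ["172.16.10.0/24"],
}

# RFC 1918 ranges; anything outside them is treated as routable on the Internet.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_learned_routes(learned, anti_spoof=ANTI_SPOOF):
    """Return (prefix, interface, reason) for every dynamically learned route
    that looks like a rogue internal advertisement or that would conflict with
    the interface's anti-spoofing definition.

    `learned` is a list of (prefix, interface) tuples, as a dynamic routing
    protocol such as OSPF would install them on the firewall."""
    expected = {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in anti_spoof.items()
    }
    findings = []
    for prefix, iface in learned:
        net = ipaddress.ip_network(prefix)
        # Case 1: a routable prefix advertised on the internal network. Users
        # inside would be routed internally for that site while home users are not.
        if iface == "eth-internal" and not any(net.subnet_of(r) for r in RFC1918):
            findings.append((prefix, iface, "public prefix advertised internally"))
            continue
        # Case 2: a route learned on an interface whose anti-spoofing ranges do
        # not cover it; traffic from that prefix will be dropped as spoofed, or
        # the anti-spoofing definition has to be loosened to match the route.
        if iface in expected and not any(net.subnet_of(e) for e in expected[iface]):
            findings.append((prefix, iface, "outside anti-spoofing range for interface"))
    return findings


if __name__ == "__main__":
    # Constructed sample of routes a dynamic protocol might have installed.
    sample = [("10.5.0.0/16", "eth-internal"),
              ("198.51.100.0/24", "eth-internal"),
              ("172.16.10.0/24", "eth-internal"),
              ("172.16.10.0/24", "eth-dmz")]
    for finding in check_learned_routes(sample):
        print(*finding)
```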

-----Original Message-----
From: Chris Koger [mailto:[email protected]]
Sent: Friday, August 24, 2001 2:33 AM
To: Fw-1-Mailinglist
Subject: [FW1] OSPF on a firewall. Good? Bad? What?



OK, hello to all and TIA for any advice that you may have.

There seem to be two schools of thought on the subject of dynamic routing
protocols on firewalls.  The first says that firewalls should be purely
static and that dynamic protocols such as OSPF, IGMP, and RIP break that
principle.  And, that they have the potential to pose a security risk by
allowing an intruder to break into the routing tables and perhaps send data
somewhere it should not go, or gain intimate knowledge of the internal
network structure.

The second says that a routing protocol such as OSPF, and the like, assists
in the administration of internal routing and that running it on the
internal interface of a firewall is no different from running it on the
hub routers.  This school of thought seems to feel that the likelihood of
someone breaking into a routing table by exploiting OSPF may not even be
possible, and that even if it is, running it on the firewall isn't going to
make any difference.

I have been asked for my opinion on this matter and although I know both
schools of thought well, I tend to agree with the first, making a firewall a
purely static device.  Aside from the usual "someone could do this or that",
could some of you give me some firepower to either help me defend this
stance or good reasons why I should abandon it?  Does anyone have any
experience with problems that arose from actually running one of these
protocols (specifically OSPF) on a firewall and perhaps the consequences
that were incurred?

Again, thanks for any input that any of you may have, and I am open to
discussion on the topic if anyone has some input.

Chris Koger



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================