[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] OSPF on a firewall. Good? Bad? What?
Hi Chris, One of the problems with dynamic routing is that it causes headaches if anti-spoofing is setup. Another headache is if someone within your organization started to advertise a routable IP address on the internal network, causes grief to the firewall admin to isolate the issue as to why users cannot get to the internet site but can from home. Also could be an issue if multiple internet accesses into the Internal network. What should be the primary default route to the Net on the internal network, etc. I always love to stay static on the firewall as it gives the firewall admin the ability to ensure that the firewall is routing properly and makes it much easier to trouble shoot routing problems. ^_^ That's pretty much it. Harjot (Joe) Sekhon AT&T Canada Security Engineer -----Original Message----- From: Chris Koger [mailto:[email protected]] Sent: Friday, August 24, 2001 2:33 AM To: Fw-1-Mailinglist Subject: [FW1] OSPF on a firewall. Good? Bad? What? OK, hello to all and TIA for any advice that you may have. There seems to be two schools of thought on the subject of dynamic routing protocols on firewalls. The first says that firewalls should be purely static and that dynamic protocols such as OSPF, IGMP, and RIP break that principal. And, that they have the potential to pose a security risk by allowing an intruder to break in to the routing tables and perhaps send data somewhere it should not go, or gain intimate knowledge of the internal network structure. The second says that a routing protocol such as OSPF, and the like, assist in the administration of internal routing and that running them on the internal interface of a firewall is no different than running them on the hub routers. This school of thought seems to feel that the likelihood of someone breaking in to a routing table by exploiting OSPF may not even be possible, and that even if it is, running it on the firewall isn't going to make any difference. I have been asked for my opinion on this matter and although I know both schools of thought well, I tend to agree with the first making a firewall a purely static device. Aside from the usual someone could do this or that, could some of you give me some firepower to either help me defend this stance or good reasons why I should abandon it? Does anyone have any experience with problems that arose from actually running one of these protocols (specifically OSPF) on a firewall and perhaps the consequences that were incurred? Again, thanks for any input that any of you may have, and I am open to discussion on the topic if anyone has some input. Chris Koger ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|