Re: [FW1] OSPF on a firewall. Good? Bad? What?
Well, so long as the (interior) dynamic routing protocol is solidly blocked at the router at the edge of your network, *my* opinion is that it doesn't make too much difference. I'd be pretty hesitant to run BGP on a firewall though... OTOH, setting up the static routes for a typical firewall isn't usually that much work, and if you're using NAT, you probably need some anyway, so...

-Robert

At 05:32 AM 8/24/01 -0400, Chris Koger wrote:

> OK, hello to all and TIA for any advice that you may have.
>
> There seem to be two schools of thought on the subject of dynamic routing protocols on firewalls. The first says that firewalls should be purely static and that dynamic protocols such as OSPF, IGMP, and RIP break that principle. And, that they have the potential to pose a security risk by allowing an intruder to break into the routing tables and perhaps send data somewhere it should not go, or gain intimate knowledge of the internal network structure.
>
> The second says that a routing protocol such as OSPF, and the like, assist in the administration of internal routing and that running them on the internal interface of a firewall is no different than running them on the hub routers. This school of thought seems to feel that the likelihood of someone breaking into a routing table by exploiting OSPF may not even be possible, and that even if it is, running it on the firewall isn't going to make any difference.
>
> I have been asked for my opinion on this matter and although I know both schools of thought well, I tend to agree with the first, making a firewall a purely static device. Aside from the usual someone could do this or that, could some of you give me some firepower to either help me defend this stance or good reasons why I should abandon it? Does anyone have any experience with problems that arose from actually running one of these protocols (specifically OSPF) on a firewall and perhaps the consequences that were incurred?
>
> Again, thanks for any input that any of you may have, and I am open to discussion on the topic if anyone has some input.
>
> Chris Koger
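The two things this thread turns on, OSPF being "solidly blocked at the edge" and an intruder getting at the routing tables, can both be audited on the wire. The following is an added example, not code from either poster: a small Python check that parses IPv4 frames, picks out OSPFv2 packets, and flags any that come from outside the trusted internal network or that carry no cryptographic authentication (the AuType field of the OSPF header, RFC 2328). The addresses, the trusted prefix and the sample packets are constructed for the demonstration.

```python
import ipaddress
import struct
OSPF_PROTO = 89  # IP protocol number for OSPF (RFC 2328)
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}
ip4 = lambda b: str(ipaddress.IPv4Address(b))  # 4 raw bytes -> dotted quad

def parse_ipv4_ospf(frame: bytes):
    """Return a summary dict if frame is an IPv4 packet carrying OSPFv2, else None."""
    if len(frame) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != OSPF_PROTO:
        return None
    ospf = frame[(ver_ihl & 0x0F) * 4:]  # skip IP header incl. options
    if len(ospf) < 24:  # the OSPFv2 header is 24 bytes
        return None
    _, otype, _, router_id, area_id, _, autype = struct.unpack("!BBH4s4sHH", ospf[:16])
    return {"src": ip4(src), "type": OSPF_TYPES.get(otype, f"unknown({otype})"),
            "router_id": ip4(router_id), "area_id": ip4(area_id),
            "auth": AUTH_TYPES.get(autype, f"unknown({autype})")}

def audit(frames, trusted_net: str):
    """Flag OSPF from outside the trusted internal network, or lacking cryptographic auth."""
    trusted = ipaddress.ip_network(trusted_net)
    findings = []
    for frame in frames:
        info = parse_ipv4_ospf(frame)
        if info is None:
            continue  # not OSPF: nothing to report
        if ipaddress.ip_address(info["src"]) not in trusted:
            findings.append(("ospf-from-untrusted-source", info))
        elif info["auth"] != "cryptographic":
            findings.append(("ospf-without-crypto-auth", info))
    return findings

def build_ospf_frame(src, dst, otype, router_id, area_id, autype):
    """Constructed test packet: minimal IPv4 + OSPFv2 header, checksums left at zero."""
    p = lambda a: ipaddress.IPv4Address(a).packed
    ospf = struct.pack("!BBH4s4sHH8s", 2, otype, 24, p(router_id), p(area_id), 0, autype, b"\0" * 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ospf), 0, 0, 1, OSPF_PROTO, 0, p(src), p(dst))
    return ip + ospf

# Constructed samples: two internal hellos (crypto auth / no auth), one LS Update from outside, one TCP packet.
SAMPLE_FRAMES = [
    build_ospf_frame("10.1.1.2", "224.0.0.5", 1, "10.1.1.2", "0.0.0.0", 2),
    build_ospf_frame("10.1.1.3", "224.0.0.5", 1, "10.1.1.3", "0.0.0.0", 0),
    build_ospf_frame("203.0.113.9", "224.0.0.5", 4, "203.0.113.9", "0.0.0.0", 0),
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, b"\x0a\x01\x01\x02", b"\x0a\x01\x01\x01"),
]
```

Run `audit(SAMPLE_FRAMES, "10.0.0.0/8")` against frames captured on the outside interface: any finding at all means the edge filter is not doing what Robert assumes, and an unauthenticated hello on the inside is the opening Chris is worried about.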