Re: [FW1] OSPF on a firewall. Good? Bad? What?
At 3:42 PM -0500 8/24/01, Robert C. Wessel wrote:

> Well, so long as the (interior) dynamic routing protocol is solidly blocked at the router at the edge of your network, *my* opinion is that it doesn't make too much difference. I'd be pretty hesitant to run BGP on a firewall though...

I've heard this sort of argument back and forth for years, and it seems like folks overlook a few basics.

1) Routing updates, like IP traffic generally, are *filterable*. Thus you would configure a dynamic routing daemon running on the firewall just as you would configure a firewall rule, permitting only certain speakers to be heard. In point of fact you have *more* control, because with any reasonable routing daemon you have control over not only *who* you listen to, but *what content* you would accept from that speaker. Thus your customer-site internet router a.b.c.d could be hijacked and spend its days happily announcing your internal networks to your firewall, but the routing daemon rightly should only listen to non-internal route updates from that source, and would ignore the updates for routes pertaining to the internal network.

2) For internet-facing systems, most often the only dynamic route you want to hear is a default from multiple routers; it is simple to accept only "0.0.0.0" in most routing daemon configs and ignore all other updates.

3) I'm not sure how the earlier comment on antispoofing comes into this. Antispoofing is configured based upon the firewall owner's complete knowledge of the full set of 'internal' networks, i.e. those which should never appear on the outside interface of a firewall as *source* addresses. I'm not seeing where the source of one's routing updates would break or make configuration of antispoofing difficult.

Now I know somewhere on the list somebody's going to say "but what if someone breaks into your internet router and redirects your webserver/mailserver/etc segments to networks that the attacker controls." To which one can only answer "That is an attack for which routing-on-the-firewall is irrelevant." Ask what would happen if a router somewhere else on the internet started announcing your publicly-shown internet addresses: it could happen even with a statically routed firewall, could it not?

Remember that an improperly configured firewall is just as unsafe as an improperly configured routing daemon. If you want to run dynamic routing on your firewalls (and I can think of a number of reasons why you would gain benefits from that), you need to configure the routing setup properly. The same is true of FW1: just as you wouldn't put a rule in saying "any any any", you wouldn't configure a routing daemon to promiscuously accept all routing updates (including one's own internal networks) from an *external* router.

-james
-- 
James P. O'Shea III [email protected]
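The two controls the post describes (a neighbor allowlist for *who* may speak, and a content filter that drops our own internal networks and, on an internet-facing box, anything but a default) as a small route-update filter. This is an added illustration, not code from the post or from any routing daemon; the neighbor addresses, internal networks and sample updates are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy; all addresses are hypothetical documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_SPEAKERS = {"192.0.2.1", "192.0.2.2"}   # the upstream routers we peer with
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class RouteUpdate:
    speaker: str   # router the update came from
    prefix: str    # destination it announces


def filter_update(update, trusted=TRUSTED_SPEAKERS, internal=INTERNAL_NETS,
                  default_only=True):
    """Decide whether the daemon should install this update: first *who*
    (neighbor allowlist), then *what* (never our internal nets; optionally
    only a default). Returns (accepted, reason)."""
    if update.speaker not in trusted:
        return False, "speaker not in neighbor allowlist"
    prefix = ipaddress.ip_network(update.prefix, strict=False)
    if prefix == DEFAULT_ROUTE:
        return True, "default route from trusted speaker"
    # Any route covering an internal net (subnet or supernet) would pull internal
    # traffic toward the outside: the hijacked-router case from the post.
    if any(prefix.overlaps(net) for net in internal):
        return False, "covers an internal network"
    if default_only:
        return False, "internet-facing: only a default route is accepted"
    return True, "external route from trusted speaker"


def apply_policy(updates, **policy):
    """Filter every update; return {(speaker, prefix): (accepted, reason)}."""
    return {(u.speaker, u.prefix): filter_update(u, **policy) for u in updates}


# Constructed updates: a hijacked trusted router announcing our internal space,
# an unknown speaker offering a default, and a legitimate default.
SAMPLE_UPDATES = [
    RouteUpdate("192.0.2.1", "0.0.0.0/0"),
    RouteUpdate("192.0.2.1", "10.20.0.0/16"),    # hijack: our own internal net
    RouteUpdate("192.0.2.1", "10.0.0.0/7"),      # hijack via a covering supernet
    RouteUpdate("198.51.100.9", "0.0.0.0/0"),    # not a configured neighbor
    RouteUpdate("192.0.2.2", "203.0.113.0/24"),  # external net, dropped when default-only
]

if __name__ == "__main__":
    for (spk, pfx), (ok, why) in apply_policy(SAMPLE_UPDATES).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {spk:14} {pfx:16} {why}")
```

Only the default from a configured neighbor survives; set `default_only=False` for an interior firewall that should also learn specific external routes.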