Re: [FW1] OSPF on a firewall. Good? Bad? What?

["James P. O'Shea III" <jposhea3@FW1-NOSPAMpanix.com>]

At 3:42 PM -0500 8/24/01, Robert C. Wessel wrote:
> Well, so long as the (interior) dynamic routing protocol is solidly blocked
> at the router at the edge of your network, *my* opinion is that is doesn't
> make too much difference.  I'd be pretty hesitant to run BGP on a firewall
> though...


I've heard this sort of argument back and forth for years, and it 
seems like folks overlook a few basics.

1) routing updates, like IP traffic generally, are *filterable*. Thus 
you would configure a dynamic routing daemon running on the firewall 
just as you would configure a firewall rule, permitting only certain 
speakers to be heard.  In point of fact you have *more* control, 
because with any reasonable routing daemon you have control over not 
only *who* you listen to, but *what content* you would accept from 
that speaker. Thus your customer-site internet router a.b.c.d could 
be hijacked and spend its days happily announcing your internal 
networks to your firewall, but the routing daemon rightly should only 
listen to non-internal route updates from that source, and would 
ignore the updates for routes pertaining to the internal network.

2) for internet-facing systems, most often the only dynamic route you 
want to hear is a default from multiple routers, simple to accept 
only "0.0.0.0" in most routing daemon configs, and ignore all other 
updates.

3) I'm not sure how the earlier comment on antispoofing comes into 
this - antispoofing is configured based upon the firewall owner's 
complete knowledge of the full set of 'internal' networks - i.e. 
those which should never appear on the outside interface of a 
firewall as *source* addresses. I'm not seeing where the source of 
one's routing updates would break or make configuration of 
antispoofing difficult.

Now I know somewhere on the list somebody's going to say "but what if 
someone breaks into your internet router and redirects your 
webserver/mailserver/etc segments to networks that they attacker 
controls. To which one can only answer "That is an attack for which 
routing-on-the-firewall is irrelevant" - Ask what would happen if a 
router somewhere else on the internet started announcing your 
publicly-shown internet addresses - it could happen even with a 
statically routed firewall could it not?

Remember that an improperly configured firewall is just as unsafe as 
an improperly configured routing daemon. If you want to run dynamic 
routing on your firewalls (and I can think of a number of reasons why 
you would gain benefits from that), you need to configure the 
routing setup properly -- the same is true of FW1 - just as you 
wouldn't put a rule in saying "any any any", you wouldn't configured 
a routing daemon to promiscuosly accept all routing updates 
(including one's own internal networks) from an *external* router.

-james





> OTOH, setting up the static routes for a typical firewall isn't usually
> that much work, and if you're using NAT, you probably need some anyway, so...
>
> -Robert
>
> At 05:32 AM 8/24/01 -0400, Chris Koger wrote:
> > OK, hello to all and TIA for any advice that you may have.
> >
> > There seems to be two schools of thought on the subject of dynamic routing
> > protocols on firewalls.  The first says that firewalls should be purely
> > static and that dynamic protocols such as OSPF, IGMP, and RIP break that
> > principal.  And, that they have the potential to pose a security risk by
> > allowing an intruder to break in to the routing tables and perhaps send data
> > somewhere it should not go, or gain intimate knowledge of the internal
> > network structure.
> >
> > The second says that a routing protocol such as OSPF, and the like, assist
> > in the administration of internal routing and that running them on the
> > internal interface of a firewall is no different than running them on the
> > hub routers.  This school of thought seems to feel that the likelihood of
>  >someone breaking in to a routing table by exploiting OSPF may not even be
> > possible, and that even if it is, running it on the firewall isn't going to
> > make any difference.
> >
> > I have been asked for my opinion on this matter and although I know both
> > schools of thought well, I tend to agree with the first making a firewall a
> > purely static device.  Aside from the usual someone could do this or that,
> > could some of you give me some firepower to either help me defend this
> > stance or good reasons why I should abandon it?  Does anyone have any
> > experience with problems that arose from actually running one of these
> > protocols (specifically OSPF) on a firewall and perhaps the consequences
> > that were incurred?
> >
> > Again, thanks for any input that any of you may have, and I am open to
> > discussion on the topic if anyone has some input.
> >
> > Chris Koger
> >
> >
> >
> > ===========================================================================
> =====
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ===========================================================================
> =====
> >
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


--
James P. O'Shea III
jposhea3@panix.com



================================================================================
    To unsubscribe from this mailing list, please see the instructions at
              http://www.checkpoint.com/services/mailing.html
================================================================================