[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] OSPF on a firewall. Good? Bad? What?
At some point that border of trust becomes meaningless..usually your ISP's gateway router. -----Original Message----- From: [email protected] [mailto:[email protected]]On Behalf Of Enno Rey Sent: August 26, 2001 8:07 AM To: Chris Koger Cc: Fw-1-Mailinglist Subject: Re: [FW1] OSPF on a firewall. Good? Bad? What? Hi, I really do _not_ like the idea (belonging to the first school of thought you mentioned), but if you came to the conclusion it's worth using it you should definitely follow the guidelines in www.liquifried.com/docs/security/securingospf.html www.sans.org/infosecFAQ/protocols/RIP.htm The two most important things to do are 1.) configure neighbors to accept LSAs from 2.) use MD5 authentication (AFAIK the windows based OSPF implementation in RRAS does not implement MD5 authentication, but I assume you are'nt using windows as your platform anyway ;-)) Always consider: if you use OSPF on your bastion host(s) you enable them to take decisions (on forwarding traffic) based on information they got from other devices. You thereby move the 'border of trust'. In short: maybe you trust your bastion host (you configured it according to your policy etc.). But do you trust those other boxes? Do they implement the same sec policy? Are they configured with the same level of diligence? ... HTH, Enno Rey [email protected] --- www.security-academy.de PGP 74C0 C7E1 3875 E4EB 9B75 8B9D 5E2D 3178 685B F222 To: "Fw-1-Mailinglist" <[email protected]> Sent: Friday, August 24, 2001 11:32 AM Subject: [FW1] OSPF on a firewall. Good? Bad? What? > > OK, hello to all and TIA for any advice that you may have. > > There seems to be two schools of thought on the subject of dynamic routing > protocols on firewalls. The first says that firewalls should be purely > static and that dynamic protocols such as OSPF, IGMP, and RIP break that > principal. And, that they have the potential to pose a security risk by > allowing an intruder to break in to the routing tables and perhaps send data > somewhere it should not go, or gain intimate knowledge of the internal > network structure. > > The second says that a routing protocol such as OSPF, and the like, assist > in the administration of internal routing and that running them on the > internal interface of a firewall is no different than running them on the > hub routers. This school of thought seems to feel that the likelihood of > someone breaking in to a routing table by exploiting OSPF may not even be > possible, and that even if it is, running it on the firewall isn't going to > make any difference. > > I have been asked for my opinion on this matter and although I know both > schools of thought well, I tend to agree with the first making a firewall a > purely static device. Aside from the usual someone could do this or that, > could some of you give me some firepower to either help me defend this > stance or good reasons why I should abandon it? Does anyone have any > experience with problems that arose from actually running one of these > protocols (specifically OSPF) on a firewall and perhaps the consequences > that were incurred? > > Again, thanks for any input that any of you may have, and I am open to > discussion on the topic if anyone has some input. > > Chris Koger > > > > ============================================================================ ==== > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ============================================================================ ==== > ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|