RE: [FW1] OSPF on a firewall. Good? Bad? What?




At some point that border of trust becomes meaningless... usually your ISP's
gateway router.


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Enno Rey
Sent: August 26, 2001 8:07 AM
To: Chris Koger
Cc: Fw-1-Mailinglist
Subject: Re: [FW1] OSPF on a firewall. Good? Bad? What?




Hi,

I really do _not_ like the idea (belonging to the first school of thought
you mentioned), but if you came to the conclusion it's worth using it, you
should definitely follow the guidelines in

www.liquifried.com/docs/security/securingospf.html

www.sans.org/infosecFAQ/protocols/RIP.htm

The two most important things to do are

1.) configure neighbors to accept LSAs from
2.) use MD5 authentication    (AFAIK the Windows-based OSPF implementation
in RRAS does not implement MD5 authentication, but I assume you aren't using
Windows as your platform anyway ;-))

Always consider: if you use OSPF on your bastion host(s) you enable them to
take decisions (on forwarding traffic) based on information they got from
other devices. You thereby move the 'border of trust'. In short: maybe you
trust your bastion host (you configured it according to your policy etc.).
But do you trust those other boxes? Do they implement the same sec policy?
Are they configured with the same level of diligence? ...

HTH,

Enno Rey

[email protected] --- www.security-academy.de
PGP 74C0 C7E1 3875 E4EB 9B75  8B9D 5E2D 3178 685B F222

To: "Fw-1-Mailinglist" <[email protected]>
Sent: Friday, August 24, 2001 11:32 AM
Subject: [FW1] OSPF on a firewall. Good? Bad? What?


>
> OK, hello to all and TIA for any advice that you may have.
>
> There seem to be two schools of thought on the subject of dynamic routing
> protocols on firewalls.  The first says that firewalls should be purely
> static and that dynamic protocols such as OSPF, IGMP, and RIP break that
> principle.  And, that they have the potential to pose a security risk by
> allowing an intruder to break into the routing tables and perhaps send data
> somewhere it should not go, or gain intimate knowledge of the internal
> network structure.
>
> The second says that a routing protocol such as OSPF, and the like, assists
> in the administration of internal routing and that running them on the
> internal interface of a firewall is no different than running them on the
> hub routers.  This school of thought seems to feel that the likelihood of
> someone breaking into a routing table by exploiting OSPF may not even be
> possible, and that even if it is, running it on the firewall isn't going to
> make any difference.
>
> I have been asked for my opinion on this matter and although I know both
> schools of thought well, I tend to agree with the first, making a firewall a
> purely static device.  Aside from the usual someone could do this or that,
> could some of you give me some firepower to either help me defend this
> stance or good reasons why I should abandon it?  Does anyone have any
> experience with problems that arose from actually running one of these
> protocols (specifically OSPF) on a firewall and perhaps the consequences
> that were incurred?
>
> Again, thanks for any input that any of you may have, and I am open to
> discussion on the topic if anyone has some input.
>
> Chris Koger
>
>
>
>



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
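What Enno's two controls look like on the receiving side, as an added example (not code from any post in this thread, from Check Point, or from a router vendor): a Python receiver that drops OSPFv2 packets whose Router ID is not in a configured neighbour list, refuses anything but cryptographic authentication, verifies the keyed-MD5 digest as RFC 2328 Appendix D defines it (MD5 over the packet with the 16-byte key appended, the digest carried after the packet and outside the length field), and rejects a cryptographic sequence number lower than the last one accepted from that neighbour. The router IDs, key and Hello packets are constructed for the example.

```python
"""Receiver-side checks for OSPFv2 packets: accept routing traffic only from
configured neighbours, require cryptographic (keyed MD5) authentication, and
enforce the per-neighbour sequence number that guards against replay."""
import hashlib
import hmac
import struct

# OSPFv2 header, RFC 2328 A.3.1: version, type, length, router id, area id,
# checksum, AuType (16 bytes), followed by the 8-byte Authentication field.
OSPF_HEADER = struct.Struct("!BBHIIHH")
# Authentication field for AuType 2, RFC 2328 D.3: zero, key id, auth data
# length, cryptographic sequence number.
AUTH_FIELD = struct.Struct("!HBBI")
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16


def _digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet with the key appended; the key is
    zero-padded (or truncated) to 16 bytes as in D.3."""
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]).digest()


def build_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Build an OSPFv2 packet with cryptographic authentication.  The checksum
    field is zero for AuType 2 and the digest follows the packet, outside the
    length field."""
    length = OSPF_HEADER.size + AUTH_FIELD.size + len(body)
    packet = (OSPF_HEADER.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTO)
              + AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + body)
    return packet + _digest(packet, key)


class OspfReceiver:
    """Per-interface receive state: configured neighbours, key table and the
    highest cryptographic sequence number accepted from each neighbour."""

    def __init__(self, neighbors, keys):
        self.neighbors = set(neighbors)   # router ids we are willing to hear from
        self.keys = dict(keys)            # key id -> key bytes
        self.last_seq = {}                # router id -> last accepted sequence number

    def accept(self, raw):
        """Return (ok, reason) for a raw OSPF packet as read from the wire."""
        if len(raw) < OSPF_HEADER.size + AUTH_FIELD.size:
            return False, "truncated header"
        version, _ptype, length, router_id, _area, csum, autype = OSPF_HEADER.unpack_from(raw)
        if version != 2:
            return False, "not OSPFv2"
        # Control 1: only configured neighbours may feed us routing information.
        if router_id not in self.neighbors:
            return False, "router id %#010x is not a configured neighbor" % router_id
        # Control 2: refuse null and simple-password authentication outright.
        if autype != AUTYPE_CRYPTO:
            return False, "AuType %d refused, cryptographic authentication required" % autype
        if csum != 0 or len(raw) < length + DIGEST_LEN:
            return False, "malformed authenticated packet"
        _zero, key_id, auth_len, seq = AUTH_FIELD.unpack_from(raw, OSPF_HEADER.size)
        key = self.keys.get(key_id)
        if auth_len != DIGEST_LEN or key is None:
            return False, "unknown key id %d" % key_id
        packet, received = raw[:length], raw[length:length + DIGEST_LEN]
        if not hmac.compare_digest(received, _digest(packet, key)):
            return False, "digest mismatch"
        # RFC 2328 D.4.3: the sequence number must not go backwards for a given
        # neighbour, so a captured packet cannot simply be replayed later.
        if seq < self.last_seq.get(router_id, 0):
            return False, "replayed sequence number %d" % seq
        self.last_seq[router_id] = seq
        return True, "accepted"


def demo():
    """Run the checks over constructed packets; returns {case: (ok, reason)}."""
    key = b"constructed-key"                         # sample key, not a real secret
    rx = OspfReceiver(neighbors=[0x0A000001, 0x0A000002], keys={1: key})
    # Hello body, RFC 2328 A.3.2: mask, hello interval, options, priority,
    # dead interval, DR, BDR (no neighbours listed yet).
    hello = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    good = build_packet(1, 0x0A000001, 0, hello, 1, key, 100)
    forged = bytearray(good)
    forged[-DIGEST_LEN - 1] ^= 0xFF                  # tamper with the BDR field
    stranger = build_packet(1, 0x0A000099, 0, hello, 1, key, 100)
    wrong_key = build_packet(1, 0x0A000002, 0, hello, 1, b"guess", 100)
    length = OSPF_HEADER.size + AUTH_FIELD.size + len(hello)
    # AuType 0 packet (checksum left at zero; it is rejected before that matters).
    null_auth = OSPF_HEADER.pack(2, 1, length, 0x0A000002, 0, 0, 0) + bytes(8) + hello
    return {
        "good": rx.accept(good),
        "replay": rx.accept(build_packet(1, 0x0A000001, 0, hello, 1, key, 50)),
        "forged": rx.accept(bytes(forged)),
        "stranger": rx.accept(stranger),
        "wrong_key": rx.accept(wrong_key),
        "null_auth": rx.accept(null_auth),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-10s %s  %s" % (case, "ACCEPT" if ok else "DROP", reason))
```

On a real firewall the neighbour check corresponds to a packet filter that permits IP protocol 89 only from the listed peer addresses, plus `passive-interface` (or the equivalent) on every interface that must never form an adjacency; the digest check is what `ip ospf authentication message-digest` with an `ip ospf message-digest-key` turns on in IOS-style configurations. Two caveats: RFC 2328 keyed MD5 is not an HMAC and depends on the sequence number for replay protection, and RFC 5709 later added HMAC-SHA authentication for OSPFv2, which is the option to prefer where both ends support it.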



 
   All contents © 2004 Network Presence, LLC. All rights reserved.