
Re: [FW-1] Ramifications of running RIP on FW-1 box


The behavior you observed with static routes is true of all IP routing platforms that I'm aware of.  Static routes were never designed for failover based on external events; you have rightly noted that a routing protocol is required to perform the task. 

RIPv2 supports authentication via simple auth (cleartext) and MD5. MD5 would be preferred from a security perspective, and would greatly decrease the likelihood of someone (even with physical access and a sniffer) polluting your routing table.

Or, better still, have the provider migrate their network to OSPF :)

HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for Your Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
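As an added illustration of the difference between the two RIPv2 authentication modes mentioned above (this is example code written for this page, not Dan's, Check Point's or the provider's code): the keyed-MD5 scheme of RFC 2082 puts an authentication entry at the front of the packet and a digest trailer at the end, and the digest is computed with the shared secret padded into the trailer slot, so a sniffer sees the digest but never the key and cannot produce a valid one for altered routes. The simple scheme carries the 16-octet password as-is. The packet layout, the constructed key `feed-key`, the route list and the function names are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Field values from RFC 2453 (RIPv2) and RFC 2082 (RIPv2 keyed-MD5 authentication).
RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_AUTH = 0xFFFF          # address family that marks an authentication entry
AUTH_SIMPLE = 2            # cleartext password, 16 octets
AUTH_MD5 = 3               # keyed MD5: header entry up front, digest trailer at the end
AUTH_TRAILER = 1           # auth type carried by the trailing digest entry
RTE_LEN = 20               # every RIPv2 entry, authentication entries included, is 20 octets
DIGEST_LEN = 16
HDR_LEN = 4                # command, version, two unused octets


def _key_block(key: bytes) -> bytes:
    """RFC 2082 pads the shared secret with zeros to 16 octets."""
    if len(key) > DIGEST_LEN:
        raise ValueError("key must be at most 16 octets")
    return key.ljust(DIGEST_LEN, b"\x00")


def _pack_rte(prefix, mask, next_hop, metric):
    return struct.pack("!HH4s4s4sI", 2, 0,            # AF_INET, route tag 0
                       ipaddress.ip_address(prefix).packed,
                       ipaddress.ip_address(mask).packed,
                       ipaddress.ip_address(next_hop).packed, metric)


def build_md5_response(routes, key, key_id, seq):
    """Build a RIPv2 Response carrying (prefix, mask, next_hop, metric) routes,
    authenticated with keyed MD5 as RFC 2082 describes (layout assumed here)."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    rtes = b"".join(_pack_rte(*r) for r in routes)
    trailer_offset = HDR_LEN + RTE_LEN + len(rtes)   # where the digest entry will start
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, trailer_offset,
                             key_id, DIGEST_LEN, seq, b"\x00" * 8)
    body = header + auth_entry + rtes
    trailer_head = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # The digest covers everything up to the trailer header, with the padded key
    # standing in where the digest will go; the key itself never goes on the wire.
    digest = hashlib.md5(body + trailer_head + _key_block(key)).digest()
    return body + trailer_head + digest


def verify_md5_response(packet, keys, last_seq):
    """Check a received RIPv2 packet against a table of {key_id: secret}.
    last_seq is a dict of the last accepted sequence number per key id and is
    updated on success. Returns (accepted, reason, routes)."""
    if len(packet) < HDR_LEN + 2 * RTE_LEN:
        return False, "packet too short", []
    afi, atype, trailer_offset, key_id, auth_len, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or auth_len != DIGEST_LEN:
        return False, "no MD5 authentication entry", []
    if trailer_offset + RTE_LEN != len(packet) or (trailer_offset - HDR_LEN - RTE_LEN) % RTE_LEN:
        return False, "bad trailer offset", []
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id, []
    body, trailer = packet[:trailer_offset], packet[trailer_offset:]
    if struct.unpack("!HH", trailer[:4]) != (AFI_AUTH, AUTH_TRAILER):
        return False, "malformed trailer", []
    expected = hashlib.md5(body + trailer[:4] + _key_block(key)).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return False, "digest mismatch", []
    # RFC 2082 replay protection: sequence numbers must not go backwards
    # (zero is allowed so a neighbour can restart).
    if seq != 0 and seq < last_seq.get(key_id, 0):
        return False, "replayed sequence number", []
    last_seq[key_id] = seq
    routes = []
    for off in range(HDR_LEN + RTE_LEN, trailer_offset, RTE_LEN):
        _af, _tag, p, m, nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + RTE_LEN])
        routes.append((str(ipaddress.ip_address(p)), str(ipaddress.ip_address(m)),
                       str(ipaddress.ip_address(nh)), metric))
    return True, "ok", routes


def simple_auth_password(packet):
    """Return the password from a simple-authentication entry, or None.
    Nothing protects it: whoever captures the packet reads it as-is."""
    afi, atype, pw = struct.unpack("!HH16s", packet[4:24])
    if afi != AFI_AUTH or atype != AUTH_SIMPLE:
        return None
    return pw.rstrip(b"\x00")


if __name__ == "__main__":
    keys = {1: b"feed-key"}                      # constructed shared secret
    feed = [("10.20.0.0", "255.255.0.0", "0.0.0.0", 1)]
    pkt = build_md5_response(feed, keys[1], 1, 11)
    print(verify_md5_response(pkt, keys, {}))
    bad = pkt[:43] + b"\x05" + pkt[44:]          # metric altered in flight
    print(verify_md5_response(bad, keys, {}))
```

Run as a script it accepts the authentic packet and rejects the one whose metric was changed after the digest was computed; the sequence-number check is what stops an old but validly signed update from being replayed. The `hmac.compare_digest` call is deliberate: a plain `==` on digests leaks timing, and the cost of doing it right is one function name.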


-----Original Message-----
From: Grabowski, David [mailto:[email protected]]
Sent: Friday, April 12, 2002 11:16 AM
To: [email protected]
Subject: [FW-1] Ramifications of running RIP on FW-1 box


One of our firewall interfaces connects to a particular private data
feed. This feed actually comes in through two routers and two different
point-to-point connections -- one is considered 'primary' and the other
'secondary'.

We wanted to simply add static routes on our IP440's (IPSO 3.4.2, FW-1
4.1 NG FP1, VRRP), and prioritize them so that the 'primary' link would
be the link chosen first. However, it appears that the IPSO handles
route priority differently than we would expect -- the only time that a
lower-priority route gets used is if a physical interface ON THE
FIREWALL fails. So, if you've got two routes that are going out the same
interface, the second route will never be used.

The provider is running RIP, and from what I can tell (so far), they are
advertising the routes appropriately. I enabled RIP on the 'backup'
firewall, and it dutifully learned the routes.

Obviously, running a routing protocol on a firewall is a pretty scary
thing. Our other option would be to front-end our firewalls with two
border routers, and have them run HSRP on the firewall side and RIP on
the external side. Although perhaps a better solution, from what I've
learned so far about RIP support on the IPSO platform, I can limit RIP
to 1) a specific interface, and 2) learn only specific routes through
that interface. The worst thing that I can see in this scenario is
somehow somebody polluting the RIP packets, and we'd lose connectivity
to this one particular feed.

Anyone have any opinions or experience?

---------------------------------------------------
David Grabowski
Mizuho Securities USA
