On Tue, 12 Sep 2000, Jack Coates wrote:
> The vulnerability is that it's a service that doesn't need to be
> there,
Okay, then doesn't your rainwall software fall into the same category?
E.g. I can achieve load balancing and HA with external load-balancing
switches. This means I don't need the rainwall service on my firewall.
At least with gated or zebra I get source code to review.
> and installing services that don't need to be there in order to work
> around problems that exist elsewhere (e.g., internal addressing is
> such a mess that the firewall can't get by with a few static routes)
Maybe the routing protocol is being used to:
o provide a default route between two HA firewalls (irdp)
o run BGP to two different providers,
o provide failover between two firewalls and a pair of border/choke
routers (OSPF)
Basically, just because you run a dynamic routing protocol doesn't mean
you are "working around problems."
> is a bad idea. So you spend some time securing the service -- wouldn't
> that time be better spent in fixing the internal address space?
Once again, you are making an assumption on why the routing daemon is
being run.
- brett
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
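As an added illustration of the third use case in the post above (a firewall pair failing over with a pair of border/choke routers over OSPF), here is an ospfd configuration in the Zebra/Quagga syntax, written so that the routing daemon is only reachable where it has to be. This is an editor's example, not code from the thread, from Rainwall, or from the zebra project; the interface names, addresses, area number and key are placeholders.

```text
! ospfd.conf (hypothetical example; eth0/eth1/eth2, 192.0.2.0/29 and the
! key are placeholders). eth1 is the transit segment shared with the
! partner firewall and the two border routers; eth0 is inside, eth2 outside.
!
interface eth1
 description transit segment to partner firewall and border routers
 ! every hello on this segment carries an MD5 digest; an unauthenticated
 ! or wrongly keyed neighbour never reaches the adjacency state
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_SECRET
 ! short timers so a dead firewall or router is noticed in seconds
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 ospf router-id 192.0.2.1
 ! run OSPF only on the transit segment; no other interface is listed,
 ! so no other interface is advertised or forms adjacencies
 network 192.0.2.0/29 area 0.0.0.0
 ! belt and braces: the inside and outside interfaces neither send nor
 ! accept hellos even if a network statement later matches them
 passive-interface eth0
 passive-interface eth2
 ! require message-digest authentication for the whole area
 area 0.0.0.0 authentication message-digest
!
```

The point of the example is the check Brett's argument implies: if a routing daemon is on the firewall for a reason, the review is of how far it is exposed, not only of whether it is present. With the configuration above the daemon speaks only on eth1 and only to peers holding the key; the host packet filter should match it by accepting IP protocol 89 on eth1 alone, from the peer addresses alone, and dropping it on every other interface. BGP to two providers (the second use case) calls for the equivalent controls in bgpd: an explicit neighbour list with passwords, and no listener on interfaces that face no peer.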