Well, so long as the (interior) dynamic routing protocol is solidly blocked
at the router at the edge of your network, *my* opinion is that it doesn't
make too much difference. I'd be pretty hesitant to run BGP on a firewall
though...
OTOH, setting up the static routes for a typical firewall isn't usually
that much work, and if you're using NAT, you probably need some anyway, so...
-Robert
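Robert's condition is that the interior routing protocol never reaches the edge router's outside interface. One way to verify that from logs, as an added example that is not part of the thread: scan iptables-style LOG lines (constructed here, with eth0 assumed to be the Internet-facing interface) for OSPF, IGMP, RIP or BGP traffic arriving from outside, which would mean the edge filter is not doing its job.

```python
import re

# IANA assignments for the protocols named in the thread.
IP_PROTO_NAMES = {89: "OSPF", 2: "IGMP"}          # carried directly on IP
L4_PORT_NAMES = {("UDP", 520): "RIP", ("TCP", 179): "BGP"}

# Constructed sample log (iptables LOG style); eth0 is assumed to face the Internet,
# eth1 the internal network. Addresses are documentation ranges.
SAMPLE_LOG = """\
kernel: EDGE-IN IN=eth0 OUT= SRC=203.0.113.7 DST=224.0.0.5 PROTO=89
kernel: EDGE-IN IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=520 DPT=520
kernel: EDGE-IN IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=40211 DPT=443
kernel: EDGE-IN IN=eth1 OUT= SRC=10.0.0.2 DST=224.0.0.5 PROTO=89
kernel: EDGE-IN IN=eth0 OUT= SRC=203.0.113.3 DST=224.0.0.1 PROTO=2
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S*).*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)


def routing_protocol(proto, dpt):
    """Map the PROTO (and DPT, if any) fields to a dynamic routing protocol name, or None."""
    if proto.isdigit():                      # LOG prints bare numbers for non-TCP/UDP/ICMP
        return IP_PROTO_NAMES.get(int(proto))
    if dpt is not None:
        return L4_PORT_NAMES.get((proto.upper(), int(dpt)))
    return None


def audit(log_text, external_ifaces=("eth0",)):
    """Return (iface, src, protocol) for routing-protocol packets seen on an external interface."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = routing_protocol(m.group("proto"), m.group("dpt"))
        if name and m.group("iface") in external_ifaces:
            hits.append((m.group("iface"), m.group("src"), name))
    return hits


if __name__ == "__main__":
    for iface, src, name in audit(SAMPLE_LOG):
        print(f"{name} from {src} reached {iface}: edge filter is not blocking it")
```

Internal-interface hellos (eth1 above) are ignored on purpose; the check is only about what leaks in from outside.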
At 05:32 AM 8/24/01 -0400, Chris Koger wrote:
>
>OK, hello to all and TIA for any advice that you may have.
>
>There seems to be two schools of thought on the subject of dynamic routing
>protocols on firewalls. The first says that firewalls should be purely
>static and that dynamic protocols such as OSPF, IGMP, and RIP break that
>principle. And, that they have the potential to pose a security risk by
>allowing an intruder to break into the routing tables and perhaps send data
>somewhere it should not go, or gain intimate knowledge of the internal
>network structure.
>
>The second says that a routing protocol such as OSPF, and the like, assist
>in the administration of internal routing and that running them on the
>internal interface of a firewall is no different than running them on the
>hub routers. This school of thought seems to feel that the likelihood of
>someone breaking into a routing table by exploiting OSPF may not even be
>possible, and that even if it is, running it on the firewall isn't going to
>make any difference.
>
>I have been asked for my opinion on this matter and although I know both
>schools of thought well, I tend to agree with the first making a firewall a
>purely static device. Aside from the usual someone could do this or that,
>could some of you give me some firepower to either help me defend this
>stance or good reasons why I should abandon it? Does anyone have any
>experience with problems that arose from actually running one of these
>protocols (specifically OSPF) on a firewall and perhaps the consequences
>that were incurred?
>
>Again, thanks for any input that any of you may have, and I am open to
>discussion on the topic if anyone has some input.
>
>Chris Koger
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================