At 3:42 PM -0500 8/24/01, Robert C. Wessel wrote:
>Well, so long as the (interior) dynamic routing protocol is solidly blocked
>at the router at the edge of your network, *my* opinion is that it doesn't
>make too much difference.  I'd be pretty hesitant to run BGP on a firewall
>though...


I've heard this sort of argument back and forth for years, and it 
seems like folks overlook a few basics.

1) routing updates, like IP traffic generally, are *filterable*. Thus 
you would configure a dynamic routing daemon running on the firewall 
just as you would configure a firewall rule, permitting only certain 
speakers to be heard.  In point of fact you have *more* control, 
because with any reasonable routing daemon you have control over not 
only *who* you listen to, but *what content* you would accept from 
that speaker. Thus your customer-site internet router a.b.c.d could 
be hijacked and spend its days happily announcing your internal 
networks to your firewall, but the routing daemon rightly should only 
listen to non-internal route updates from that source, and would 
ignore the updates for routes pertaining to the internal network.

2) for internet-facing systems, most often the only dynamic route you 
want to hear is a default from multiple routers, simple to accept 
only "0.0.0.0" in most routing daemon configs, and ignore all other 
updates.

3) I'm not sure how the earlier comment on antispoofing comes into 
this - antispoofing is configured based upon the firewall owner's 
complete knowledge of the full set of 'internal' networks - i.e. 
those which should never appear on the outside interface of a 
firewall as *source* addresses. I'm not seeing where the source of 
one's routing updates would break or make configuration of 
antispoofing difficult.

Now I know somewhere on the list somebody's going to say "but what if 
someone breaks into your internet router and redirects your 
webserver/mailserver/etc segments to networks that the attacker 
controls." To which one can only answer "That is an attack for which 
routing-on-the-firewall is irrelevant" - Ask what would happen if a 
router somewhere else on the internet started announcing your 
publicly-shown internet addresses - it could happen even with a 
statically routed firewall, could it not?

Remember that an improperly configured firewall is just as unsafe as 
an improperly configured routing daemon. If you want to run dynamic 
routing on your firewalls (and I can think of a number of reasons why 
you would gain benefits from that), you need to configure the 
routing setup properly -- the same is true of FW1 - just as you 
wouldn't put a rule in saying "any any any", you wouldn't configure 
a routing daemon to promiscuously accept all routing updates 
(including one's own internal networks) from an *external* router.

-james

>
>OTOH, setting up the static routes for a typical firewall isn't usually
>that much work, and if you're using NAT, you probably need some anyway, so...
>
>-Robert
>
>At 05:32 AM 8/24/01 -0400, Chris Koger wrote:
>>
>>OK, hello to all and TIA for any advice that you may have.
>>
>>There seems to be two schools of thought on the subject of dynamic routing
>>protocols on firewalls.  The first says that firewalls should be purely
>>static and that dynamic protocols such as OSPF, IGMP, and RIP break that
>>principle.  And, that they have the potential to pose a security risk by
>>allowing an intruder to break in to the routing tables and perhaps send data
>>somewhere it should not go, or gain intimate knowledge of the internal
>>network structure.
>>
>>The second says that a routing protocol such as OSPF, and the like, assist
>>in the administration of internal routing and that running them on the
>>internal interface of a firewall is no different than running them on the
>>hub routers.  This school of thought seems to feel that the likelihood of
>>someone breaking in to a routing table by exploiting OSPF may not even be
>>possible, and that even if it is, running it on the firewall isn't going to
>>make any difference.
>>
>>I have been asked for my opinion on this matter and although I know both
>>schools of thought well, I tend to agree with the first making a firewall a
>>purely static device.  Aside from the usual someone could do this or that,
>>could some of you give me some firepower to either help me defend this
>>stance or good reasons why I should abandon it?  Does anyone have any
>>experience with problems that arose from actually running one of these
>>protocols (specifically OSPF) on a firewall and perhaps the consequences
>>that were incurred?
>>
>>Again, thanks for any input that any of you may have, and I am open to
>>discussion on the topic if anyone has some input.
>>
>>Chris Koger
>>
>>
>>
>>================================================================================
>>      To unsubscribe from this mailing list, please see the instructions at
>>                http://www.checkpoint.com/services/mailing.html
>>================================================================================
>>
>>


-- 
James P. O'Shea III
[EMAIL PROTECTED]
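The two-layer filter James describes above (first *who* may speak, then *what* content is accepted from them), together with his default-only and antispoofing points, modelled as an added Python example that is not part of the original thread; the peer addresses and internal networks are constructed sample values, and the daemon API is a hypothetical stand-in for a real routing daemon's prefix filters:

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: the firewall owner's complete list of internal
# networks, and the only external routers the daemon may listen to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_PEERS = {"198.51.100.1", "198.51.100.2"}   # hypothetical ISP routers
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Update:
    peer: str      # speaker that sent the update
    prefix: str    # announced destination, e.g. "10.0.0.0/8"
    nexthop: str

def filter_update(u, default_only=True):
    """Filter one update first by *who* speaks, then by *what* they say.
    Returns (accepted, reason)."""
    if u.peer not in ALLOWED_PEERS:
        return False, "speaker not permitted"
    net = ipaddress.ip_network(u.prefix, strict=False)
    if net == DEFAULT_ROUTE:
        return True, "default route from permitted speaker"
    # Never learn our own internal networks (or a prefix covering them)
    # from an external router, even a trusted one that has been hijacked.
    if any(net.overlaps(i) for i in INTERNAL_NETS):
        return False, "internal prefix announced from outside"
    if default_only:
        return False, "internet-facing side accepts only the default"
    return True, "accepted"

def learn_routes(updates, default_only=True):
    """Apply the filter to a batch of updates; returns (table, decision log)."""
    table, log = {}, []
    for u in updates:
        ok, why = filter_update(u, default_only)
        log.append((u.peer, u.prefix, ok, why))
        if ok:
            table.setdefault(u.prefix, set()).add(u.nexthop)
    return table, log

def is_spoofed_source(src_ip):
    """Antispoofing reuses INTERNAL_NETS: an internal source address arriving
    on the outside interface should never be seen, so it is spoofed."""
    return any(ipaddress.ip_address(src_ip) in i for i in INTERNAL_NETS)
```

With `default_only=True` a hijacked but permitted peer announcing `10.1.0.0/16` is rejected on content, while an unknown speaker is rejected before its content is even examined.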