RE: [fw-wiz] Dynamic routing on a firewall

From: Alan Holmes (alan_at_tympaniinc.com)
Date: 11/28/03

  • Next message: Ben Nagy: "RE: [fw-wiz] Dynamic routing on a firewall"
    To: "'Dawes, Rogan (ZA - Johannesburg)'" <rdawes@deloitte.co.za>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 28 Nov 2003 16:06:00 -0600
    
    

    Short answer: NO! Do not let the firewall participate in routing protocols.

    Long answer: sometimes you have to. If so, the security is a function of
    the security features in the routing protocol, e.g. OSPF supports
    authentication. A firewall cannot really do much more than the security
    features built into the routing protocol.

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Dawes,
    Rogan (ZA - Johannesburg)
    Sent: Friday, November 28, 2003 3:39 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Dynamic routing on a firewall

    Hi,

    I just wanted to pick the list's brain with regards to dynamic routing
    on a firewall.

    Is it a good idea to allow a firewall to participate in dynamic routing?
    My first thoughts are that it sounds like a really dangerous thing -
    you certainly don't want to have routes changing so that a DMZ moves
    from one interface to a different one, for instance.

    But if the routing can be controlled so that traffic always goes through
    the right interface (but possibly to a different upstream router), that
    should be OK, I would think.

    What mechanisms do the various firewalls (mostly interested in Pix and
    FW-1) have to sanity-check routing updates that they receive?

    A (simplistic) scenario that could illustrate my concerns:

    You have a firewall controlling access to third parties (competitors)
    which provide services to your company. Each party is in their own DMZ.
    You have dynamic routing enabled on the firewall, since there are two
    redundant routers for each party in each party's DMZ, and you need to be
    able to fail over from one to the other.

    Party A sends a routing update to say that party B is now reachable via
    Party A's networks. Any packets that you try to send to party B end up
    going to Party A, where they can be captured, etc.

    Leaving out the question of how A gets the packets to B eventually, to
    complete the connection, is this a realistic scenario? How can one
    protect against something like this, using the abovementioned firewalls,
    if one still chooses to use dynamic routing?

    Rogan

    -- 
    "Using encryption on the Internet is the equivalent of arranging an 
    armored car to deliver credit card information from someone living 
    in a cardboard box to someone living on a park bench."
      - Gene Spafford
    -- 
    Deloitte & Touche Security Services Group
    Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
    -- 
    Important Notice: This email is subject to important restrictions,
    qualifications and disclaimers ("the Disclaimer") that must be accessed
    and read by clicking here or by copying and pasting the following
    address into your Internet browser's address bar:
    http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form
    part of the content of this email in terms of Section 11 of the
    Electronic Communications and Transactions Act, 25 of 2002. If you
    cannot access the Disclaimer, please obtain a copy thereof from us by
    sending an email to ClientServiceCentre@Deloitte.co.za.
    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
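
The check Rogan asks about, as an added example that is not part of either message above and not taken from PIX or FW-1: a model of a firewall that only accepts a routing update when it is authenticated with the key for the interface it arrived on and the advertised prefix is one that interface is allowed to originate. Interface names, addresses and keys are made up, and HMAC-SHA256 stands in for the protocol's own keyed authentication (OSPF uses a different keyed-MD5 construction). It shows Alan's point in practice: authentication alone does not stop Party A from advertising Party B's network, because Party A legitimately holds its own key; the per-interface prefix filter is what catches that update, while a failover to Party A's second router on the same interface still goes through.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    iface: str      # firewall interface the update arrived on
    neighbor: str   # address of the router that sent it
    prefix: str     # advertised destination network
    digest: bytes   # keyed digest over (iface, neighbor, prefix)


# Hypothetical per-interface keys, standing in for the routing protocol's
# per-interface cryptographic authentication key.
IFACE_KEYS = {
    "dmz-a": b"party-a-key",
    "dmz-b": b"party-b-key",
}

# The only prefixes that neighbours on each interface may originate (hypothetical).
PERMITTED = {
    "dmz-a": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz-b": [ipaddress.ip_network("10.20.0.0/16")],
}

# The two redundant routers expected on each interface (hypothetical addresses).
NEIGHBORS = {
    "dmz-a": {"192.0.2.2", "192.0.2.3"},
    "dmz-b": {"198.51.100.2", "198.51.100.3"},
}


def sign(iface, neighbor, prefix, key):
    """Keyed digest a legitimate router attaches to its update."""
    msg = f"{iface}|{neighbor}|{prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def validate(update):
    """Return (accepted, reason) for one received update."""
    key = IFACE_KEYS.get(update.iface)
    if key is None:
        return False, "routing not enabled on this interface"
    expected = sign(update.iface, update.neighbor, update.prefix, key)
    if not hmac.compare_digest(expected, update.digest):
        return False, "authentication failed"
    if update.neighbor not in NEIGHBORS[update.iface]:
        return False, "unknown neighbour"
    net = ipaddress.ip_network(update.prefix)
    if not any(net.subnet_of(allowed) for allowed in PERMITTED[update.iface]):
        return False, f"{update.prefix} may not be learned via {update.iface}"
    return True, "ok"


def apply_updates(updates):
    """Build the route table; an accepted prefix can only ever point out of its own interface."""
    table = {}      # prefix -> (iface, next hop)
    rejected = []   # (update, reason)
    for upd in updates:
        ok, reason = validate(upd)
        if ok:
            table[upd.prefix] = (upd.iface, upd.neighbor)  # failover: next hop may change
        else:
            rejected.append((upd, reason))
    return table, rejected


def scenario():
    """Constructed sequence of updates illustrating the concern in the original post."""
    a_key, b_key = IFACE_KEYS["dmz-a"], IFACE_KEYS["dmz-b"]
    updates = [
        # Party A's primary router advertises Party A's network: accepted.
        Update("dmz-a", "192.0.2.2", "10.10.0.0/16",
               sign("dmz-a", "192.0.2.2", "10.10.0.0/16", a_key)),
        # Party B's primary router advertises Party B's network: accepted.
        Update("dmz-b", "198.51.100.2", "10.20.0.0/16",
               sign("dmz-b", "198.51.100.2", "10.20.0.0/16", b_key)),
        # Party A's secondary router takes over: next hop changes, interface does not.
        Update("dmz-a", "192.0.2.3", "10.10.0.0/16",
               sign("dmz-a", "192.0.2.3", "10.10.0.0/16", a_key)),
        # Party A claims Party B's network is reachable via Party A: authenticates
        # correctly (A has its own key) but is rejected by the prefix filter.
        Update("dmz-a", "192.0.2.3", "10.20.0.0/16",
               sign("dmz-a", "192.0.2.3", "10.20.0.0/16", a_key)),
        # Forged update without Party A's key: rejected by authentication.
        Update("dmz-a", "192.0.2.3", "10.10.0.0/16", b"\x00" * 32),
    ]
    return apply_updates(updates)


if __name__ == "__main__":
    table, rejected = scenario()
    for prefix, (iface, nh) in table.items():
        print(f"{prefix:16} via {nh} on {iface}")
    for upd, reason in rejected:
        print(f"rejected {upd.prefix} from {upd.neighbor} on {upd.iface}: {reason}")
```

The prefix filter is the part a protocol's authentication cannot give you, and it is also what keeps a DMZ prefix from ever being moved to a different interface: an update is only accepted for prefixes bound to the interface it came in on, so a route can change next hop between the two redundant routers but never change interface.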
    
