Re: [fw-wiz] Dynamic routing on a firewall

From: Paul Robertson (
Date: 11/29/03

  • Next message: Chris Ditri: "[fw-wiz] Linux Bridge/Firewall"
    To: "Dawes, Rogan (ZA - Johannesburg)" <>
    Date: Fri, 28 Nov 2003 18:53:52 -0500 (EST)

    On Fri, 28 Nov 2003, Dawes, Rogan (ZA - Johannesburg) wrote:

    > Hi,
    > I just wanted to pick the list's brain with regards to dynamic routing on a
    > firewall.
    > Is it a good idea to allow a firewall to participate in dynamic routing? My
    > first thoughts are that it sounds like a really dangerous thing - you
    > certainly don't want to have routes changing so that a DMZ moves from one
    > interface to a different one, for instance.

    That's a part of it, the other piece of it is that dynamic routing
    protocols are complex animals, and complexity leads to bugs.

    > What mechanisms do the various firewalls (mostly interested in Pix and FW-1)
    > have to sanity-check routing updates that they receive?

    I've never allowed a firewall to do dynamic routing, so I can't directly
    answer that, but BGP is really the only routing protocol I'd want to place
    into a hostile environment, and then I'd want the implementation to be
    bullet-proof, so I'd put in routers, and leave firewalling to the
    firewalls and routing to the routers...

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation

    firewall-wizards mailing list
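The kind of sanity check Rogan asks about, shown as an added example that is not part of this thread and not code from any firewall product: a small validator that takes received routing updates and refuses the ones that would move a protected prefix (the DMZ concern above) to a different interface, that carry a next hop which is not on-link for the receiving interface, or that inject a default route from anywhere but the outside. The interface names, subnets and the sample updates are constructed for illustration and are assumptions, not a real topology.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "192.0.2.0/24"
    next_hop: str    # next hop advertised in the update
    interface: str   # firewall interface the update arrived on


# Assumed topology (hypothetical): each firewall interface and its connected subnet.
INTERFACES = {
    "eth0": "203.0.113.0/24",   # outside / upstream
    "eth1": "192.0.2.0/24",     # DMZ
    "eth2": "10.0.0.0/24",      # inside
}
OUTSIDE = "eth0"

# Prefixes that must stay behind one interface regardless of what routing says.
# Equal or more-specific routes for these may only be learned on that interface.
PINNED = {
    "192.0.2.0/24": "eth1",   # the DMZ must never move off eth1
    "10.0.0.0/8": "eth2",     # inside address space must never move off eth2
}


def check_update(route):
    """Return (accepted, reason) for one received routing update."""
    if route.interface not in INTERFACES:
        return False, f"unknown interface {route.interface}"

    net = ipaddress.ip_network(route.prefix, strict=False)
    next_hop = ipaddress.ip_address(route.next_hop)
    link = ipaddress.ip_network(INTERFACES[route.interface])

    # 1. The next hop must be directly connected on the receiving interface.
    if next_hop not in link:
        return False, f"next hop {next_hop} is not on-link for {route.interface} ({link})"

    # 2. Only the outside interface may supply a default route.
    if net.prefixlen == 0 and route.interface != OUTSIDE:
        return False, f"default route learned on {route.interface}; only {OUTSIDE} may supply it"

    # 3. A route equal to, or more specific than, a pinned prefix must arrive on the
    #    pinned interface; otherwise it would move (or hijack part of) that network.
    for pfx, iface in PINNED.items():
        pinned_net = ipaddress.ip_network(pfx)
        if (net.version == pinned_net.version
                and net.subnet_of(pinned_net)
                and route.interface != iface):
            return False, (f"{net} lies inside pinned {pinned_net} but was learned on "
                           f"{route.interface}, expected {iface}")

    return True, "accepted"


def filter_updates(routes):
    """Split a batch of updates into accepted and rejected lists of (route, reason)."""
    accepted, rejected = [], []
    for route in routes:
        ok, reason = check_update(route)
        (accepted if ok else rejected).append((route, reason))
    return accepted, rejected


# Constructed sample batch: two legitimate updates from upstream and four that
# a firewall should refuse.
SAMPLE_UPDATES = [
    Route("0.0.0.0/0", "203.0.113.1", "eth0"),          # default from upstream: fine
    Route("172.16.0.0/12", "203.0.113.1", "eth0"),      # ordinary prefix from upstream: fine
    Route("192.0.2.0/24", "10.0.0.2", "eth2"),          # DMZ "moving" to the inside interface
    Route("192.0.2.128/25", "203.0.113.1", "eth0"),     # more-specific of the DMZ from outside
    Route("0.0.0.0/0", "10.0.0.2", "eth2"),             # default route injected from inside
    Route("198.51.100.0/24", "198.51.100.1", "eth0"),   # next hop not on the eth0 subnet
]

if __name__ == "__main__":
    ok, bad = filter_updates(SAMPLE_UPDATES)
    for route, reason in ok + bad:
        print(f"{route.prefix:>18} via {route.next_hop:<13} on {route.interface}: {reason}")
```

The three rules are deliberately static: the pinned-prefix table is the same thing a firewall with static routes gives you for free, so the validator only adds value if an operator decides dynamic routing is worth the complexity and still wants a hard floor under it. Real implementations (prefix lists, route maps, distribute lists on a router in front of the firewall) express the same checks in the routing platform's own policy language.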
