Re: [fw-wiz] Dynamic routing on a firewall

• Previous message: Bill Van Emburg: "Re: [fw-wiz] Dynamic routing on a firewall"
• In reply to: Dawes, Rogan (ZA - Johannesburg): "[fw-wiz] Dynamic routing on a firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
Date: Fri, 28 Nov 2003 18:53:52 -0500 (EST)

On Fri, 28 Nov 2003, Dawes, Rogan (ZA - Johannesburg) wrote:

> Hi,
>
> I just wanted to pick the list's brain with regards to dynamic routing on a
> firewall.
>
> Is it a good idea to allow a firewall to participate in dynamic routing? My
> first thoughts are that it sounds like a really dangerous thing - you
> certainly don't want to have routes changing so that a DMZ moves from one
> interface to a different one, for instance.
>

That's a part of it, the other piece of it is that dynamic routing
protocols are complex animals- and complexity leads to bugs.

> What mechanisms do the various firewalls (mostly interested in Pix and FW-1)
> have to sanity-check routing updates that they receive?

I've never allowed a firewall to do dynamic routing, so I can't directly
answer that- but BGP is really the only routing protocol I'd want to place
into a hostile environment, and then I'd want the implementation to be
bullet-proof, so I'd put in routers, and leave firewalling to the
firewalls and routing to the routes...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Bill Van Emburg: "Re: [fw-wiz] Dynamic routing on a firewall"
• In reply to: Dawes, Rogan (ZA - Johannesburg): "[fw-wiz] Dynamic routing on a firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [fw-wiz] Dynamic routing on a firewall ... Is it a good idea to allow a firewall to participate in dynamic routing? ... Each party is in their own DMZ. ... (Firewall-Wizards) RE: [fw-wiz] Dynamic routing on a firewall ... The PIX is a terrible router, for a start, but even so the idea makes my ... > dynamic routing on a firewall. ... > party is in their own DMZ. ... (Firewall-Wizards) Re: Stateful firewalls and dynamic routing question. ... I still don't see how dynamic routing can ... cause problems for a stateful firewall if the firewall only looks at IP ... and port numbers. ... The source MAC address of any packet that arrives at your router will ... (comp.os.linux.networking) Re: [fw-wiz] Dynamic routing on a firewall ... > Is it a good idea to allow a firewall to participate in dynamic routing? ... FW-1 and PIX, because I have moved away from using those FWs, but I seem ... to recall the means existing in both cases. ... (Firewall-Wizards)