Re: [fw-wiz] Dynamic routing on a firewall

From: Paul Robertson (proberts_at_patriot.net)
Date: 11/29/03

  • Next message: Chris Ditri: "[fw-wiz] Linux Bridge/Firewall"
    To: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
    Date: Fri, 28 Nov 2003 18:53:52 -0500 (EST)
    On Fri, 28 Nov 2003, Dawes, Rogan (ZA - Johannesburg) wrote:

    > Hi,
    >
    > I just wanted to pick the list's brain with regards to dynamic routing on a
    > firewall.
    >
    > Is it a good idea to allow a firewall to participate in dynamic routing? My
    > first thoughts are that it sounds like a really dangerous thing - you
    > certainly don't want to have routes changing so that a DMZ moves from one
    > interface to a different one, for instance.
    >

    That's a part of it; the other piece of it is that dynamic routing
    protocols are complex animals, and complexity leads to bugs.

    > What mechanisms do the various firewalls (mostly interested in Pix and FW-1)
    > have to sanity-check routing updates that they receive?

    I've never allowed a firewall to do dynamic routing, so I can't directly
    answer that, but BGP is really the only routing protocol I'd want to place
    into a hostile environment, and then I'd want the implementation to be
    bullet-proof, so I'd put in routers, and leave firewalling to the
    firewalls and routing to the routers...

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
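The sanity check Rogan asks about, and the "DMZ moves to another interface" failure Paul and Rogan both describe, can be expressed as a route-update filter. The following is an added illustration, not code from either poster or from any firewall product: it assumes a hypothetical policy table that pins certain prefixes (the DMZ, the inside network) to the interface they must stay on, a set of interfaces from which updates are trusted at all, and a constructed batch of updates to run through it. An update is rejected if it arrived on an untrusted interface, is a default route, is malformed, or would place a pinned prefix (or any more-specific chunk of it) on a different interface; a less-specific covering route is allowed because longest-prefix match keeps the pinned route preferred.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteUpdate:
    """One received routing update (constructed for this example)."""
    prefix: str          # destination, e.g. "10.1.0.0/24"
    next_hop_iface: str  # interface the route would point traffic out of
    source_iface: str    # interface the update itself arrived on


# Hypothetical policy: prefixes that must never leave their interface.
PINNED_PREFIXES = {
    "10.1.0.0/24": "dmz0",
    "192.168.0.0/16": "inside0",
}

# Hypothetical policy: only updates arriving here are considered at all.
TRUSTED_PEER_IFACES = {"inside0"}


def check_update(update, pinned=PINNED_PREFIXES, trusted=TRUSTED_PEER_IFACES):
    """Return (accepted, reason) for a single update."""
    if update.source_iface not in trusted:
        return False, f"update arrived on untrusted interface {update.source_iface}"
    try:
        net = ipaddress.ip_network(update.prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix {update.prefix!r}: {exc}"
    if net.prefixlen == 0:
        return False, "refusing a default route learned dynamically"
    for pin_prefix, pin_iface in pinned.items():
        pin_net = ipaddress.ip_network(pin_prefix)
        if net.version != pin_net.version:
            continue
        # Exact match or more-specific: accepting this on another interface would
        # move the pinned network (or part of it) off the interface it belongs to.
        if net.subnet_of(pin_net) and update.next_hop_iface != pin_iface:
            return False, (f"{update.prefix} lies inside pinned {pin_prefix} but "
                           f"points out {update.next_hop_iface}, expected {pin_iface}")
        # A covering, less-specific route is tolerated: longest-prefix match keeps
        # the pinned route winning for its own addresses.
    return True, "ok"


def apply_updates(updates):
    """Split a batch of updates into accepted prefixes and (prefix, reason) rejections."""
    accepted, rejected = [], []
    for upd in updates:
        ok, reason = check_update(upd)
        (accepted if ok else rejected).append(upd.prefix if ok else (upd.prefix, reason))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample batch covering the normal case and each failure mode.
SAMPLE_UPDATES = [
    RouteUpdate("172.16.5.0/24", "inside0", "inside0"),    # ordinary inside route
    RouteUpdate("10.1.0.0/24", "inside0", "inside0"),      # would move the DMZ
    RouteUpdate("10.1.0.128/25", "inside0", "inside0"),    # would move half the DMZ
    RouteUpdate("10.1.0.0/24", "dmz0", "inside0"),         # DMZ stays put: fine
    RouteUpdate("10.0.0.0/8", "inside0", "inside0"),       # covering route: fine
    RouteUpdate("0.0.0.0/0", "inside0", "inside0"),        # dynamic default: refused
    RouteUpdate("172.16.6.0/24", "outside0", "outside0"),  # from untrusted side
    RouteUpdate("10.1.0.1/24", "inside0", "inside0"),      # host bits set: malformed
]

if __name__ == "__main__":
    result = apply_updates(SAMPLE_UPDATES)
    for p in result["accepted"]:
        print("ACCEPT", p)
    for p, why in result["rejected"]:
        print("REJECT", p, "-", why)
```

In a real deployment the equivalent check lives in the router's inbound route filter (prefix lists and distribute lists keyed to the peer), which is the same split Paul recommends: the router vets routes, the firewall keeps its static, pinned view of where each network lives.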
