[fw-wiz] RE: Dynamic routing on a firewall

From: Joe Cupano (joec_at_idsi.net)
Date: 11/29/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sat, 29 Nov 2003 16:04:55 -0500

    Depends on your definition of a firewall. If you view it as a
    security device that enforces policy with granularity to the
    application layer then I would say YES to controlling routing
    on the firewall. If your firewall is OS based you can port tools
    such as GateD, Zebra, etc. to make the routing decisions. Think
    of them as application-level proxies running on the box. In
    my time we used to run GateD but methinks they went commercial
    (NextHop Technologies.)

    Ever since the commoditization of firewalls to network-level devices
    by the introduction of stateful packet filtering technology, the
    approach has been "hardened routers" peering through firewalls
    exchanging routing updates. This may be fine and dandy if your
    company controls the routers on both ends and all the infra
    in-between. Still, somewhere in the food chain you are accepting
    routing updates from a foreign entity. How much validation
    of the update are you doing at the control point(s) to assure
    you are avoiding the scenario you suggest (learn Party B's routes
    via Party A), and are the first control points inside or outside
    your firewall?

    NOTE: If you want the gory details on my rationale about how the
    introduction of stateful packet filtering technology commoditized
    firewalls, read my message (RE: [cisspforum] Is What's old
    what's new again ? ) on CISSPforum. I can forward it to you if you
    do not have access. Know that I do not view stateful packet filtering
    technology itself as the problem but how its introduction led
    people to choose to implement that technology as their ONLY
    perimeter security solution - i.e. no layered security.

    Regards,

    - Joe Cupano

    joec@idsi.net

