Re: [fw-wiz] OSPF on Firewall

From: Paul Robertson (proberts_at_patriot.net)
Date: 12/17/03

  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] OSPF on Firewall"
    To: Shimon Silberschlag <shimons@bll.co.il>
    Date: Wed, 17 Dec 2003 16:34:32 -0500 (EST)
    
    

    On Wed, 17 Dec 2003, Shimon Silberschlag wrote:

    > Let's say that I have two routers (on an internal network) that talk OSPF
    > between them.
    >
    > Now I have to insert a firewall in-between the two routers.
    >
    > I am led to believe (by the Communications people I work with) that there is
    > no other option but to install OSPF on the firewall, which doesn't make me
    > feel easy about the solution.
    >
    > Is it true that there is no other way around this problem?

    There are several options:

    1. Forward the OSPF traffic in bridge mode with MAC address, protocol
    and/or other criteria.

    2. Forward the OSPF traffic in IP mode with source and destination limits
    *and* ensure the routers filter inbound OSPF on their external interfaces
    so that there's a containment boundary.

    3. Do static routing between the routers, and deal with routing changes
    by maintaining the tables out of band (may be a really good idea,
    depending on what the firewall is enforcing.)

    4. Run a dynamic routing protocol on the firewall and have the routers
    export their routes (be careful that the firewall *exports* those routes
    to each router, and *does NOT* use the routing information itself. Note
    that the protocol doesn't have to be OSPF, you can do anything that'll
    import to and export from OSPF, and have the routers do the conversion
    (good for larting stubborn datacomm folks- make 'em implement BGP with
    filtering and all the good bells and whistles on.)

    5. Carry routing in a tunnel and bypass the firewall (may be very bad,
    depending on what the firewall's enforcing.)

    6. Take over the routers as a part of the "security infrastructure" and
    enforce policy with their configuration.

    There are probably other ways to deal with it- note that dynamic routing
    information is pretty important stuff, and it really shouldn't transit a
    trust zone without a *really* *really* good reason, and what routes you'll
    accept from where is important (hence the hammer for BGP, where that stuff
    is easy to do and easy to implement.) If they can't do static routing
    (which would be my preference), I'd be looking pretty hard at why.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson           "My statements in this message are personal opinions
    proberts@patriot.net         which may have no basis whatsoever in fact."
    probertson@trusecure.com     Director of Risk Assessment, TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
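The following is an added example (not from Paul's post or the list) that models option 2 above as a first-match packet filter: the firewall passes IP protocol 89 (OSPF) only between the two known routers, and each router's outside interface accepts OSPF only from its expected peer, which is the containment boundary the post asks for. The router addresses, the `Packet`/`Rule` types and the sample packets are constructed for illustration; the protocol number 89 and the multicast groups 224.0.0.5 and 224.0.0.6 are the real OSPF values.

```python
"""Added example: policy for passing OSPF through a firewall between two routers.
Illustrative code, not from the original post. Addresses are constructed samples."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

OSPF_PROTO = 89                  # IP protocol number for OSPF (RFC 2328)
OSPF_ALL_ROUTERS = "224.0.0.5"   # AllSPFRouters multicast group
OSPF_ALL_DROUTERS = "224.0.0.6"  # AllDRouters multicast group

ROUTER_A = "192.0.2.1"           # constructed sample address (inside router)
ROUTER_B = "198.51.100.1"        # constructed sample address (outside router)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number (6 = TCP, 17 = UDP, 89 = OSPF)


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: Optional[int]      # None matches any protocol
    src: IPv4Network
    dst: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst)


def host(addr: str) -> IPv4Network:
    return ip_network(f"{addr}/32")


ANY = ip_network("0.0.0.0/0")


def ospf_passthrough_rules(router_a: str, router_b: str) -> list:
    """Firewall policy (option 2): OSPF only between the two routers, either
    unicast to the peer or to the OSPF multicast groups; everything else denied."""
    rules = []
    for a, b in ((router_a, router_b), (router_b, router_a)):
        rules.append(Rule("permit", OSPF_PROTO, host(a), host(b)))
        rules.append(Rule("permit", OSPF_PROTO, host(a), host(OSPF_ALL_ROUTERS)))
        rules.append(Rule("permit", OSPF_PROTO, host(a), host(OSPF_ALL_DROUTERS)))
    rules.append(Rule("deny", None, ANY, ANY))  # explicit default deny
    return rules


def router_inbound_ospf_filter(expected_peer: str) -> list:
    """Containment boundary on a router's outside interface: accept OSPF only
    from the expected peer, drop all other OSPF, leave non-OSPF to other policy."""
    return [
        Rule("permit", OSPF_PROTO, host(expected_peer), ANY),
        Rule("deny", OSPF_PROTO, ANY, ANY),
        Rule("permit", None, ANY, ANY),
    ]


def evaluate(rules: list, pkt: Packet) -> str:
    """First-match evaluation; an unmatched packet is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample traffic: legitimate OSPF, a rogue OSPF speaker, and non-OSPF.
SAMPLES = {
    "hello_a_mcast": Packet(ROUTER_A, OSPF_ALL_ROUTERS, OSPF_PROTO),
    "unicast_a_to_b": Packet(ROUTER_A, ROUTER_B, OSPF_PROTO),
    "rogue_ospf": Packet("192.0.2.99", OSPF_ALL_ROUTERS, OSPF_PROTO),
    "tcp_a_to_b": Packet(ROUTER_A, ROUTER_B, 6),
}


def run_samples() -> dict:
    """Return each sample's verdict at the firewall and at router B's inbound filter."""
    fw = ospf_passthrough_rules(ROUTER_A, ROUTER_B)
    rb = router_inbound_ospf_filter(ROUTER_A)
    return {name: (evaluate(fw, p), evaluate(rb, p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:15} firewall={verdicts[0]:6} router_b_inbound={verdicts[1]}")
```

This models only the access-control decision. Link-local multicast (224.0.0.0/24) is not forwarded across a routed hop, so a firewall in IP mode normally carries the unicast exchanges configured via the routers' neighbor statements, while the multicast rules matter for the bridge-mode variant (option 1).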

