RE: [fw-wiz] OSPF on Firewall

From: Carroll, Shawn (SCarroll_at_chittenden.com)
Date: 12/17/03

  • Next message: Adam Shostack: "Re: [fw-wiz] You'll never get fired for recommending IBM - sorry - Microsoft"
    To: "Shimon Silberschlag" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 17 Dec 2003 17:03:15 -0500
    
    

    First I would analyze, or be confident of, my need to run a routing protocol between the two routers. If you need a boundary, why specifically wouldn't default or static routing be desirable? Are there multiple paths between these two? Do the networks reachable on either side change often enough for a dynamic routing protocol to be a good solution?

    Second, if there are machines, subnets, or TCP/IP ports that need to be excluded or allowed, why wouldn't access lists applied to an interface of the existing routers be sufficient, even desirable?

    My hunch is that if you back up one step and ask what it is you're trying to do, the best answer won't be to stick a firewall in the middle of two OSPF routers in the same area. (feel free to reply on- or off-list with specifics about topology and goals)

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Shimon
    > Silberschlag
    > Sent: Wednesday, December 17, 2003 3:02 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] OSPF on Firewall
    >
    >
    > Let's say that I have two routers (on an internal network)
    > that talk OSPF
    > between them.
    >
    > Now I have to insert a firewall in-between the two routers.
    >
    > I am led to believe (by the Communications people I work
    > with) that there is
    > no other option but to install OSPF on the firewall, which
    > doesn't make me
    > feel easy about the solution.
    >
    > Is it true that there is no other way around this problem?
    >
    > TIA,
    >
    > Shimon Silberschlag
    >
    > +972-3-9351572
    > +972-51-207130
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
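Shawn's two alternatives (static or default routing across the firewall link, and interface access lists on the existing routers) worked through as an added example; this is not configuration from the thread or from either poster. Addresses, interface names, the side-A/side-B prefixes and the firewall's route syntax are all assumed: Cisco IOS for the routers, a PIX/ASA-style `route` line for the firewall.

```cisco
! ---- Router A (side A, networks 10.10.0.0/16; all values assumed) ----
interface FastEthernet0/1
 description Link to firewall, side A
 ip address 10.0.0.1 255.255.255.252
 ip access-group FROM-SIDE-B in
!
! Everything on side B is reached through the firewall; no OSPF on this link
ip route 10.20.0.0 255.255.0.0 10.0.0.2
!
router ospf 1
 network 10.10.0.0 0.0.255.255 area 0
 network 10.0.0.0 0.0.0.3 area 0
 ! never send hellos toward the firewall: the OSPF domain stops at this interface
 passive-interface FastEthernet0/1
 ! tell the rest of side A how to reach side B (shows up as an O E2 route)
 redistribute static subnets
!
! Shawn's second point: an interface ACL can do the allow/deny work itself.
! Note the "established" and echo-reply lines: a stateless ACL must let return
! traffic of side-A-initiated sessions back in, which a stateful firewall does for you.
ip access-list extended FROM-SIDE-B
 remark side-B sources may reach only these side-A services
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
 permit tcp 10.20.0.0 0.0.255.255 host 10.10.1.25 eq 25
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 established
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 echo
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 echo-reply
 deny   ip any any log

! ---- Firewall (syntax assumed: PIX/ASA "route <ifname> <net> <mask> <gateway>") ----
! Two static routes, one per side; the firewall never speaks OSPF.
route inside  10.10.0.0 255.255.0.0 10.0.0.1
route outside 10.20.0.0 255.255.0.0 10.0.1.1

! ---- Router B (side B, networks 10.20.0.0/16) ----
! Side B has a single exit, so a default route is enough here.
interface FastEthernet0/1
 description Link to firewall, side B
 ip address 10.0.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.1.2
!
router ospf 1
 network 10.20.0.0 0.0.255.255 area 0
 network 10.0.1.0 0.0.0.3 area 0
 passive-interface FastEthernet0/1
 ! advertise the static default to the other side-B routers
 default-information originate
```

With `passive-interface` on both firewall-facing interfaces no hello (IP protocol 89, multicast 224.0.0.5) ever reaches the firewall, so it needs neither an OSPF process nor a rule passing OSPF; the two halves also never exchange LSAs, which is usually what the firewall owner wants. The cost is the one Shawn's questions point at: a static route stays up as long as the link to the firewall is up, so if side B has a second exit, or its prefixes change often, the routers on side A will not find out from this configuration.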
