RE: [fw-wiz] OSPF on Firewall
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 12/17/03
- Previous message: Wes Noonan: "RE: [fw-wiz] Security dumming down - the king's clothes"
- In reply to: Shimon Silberschlag: "[fw-wiz] OSPF on Firewall"
- Next in thread: Sloane, David: "RE: [fw-wiz] OSPF on Firewall"
To: "'Shimon Silberschlag'" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com>
Date: Wed, 17 Dec 2003 15:45:22 -0600
Depending on the firewall in question, this is correct. The key is whether
your firewall supports multicast/broadcast traffic to pass. For example, the
PIX doesn't.
You *can* install OSPF on the firewall if you want to, just make sure that
you harden it accordingly. If you are using OSPF authentication on a purely
internal network and preventing it from running on any external interfaces I
actually see very little downside in this, but that is just me. I like the
simplicity of the solution. Plus, being a Cisco guy, this is what I have to
do with their firewalls anyway.
The other alternative is to treat your routing traffic just like any other
traffic (with above caveat noted). Basically create ACLs to permit the
traffic and then create whatever internal associations that will allow the
traffic to be passed by the firewall.
Here is an example of how to pass BGP (I know you wanted OSPF, but the PIX
won't do that) through a PIX firewall:
http://www.cisco.com/en/US/tech/tk365/tk80/technologies_configuration_example09186a008009487d.shtml
Good luck.
Wes Noonan
mailinglists@wjnconsulting.com
http://www.wjnconsulting.com
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Shimon Silberschlag
> Sent: Wednesday, December 17, 2003 02:02
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] OSPF on Firewall
>
> Let's say that I have two routers (on an internal network) that talk OSPF
> between them.
>
> Now I have to insert a firewall in-between the two routers.
>
> I am led to believe (by the Communications people I work with) that there is
> no other option but to install OSPF on the firewall, which doesn't make me
> feel easy about the solution.
>
> Is it true that there is no other way around this problem?
>
> TIA,
>
> Shimon Silberschlag
>
> +972-3-9351572
> +972-51-207130
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
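
Added example, not part of the original message or of any vendor's code: a check for the OSPF authentication the reply recommends, applied to the 24-byte OSPFv2 header (RFC 2328) taken from a captured IP protocol 89 payload. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# OSPFv2 common header (RFC 2328, A.3.1): 24 bytes, network byte order.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple-password", 2: "cryptographic"}
PKT_TYPE = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def audit_ospf_header(payload: bytes) -> dict:
    """Parse the OSPFv2 header from an IP payload and grade its authentication."""
    if len(payload) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    version, ptype, _length, rid, area, _cksum, autype, auth = OSPF_HDR.unpack_from(payload)
    if version != 2:
        raise ValueError(f"not OSPFv2 (version={version})")
    finding = {
        "type": PKT_TYPE.get(ptype, f"unknown({ptype})"),
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area": str(ipaddress.IPv4Address(area)),
        "auth": AUTYPE.get(autype, f"unknown({autype})"),
    }
    if autype == 0:
        finding["verdict"] = "FAIL: no authentication"
    elif autype == 1:
        finding["verdict"] = "FAIL: cleartext password on the wire"
    elif autype == 2:
        # Cryptographic auth field: 2 zero bytes, key id, digest length, 4-byte sequence.
        _zero, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        finding.update(key_id=key_id, digest_len=dlen, seq=seq)
        finding["verdict"] = "OK: cryptographic authentication"
    else:
        finding["verdict"] = "FAIL: unrecognised AuType"
    return finding


def build_sample(autype: int, auth: bytes) -> bytes:
    """Constructed sample Hello header (router 10.0.0.1, area 0), not a real capture."""
    return OSPF_HDR.pack(2, 1, 44, bytes([10, 0, 0, 1]), bytes(4), 0, autype, auth)


if __name__ == "__main__":
    samples = [
        build_sample(0, bytes(8)),
        build_sample(1, b"s3cret\x00\x00"),
        build_sample(2, struct.pack("!HBBI", 0, 1, 16, 1000)),
    ]
    for s in samples:
        print(audit_ospf_header(s))
```
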