Firewall Wizards mailing list archives

RE: Dynamic routing on a firewall


From: "Joe Cupano" <joec () idsi net>
Date: Sat, 29 Nov 2003 16:04:55 -0500


Depends on your definition of a firewall. If you view it as a
security device that enforces policy with granularity to the
application layer then I would say YES to controlling routing
on the firewall. If your firewall is OS based you can port tools
such as GateD, Zebra, etc. to make the routing decisions. Think
of them as application-level proxies running on the box. In
my time we used to run GateD, but methinks they went commercial
(NextHop Technologies).

Ever since the commoditization of firewalls to network-level devices
by the introduction of stateful packet filtering technology, the
approach has been "hardened routers" peering through firewalls
exchanging routing updates. This may be fine and dandy if your
company controls the routers on both ends and all the infra
in-between. Still, somewhere in the food chain you are accepting
routing updates from a foreign entity. How much validation
of the update are you doing at the control point(s), assuring
you are avoiding the scenario you suggest (learn Party B's routes
via Party A), and are the first control point(s) inside or outside
your firewall?

NOTE: If you want the gory details on my rationale about how the
introduction of stateful packet filtering technology commoditized
firewalls, read my message (RE: [cisspforum] Is What's old
what's new again ?) on CISSPforum. I can forward it to you if you
do not have access. Know I do not view stateful packet filtering
technology itself as the problem, but how its introduction led
people to choose to implement that technology as their ONLY
perimeter security solution, i.e. no layered security.

Regards,

- Joe Cupano

joec () idsi net
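The validation step Joe asks about ("how much validation of the update are you doing at the control point(s)") is easy to state as a policy and worth seeing as one. The block below is an added example, not part of the original post and not code from GateD, Zebra or any other tool named in the thread: a small Python check that a control point could apply to each incoming routing update before it is believed. Every peer name, ASN and prefix in it is constructed for the example, and the rules it enforces (per-peer allocated address space, first AS in the path must be the peer's own AS, nothing more specific than a /24, no default route, no private or reserved space) are assumed policy choices rather than anything the post prescribes. The case Joe singles out, Party B's routes arriving via Party A, is reported by name so it is visible in the rejection reason rather than buried in a generic "not permitted".

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Hypothetical control-point policy (constructed for this example): which
# external peers exist, which ASN each speaks from, and which address space
# each one is allowed to announce to us.
PEER_POLICY = {
    "party_a": {"asn": 65001, "prefixes": ("203.0.113.0/24", "198.18.0.0/15")},
    "party_b": {"asn": 65002, "prefixes": ("192.0.2.0/24",)},
}

# Address space that should never be learned from an outside peer.
BOGONS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
))
MAX_PREFIX_LEN = 24  # assumed policy: refuse anything more specific than a /24


@dataclass(frozen=True)
class RouteUpdate:
    peer: str                  # which session / control point the update came in on
    prefix: str                # announced prefix in CIDR form
    as_path: Tuple[int, ...]   # leftmost = the peer's own AS, rightmost = origin AS


def validate(update: RouteUpdate) -> Tuple[bool, str]:
    """Decide whether to accept one update; returns (accepted, reason)."""
    policy = PEER_POLICY.get(update.peer)
    if policy is None:
        return False, "unknown peer"
    try:
        net = ipaddress.ip_network(update.prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.version != 4:
        return False, "only an IPv4 policy is defined here"
    if net.prefixlen == 0:
        return False, "default route from external peer"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"more specific than /{MAX_PREFIX_LEN}"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon / private space"
    # The neighbour must put its own AS first; otherwise it is relaying or
    # forging a path we cannot attribute to it.
    if not update.as_path or update.as_path[0] != policy["asn"]:
        return False, "first AS in path is not the peer's own AS"
    if any(net.subnet_of(ipaddress.ip_network(p)) for p in policy["prefixes"]):
        return True, "within peer's allocation"
    # Not this peer's space: say whose it is, so the log shows the
    # "Party B's routes learned via Party A" case explicitly.
    for other, other_policy in PEER_POLICY.items():
        if other != update.peer and any(
            net.subnet_of(ipaddress.ip_network(p)) for p in other_policy["prefixes"]
        ):
            return False, f"prefix belongs to {other}, not {update.peer}"
    return False, "prefix outside any known allocation"


def filter_updates(updates):
    """Split a batch of updates into accepted and rejected lists, each with a reason."""
    accepted, rejected = [], []
    for u in updates:
        ok, reason = validate(u)
        (accepted if ok else rejected).append((u, reason))
    return accepted, rejected


# Constructed sample of one batch of updates arriving at a control point.
SAMPLE_UPDATES = [
    RouteUpdate("party_a", "203.0.113.0/24", (65001,)),
    RouteUpdate("party_a", "198.18.4.0/22", (65001, 65010)),
    RouteUpdate("party_b", "192.0.2.0/24", (65002,)),
    RouteUpdate("party_a", "192.0.2.0/24", (65001, 65002)),   # B's space via A
    RouteUpdate("party_a", "0.0.0.0/0", (65001,)),             # default route
    RouteUpdate("party_a", "203.0.113.128/25", (65001,)),      # too specific
    RouteUpdate("party_a", "10.0.0.0/8", (65001,)),            # private space
    RouteUpdate("party_a", "203.0.113.0/24", (65002, 65001)),  # wrong first AS
    RouteUpdate("party_c", "203.0.113.0/24", (65003,)),        # no policy for peer
]

if __name__ == "__main__":
    ok, bad = filter_updates(SAMPLE_UPDATES)
    for u, why in ok:
        print(f"ACCEPT {u.peer:8} {u.prefix:18} {why}")
    for u, why in bad:
        print(f"REJECT {u.peer:8} {u.prefix:18} {why}")
```

On the constructed batch the first three updates are accepted and the remaining six are rejected, each with the specific reason. The ordering of the checks matters: the cheap structural tests (default route, prefix length, bogons, first-hop AS) run before the per-peer allocation lookup, so a peer cannot reach the allocation logic with a path it does not own. A real control point would drive the same policy from a prefix-list and AS-path filter in the routing daemon rather than a script, and would log rejections where the firewall operators can see them.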

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

