Firewall Wizards mailing list archives
RE: Dynamic routing on a firewall
From: "Joe Cupano" <joec () idsi net>
Date: Sat, 29 Nov 2003 16:04:55 -0500
Depends on your definition of a firewall. If you view it as a security device that enforces policy with granularity to the application layer, then I would say YES to controlling routing on the firewall. If your firewall is OS based you can port tools such as GateD, Zebra, etc. to make the routing decisions. Think of them as application-level proxies running on the box. In my time we used to run GateD, but me thinks they went commercial (NextHop Technologies).

Ever since the commoditization of firewalls to network-level devices by the introduction of stateful packet filtering technology, the approach has been "hardened routers" peering through firewalls exchanging routing updates. This may be fine and dandy if your company controls the routers on both ends and all the infra in-between. Still, somewhere in the food chain you are accepting routing updates from a foreign entity. How much validation of the update are you doing at the control point(s), assuring you are avoiding the scenario you suggest (learn Party B's routes via Party A), and are the first control points inside or outside your firewall?

NOTE: If you want the gory details on my rationale about how the introduction of stateful packet filtering technology commoditized firewalls, read my message (RE: [cisspforum] Is What's old what's new again ?) on CISSPforum. I can forward it to you if you do not have access. Know I do not view stateful packet filtering technology itself as the problem, but how its introduction led people to choose to implement that technology as their ONLY perimeter security solution - ie no layered security.

Regards,
- Joe Cupano
joec () idsi net
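The validation step the message asks about (checking routing updates at the control point so that a peer cannot feed you another party's routes) can be expressed as a per-peer import policy. The following is an added example, not code from the original post, from GateD or from Zebra: a small Python policy checker that accepts an update only if it arrives from a known peer, is no more specific than the peer is allowed to announce, is originated by that same peer, and falls inside the address space that peer is authorised to advertise. The peer names, prefixes and the `origin` field are constructed sample values standing in for whatever origin attribute the real protocol carries.

```python
import ipaddress
from dataclasses import dataclass

# Constructed per-peer import policy: which prefixes each neighbour may advertise
# and how specific those prefixes may be. Peer names and ranges are hypothetical.
PEER_POLICY = {
    "party_a": {"allowed": ["10.10.0.0/16"], "max_prefixlen": 24},
    "party_b": {"allowed": ["10.20.0.0/16"], "max_prefixlen": 24},
}


@dataclass
class RouteUpdate:
    peer: str    # neighbour the update arrived from
    prefix: str  # advertised destination, e.g. "10.10.5.0/24"
    origin: str  # party that originated the route (constructed stand-in for an origin attribute)


def validate_update(update, policy=PEER_POLICY):
    """Return (accepted, reason) for one update under the per-peer import policy."""
    rules = policy.get(update.peer)
    if rules is None:
        return False, "unknown peer"
    try:
        net = ipaddress.ip_network(update.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen > rules["max_prefixlen"]:
        return False, "prefix too specific"
    # The scenario in the message: Party B's route arriving via Party A.
    if update.origin != update.peer:
        return False, "route originated by another party (transit via peer)"
    allowed = [ipaddress.ip_network(a) for a in rules["allowed"]]
    if not any(net.subnet_of(a) for a in allowed):
        return False, "prefix outside peer's authorised range"
    return True, "accepted"


def filter_updates(updates, policy=PEER_POLICY):
    """Split a batch of updates into accepted and rejected lists of (prefix, reason)."""
    accepted, rejected = [], []
    for u in updates:
        ok, reason = validate_update(u, policy)
        (accepted if ok else rejected).append((u.prefix, reason))
    return accepted, rejected


# Constructed sample batch covering the accept path and each rejection path.
SAMPLE_UPDATES = [
    RouteUpdate("party_a", "10.10.5.0/24", "party_a"),   # legitimate
    RouteUpdate("party_a", "10.20.7.0/24", "party_b"),   # Party B's route learned via Party A
    RouteUpdate("party_a", "10.10.5.0/32", "party_a"),   # more specific than allowed
    RouteUpdate("party_b", "0.0.0.0/0", "party_b"),      # default route, outside authorised range
    RouteUpdate("party_c", "192.0.2.0/24", "party_c"),   # peer not in policy at all
]

if __name__ == "__main__":
    ok, bad = filter_updates(SAMPLE_UPDATES)
    for prefix, reason in ok + bad:
        print(f"{prefix:16} {reason}")
```

The origin check runs before the prefix-range check on purpose: a route that is both foreign-originated and out of range is reported as the transit case, which is the condition the message singles out. In a real deployment the equivalent logic lives in the routing daemon's prefix-list and route-map filters, and the same checks belong on the hardened routers outside the firewall as well as on the firewall itself.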
Current thread:
- RE: Dynamic routing on a firewall Dawes, Rogan (ZA - Johannesburg) (Dec 01)
- <Possible follow-ups>
- RE: Dynamic routing on a firewall Joe Cupano (Dec 02)