Firewall Wizards
mailing list archives
Re: Dynamic routing on a firewall
From: Bill Van Emburg <bve () quadrix com>
Date: Fri, 28 Nov 2003 14:09:15 -0500
> From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
> To: firewall-wizards () honor icsalabs com
> Date: Fri, 28 Nov 2003 11:38:32 +0200
> Subject: [fw-wiz] Dynamic routing on a firewall
>
> [...]
>
> Is it a good idea to allow a firewall to participate in dynamic routing? My
> first thoughts are that it sounds like a really dangerous thing - you
> certainly don't want to have routes changing so that a DMZ moves from one
> interface to a different one, for instance.
>
> [...]
>
> Leaving out the question of how A gets the packets to B eventually, to
> complete the connection, is this a realistic scenario? How can one protect
> against something like this, using the above-mentioned firewalls, if one
> still chooses to use dynamic routing?
Well, in general, you can control what types of routing updates you'll
accept from which parties. For example, with BGP, you can set ACLs that
control which routing updates you'll accept. It is, however, protocol-
and implementation-dependent. I don't have specific answers for you for
FW-1 and PIX, because I have moved away from using those FWs, but I seem
to recall the means existing in both cases. (With FW-1, you may have to
put something onto the box manually -- I don't recall the feature being
available from within FW-1's software.)
--
-- Bill Van Emburg
Quadrix Solutions, Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
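As an added illustration of the kind of update filtering Bill describes (this is example code, not from the thread or from any vendor's product), the following Python simulates a route-update policy on a firewall that speaks a dynamic routing protocol. It applies the two controls the reply mentions, accepting updates only from known peers and only on the interface those peers are expected on, and adds the check Rogan's scenario calls for: a "pinned" prefix such as the DMZ, and any more-specific of it, is never allowed to be learned via another interface, while less-specific covering routes (including a default route) are still accepted because longest-prefix match keeps the pinned route in effect. All peer addresses, interface names and prefixes are constructed for the example.

```python
"""Constructed simulation of route-update filtering on a firewall.

Not vendor syntax and not code from the firewall-wizards thread; the peer
addresses, interface names and prefixes below are made up for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteUpdate:
    peer: str    # address of the routing neighbor that sent the update
    iface: str   # interface the update arrived on
    prefix: str  # advertised destination, e.g. "192.0.2.0/24"


@dataclass
class RoutePolicy:
    # neighbor address -> interface that neighbor is expected to speak on
    allowed_peers: dict
    # prefix -> the only interface it may ever be reached through (e.g. DMZ)
    pinned: dict
    # reject anything more specific than this (limits hijack by long prefixes)
    max_prefix_len: int = 24

    def evaluate(self, upd: RouteUpdate):
        """Return (accept, reason) for one routing update."""
        expected_iface = self.allowed_peers.get(upd.peer)
        if expected_iface is None:
            return False, "unknown peer"
        if expected_iface != upd.iface:
            return False, "peer seen on unexpected interface"

        net = ipaddress.ip_network(upd.prefix, strict=False)

        # A pinned prefix, or any more-specific of it, must not be learned
        # on a different interface: that is exactly the "DMZ moves to another
        # interface" failure the question describes.
        for pinned_prefix, iface in self.pinned.items():
            pinned_net = ipaddress.ip_network(pinned_prefix)
            if (pinned_net.version == net.version
                    and pinned_net.supernet_of(net)
                    and iface != upd.iface):
                return False, f"would move pinned {pinned_prefix} off {iface}"

        if net.prefixlen > self.max_prefix_len:
            return False, "prefix too specific"
        return True, "accepted"


def filter_updates(policy: RoutePolicy, updates):
    """Evaluate each update; return {prefix: (accept, reason)}."""
    return {u.prefix: policy.evaluate(u) for u in updates}


def demo():
    """Run the policy over a constructed batch of updates."""
    policy = RoutePolicy(
        allowed_peers={"198.51.100.1": "outside", "10.0.0.2": "inside"},
        pinned={"192.0.2.0/24": "dmz"},
    )
    updates = [
        # default route from the upstream peer: covering route, fine
        RouteUpdate("198.51.100.1", "outside", "0.0.0.0/0"),
        # more-specific of the DMZ prefix arriving from outside: rejected
        RouteUpdate("198.51.100.1", "outside", "192.0.2.0/25"),
        # ordinary internal route from the inside peer: fine
        RouteUpdate("10.0.0.2", "inside", "10.10.0.0/16"),
        # update from a peer we never configured: rejected
        RouteUpdate("203.0.113.9", "outside", "172.16.0.0/16"),
        # known inside peer suddenly speaking on the outside interface: rejected
        RouteUpdate("10.0.0.2", "outside", "10.20.0.0/16"),
        # /30 from upstream exceeds the allowed prefix length: rejected
        RouteUpdate("198.51.100.1", "outside", "198.51.100.0/30"),
    ]
    return filter_updates(policy, updates)


if __name__ == "__main__":
    for prefix, (ok, why) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {prefix:18} {why}")
```

The pinned-prefix check runs before the prefix-length check on purpose: an attempted more-specific of the DMZ prefix is logged as what it is (an attempt to move the DMZ) rather than as a generic length violation, which is the event a firewall operator would want to alert on.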