Firewall Wizards: Re: OSPF on Firewall

Re: OSPF on Firewall

From: Carson Gaspar <carson_at_taltos.org>
Date: Wed, 17 Dec 2003 19:21:11 -0500

One standard solution is to use BGP between the routers, and permit the TCP
port through the firewall.

For the several folks who have expressed the opinion "why on earth would
you want to do that!?", I have a standard example. You have leased lines to
a partner company. For BCP reasons, you have them installed in multiple
diverse geographic locations. You need to automatically use the backup
circuit if the primary is down, or if the building the primary is in blows
up. In order to handle the "building blows up" case, you really need to
advertise dynamic routes internally. The easiest way to do this is to have
the router (VPN endpoint, whatever) advertise the route, via the firewall,
to the internal network. Yes, you want to do route filtering on the
internal router (or the firewall), as the external router is exposed to
attack.

Of course, doing this requires one of:

- a firewall that can do remote state sharing
- a stateless firewall
- forced symmetric routes, and an acceptance that existing connections will
die when a failure occurs.

-- 
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 01 2004
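The two controls Carson describes, a firewall rule that admits only the BGP session between the two routers and route filtering on the internal side because the external router is exposed, can be checked as plain policy logic. The following is an added example, not code from the post or from any firewall product; the peer addresses, the partner prefix, the internal address ranges and the /28 specificity limit are all constructed for illustration. BGP itself runs over TCP port 179.

```python
"""
Added example (not from the original post): a stateless firewall rule for a
BGP session between two routers, plus a prefix-list style filter applied to
the routes the exposed external router advertises inward.

All addresses and prefixes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BGP_PORT = 179  # BGP runs over TCP port 179

# Constructed peer addresses (documentation ranges, not real routers).
EXTERNAL_ROUTER = ipaddress.ip_address("192.0.2.1")      # exposed side
INTERNAL_ROUTER = ipaddress.ip_address("198.51.100.1")   # protected side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def firewall_permits(pkt: Packet) -> bool:
    """Stateless rule: permit TCP between exactly the two BGP peers where one
    side is port 179 and the other an ephemeral port; deny everything else.
    Being stateless, it needs no shared session table between firewall
    nodes, which is one of the three options the post lists."""
    if pkt.proto != "tcp":
        return False
    endpoints = {ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)}
    if endpoints != {EXTERNAL_ROUTER, INTERNAL_ROUTER}:
        return False
    # Either peer may open the session, so allow both directions.
    to_bgp = pkt.dport == BGP_PORT and pkt.sport >= 1024
    from_bgp = pkt.sport == BGP_PORT and pkt.dport >= 1024
    return to_bgp or from_bgp


# Prefixes the partner is contractually expected to announce (constructed).
PARTNER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Our own internal space: never accept it from an external peer.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MAX_PREFIX_LEN = 28  # constructed limit on how specific an accepted route may be


def route_accepted(prefix: str) -> Tuple[bool, str]:
    """Decide whether a route advertised by the external router may enter the
    internal routing table. Returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return False, "default route not accepted from an external peer"
    for internal in INTERNAL_PREFIXES:
        if net.subnet_of(internal) or internal.subnet_of(net):
            return False, f"overlaps internal space {internal}"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"more specific than /{MAX_PREFIX_LEN}"
    if not any(net.subnet_of(p) for p in PARTNER_PREFIXES):
        return False, "not within an agreed partner prefix"
    return True, "accepted"


def filter_advertisements(prefixes: Iterable[str]) -> List[str]:
    """Return only the advertised prefixes that pass route_accepted()."""
    return [p for p in prefixes if route_accepted(p)[0]]


if __name__ == "__main__":
    # Constructed traffic and advertisements to exercise both checks.
    session = Packet("198.51.100.1", "192.0.2.1", "tcp", 50000, BGP_PORT)
    stray = Packet("192.0.2.1", "198.51.100.1", "tcp", 40000, 22)
    print("bgp session permitted:", firewall_permits(session))
    print("ssh attempt permitted:", firewall_permits(stray))
    for p in ["203.0.113.0/24", "0.0.0.0/0", "10.1.0.0/16", "203.0.113.0/30"]:
        print(p, "->", route_accepted(p)[1])
```

The two checks are independent: the firewall rule bounds which hosts may even speak BGP across the boundary, while the route filter bounds what the session may teach the internal network if the external router is ever compromised, which is why the post puts the filtering on the internal router or the firewall rather than trusting the exposed device.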