[nsp] OSPF x firewall

hcb at gettcomm.com
Fri Dec 19 10:20:27 EST 2003


Quoting BERKANE Mourad <mourad.berkane.prestataire at cegetel.fr>:

> 
> Thanks for your point, Russell.
> 
> As Oli said, it won't work unless doing something really dirty:
> 
> - Can't a firewall change an IP TTL value?
> - Can't the IP source of LSA packets be changed by a firewall?
> - Can't tunneling of multicast packets between 2 FW interfaces be
> possible?
> 
> Nothing standard, ok, this looks dirty :-) and may not be possible with all
> firewall vendors.
> 
> A clean solution could be changing the routing design (to static) or including
> firewall features internally on the routers (ACL).

Good points, but even more important is getting a clear statement of the 
security policy (i.e., the top management view) and the security threats 
against which the enterprise wants protection.  I've heard many people suggest 
they want firewalls in the middle of the routing system, as in this case, but I 
can't say that I ever found a situation where doing so was really a good idea. 
It often does make sense to have separate routing systems on each side of the 
firewall, with static/default routes to the local firewall interface.  

More often than not, the "open" side of the firewall does not have a very 
complicated routing environment, and it's actually a bad idea to have dynamic 
routing in a place where it can be hacked.

Routing protocols like OSPF, as others have mentioned in this thread, assume 
that they are sending messages to link-local routers and are variously designed 
so they can't cross subnets, either by OSPF setting TTL=1 or ISIS running 
directly over the data link problem.

We still haven't heard enough about the problem that needs to be solved, at a 
higher level of requirements abstraction than "I need a firewall in the middle 
of OSPF."  Among other questions is whether the security of the routing 
system is the issue, and good authentication the solution, or why there 
can't be different subnets on both sides of the firewall,
> 
> 
> -----Original Message-----
> From: Russell Heilling [mailto:russell at ccie.org.uk]
> Date: Friday 19 December 2003 15:20
> To: BERKANE Mourad
> Cc: 'Thales'; 'cisco-nsp at puck.nether.net'
> Subject: Re: [nsp] OSPF x firewall
> 
> 
> On Fri, Dec 19, 2003 at 02:08:16PM +0100, BERKANE Mourad wrote:
> > 
> > Hello,
> > 
> > A firewall or a Cisco ACL operates in the forwarding plane, not in the
> > control plane.
> > Your firewall needn't be OSPF aware; you just need to allow routing
> > exchange between backbone area routers.
> 
> I have to disagree with this...  OSPF hellos and LSAs are link-local
> (i.e. TTL=1) multicast packets.  It should be possible to pass these 
> through the firewall if it is operating in a transparent bridging mode, 
> but in most firewall implementations the firewall itself will act as a 
> gateway rather than a bridge, and therefore TTL=1 packets will not be 
> passed between the inside and outside (assuming the firewall itself has 
> support for multicast forwarding of some form...).
> 
> Cheerz,
> 
> Russell
>  
> > Have fun/
> > Mourad
> > 
> > -----Original Message-----
> > From: Thales [mailto:thalesrx at terra.com.br]
> > Date: Friday 19 December 2003 01:05
> > To: cisco-nsp at puck.nether.net
> > Subject: [nsp] OSPF x firewall
> > 
> > 
> > Folks, 
> > 
> > I have an area 0 with 2 routers running OSPF. Now, I need to put a firewall
> > in the middle. Is it possible to maintain this structure without changing
> > anything and without needing to enable OSPF in the firewall? Does someone
> > know a tip or a trick? The subnet will be different. 
> > 
> > Thanks in advance
> > 
> > Thales Azevedo
> > Rio de Janeiro - Brazil
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
> -- 
> Russell Heilling
> http://www.ccie.org.uk/
> PGP: finger russellh at bela.homeunix.net
> 
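The point Russell makes above (OSPF hellos and LSAs are TTL=1 link-local multicast, so a firewall acting as an IP gateway cannot hand them across, even when its ACL permits IP protocol 89, whereas a transparent bridge can) is modelled below. This is an added example, not code from anyone in the thread: the packet bytes are constructed for illustration (checksums left at zero, no Hello body), and the two firewall models (`routed_firewall`, `bridged_firewall`) are hypothetical simplifications of real vendor behaviour. It goes slightly beyond the thread by also showing that a unicast OSPF packet with TTL=1 dies at the same routed hop, while one with TTL=2 would pass.

```python
"""Model of why TTL=1 OSPF multicast does not cross a routed firewall hop.

Added example (not from the cisco-nsp thread): builds a minimal OSPFv2 Hello
inside an IPv4 header and runs it through two hypothetical firewall models,
a routed gateway and a transparent bridge. Packet bytes are constructed for
illustration only; checksums are zero and no Hello body is included.
"""
import ipaddress
import struct

OSPF_PROTO = 89                                          # IP protocol number for OSPF
ALL_SPF_ROUTERS = "224.0.0.5"                            # Hello/LSA destination on broadcast links
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # link-local scope: routers never forward it
IP_FMT = "!BBHHHBBH4s4s"                                 # 20-byte IPv4 header, no options


def build_ospf_hello(src: str, dst: str = ALL_SPF_ROUTERS, ttl: int = 1) -> bytes:
    """Construct IPv4 + 24-byte OSPFv2 header (type 1 = Hello); router ID = src (constructed sample)."""
    router_id = int(ipaddress.ip_address(src))
    # version 2, type 1 (Hello), length 24, router id, area 0.0.0.0, checksum 0, AuType 0, 8 auth bytes
    ospf = struct.pack("!BBHIIHH", 2, 1, 24, router_id, 0, 0, 0) + b"\x00" * 8
    ip = struct.pack(IP_FMT, 0x45, 0xC0, 20 + len(ospf), 0, 0, ttl, OSPF_PROTO, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + ospf


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields a firewall looks at, plus the OSPF packet type if present."""
    (_, _, _, _, _, ttl, proto, _, src, dst) = struct.unpack(IP_FMT, pkt[:20])
    return {
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "ospf_type": pkt[21] if proto == OSPF_PROTO and len(pkt) > 21 else None,
    }


def routed_firewall(pkt: bytes, permitted_protocols=frozenset({OSPF_PROTO})):
    """Hypothetical gateway-mode firewall: ACL check, then ordinary Layer 3 forwarding rules.

    Returns (forwarded_packet_or_None, reason).
    """
    hdr = parse_ipv4(pkt)
    if hdr["proto"] not in permitted_protocols:
        return None, "dropped by ACL"
    if ipaddress.ip_address(hdr["dst"]) in LINK_LOCAL_MCAST:
        return None, "dropped: 224.0.0.0/24 is link-local scope and is never routed"
    if hdr["ttl"] <= 1:
        return None, "dropped: TTL expired in transit"
    out = bytearray(pkt)
    out[8] -= 1          # TTL is byte 8 of the IPv4 header (checksum not recomputed here)
    return bytes(out), "forwarded with TTL decremented"


def bridged_firewall(pkt: bytes, permitted_protocols=frozenset({OSPF_PROTO})):
    """Hypothetical transparent-mode firewall: filters, but relays frames at Layer 2 unchanged."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] not in permitted_protocols:
        return None, "dropped by ACL"
    return pkt, "forwarded unchanged (no TTL decrement, multicast relayed as a frame)"


if __name__ == "__main__":
    hello = build_ospf_hello("10.0.0.1")
    print(parse_ipv4(hello))
    print("routed :", routed_firewall(hello)[1])
    print("bridged:", bridged_firewall(hello)[1])
```

Running the module shows the routed model rejecting the Hello even though protocol 89 is permitted, which is exactly why "just allow routing exchange through the ACL" is not sufficient on a gateway-mode firewall; the bridge model passes it untouched. Note that the routed model drops on scope before it ever reaches the TTL test, so raising the TTL alone (one of the "dirty" ideas floated above) would not help for the multicast case.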