[nsp] OSPF x firewall

hcb at gettcomm.com
Fri Dec 19 21:07:19 EST 2003


Quoting Thales <thalesrx at terra.com.br>:

> First ,
> 
>   Thanks a lot for your advice. Our problem is to put a firewall between the
> core switch ( 6509 ) and a router that serves our clients ( 7513 ). We
> need to protect ourselves against this traffic. The topology is:
> 
> our building---6509---- firewall---7513--- internal wan
> 
> There are many other routers in our LAN. Because of this I need dynamic
> routing between the 6509 and the 7513 ( there are over 300 routes ). Now, after what you
> have said, I am thinking of using EIGRP between them. What about this idea?
> Should it be a problem to announce these routes through the firewall?

I still don't understand why you need to connect the routing systems on either 
side of the firewall -- if the sides don't trust one another, why tell one 
another about their routing structure?  Firewalls aren't perfect, and the more 
information a hacker has about a network, the better chance the hacker has to 
break in.

What's the addressing structure?  Is it possible for the client side to default 
to the core? Is there connection either to the Internet or _between_ customer 
networks on the customer side?  If not, default would seem to be all you need.

If you absolutely had to send routing updates through a firewall, I'd construct 
a tunnel with access lists at both ends, lists that permit only routing 
protocol messages.  

Alternatively, I might run independent routing domains on either side.  Part of 
the problem is that I don't understand what traffic has to flow from side to 
side.  There may be valid host-based solutions that are easier and more secure 
than breaching a firewall, such as maintaining a copy of data on the customer 
side.

I'll have to admit that I haven't yet found an environment where the firewall 
had to be transparent (i.e., in the middle of a subnet).  It's a fairly basic 
idea that the firewall sits between two (e.g., DMZ and perimeter) or more 
subnets.
> 
> Thanks in advance
> 
> Thales Azevedo
> Rio de Janeiro
>   Brazil
> 
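As an added illustration of the tunnel-plus-access-list approach hcb describes above (this is not configuration from either poster; the addresses, interface names and EIGRP autonomous system number are hypothetical), the following IOS fragment for the 6509 side builds a GRE tunnel to the 7513 and applies an access list on the tunnel interface that permits only EIGRP between the two tunnel endpoints, logging anything else. The 7513 end mirrors it with the addresses swapped; the firewall between them then needs to pass only GRE (IP protocol 47) between the two tunnel endpoint addresses rather than the routing protocol itself.

```cisco
! Hypothetical addressing: 192.0.2.1 / 192.0.2.2 are the routers' outside
! interfaces on either side of the firewall, 10.255.0.0/30 is the tunnel link.
interface Tunnel0
 description GRE to the 7513 across the firewall (routing updates only)
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
!
! Only EIGRP (IP protocol 88) between the tunnel endpoints, plus EIGRP hellos
! to the 224.0.0.10 multicast group; everything else is denied and logged.
! For OSPF, substitute "permit ospf" with the same source/destination and the
! 224.0.0.5 / 224.0.0.6 groups in place of 224.0.0.10.
ip access-list extended TUNNEL-ROUTING-ONLY
 permit eigrp 10.255.0.0 0.0.0.3 10.255.0.0 0.0.0.3
 permit eigrp 10.255.0.0 0.0.0.3 host 224.0.0.10
 deny   ip any any log
!
interface Tunnel0
 ip access-group TUNNEL-ROUTING-ONLY in
 ip access-group TUNNEL-ROUTING-ONLY out
!
! Form the EIGRP adjacency only over the tunnel; every other interface stays
! passive so no routing messages leak toward the firewall's native path.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
```

The "deny ip any any log" entry is what makes this a control-plane-only channel: hits on it show up in the log and are the first sign that something other than routing updates is trying to cross. One caveat to check before deploying it: routes learned over the tunnel resolve to the tunnel peer as next hop, so data traffic that the routing table steers into the tunnel is dropped by the same filter. The design therefore only works if forwarding still follows a path the firewall inspects, for example the default-to-the-core arrangement hcb suggests earlier, with the tunnel carrying reachability information rather than user traffic.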