[nsp] OSPF x firewall
Mussie
mussieg at comcast.net
Fri Jan 2 16:07:22 EST 2004
Gert,
I agree with your assessment; once you tunnel (encapsulated) traffic between
the routers transiting the firewall, the packets will not be subjected to
security scrutiny. The suggested solution works well if the two areas share
the same security level. For example, if site-A and site-B share the same
security level and they are only reachable through an untrusted network such as
the internet. I have also seen newly merged organizations using this scheme
to interconnect their islands of networks during their integration process.
Mussie G.
-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Friday, January 02, 2004 2:52 PM
To: Mussie
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] OSPF x firewall
Hi,
On Fri, Jan 02, 2004 at 10:45:16AM -0500, Mussie wrote:
> I believe Jim has suggested this before. If you wish to interconnect two
> routers via OSPF across the firewall the best option might be to create
> tunnel interface and use GRE or IPnIP as an encapsulation. The only thing
> you need on the firewall is to allow Protocol 47 [GRE] or protocol-4
> [IP-in-IP] from the respective router interfaces (whichever one is the source
> interface for your tunnel).
As has also been mentioned before: what good is speaking dynamic
routing protocols through a device if that device doesn't know the
routes in question? The firewall needs to know which IPs are "inside"
and "outside" as well - so if you're routing around it, you won't gain
anything (except if you send the packets through the OSPF tunnel as
well - in that case, you've effectively removed the firewall).
The whole initial setup is flawed and should be re-thought.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
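To make Gert's point concrete, here is an added example (not part of the thread, and not the behaviour of any particular Cisco device): a toy firewall policy that decides on the outer IPv4 header alone, as the "just permit protocol 47 between the routers" rule does, beside one that decapsulates the GRE tunnel and permits only an inner OSPF packet. Router addresses and the inner packets are constructed sample values; only the 4-byte base GRE header (RFC 2784, version 0, no optional fields) is handled.

```python
import struct

IPPROTO_TCP, IPPROTO_GRE, IPPROTO_OSPF = 6, 47, 89
GRE_PROTO_IPV4 = 0x0800

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an inner IPv4 packet in a base GRE header carried over outer IPv4 (protocol 47)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner_packet)) + gre + inner_packet

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20])), pkt[9], pkt[ihl:])

def outer_only_policy(pkt, tunnel_endpoints):
    """The rule discussed in the thread: permit GRE between the two routers, look no further."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return proto == IPPROTO_GRE and (src, dst) in tunnel_endpoints

def decapsulating_policy(pkt, tunnel_endpoints):
    """Same outer check, then open the tunnel and permit only OSPF (protocol 89) inside it."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if not (proto == IPPROTO_GRE and (src, dst) in tunnel_endpoints) or len(payload) < 24:
        return False
    flags_ver, proto_type = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or proto_type != GRE_PROTO_IPV4:   # optional GRE fields or non-IPv4 payload: not modelled, deny
        return False
    _, _, inner_proto, _ = parse_ipv4(payload[4:])
    return inner_proto == IPPROTO_OSPF

# Constructed sample: two tunnel routers (documentation addresses), an OSPF hello and a TCP packet inside the tunnel.
ROUTER_A, ROUTER_B = "192.0.2.1", "198.51.100.1"
TUNNEL_ENDPOINTS = {(ROUTER_A, ROUTER_B), (ROUTER_B, ROUTER_A)}
OSPF_IN_TUNNEL = gre_encapsulate(ROUTER_A, ROUTER_B, ipv4_header("10.0.0.1", "224.0.0.5", IPPROTO_OSPF, 0))
TCP_IN_TUNNEL = gre_encapsulate(ROUTER_A, ROUTER_B, ipv4_header("10.0.0.10", "10.1.0.20", IPPROTO_TCP, 0))

if __name__ == "__main__":
    for name, pkt in (("OSPF in GRE", OSPF_IN_TUNNEL), ("TCP in GRE", TCP_IN_TUNNEL)):
        print(f"{name}: outer-only={outer_only_policy(pkt, TUNNEL_ENDPOINTS)} "
              f"decapsulating={decapsulating_policy(pkt, TUNNEL_ENDPOINTS)}")
```

The outer-only rule passes the TCP flow exactly as it passes the OSPF hello, which is the "you've effectively removed the firewall" case; the decapsulating rule is the minimum a firewall needs in order to keep a say over what crosses the tunnel.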