[nsp] OSPF x firewall

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Fri Jan 2 16:55:46 EST 2004


ditto


~v/r
Del Hudson
61CS/SCBN - LAAFB NCC
Network Architecture & Engineering Group
delbert.hudson at losangeles.af.mil



-----Original Message-----
From: Mussie [mailto:mussieg at comcast.net]
Sent: Friday, January 02, 2004 1:07 PM
To: 'Gert Doering'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] OSPF x firewall


Gert, 
I agree with your assessment; once you tunnel (encapsulate) traffic between
the routers transiting the firewall, the packets will not be subjected to
security scrutiny.  The suggested solution works well if the two areas share
the same security level, for example if site-A and site-B share the same
security level and are only reachable through an untrusted network such as
the internet. I have also seen newly merged organizations using this scheme
to interconnect their islands of networks during their integration process.

Mussie G.


-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: Friday, January 02, 2004 2:52 PM
To: Mussie
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] OSPF x firewall

Hi,

On Fri, Jan 02, 2004 at 10:45:16AM -0500, Mussie wrote:
> I believe Jim has suggested this before.  If you wish to interconnect two
> routers via OSPF across the firewall the best option might be to create a
> tunnel interface and use GRE or IPnIP as an encapsulation.  The only thing
> you need on the firewall is to allow Protocol 47 [GRE] or protocol-4
> [IP-in-IP] from the respective router interfaces (whichever one is the source
> interface for your tunnel).

As has also been mentioned before: what good is speaking dynamic
routing protocols through a device if that device doesn't know the
routes in question?  The firewall needs to know which IPs are "inside"
and "outside" as well - so if you're routing around it, you won't gain
anything (except if you send the packets through the OSPF tunnel as
well - in that case, you've effectively removed the firewall).

The whole initial setup is flawed and should be re-thought.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
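The two messages above make one point between them: a firewall rule that permits protocol 47 (GRE) or protocol 4 (IP-in-IP) between the two router interfaces matches only the outer IP header, so whatever rides inside the tunnel (OSPF, but equally any other traffic) is never compared against the firewall's policy. The following Python model is an added example written for this archive page; it is not code from either poster or from any Cisco product. It builds constructed packets (router addresses 192.0.2.1 / 198.51.100.1, tunnel interface addresses 172.16.0.1 / 172.16.0.2, an inside range of 10.0.0.0/8 and a toy policy are all assumptions chosen for the example) and evaluates each one twice: once as an outer-header-only ACL would see it, and once by decapsulating GRE and IP-in-IP and applying the same policy to every layer.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not taken from the thread).
ROUTER_A, ROUTER_B = "192.0.2.1", "198.51.100.1"   # physical tunnel endpoints
TUN_A, TUN_B = "172.16.0.1", "172.16.0.2"          # tunnel interface addresses
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")    # hypothetical protected range

PROTO_IPIP, PROTO_TCP, PROTO_GRE, PROTO_OSPF = 4, 6, 47, 89
GRE_ETHERTYPE_IPV4 = 0x0800


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    payload: bytes


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the header (checksum field zeroed)."""
    total = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(buf: bytes) -> IPv4Packet:
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(buf):
        raise ValueError("malformed IPv4 packet")
    return IPv4Packet(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                      proto, buf[ihl:total_len])


def decapsulate(pkt: IPv4Packet) -> Optional[IPv4Packet]:
    """Return the inner IPv4 packet for IP-in-IP (RFC 2003) or GRE (RFC 2784/2890), else None."""
    if pkt.proto == PROTO_IPIP:
        return parse_ipv4(pkt.payload)
    if pkt.proto == PROTO_GRE:
        if len(pkt.payload) < 4:
            raise ValueError("short GRE header")
        flags, ethertype = struct.unpack("!HH", pkt.payload[:4])
        if ethertype != GRE_ETHERTYPE_IPV4:
            return None                      # not carrying IPv4: nothing further to inspect here
        offset = 4                           # skip optional fields signalled by C, K and S bits
        offset += 4 if flags & 0x8000 else 0  # checksum + reserved1
        offset += 4 if flags & 0x2000 else 0  # key
        offset += 4 if flags & 0x1000 else 0  # sequence number
        return parse_ipv4(pkt.payload[offset:])
    return None


def policy_allows(pkt: IPv4Packet) -> bool:
    """Toy policy (an assumption of this example): tunnels only between the two routers,
    OSPF only from the tunnel interfaces, everything else only if it originates inside."""
    if pkt.proto in (PROTO_GRE, PROTO_IPIP):
        return {pkt.src, pkt.dst} == {ROUTER_A, ROUTER_B}
    if pkt.proto == PROTO_OSPF:
        return pkt.src in (TUN_A, TUN_B)
    return ipaddress.IPv4Address(pkt.src) in INSIDE_NET


def outer_only_verdict(buf: bytes) -> bool:
    """What an ACL matching only the outer header decides (the 'permit protocol 47' rule)."""
    return policy_allows(parse_ipv4(buf))


def decapsulating_verdict(buf: bytes, max_depth: int = 4) -> bool:
    """Apply the policy to every encapsulation layer; fail closed on excessive nesting."""
    pkt, depth = parse_ipv4(buf), 0
    while True:
        if not policy_allows(pkt):
            return False
        inner = decapsulate(pkt)
        if inner is None:
            return True
        depth += 1
        if depth > max_depth:
            return False
        pkt = inner


def gre_encap(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    return build_ipv4(outer_src, outer_dst, PROTO_GRE, struct.pack("!HH", 0, GRE_ETHERTYPE_IPV4) + inner)


# Constructed sample packets: a legitimate OSPF hello over the tunnel, and a TCP
# segment from an outside host to an inside host, sent directly and through both tunnel types.
OSPF_HELLO = build_ipv4(TUN_B, "224.0.0.5", PROTO_OSPF, b"<constructed OSPF hello>")
OUTSIDE_TCP = build_ipv4("203.0.113.5", "10.0.0.10", PROTO_TCP, b"<constructed TCP SYN>")
SAMPLES = {
    "ospf_over_gre": gre_encap(ROUTER_B, ROUTER_A, OSPF_HELLO),
    "tcp_over_gre": gre_encap(ROUTER_B, ROUTER_A, OUTSIDE_TCP),
    "tcp_over_ipip": build_ipv4(ROUTER_B, ROUTER_A, PROTO_IPIP, OUTSIDE_TCP),
    "tcp_direct": OUTSIDE_TCP,
}


def evaluate_all() -> dict:
    """Map sample name -> (outer-header ACL verdict, decapsulating verdict)."""
    return {name: (outer_only_verdict(buf), decapsulating_verdict(buf)) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, (outer, deep) in evaluate_all().items():
        print(f"{name:14s} outer-header ACL: {'permit' if outer else 'deny  '}  decapsulating: {'permit' if deep else 'deny'}")
```

The outer-header ACL permits the tunneled TCP segment exactly as it permits the OSPF hello, which is the "you've effectively removed the firewall" outcome Gert describes; only a device that decapsulates and re-applies policy to the inner header (or, as he argues, a design where the firewall itself knows the routes) distinguishes the two.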


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/