On Wed, 3 Feb 1999, Dave Wreski wrote:
> Hi all. I have a question about allowing routing protocols to go thru the
> firewall.
Routing protocols do not pass through the firewall per se. They have to
be received by the underlying OS (which acts like a router), processed and
then forwarded. Of course this means that the OS must include support for
the routing protocol in question (RIP, OSPF, etc.).
> Specifically, someone asked me about GRE, the Generic Routing
> Encapsulation protocol. Apparently this is used to encapsulate one
> protocol into another.
I'm sure someone will correct me if I'm wrong ;), but GRE is not really a
true routing protocol in the strict sense of the term. It is used
specifically to relay update information across a tunnel (like a VPN), not
to all networks in general. For example, PPTP uses GRE.
> To me, this could lead to allowing data types thru the firewall where we
> wouldn't normally allow.
Typically you need to open more than GRE to create a VPN/tunnel, but
essentially you are correct. You may have a security policy that states
that inbound FTP sessions are not allowed, but if someone comes in on a
VPN your firewall may not be able to deal with this encapsulated traffic.
The way around this is to terminate the tunnel using a product which
allows you to filter what services are allowed to be passed, something
that MS's PPTP implementation does not really let you do.
> Also, it has been stated that unless we allow this GRE thru the firewall,
> we would have to allow only one port thru the firewall. Otherwise, a
> whole number of ports would have to be opened.
Here's a trick, open GRE and when their inbound connection does not work
hold them to "only opening a single port". ;)
This depends on what services you are looking to support. If your security
policy states that only inbound POP-3 is to be allowed, you are only
looking at a single port. If however you want to give inbound users full
run of your network, then yes you may be looking at multiple port numbers.
Happy hunting,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
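The policy bypass Chris describes above (inbound FTP forbidden, yet an FTP session arrives untouched inside a GRE tunnel), shown as an added example that is not part of the original thread. It builds an IPv4/TCP packet to port 21, wraps it in GRE (IP protocol 47) and runs it through two toy filters: one that sees only the outer header, as a plain packet filter does, and one that decapsulates GRE and applies the same rule set to the inner packet, which is what a tunnel-terminating product lets you do. The addresses, the single-rule policy (inbound POP-3 only) and the use of plain GRE carrying IPv4 (RFC 2784 protocol type 0x0800, rather than PPTP's PPP payload) are assumptions made for the demonstration; real PPTP would additionally need a PPP decoder.

```python
"""Why allowing GRE through a port-based firewall can void the port policy.

Added example: constructs a GRE-encapsulated IPv4/TCP packet and compares
a filter that inspects only the outer IP header with one that decapsulates
GRE before applying the same inbound policy.
"""
import struct

GRE_PROTO = 47       # IP protocol number for GRE
TCP_PROTO = 6
ETH_P_IP = 0x0800    # GRE protocol type for an IPv4 payload (RFC 2784)

# Assumed policy: inbound POP-3 (TCP/110) only, GRE allowed for the VPN.
POLICY = {"allow_gre": True, "allowed_tcp_ports": {110}}


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_segment(sport: int, dport: int) -> bytes:
    """Minimal TCP SYN header; checksum left zero, only ports matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def gre_encapsulate(inner: bytes, key=None) -> bytes:
    """GRE header: flags/version, protocol type, optional Key field (K bit)."""
    flags, opt = 0, b""
    if key is not None:
        flags |= 0x2000                 # K bit: 32-bit Key follows the header
        opt = struct.pack("!I", key)
    return struct.pack("!HH", flags, ETH_P_IP) + opt + inner


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def parse_gre(data: bytes) -> dict:
    """Skip the optional fields announced by the C/R, K and S bits."""
    flags, ptype = struct.unpack("!HH", data[:4])
    off = 4
    if flags & 0xC000:   # C or R bit: Checksum + Offset present
        off += 4
    if flags & 0x2000:   # K bit: Key present
        off += 4
    if flags & 0x1000:   # S bit: Sequence Number present
        off += 4
    return {"flags": flags, "proto": ptype, "payload": data[off:]}


def parse_tcp(data: bytes) -> dict:
    sport, dport = struct.unpack("!HH", data[:4])
    return {"sport": sport, "dport": dport}


def outer_filter(pkt: bytes, policy: dict) -> str:
    """What a plain packet filter sees: the outer header only."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == GRE_PROTO:
        return "ACCEPT" if policy["allow_gre"] else "DROP"
    if ip["proto"] == TCP_PROTO:
        dport = parse_tcp(ip["payload"])["dport"]
        return "ACCEPT" if dport in policy["allowed_tcp_ports"] else "DROP"
    return "DROP"


def tunnel_aware_filter(pkt: bytes, policy: dict, depth: int = 0) -> str:
    """Terminate GRE first, then hold the inner packet to the same policy."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == GRE_PROTO and policy["allow_gre"]:
        if depth >= 2:               # refuse deeply nested tunnels
            return "DROP"
        gre = parse_gre(ip["payload"])
        if gre["proto"] != ETH_P_IP:  # e.g. PPTP's PPP (0x880B): cannot decode, so deny
            return "DROP"
        return tunnel_aware_filter(gre["payload"], policy, depth + 1)
    return outer_filter(pkt, policy)


# Constructed sample traffic (documentation address ranges, not real hosts).
FTP_INSIDE_GRE = ipv4_packet("203.0.113.5", "192.0.2.10", GRE_PROTO,
    gre_encapsulate(ipv4_packet("10.1.1.5", "10.0.0.21", TCP_PROTO,
                                tcp_segment(40000, 21)), key=42))
POP3_INSIDE_GRE = ipv4_packet("203.0.113.5", "192.0.2.10", GRE_PROTO,
    gre_encapsulate(ipv4_packet("10.1.1.5", "10.0.0.21", TCP_PROTO,
                                tcp_segment(40001, 110))))
BARE_FTP = ipv4_packet("203.0.113.5", "192.0.2.21", TCP_PROTO, tcp_segment(40002, 21))

if __name__ == "__main__":
    for name, pkt in [("bare FTP", BARE_FTP), ("FTP in GRE", FTP_INSIDE_GRE),
                      ("POP-3 in GRE", POP3_INSIDE_GRE)]:
        print(f"{name:12s} outer-only: {outer_filter(pkt, POLICY):6s} "
              f"tunnel-aware: {tunnel_aware_filter(pkt, POLICY)}")
```

The outer-only filter accepts the FTP session because all it ever sees is "protocol 47 from the VPN peer"; the tunnel-aware filter drops it because, once decapsulated, it is an inbound TCP/21 that the policy forbids. That is the whole argument for terminating the tunnel somewhere you can filter, rather than letting GRE flow through a filter that only matches on the outer header.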