Dave, >I've been monitoring/researching threads re: OSPF neighbors >separated by a firewall. I've worked and worked on this, and have given up >on the notion (BTW, it boils down to hellos [both multicast and unicast] >being sent with a TTL of 1, *not* simply opening the right ports/protocols). >Too many people that have never touched a sniffer keep commenting on this >OSPF issue.
Good stuff. I'd agree with your assessment. >For security reasons, I don't like the idea of tunneling OSPF through the >firewall (via GRE or whatever), because there's no way for the firewall to >apply policy to the tunnel traffic (if the tunnel were maliciously used to >pass non-OSPF traffic, the firewall would be oblivious). Your words imply that you view Firewalls as the only security mechanism or policy enforcement point in your network. That could be (in your case). Tunneling is a viable option for lots of scenarios. Policy enforcement and route pruning can be done elsewhere (on devices other than Firewalls). >Many contributors out there seem to feel that passing routing info across a >firewall is a "bad thing." A firewall *is* a router (and by virtue, it has >an obligation to participate in enterprise routing), but let's consider >real-life needs, such as bringing B2B connections through your firewall (a >"good thing"). If I have frame and VPN routers sitting on an isolated leg >of the firewall, I *certainly* need to know about those routes as they pop >up and down (static = "bad thing"). Although I do not terminate VPN >connections *on* my firewalls, the firewall should be able to inject those >routes into your routing environment, as well. A Firewall is not necessarily a router (But boy if it was you'd make lots of folks where I work happy). It's a policy enforcement point between two networks and a packet forwarder. It's not necessarily a router as not all forwarders perform all routing functions. I'm certain several Firewall manufacturers are cringing at your assertion that Firewalls have an obligation to participate in enterprise routing. I believe that much of the "bad thing" tag comes from the fact that in many environments security policies are enforced differently at different sites. Do you want every computer in a branch to know about all the routes to other branches as well as the entire HQ network? Well, maybe you do and maybe your security policies are up to securing that data. >Now, I'm now trying to locate an OSPF product that can be installed *on* the >firewall. Good luck. If you are ever looking for a hammer that also has a Phillips head screw driver built in; let me know. I know a place where you can buy those. Liberty for All, Brian At 12:01 PM 6/12/2002 -0700, [EMAIL PROTECTED] wrote: >Message: 1 >From: "Dave Row" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> >Subject: OSPF *on* Check Point FW-1 >Date: Wed, 12 Jun 2002 11:06:43 -0400 > >Howdy, folks. I've been monitoring/researching threads re: OSPF neighbors >separated by a firewall. I've worked and worked on this, and have given up >on the notion (BTW, it boils down to hellos [both multicast and unicast] >being sent with a TTL of 1, *not* simply opening the right ports/protocols). >Too many people that have never touched a sniffer keep commenting on this >OSPF issue. Onward... > >For security reasons, I don't like the idea of tunneling OSPF through the >firewall (via GRE or whatever), because there's no way for the firewall to >apply policy to the tunnel traffic (if the tunnel were maliciously used to >pass non-OSPF traffic, the firewall would be oblivious). > >Many contributors out there seem to feel that passing routing info across a >firewall is a "bad thing." A firewall *is* a router (and by virtue, it has >an obligation to participate in enterprise routing), but let's consider >real-life needs, such as bringing B2B connections through your firewall (a >"good thing"). If I have frame and VPN routers sitting on an isolated leg >of the firewall, I *certainly* need to know about those routes as they pop >up and down (static = "bad thing"). Although I do not terminate VPN >connections *on* my firewalls, the firewall should be able to inject those >routes into your routing environment, as well. > >Now, I'm now trying to locate an OSPF product that can be installed *on* the >firewall. The Nokia implementation natively supports several routing >protocols, but I'm running v4.1 SP5 on NT Enterprise. I'm not concerned >about the security implications, because it's easy enough to block OSPF >on/from interfaces, hosts, nets, etc. GateD *sounded* cool, until I learned >that it's only available on Unix (comments withheld, so please point your >flame throwers elsewhere). > >So, does anyone out there have a recommendation for (or any successes with) >an OSPF module that can be installed under NT/2000? Much appreciated. > > >Dave Row >CCNA, MCSE, CCSA >Senior Network Analyst _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
