OSPF on or through a firewall

Unanswered Question
Feb 3rd, 2009


I have a requirement to dynamically learn routes on one side of a firewall pair and send them to the inside. I have suggested running one OSPF process on the outside and redistribute specific routes into another ospf process on the inside. The firewall team have come back with a request to run OSPF "through" the firewall (dynamic protocols, security concerns blah blah). I have a config that should work to allow neighboring between 2 routers on different ASA interfaces.

My question is what is the general consensus on firewalls and OSPF. What exactly are the concerns running OSPF on the firewall and are there any benefits to running this config where we peer through the firewall?

Any time previously when I have suggested a dynamic protocol on firewalls the security teams snap back with the "security concerns" get out.

Thanks for any replies, Stephen.

JORGE RODRIGUEZ Tue, 02/03/2009 - 15:40

Stephen, I'm sure there have been OSPF vulnerabilities and probably still are; you can actually do a search in either Google or Cisco and you will find some useful OSPF exploit reports to learn from.

You can use OSPF in firewalls based on your design needs; however, generally it is recommended to use MD5 and/or explicitly allow OSPF neighbor sources by access lists. OSPF MD5 is effectively secure when used in firewalls... that's my opinion.


cisco24x7 Tue, 02/03/2009 - 16:07

I am one of those "security" guys who would NOT let people run OSPF on either of the firewalls. The firewall should function as a firewall and nothing else.

Here are some alternative solutions:

- run OSPF through the firewall via a GRE tunnel. That way firewalls do not have to run dynamic routing protocols,

- run eBGP through the firewalls. You will have better routing control.

Easy, right?

StevieOliver_2 Wed, 02/04/2009 - 00:18

With the greatest respect, that's the kind of answer I am talking about. Why should the firewall not run a dynamic routing protocol exactly? I know the alternative ways to avoid running OSPF on the firewall, but why shouldn't I run it? It is a mature part of PIX/ASA software. Cisco and other vendors' firewalls are capable of running it, so why shouldn't I take advantage of the feature? I would not run the firewall as an ABR between areas or even as an internal router in one area. I would run 2 instances of OSPF on it and redistribute specific routes between the processes. There must be specific reasons why not to run OSPF on the firewall rather than just that the firewall should only firewall.


JORGE RODRIGUEZ Wed, 02/04/2009 - 05:14

I am one of those "security" guys who would NOT let people run OSPF on either of the firewalls. The firewall should function as a firewall and nothing else.

Hi David,

You know I'm always looking for new learnings; from a security design perspective I would like to see a doc/link that can show us why OSPF and/or any dynamic routing protocol should be forbidden from use in firewalls. "Firewalls should do what they are meant to do" is not what I want to hear; I need a deeper understanding.


cisco24x7 Wed, 02/04/2009 - 18:24

There are people who are experts with both R&S and Security, but most people are either specialized in R&S or Security but not both.

Firewalls are security devices. They are not designed for dynamic routing purposes. They can do the job but they are not designed for it. The more applications you put on the firewalls, the more complex it becomes and the vulnerability increases. When everything is going great, there are no problems. When issues arise, it will require R&S experts to get on the firewalls, which most security folks do not want. As a rule of thumb, you do not want an R&S guy to touch a security device just as you do not want a security guy to touch complex BGP or complex STP stuff. When you separate things like that, it makes things much easier to troubleshoot when issues arise.

You can look at it this way. A firewall can also terminate VPN in addition to functioning as a firewall; however, most environments separate these into two different devices.

StevieOliver_2 Thu, 02/05/2009 - 00:16


That's what I suspected and it is not meant as a criticism. It is a skill set issue mainly.

That substantiates the statement that Firewalls should firewall and routers should route because the people that maintain them have specialised skills in each independent area. However, as I said, when someone makes a statement such as "running dynamic protocols on a firewall is a security risk" without substantiating it with exactly what the risk is then the statement is open to being questioned.

From my point of view if you run 2 OSPF processes, one on each side of the firewall, and redistribute specific routes between those processes, then this is a reasonable request to be implemented.

I do like the solution of running BGP or OSPF transparently through the firewall, where it only has to deal with passing the protocol traffic, but some customers do ask specifically to run dynamic routing on the firewall and you can't get away with unsubstantiated statements such as "it's a security risk".

Thanks for the replies, Stephen.
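As an added illustration of the design discussed in this thread (two OSPF processes on the ASA with MD5 authentication, as Jorge suggests, and only explicitly selected routes redistributed between them, as Stephen proposes), here is an example ASA configuration. It is not from any of the posters; interface names, addresses, process ids, prefixes and the key placeholders are all assumed for the example.

```cisco
! Added example, not from the thread. Two OSPF processes on one ASA:
! process 1 faces outside, process 2 faces inside. The ASA is never an
! ABR; the processes only exchange what the route-maps permit, and
! every neighbor must pass MD5 authentication. All values are placeholders.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-OUTSIDE-KEY
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-INSIDE-KEY
!
! Only these outside prefixes may be advertised inward; anything not
! listed is dropped by the implicit deny at the end of the prefix-list.
prefix-list OUTSIDE-TO-INSIDE seq 10 permit 203.0.113.0/24
prefix-list OUTSIDE-TO-INSIDE seq 20 permit 192.0.2.0/24 le 26
!
! Only the inside aggregate may be advertised outward.
prefix-list INSIDE-TO-OUTSIDE seq 10 permit 10.10.0.0/16
!
route-map RM-OUT-TO-IN permit 10
 match ip address prefix-list OUTSIDE-TO-INSIDE
!
route-map RM-IN-TO-OUT permit 10
 match ip address prefix-list INSIDE-TO-OUTSIDE
!
! Process 1 (outside): area-wide MD5 so unauthenticated hellos are ignored.
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0
 area 0 authentication message-digest
 redistribute ospf 2 subnets route-map RM-IN-TO-OUT
!
! Process 2 (inside): same authentication posture, separate key.
router ospf 2
 network 10.10.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 redistribute ospf 1 subnets route-map RM-OUT-TO-IN
```

After applying it, `show ospf neighbor` on the ASA should list only the expected peers on each interface, and `show route` on an inside router should contain only the prefixes permitted by OUTSIDE-TO-INSIDE.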
