02-03-2009 12:37 PM - edited 03-11-2019 07:45 AM
Hi
I have a requirement to dynamically learn routes on one side of a firewall pair and send them to the inside. I have suggested running one OSPF process on the outside and redistributing specific routes into another OSPF process on the inside. The firewall team have come back with a request to run OSPF "through" the firewall (dynamic protocols, security concerns, blah blah). I have a config that should work to allow neighboring between 2 routers on different ASA interfaces.
My question is: what is the general consensus on firewalls and OSPF? What exactly are the concerns with running OSPF on the firewall, and are there any benefits to running this config where we peer through the firewall?
Any time previously when I have suggested a dynamic protocol on firewalls, the security teams snap back with the "security concerns" get-out.
Thanks for any replies, Stephen.
02-03-2009 03:40 PM
Stephen, I'm sure there have been OSPF vulnerabilities and probably still are; you can actually do a search in either Google or Cisco and you will find some useful OSPF exploit reports to learn from.
You can use OSPF on firewalls based on your design needs; however, generally it is recommended to use MD5 and/or explicitly allow OSPF neighbor sources by access lists. OSPF MD5 is effectively secure when used on firewalls... that's my opinion.
Regards
02-03-2009 04:07 PM
I am one of those "security" guys who would NOT let people run OSPF on the firewalls. The firewall should function as a firewall and nothing else.
Here are some alternative solutions:
- run OSPF through the firewall via a GRE tunnel. That way firewalls do not have to run dynamic routing protocols,
- run eBGP through the firewalls. You will have better routing control.
Easy, right?
02-04-2009 12:18 AM
With the greatest respect, that's the kind of answer I am talking about. Why exactly should the firewall not run a dynamic routing protocol? I know the alternative ways to avoid running OSPF on the firewall, but why shouldn't I run it? It is a mature part of PIX/ASA software. Cisco and other vendors' firewalls are capable of running it, so why shouldn't I take advantage of the feature? I would not run the firewall as an ABR between areas or even as an internal router in one area. I would run 2 instances of OSPF on it and redistribute specific routes between the processes. There must be specific reasons why not to run OSPF on the firewall rather than just that the firewall should only firewall.
Stephen.
02-04-2009 05:14 AM
"I am one of those "security" guys who would NOT let people run OSPF on the firewalls. The firewall should function as a firewall and nothing else."
Hi David,
You know I'm always looking for new learnings. From a security design perspective I would like to see a doc/link that can show us why OSPF and/or any dynamic routing protocol should be forbidden from use on firewalls. A firewall should do what it is meant to do, but this is not what I want to hear; I need a deeper understanding.
Regards
02-04-2009 06:24 PM
There are people who are experts with both R&S and Security, but most people are either specialized in R&S or Security but not both.
Firewalls are security devices. They are not designed for dynamic routing purposes. They can do the job, but they are not designed for it. The more applications you put on the firewalls, the more complex it becomes and the vulnerability increases. When everything is going great, there are no problems. When issues arise, it will require R&S experts to get on the firewalls, which most security folks do not want. As a rule of thumb, you do not want an R&S guy to touch a security device, just as you do not want a security guy to touch complex BGP or complex STP stuff. When you separate things like that, it makes things much easier to troubleshoot when issues arise.
You can look at it this way. A firewall can also terminate VPNs in addition to functioning as a firewall; however, most environments separate these into two different devices.
02-04-2009 07:20 PM
Very logical way of putting it.
02-05-2009 12:16 AM
Thanks.
That's what I suspected and it is not meant as a criticism. It is a skill set issue mainly.
That substantiates the statement that firewalls should firewall and routers should route, because the people that maintain them have specialised skills in each independent area. However, as I said, when someone makes a statement such as "running dynamic protocols on a firewall is a security risk" without substantiating it with exactly what the risk is, then the statement is open to being questioned.
From my point of view, if you run 2 OSPF processes, one on each side of the firewall, and redistribute specific routes between those processes, then this is a reasonable request to be implemented.
I do like the solution of running BGP or OSPF transparently through the firewall, where it only has to deal with passing the protocol traffic, but some customers do ask specifically to run dynamic routing on the firewall, and you can't get away with unsubstantiated statements such as "it's a security risk".
Thanks for the replies, Stephen.
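As an added illustration (not config posted in this thread), here is what the two-process design Stephen describes looks like on an ASA, combined with the MD5 authentication recommended earlier in the thread: each process peers on one interface only, and only the prefixes named in the prefix-lists cross between the processes. Interface names, addresses, process numbers and the key placeholders are assumptions for the example.

```cisco
! Constructed example, not from the thread. Assumed addressing:
!   outside: 192.0.2.1/24, OSPF process 1, area 0, peers with an outside router
!   inside:  10.1.1.1/24,  OSPF process 2, area 0, peers with an inside router
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 ! Neighbors must present a valid MD5 digest; unauthenticated hellos are ignored
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-OUTSIDE-KEY
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-INSIDE-KEY
!
! Only these inside prefixes may be advertised to the outside process
prefix-list INSIDE-TO-OUTSIDE seq 10 permit 10.1.0.0/16 le 24
! Only this outside prefix may be advertised to the inside process
prefix-list OUTSIDE-TO-INSIDE seq 10 permit 198.51.100.0/24
!
route-map RM-INSIDE-TO-OUTSIDE permit 10
 match ip address prefix-list INSIDE-TO-OUTSIDE
route-map RM-OUTSIDE-TO-INSIDE permit 10
 match ip address prefix-list OUTSIDE-TO-INSIDE
!
! Process 1 lives only on the outside interface
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
 redistribute ospf 2 subnets route-map RM-INSIDE-TO-OUTSIDE
!
! Process 2 lives only on the inside interface
router ospf 2
 network 10.1.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 redistribute ospf 1 subnets route-map RM-OUTSIDE-TO-INSIDE
```

Because each process has a network statement for one interface only, the ASA is never an ABR or internal router spanning both sides, and anything not matched by the prefix-lists is dropped at redistribution.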