route selection

Unanswered Question
Apr 27th, 2009

Pls. find attached diagram. My question is: I am not the one managing the FW, and most of the traffic passes through the FW from R1 to R2 to FW. What will happen if I put a route from R2 that will pass through R3 to reach the other network? Will this be OK, even though I already have a route to the other network that passes through the FW? Which one will be used? Thanks.

Giuseppe Larosa Mon, 04/27/2009 - 23:11

Hello Oliver,

Firewalls are very sensitive to asymmetric routing, and they usually don't allow flows if they see only the packets in one direction.

That said, if the static route that you add is comparable to the one already existing to the FW, R2 will try to load balance traffic on the two static routes: some flows (defined by IP SA and IP DA) will be sent out the link to the FW and others will be sent to R3.

Now, on the return path the same problem happens on R3:

Without any change, traffic will probably go to the FW, with the possible problems described above.

From a security point of view, the link between R2 and R3 should not be present at all, because it provides a potential bypass of the FW.

I would contact the FW admin and ask them to change the FW config to allow the traffic you need.

Bypassing the FW is not a good idea: should an attack be performed against your network, someone later investigating it will find this weakness.

As I wrote above, that link between R2 and R3 should not exist in a clean security design.

Hope this helps

Giuseppe
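To make the point above concrete, here is an added Python model of the topology (it is not part of the original thread and not Cisco code): R2 holds two comparable static routes and shares flows across them by a per-flow hash, while a stateful FW only passes a reply for a flow whose outbound packet it saw. The addresses, the simple additive flow hash and the next-hop names "FW" and "R3" are constructed assumptions.

```python
# Added toy model of the thread's topology (not from the original post).
# Inside hosts behind R2 reach the "other network" behind R3. Path 1 is the
# existing route R2 -> FW -> R3; path 2 is the proposed route R2 -> R3.
# All addresses below are constructed sample values.
from collections import Counter

def flow_hash(src, dst):
    """Stand-in for a router's per-flow hash: a deterministic function of
    the (src, dst) pair, so one flow always takes the same path."""
    return sum(int(o) for o in f"{src}.{dst}".split("."))

def pick_next_hop(next_hops, src, dst):
    """Two comparable static routes: R2 shares flows across all next hops."""
    return next_hops[flow_hash(src, dst) % len(next_hops)]

class StatefulFirewall:
    """Permits a reply only if it saw the forward packet of that flow."""
    def __init__(self):
        self.sessions = set()
        self.dropped = []          # replies that matched no session
    def outbound(self, src, dst):
        self.sessions.add((src, dst))
    def inbound(self, src, dst):
        if (dst, src) in self.sessions:
            return True
        self.dropped.append((src, dst))
        return False

def simulate(flows, r2_next_hops):
    """Return ({flow: reply_delivered}, replies the FW dropped). R3's route
    back to the inside network is unchanged, so replies still cross the FW."""
    fw = StatefulFirewall()
    delivered = {}
    for src, dst in flows:
        if pick_next_hop(r2_next_hops, src, dst) == "FW":
            fw.outbound(src, dst)            # FW learns the session
        # else: forward packet went R2 -> R3 directly and the FW saw nothing
        delivered[(src, dst)] = fw.inbound(dst, src)  # reply from R3 via FW
    return delivered, fw.dropped

FLOWS = [(f"10.0.0.{k}", "172.16.0.10") for k in range(1, 9)]

if __name__ == "__main__":
    before, _ = simulate(FLOWS, ["FW"])
    after, dropped = simulate(FLOWS, ["FW", "R3"])
    print("only FW route  :", Counter(before.values()))
    print("FW + R3 routes :", Counter(after.values()))
    print("replies the FW dropped:", dropped)
```

With only the FW route every reply is delivered; once the R3 route is added, the flows hashed onto R3 reach their destination but their replies are dropped at the FW, which is the asymmetric-routing failure described in the answer.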
