On Feb 02, 1997 at 02:44:51AM, toon @
> We now have some problems that people would like to solve by letting
> RIP packets or ICMP Redirect packets to be handled by the firewall.
> I do not feel comfortable with this.
> Can someone give me some security arguments?
The issue that comes to my mind is that you can use these facilities to
convince the firewall that a route to a particular host goes in a false
direction. Consequently, this allows you to set up "in the middle"
For example, the firewall tries to talk to host X. Host X is on network
Y. The bad guy has convinced the firewall that network Y is out on an
untrusted network, when it's really on a trusted network. The bad guy has
an opportunity to convince the firewall that the network is in the wrong
direction because there is a process on the firewall listening for just
such information. Presumably, the firewall wouldn't listen to updates
from the untrusted network. Still, you're adding complication that doesn't
need to be there.
In any case, if the bad guy can convince the firewall that network Y is on
the untrusted network, then the firewall will send information that is
supposed to be on the trusted network to the untrusted network.
I think that mjr describes this as a complete failure of the firewall.
This is the risk of allowing dynamic routing on a firewall.
With respect to that risk, it's definitely a tradeoff. Is the benefit
that is gained by allowing dynamic routes on the firewall worth the risk
of a complete failure? Can you diminish the risk of failure by putting
several layers in place to ensure that the firewall will never listen to
routing updates from the untrusted network?
If you ask me, the risk is pretty great and I wouldn't build a firewall
with this sort of thing enabled.
Mark Horn <mhorn @
PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
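As an added illustration (not part of this post or the thread), the following Python model shows the failure the reply describes and the "several layers" question it ends with: a firewall with static routes over trusted and untrusted interfaces receives RIPv2 Response packets, and two independent checks decide whether an advertised route may be installed. The RIPv2 wire layout is the real one; the interface names, prefixes, next hops and packets are constructed for the example, and the two-layer policy is my own suggestion rather than any product's behaviour.

```python
"""
Toy model of dynamic-routing risk on a firewall (added example).
Layer 1 refuses any routing update that arrives on an untrusted interface.
Layer 2 refuses updates that would move part of a pinned trusted network
onto a different interface, so a single mislabelled interface is not fatal.
"""
import ipaddress
import struct

RIP_RESPONSE, RIP_V2, AF_INET, ENTRY_LEN, RIP_INFINITY = 2, 2, 2, 20, 16


def build_rip_response(routes):
    """Build a RIPv2 Response from (prefix, next_hop, metric) tuples.
    Used only to construct sample input for the model."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0,
                           net.network_address.packed, net.netmask.packed,
                           ipaddress.ip_address(next_hop).packed, metric)
    return pkt


def parse_rip_response(data):
    """Parse a RIPv2 Response into (network, next_hop, metric) tuples."""
    if len(data) < 4 or (len(data) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP packet")
    cmd, ver, _ = struct.unpack("!BBH", data[:4])
    if cmd != RIP_RESPONSE or ver != RIP_V2:
        raise ValueError("not a RIPv2 Response")
    routes = []
    for off in range(4, len(data), ENTRY_LEN):
        af, _tag, addr, mask, nh, metric = struct.unpack(
            "!HH4s4s4sI", data[off:off + ENTRY_LEN])
        if af != AF_INET:
            continue
        net = ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")
        routes.append((net, ipaddress.ip_address(nh), metric))
    return routes


class Firewall:
    def __init__(self, interfaces, static_routes):
        self.trusted = interfaces                      # iface -> bool
        self.routes = {ipaddress.ip_network(n): i      # prefix -> iface
                       for n, i in static_routes.items()}
        # Static routes on trusted interfaces are pinned: no dynamic
        # update may move them (or anything inside them) elsewhere.
        self.pinned = {n: i for n, i in self.routes.items() if self.trusted[i]}
        self.log = []                                  # what a defender would alert on

    def accept_update(self, iface, net, next_hop, metric):
        # Layer 1: never learn routes from an untrusted interface at all.
        if not self.trusted[iface]:
            self.log.append(f"DROP untrusted-source iface={iface} {net} via {next_hop}")
            return False
        # Layer 2: a prefix inside a pinned trusted network may only be
        # learned on that network's own interface.
        for pinned, pinned_iface in self.pinned.items():
            if net.subnet_of(pinned) and iface != pinned_iface:
                self.log.append(f"DROP pinned {pinned} conflict iface={iface} {net} via {next_hop}")
                return False
        if metric >= RIP_INFINITY:                     # RIP "unreachable": nothing to install
            self.log.append(f"IGNORE withdrawal {net} iface={iface}")
            return False
        return True

    def process_rip(self, iface, data):
        """Apply one incoming RIP packet; return the prefixes installed."""
        installed = []
        for net, nh, metric in parse_rip_response(data):
            if self.accept_update(iface, net, nh, metric):
                self.routes[net] = iface
                installed.append(net)
        return installed

    def route_for(self, host):
        """Longest-prefix match: which interface would traffic to host leave by?"""
        ip = ipaddress.ip_address(host)
        best = max((n for n in self.routes if ip in n), key=lambda n: n.prefixlen)
        return self.routes[best]


def demo():
    fw = Firewall({"inside": True, "outside": False, "dmz": True},
                  {"10.0.0.0/8": "inside", "0.0.0.0/0": "outside"})
    # Constructed inputs: an outside host advertising the inside network,
    # the same advertisement on a trusted but wrong interface, and a
    # legitimate more-specific inside route heard on the inside.
    hostile = build_rip_response([("10.1.0.0/16", "198.51.100.7", 1)])
    misdirected = build_rip_response([("10.1.0.0/16", "192.0.2.9", 1)])
    benign = build_rip_response([("10.2.0.0/16", "10.0.0.2", 2)])
    fw.process_rip("outside", hostile)
    fw.process_rip("dmz", misdirected)
    fw.process_rip("inside", benign)
    return fw
```

Running `demo()` leaves traffic for 10.1.5.5 on the inside interface (both attempts to redirect it are logged and dropped), installs only the benign 10.2.0.0/16 route, and sends unknown destinations out the default route. The log entries are the point for a defender: a firewall that accepts dynamic routing at all should at least record every update it refuses, since each one is a candidate for the "complete failure" the reply warns about.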