At 12:12 PM 5/6/97 +0200, Eric Deschamps wrote:
>I am not sure that a firewall should deal with routing at all (and with other
>stuff as well). I like the idea of building a perimeter defense with a
>firewall doing only filtering (with states engines) and having some proxies
>for specific applications.
A firewall is effectively a router. The vulnerability that makes people
antsy is the protocols used to update the routing tables. Most rout update
protocols are subject to being fed misinformation resulting in incorrect
routs, potentially making IP spoofing attacks easier. The solution of
most firewallers is static routs.
OSPF has a password option to help avoid getting routing areas mixed up -
but it's sent with the updates in the clear.
If you encrypt the link between 2 firewalls you can safely send routing
info. Just watch the overhead from updates that are too frequent.
My opinion only counts with those who want it.