| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi, why should one not configure dynamic routing protocols on a FW? What is the harm? Can anyone please justify this statement with links to some sites (Cisco, SANS, Check Point) which support this? Reg. YT |
| Quote:
1. Many firewall problems are actually routing problems in disguise, so putting your dynamic routing on the same box as your Security Gateway makes it far more difficult to debug either of them.
2. By using dynamic routing, your Security Gateway has to trust the routing information updates it receives from other routers. This is a security risk; better to hard code them in as static routes. |
| I don't think you will find anything useful on the Cisco site about why not to use dynamic routing on firewalls, as this is one of the selling points that Cisco uses with their firewalls: how easy they are to add to a dynamic routing system. With regard to dynamic routing on the firewall, I would not place it on any firewall that is an Internet gateway; I would consider placing it only on firewalls that are internal, or used with an MPLS cloud to encrypt your traffic over the MPLS network. I know some places that actually place the default gateway on their Internet firewall to point inwards, so you have to have specific routes pointing to the Internet to be able to make a connection to it. Search Google for "Firewall Best Practices" and it has links to Cisco and SANS regarding firewall best practices; there may be something in the docs it references that is suitable. |