Routing Protocols on Firewalls from a Design Standpoint

What routing protocols, if any, do you feel it's okay to use on firewalls, from a design standpoint?

With the extra load it's going to put on firewalls, which do you feel it's okay to use, if any?

Find more posts tagged with

Comments

tech-airman

darkerosxx wrote:

What routing protocols, if any, do you feel it's okay to use on firewalls, from a design standpoint?

With the extra load it's going to put on firewalls, which do you feel it's okay to use, if any?

darkerosxx,

It depends. Are you talking about IOS firewalls on routers/L3Switches or routers/L3Switches in conjunction with a firewall device?

GT-Rob

Quite often I see just static and default routes on FWs. I think you have to take security into consideration as well when talking about this subject (as in, the device advertising its networks).

Also depends on the placement. Usually FW traffic is either in one end and out the other, or vice versa. No point in really trying to figure out where to send something when there is only 1 direction left to send it.

networker050184

GT-Rob wrote:

Also depends on the placement. Usually FW traffic is either in one end and out the other, or vice versa. No point in really trying to figure out where to send something when there is only 1 direction left to send it.

Agreed. I haven't seen a situation that has warranted routing protocols on a dedicated firewall when a few static routes will do.

I say leave the routing to the router and the security to the firewall. The less overhead and unnecessary services running the faster each box will be able to do its primary function.

dtlokee

IT really can vary, if the firewall is at the edge of your network then it's pretty easy to use static routing, but when it's in the middle of the network that is a different story.

Other considerations include failover designs (VPN backup to a WAN link), and when firewalls are used to load balance incomming RA VPN sessions and you're using RRI. In these cases it will typically be necessary to use dynamic routing protocols.

darkerosxx

So my next question is if you're using dynamic routing protocols everywhere else, should you use them on firewalls?

I've read about the security issues, but I'm wondering about efficiency, really.

GT-Rob

You can mix static and dynamic routing protocols no problem. Again, its going to depend where the FW is placed, but I 'usually' only ever see static routes on dedicated FWs.

malcybood

static routes are usually deployed on perimiter firewalls and public facing devices such as VPN concentrators in my experience.

Static routes configured on the firewall to route traffic to the core LAN switch. The LAN core switch would run a dynamic routing protocol such as OSPF etc between corporate LAN/WAN VLANs (i.e. server VLAN, voice VLAN, WAN VLAN etc) & networks configured on the LAN core switch.

Remember you would also need static routes configured on the core LAN switch to route traffic back to the networks which hang off the firewall i.e. internet gateway, DMZs etc.

dtlokee

If you are using NAT on the firewall then it becomes the edge of the routing domain and doesn't need you to configure dynamic routing accross it, static routes should be fine. Should you use a dynamic routing protocol on the firewall? Most likely not but in cases where there are multiple internet connections it may be used to provide an alternate path to another firewall if one should fail. This could be a BGP configuration (not from the ASA), dynamic routing, or dynamic routing combined with floating static routes.

darkerosxx

Thanks for the help, guys.

We were discussing this at work and the two questions came up about using OSPF on an edge firewall: the performance/efficiency issue and the security issue.

We use OSPF everywhere else and the claim was that's the reason it should be on the firewall, because we want to have as few static routes as possible. My claim was that from an efficiency standpoint, the CCDA design material I've been studying seems to claim it could cause performance issues and that's not really the way you want to build your infrastructure. You don't want to put extra services on boxes that don't require it and in places where it's not required, especially not because it looks nice. I'm pulling that from the general theory, so it may be wrong/right. I'm not really sure, as I haven't seen it in practice.