Top
Browse > Home / Cisco, Design / Why use two routing processes in a firewall ?

Why Use Two Routing Processes in a Firewall ?

10 March, 2008 by Greg Ferro      Print Posting

In a recent post on Two OSPF Processes on an ASA firewall Christian asked why you would want to do this. Here is one case of a design that needs secure routing :

A common problem in Enterprise networking is that B2B connectivity is reasonably common and for larger organisations a big problem. You can have hundreds of external connections. In times past, we tried to have multiple firewall clusters to handle B2B, partner and other types of connectivity, but this has caused security issues and networking problems when the the Enterprise network core is very large.

More importantly however, we are now deploying a lot of hardware, software and tools to secure, monitor and respond to all our external connections and these technologies (note 3) cost a really serious amount of money. Having only one firewall cluster can be a means to reduce the cost and to improve security by needing to control only a single point into the network. The difficulty is that by bringing all service flows in to a single place, you lose the separation of data flows.

Consider a firewall cluster as shown in the diagram below. Note that the firewall would be a HA pair but looks like a single unit.

twoospfpro1.png

The first to note is that the default route to the Internet is required for external access. The second area is a pair of redundant VPN concentrators that are hosting permanent IPsec connections. The third area is the leased line connections using Frame Relay, ATM or even ISDN.

VPN Concentrators

If you are using IOS as VPN concentrators, then you do not necessarily have automatic failover. (Note 1). So you might deploy two C7200 using HSRP, then configure Reverse Route Injection to inject the routes associated with each VPN tunnel. This then allows the firewall to forward traffic for an inbound VPN tunnel to the correct next hop in the event that a unit has failed. (Note 2). By redistributing the static routes generated by the RRI, you are then able to inject the VPN routes on to the firewall.

Leased Line

For permanent services, partners often connect over Frame Relay but require an ISDN connection as a backup. The firewall needs to have routes to advise which is the next hop for the external source in the event of failover. OSPF routing from the Frame Relay and ISDN headends will allow for correct routing of packets.

Routing Security

So why not have a single process ? Because a user connected on the VPN would see routes in the Leased Line Network. By separating the routing process we can ensure that there is a service separation ( and this concept is approximately in line with common security practice). The possibility that a VPN connected organisation could access the frame relay network is very real.

By separating the VPN connection from the Leased Line connections, we have created quite distinct security zones on a single infrastructure.

CCIE Candidates might like to give some thought to making the OSPF more secure by restricting the routes in OSPF Process 2 ? Could you use a stub area or a totally stubby area to restrict routes ? Obviously OSPF authentication and encryption is mandatory. What about static definition of OSPF neighbors ?

Some things to note

You should note that a modern Enterprise firewall cluster would have more equipment than this. There are no proxy servers, application firewalls, IDS/IPS, content filtering, web scanning, virus scanning etc shown in the diagram. These are usually commissioned where the diagram shows “internal”.

For larger Enterprise networks, BGP peering is necessary to determine the next hop, Cisco ASA does not address this very well at well. However Juniper does.

Conclusion

This is a complicated topic and if you are reading about firewall design you will probably have a load of questions. Hopefully I have covered (for at least one design) why you would two OSPF processes. Leave a comment and I will do my best to answer.

Addendum

Note 1: Later versions of IOS do support stateful failover of IPSec termination points, but not all Enterprises are able to use latest version of IOS.

Note 2: This got a whole lot easier when HRSP tracking was implemented but note that outbound VPN routing can be a problem in this design.

Note 3: Consider the following virus scanning, IDS / IPS servers and taps, logging (bandwidth for seconding those logs), security procedures and approvals and so on

Please rate this post :    Why ?
Rating: 0.0/10 (0 votes cast)
Share:
  • Reddit
  • Digg
  • del.icio.us
  • Facebook
  • Google
  • StumbleUpon
  • TwitThis
  • LinkedIn
Filed Under: Cisco, Design
Tagged: , ,

Comments

One Response to “Why Use Two Routing Processes in a Firewall ?”

  1. Christian on March 14th, 2008 1:46 pm

    Greg -

    Makes much sense now! Thanks for taking the time out to write a detailed post about this! :)

Feel free to leave a comment...
and oh, if you want a pic to show with your comment, go get a gravatar!





Bottom