Why Use Two Routing Processes in a Firewall ?

March 10, 2008 by Greg Ferro · 1 Comment

Hi! If you are new here, you might want to subscribe to the RSS feed to here more from me.

VPN Concentrators
Leased Line
Routing Security
Some things to note
Conclusion
Addendum
Comments (1)

A common problem in Enterprise networking is that B2B connectivity is reasonably common and for larger organisations a big problem. You can have hundreds of external connections. In times past, we tried to have multiple firewall clusters to handle B2B, partner and other types of connectivity, but this has caused security issues and networking problems when the the Enterprise network core is very large.

More importantly however, we are now deploying a lot of hardware, software and tools to secure, monitor and respond to all our external connections and these technologies (note 3) cost a really serious amount of money. Having only one firewall cluster can be a means to reduce the cost and to improve security by needing to control only a single point into the network. The difficulty is that by bringing all service flows in to a single place, you lose the separation of data flows.

Consider a firewall cluster as shown in the diagram below. Note that the firewall would be a HA pair but looks like a single unit.

The first to note is that the default route to the Internet is required for external access. The second area is a pair of redundant VPN concentrators that are hosting permanent IPsec connections. The third area is the leased line connections using Frame Relay, ATM or even ISDN.

VPN Concentrators

If you are using IOS as VPN concentrators, then you do not necessarily have automatic failover. (Note 1). So you might deploy two C7200 using HSRP, then configure Reverse Route Injection to inject the routes associated with each VPN tunnel. This then allows the firewall to forward traffic for an inbound VPN tunnel to the correct next hop in the event that a unit has failed. (Note 2). By redistributing the static routes generated by the RRI, you are then able to inject the VPN routes on to the firewall.

Leased Line

For permanent services, partners often connect over Frame Relay but require an ISDN connection as a backup. The firewall needs to have routes to advise which is the next hop for the external source in the event of failover. OSPF routing from the Frame Relay and ISDN headends will allow for correct routing of packets.

Routing Security

So why not have a single process ? Because a user connected on the VPN would see routes in the Leased Line Network. By separating the routing process we can ensure that there is a service separation ( and this concept is approximately in line with common security practice). The possibility that a VPN connected organisation could access the frame relay network is very real.

By separating the VPN connection from the Leased Line connections, we have created quite distinct security zones on a single infrastructure.

CCIE Candidates might like to give some thought to making the OSPF more secure by restricting the routes in OSPF Process 2 ? Could you use a stub area or a totally stubby area to restrict routes ? Obviously OSPF authentication and encryption is mandatory. What about static definition of OSPF neighbors ?

Some things to note

You should note that a modern Enterprise firewall cluster would have more equipment than this. There are no proxy servers, application firewalls, IDS/IPS, content filtering, web scanning, virus scanning etc shown in the diagram. These are usually commissioned where the diagram shows “internal”.

For larger Enterprise networks, BGP peering is necessary to determine the next hop, Cisco ASA does not address this very well at well. However Juniper does.

Conclusion

This is a complicated topic and if you are reading about firewall design you will probably have a load of questions. Hopefully I have covered (for at least one design) why you would two OSPF processes. Leave a comment and I will do my best to answer.

Addendum

Note 1: Later versions of IOS do support stateful failover of IPSec termination points, but not all Enterprises are able to use latest version of IOS.

Note 2: This got a whole lot easier when HRSP tracking was implemented but note that outbound VPN routing can be a problem in this design.

Note 3: Consider the following virus scanning, IDS / IPS servers and taps, logging (bandwidth for seconding those logs), security procedures and approvals and so on

Table of Contents

VPN Concentrators
Leased Line
Routing Security
Some things to note
Conclusion
Addendum
Comments (1)

Please rate this post:

Why Rate Posts?

$1 Star - It\\\'s Crud$ $2 Stars - It\\\'s Tosh$ $3 Stars - Something\\\'s missing$ 4 Stars - Needs works

(No Ratings Yet)

Loading ...

Filed under Cisco, Design · Tagged with Cisco, Security

Probably Related Posts on the Same Topic

Cisco ASA Supports Two OSPF Processes

Sometimes, thinking too much stops you from checking the basics. I have often wished that the Cisco ASA supported more than one routing process like the Juniper Netscreen does (which does this brilliantly). Why didn’t I look for this sooner ?-

Read the full article

Blessay: Designing Enterprise DMZ and Multilayer Firewall Clusters

In modern Enterprise networks, you typically have many clusters of firewalls protecting assets in your network. Since we use two or more layers of firewalls, we can put our DMZ for intermediate security zones in different places in our network. Lets gather together the different options and consider the merits or not, and sometimes how they ‘self-build’.

Read the full article

Blessay:Firewalls Are Like Noses:Everyone’s Got One.

The thing about firewalls is that all networks have them. Once, firewall expertise was rare and a special job focus. Now, firewalls are like noses — everyone’s got one.

Read the full article

Single Internet Connection but HA Infrastructure — Using Bridging Instead of Routing

The customer had decided to build a hosting platform, but could only arrange for a single internet connection to that site due to location. However, all other hardware was duplicated for high availability. After considering the options the following diagram was prepared showing the first pass at the design. This was the Internet Connection (100Mb Ethernet) connected to the router, then connected to a switch, which was interconnected by trunk to a second switch. The first layer of firewalls is then connected.

Read the full article

Comments

One Response to “Why Use Two Routing Processes in a Firewall ?”

Christian says:

14 March 2008 at 13:46

Greg -

Makes much sense now! Thanks for taking the time out to write a detailed post about this!

Reply

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

A Random Selection of Other Fine Posts (or Not)

Satyam Fraud — Shakes Foundation of Cloud Computing ?

How to Make a Network Cable — wikiHow

Mediatemple Causing Intermittent Site Outages

Cisco IOS Order of Operation — Updated, Again

Musing:There Is Hope for the World After All