Firewall Wizards: Re: null routes and VPN's

Re: null routes and VPN's

From: Lord Sporkton <lordsporkton_at_gmail.com>
Date: Tue, 20 May 2008 14:22:09 -0700

2008/5/20 Kerry Milestone <km4_at_sanger.ac.uk>:
> Hello,
>
> Is it a wise idea to put a default route on the inside (trusted) side of a
> firewall with a high metric for when a VPN drops? Essentially, blackholing
> all traffic until the VPN comes back and the default route is again the end
> of the VPN?
>
> Assuming there is a rule on the outside which allows only VPN traffic from
> the other end (point to point and only traffic allowed through the VPN),
> should both ends of the VPN have null routes for when it's down (for traffic
> within the VLAN for this VPN)?
>
> What would be the implementation side effects, something along the lines of
> once the VPN is up it's a matter of timeout on the routing protocol (say
> OSPF) to propagate the default route? Should a modernish firewall do this
> automagically anyway??
>
> Cheers,
> Kerry.
>
>
>
> --
> The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
> a charity registered in England with number 1021457 and a company registered
> in England with number 2742969, whose registered office is 215 Euston Road,
> London, NW1 2BE.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

I had a little trouble understanding your question, however I will say this.

There should be a high-weight black hole route for any given gateway, be
that gateway a default route, a LAN interface, or a VPN. This is good
for many reasons:
1) it keeps down loop traffic, and reduces routing load in an already
compromised situation.
2) if used for a VPN it keeps you from spewing private traffic out an
unprotected or public link.

I have only seen a few implementations where a VPN could use a black hole route:
if you're using an IPsec tunnel you don't have a real route to blackhole,
all you have is an interesting traffic filter;
if you're using a GRE tunnel this might work;
if you're using MPLS (or its siblings) this might work, but I'm not sure if
it's more trouble than it's worth.

Just my 2 cents.

-- 
-Lawrence
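The leak Lawrence describes in point 2, and the fix, worked through as an added example (not from the thread): a small model of a forwarding table that picks routes by longest prefix and then lowest metric, with a constructed remote VPN subnet 10.20.0.0/16, a constructed ISP next hop 203.0.113.1, and a high-metric blackhole route for that subnet. When the tunnel route is withdrawn, the blackhole, not the default route, catches the private traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # next hop / interface, or "blackhole"
    metric: int   # lower wins among equal-length prefixes


def lookup(table, dst):
    """Select a route the way a typical FIB does:
    longest prefix first, then lowest metric. Returns None if no match."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def build_table(vpn_up, with_blackhole):
    """Constructed routing table: a default route out the public link,
    the VPN route for the remote subnet (only while the tunnel is up),
    and optionally the high-metric blackhole for that same subnet.
    On Linux the blackhole line is roughly:
        ip route add blackhole 10.20.0.0/16 metric 250
    (assumed equivalent, not taken from the thread)."""
    table = [Route(ipaddress.IPv4Network("0.0.0.0/0"), "203.0.113.1 (ISP)", 10)]
    if vpn_up:
        table.append(Route(ipaddress.IPv4Network("10.20.0.0/16"), "tun0 (VPN)", 10))
    if with_blackhole:
        table.append(Route(ipaddress.IPv4Network("10.20.0.0/16"), "blackhole", 250))
    return table


def egress(vpn_up, with_blackhole, dst="10.20.5.7"):
    """Where a packet to the remote private subnet actually goes."""
    route = lookup(build_table(vpn_up, with_blackhole), dst)
    return route.via if route else "unroutable"


if __name__ == "__main__":
    for vpn_up in (True, False):
        for bh in (False, True):
            print(f"vpn_up={vpn_up!s:5} blackhole={bh!s:5} -> {egress(vpn_up, bh)}")
```

With the tunnel up the blackhole is never selected because the VPN route has the same prefix length and a lower metric; with the tunnel down and no blackhole, the same packet matches only the default route and leaves on the public link.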
Received on May 27 2008