January 10th, 2006, 04:15 AM
Just wondering what it is about dynamic routing that Cisco as well as a lot of experts don't like in PIX firewalls? I've read the reason for preferring static to dynamic is that static is more secure and can't be easily fooled. Can anyone elaborate on this and explain to me in more detail why it is that static is preferred to dynamic?
Thanks in advance
January 10th, 2006, 07:18 AM
Let me first say that neither will increase the security of your network greatly, though static is preferred.
That said, dynamic is considered a little less secure because if someone does manage to connect to your network, all they have to do is request an IP address and your DHCP server will happily give it out.
If someone connected to your static network, they'd have to guess the range of the IP addresses in order to use your network.
Now, in a cleverly designed network, an intruder would never be able to guess a valid IP address because the network admin filtered the MAC addresses to correspond to IP addresses. That makes it a lot harder for the intruder to guess the MAC address AND the IP corresponding to that MAC.
Unfortunately, there are a lot of network admins that think turning off the DHCP server _alone_ will increase security. But a quick Google search could show you some of the more popular routers and their default IP addresses, router passwords, etc. This is why it's wise to change your network's address, subnet mask, and filter filter filter as much as possible.
Of course, I'm not a Cisco (or any other kind of) expert... just my $0.02
Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
-- Homer S.
January 10th, 2006, 09:29 AM
Iron-Kurton: Valiant effort, however the question was regarding routes not addresses ... hopefully the rest of my post will clear that up a little bit.
As we all know... (or hopefully all know)... Traffic is routed across the internet. Due to lack of creativity, this information is routed by routers....
Depending on the type of network, you could have more than one route.. You could have multiple interfaces on the router (physical or virtual)... When you send data, in the most simplistic of setups, your PC will pass the packet on to the router... The router is going to look at the destination address and must now determine which interface to send the packet out... This is done by looking at the route table. Windows users that want to see a simple route table... type 'route print' at your command prompt... for example this is the route table on my desktop:

Network Destination   Netmask           Gateway          Interface        Metric
0.0.0.0               0.0.0.0           192.168.1.1      192.168.1.100    20
127.0.0.0             255.0.0.0         127.0.0.1        127.0.0.1        1
192.168.1.0           255.255.255.0     192.168.1.100    192.168.1.100    20
192.168.1.100         255.255.255.255   127.0.0.1        127.0.0.1        20
192.168.1.255         255.255.255.255   192.168.1.100    192.168.1.100    20
192.168.60.0          255.255.255.0     192.168.60.1     192.168.60.1     20
192.168.60.1          255.255.255.255   127.0.0.1        127.0.0.1        20
192.168.60.255        255.255.255.255   192.168.60.1     192.168.60.1     20
192.168.254.0         255.255.255.0     192.168.254.1    192.168.254.1    20
192.168.254.1         255.255.255.255   127.0.0.1        127.0.0.1        20
192.168.254.255       255.255.255.255   192.168.254.1    192.168.254.1    20
224.0.0.0             240.0.0.0         192.168.1.100    192.168.1.100    20
224.0.0.0             240.0.0.0         192.168.60.1     192.168.60.1     20
224.0.0.0             240.0.0.0         192.168.254.1    192.168.254.1    20
255.255.255.255       255.255.255.255   192.168.1.100    192.168.1.100    1
255.255.255.255       255.255.255.255   192.168.60.1     192.168.60.1     1
255.255.255.255       255.255.255.255   192.168.254.1    192.168.254.1    1
Default Gateway: 192.168.1.1

The router will look through the routes in its table, starting with the longest mask (biggest number) and continue on until a match is reached... When a match is found, the packet is sent out the interface associated with that route in the table (for more information on routing, check out this Cisco link - http://www.cisco.com/en/US/tech/tk36...80094823.shtml).
Now... on with routes...
There are a few types of routes... We'll go with 4 basics instead of breaking it down..
We have Directly Connected Routes, Dynamic Routes, Static Routes and lastly a Default Gateway.
A metric (Administrative Distance) is used to give these routes priority (a Directly Connected Route will always take priority with a metric of 0 on a Cisco Router)... Static Routes will be 1 and Dynamic Routes will vary based on the routing protocol used (for more information see the above link).. Your Default Gateway (or Gateway of Last Resort) is going to be used last if no route was found.
So let's say you have three routers...
Router A - Router B - Router C
S0/0 of Router A is connected to S0/0 of Router B
S0/1 of Router B is connected to S0/1 of Router C
Router A would know of itself and Router B (because it's directly connected) but nothing beyond that... so if I'm connected to Router A and I send a packet to a host on Router C... If there's no Default Gateway set... then Router A doesn't know how to handle the packet.. So there are two ways for Router A to learn about Router C.... One is a static route... You go into Router A and manually configure it to send everything destined for Router C out S0/0. The same would have to be done on Router C (to tell it how to get to Router A (using its S0/1 port)). This is not a very cost effective method of managing your network... especially if you have a large network.. The cost is one of manpower to configure routes, to make changes when you change your network... everything has to be done by hand.. one typo and things will break.
That leads us to dynamic routes... There are several protocols... each one handles the exchange of routing information differently... I'm definitely not going to get into that... It took us 10 hours a week for 4 months to cover them in depth (and that was after the basic understanding had been presented)... Research them if you are interested.... they include RIP, RIP Version 2, IGRP, EIGRP, OSPF, IS-IS and BGP... Anyone with a Linksys can go in and play with your gateway settings and see that you can have the router send RIP updates... Other than that... I think you'd seldom find a network that still uses RIP these days... So now that we have a routing protocol... how do we use it.... To simplify this.... I'll say one thing... You share the routes you learn with your neighbours... Depending on the protocol you could share just your directly connected neighbours, or you could share everything on behalf of the rest of the routers... This could get fairly advanced and in-depth to continue with it.
Now on to the original question (since we've covered background and I've confused everyone that's new to this)...
Dynamic is always the preferred choice.... that being said.. it has to be qualified... If you have a certain host you want accessed (one on a large network) you may use a static route for that... Also.... Dynamic is the preferred choice if you're using a modern routing protocol that allows for authentication of some sort... With RIP anyone could very easily inject a fake route into the routing table and cause havoc... Also you have to say that Dynamic is the preferred choice on a router.
Now you asked about the PIX.... the PIX is not a router... it's essentially a computer... Some of them will even show you the same screen you'd see if you watched your Linux server power up... Since they are not routers, they don't run the Cisco IOS and are not privy to knowledge of various routing protocols... If I remember we were using the 515 and it was Static or Dynamic.. but I'm pretty sure the only Dynamic protocol it would support was RIP... as I said before you could easily inject a fake route into the PIX because RIP trusts everything it sees.
Quite often your PIX is going to be at your perimeter... you don't exactly want fake routes placed on your perimeter.... this could prove to be very dangerous... Your PIX is also going to have limited connections... The inside interface will most likely go to a 6550, 3550 or something smaller if you have a small network.. The outside is going to go to either a perimeter router or directly to your internet connection. And the DMZ will most likely be a switch ... 2950 or 3550... prolly not very big... This means the routes are going to be limited and since you're dealing with DMZ traffic and internet traffic... they most likely won't be changing very often... For that reason static is usually better on a PIX firewall..
Now a cisco guru can come along and pick that apart but it's 4:30 and I can't sleep... so that's the solution I'm posting..
PS.... thread renamed to make it more distinctive..
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
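A worked model of the route lookup the post above walks through (longest mask first, then administrative distance), added here as an illustration and not code from the thread. It assumes Cisco default administrative distances for each route source and a hypothetical RIP neighbour at 192.168.1.50; the table is constructed from the 'route print' output quoted in the post.

```python
import ipaddress
from dataclasses import dataclass

# Cisco default administrative distances (lower wins): directly connected 0,
# static 1, dynamic protocols vary by protocol. Values assumed from Cisco defaults.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    network: str      # "destination/netmask", e.g. "192.168.60.0/255.255.255.0"
    gateway: str
    interface: str
    source: str       # how the route was learned; key into ADMIN_DISTANCE
    metric: int = 0

    def prefix(self):
        return ipaddress.ip_network(self.network, strict=False)


def lookup(table, destination):
    """Longest mask first, then lowest administrative distance, then lowest
    metric. Returns the winning Route, or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r.prefix()]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix().prefixlen,
                                       ADMIN_DISTANCE[r.source], r.metric))


def next_hop(table, destination):
    """(gateway, source) chosen for a destination, or None if there is no route."""
    r = lookup(table, destination)
    return None if r is None else (r.gateway, r.source)


# Constructed table modelled on the 'route print' output quoted in the thread:
# a default route via 192.168.1.1 plus three directly connected /24 networks.
TABLE = [
    Route("0.0.0.0/0.0.0.0", "192.168.1.1", "192.168.1.100", "static", 20),
    Route("192.168.1.0/255.255.255.0", "192.168.1.100", "192.168.1.100", "connected", 20),
    Route("192.168.1.100/255.255.255.255", "127.0.0.1", "127.0.0.1", "connected", 20),
    Route("192.168.60.0/255.255.255.0", "192.168.60.1", "192.168.60.1", "connected", 20),
    Route("192.168.254.0/255.255.255.0", "192.168.254.1", "192.168.254.1", "connected", 20),
]

# Routes advertised by a hypothetical RIP neighbour at 192.168.1.50. A RIP copy of an
# already-connected prefix loses on AD (120 vs 0); a prefix the table never had wins
# over the default route because its mask is longer, which is why unauthenticated
# RIP on a perimeter device is a concern.
RIP_LEARNED = [
    Route("192.168.60.0/255.255.255.0", "192.168.1.50", "192.168.1.100", "rip", 1),
    Route("10.0.0.0/255.0.0.0", "192.168.1.50", "192.168.1.100", "rip", 1),
]
```

Call next_hop(TABLE, "10.1.2.3") and next_hop(TABLE + RIP_LEARNED, "10.1.2.3") to see the default route give way to the learned one.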
January 10th, 2006, 09:55 PM
Thanks a lot HTRegz for that very concise answer, really appreciate it. Iron-Kurton my query was about dynamic routing in PIX firewalls but thanks anyways for your help, very much appreciated.