[134594] in North American Network Operators' Group


Re: asymmetric routes/security concerns/Fortinet

daemon@ATHENA.MIT.EDU (Anthony Pardini)
Fri Jan 7 14:46:42 2011

In-Reply-To: <DDDFE07B-1F70-4CB8-A470-8189ACBFDCBA@oicr.on.ca>
Date: Fri, 7 Jan 2011 13:45:51 -0600
From: Anthony Pardini <tony@pardini.org>
To: Greg Whynott <Greg.Whynott@oicr.on.ca>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

You can allow asymmetric traffic on the Fortinet, but you lose some
functionality. Firewalls aren't routers, and pretty much all of them
behave in a similar manner.

On Fri, Jan 7, 2011 at 11:40 AM, Greg Whynott <Greg.Whynott@oicr.on.ca> wrote:
>
>
> Hello,
>
> we have multiple internet connections, one of which is a research network
> to which many medical institutions and universities throughout the country
> are also connected. This research network (ORION) also has internet access
> but is not meant to be used as a primary path to the internet by its
> customers. Connected to the ORION network are many sites we exchange email
> with daily who also have multiple internet connections. One of these sites
> is not reachable by us. After investigating, it was discovered this site is
> dropping our connections as the path back to us would use a different
> interface on the firewall (a Fortinet device) than that which it arrived
> upon.
>
> The admins at this university claim this is by design and for security
> reasons. My response was the entire internet is asymmetrical and, while
> this may have been a legitimate concern in the 90's, I don't think it's a
> real concern anymore if things are set up correctly. They suggested we add
> static routes to our equipment to address this... This seems like a bad
> idea and I am not comfortable adjusting my routing table to address one
> site's issues on the internet due to their (not our) routing/security
> policies.
>
> Am I correct here? Any comments on this would be greatly appreciated, as
> I'll be called into a meeting to discuss this further (they are digging in
> their heels on this, and higher-ups are getting involved now). I'd like to
> arm myself with a few perspectives.
>
> thanks very much for your time again,
>
> greg
>
>
>
>
>
> --
>
> This message and any attachments may contain confidential and/or
> privileged information for the sole use of the intended recipient. Any
> review or distribution by anyone other than the person for whom it was
> originally intended is strictly prohibited. If you have received this
> message in error, please contact the sender and delete all copies.
> Opinions, conclusions or other information contained in this message may
> not be that of the organization.
>
>
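The drop Greg describes (the firewall discards a packet because its own route back to the source points out a different interface than the one the packet arrived on) is a strict reverse-path check, and Anthony's "you can allow asymmetric traffic, but you lose some functionality" is the loose variant of the same check. The simulation below is an added example written for this archive page; it is not FortiOS code or anything posted in the thread. The routing table, interface names (wan1_isp, wan2_orion) and addresses are constructed, and it models only the reverse-path decision, not session state.

```python
"""Strict vs. loose reverse-path check, as a stateful firewall applies it
to the thread's scenario. Added example, not FortiOS code; the routing
table, interface names and addresses below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed routing table for the university's firewall: a default route
# out the commodity ISP link and a research-network prefix out the ORION
# link. Prefixes and interface names are assumptions for illustration.
ROUTES = [
    (ip_network("0.0.0.0/0"), "wan1_isp"),
    (ip_network("198.51.100.0/24"), "wan2_orion"),  # a peer reached via ORION
]


def egress_for(dst, routes=ROUTES):
    """Longest-prefix match: the interface this firewall would use to reach dst."""
    addr = ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(src, ingress, mode="strict", routes=ROUTES):
    """True if a packet from src arriving on ingress is accepted.

    strict: the route back to src must leave via the ingress interface, so an
            asymmetric path is dropped (the behaviour Greg ran into).
    loose:  any route back to src suffices (what the firewall does once
            asymmetric routing is allowed).
    """
    via = egress_for(src, routes)
    if via is None:
        return False          # no route back at all: dropped in both modes
    if mode == "loose":
        return True
    return via == ingress


def simulate(routes=ROUTES):
    """Walk the thread's scenario through both modes. 203.0.113.10 stands in
    for Greg's site; 198.51.100.5 for a host behind the research network."""
    ours = "203.0.113.10"
    results = {}
    # Our SYN arrives over ORION, but their default route points back out the
    # ISP link: the strict check drops it.
    results["via_orion_strict"] = reverse_path_check(ours, "wan2_orion", "strict", routes)
    # The same packet once asymmetric routing is allowed on the firewall.
    results["via_orion_loose"] = reverse_path_check(ours, "wan2_orion", "loose", routes)
    # The workaround they proposed: a static route on our side forces the
    # traffic out the ISP path, so it arrives on the interface their default
    # route points back through.
    results["via_isp_strict"] = reverse_path_check(ours, "wan1_isp", "strict", routes)
    # The cost of the loose check: a packet spoofing a research-network source
    # but arriving on the ISP link passes, where strict would drop it.
    results["spoofed_strict"] = reverse_path_check("198.51.100.5", "wan1_isp", "strict", routes)
    results["spoofed_loose"] = reverse_path_check("198.51.100.5", "wan1_isp", "loose", routes)
    return results


if __name__ == "__main__":
    for case, accepted in simulate().items():
        print(f"{case:18s} {'accepted' if accepted else 'DROPPED'}")
```

Run stand-alone it prints one line per case: only the ORION-ingress packet under the strict check, and the spoofed packet under the strict check, are dropped. That last pair is the whole disagreement in one place: strict mode is what gives the university its anti-spoofing argument, and loose mode is what Anthony means by allowing asymmetric traffic at a cost. On FortiOS the switch is the per-VDOM setting `config system settings` / `set asymroute enable`, and the functionality lost is stateful inspection of any session the firewall only sees one direction of.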

