[134647] in North American Network Operators' Group


Re: asymmetric routes/security concerns/Fortinet

daemon@ATHENA.MIT.EDU (Tarig Ahmed)
Sat Jan 8 14:02:11 2011

From: Tarig Ahmed <tariq198487@hotmail.com>
To: Anthony Pardini <tony@pardini.org>
In-Reply-To: <AANLkTin9TUY_2CObUUVqo=PibaJGx3+21sQ+sXbfBsUe@mail.gmail.com>
Date: Sat, 8 Jan 2011 22:01:00 +0300
Cc: "nanog@nanog.org list" <nanog@nanog.org>,
	Greg Whynott <Greg.Whynott@oicr.on.ca>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Tarig Yassin Ahmed


On Jan 7, 2011, at 10:45 PM, Anthony Pardini <tony@pardini.org> wrote:

> You can allow asymmetric traffic on the Fortinet, but you lose some
> functionality.  Firewalls aren't routers and pretty much all of them
> behave in a similar manner.
>


Hi,

I think you can solve this issue only by adding a router between the
firewall and the Internet.

In a multihoming network, Internet connections should be connected to
routers, and after that comes the firewall, to avoid such problems.

Thanks





> On Fri, Jan 7, 2011 at 11:40 AM, Greg Whynott <Greg.Whynott@oicr.on.ca> wrote:
>>
>> Hello,
>>
>> We have multiple internet connections, of which one is a research
>> network where many medical institutions and universities are also
>> connected throughout the country.  This research network (ORION)
>> also has internet access but is not meant to be used as a primary
>> path to the internet by its customers.  Connected to the ORION
>> network are many sites we exchange email with daily who also have
>> multiple internet connections.  One of these sites is not
>> reachable by us.  After investigating, it was discovered this
>> site is dropping our connections as the path back to us would use
>> a different interface on the firewall (a Fortinet device) than
>> that which it arrived upon.
>>
>> The admins at this university claim this is by design and for
>> security reasons.  My response was the entire internet is
>> asymmetrical and while this may have been a legitimate concern in the
>> 90's, I don't think it's a real concern anymore if things are set
>> up correctly.  They suggested we add static routes to our equipment
>> to address this…  This seems like a bad idea and I am not comfortable
>> adjusting my routing table to address one site's issues on the
>> internet due to their (not ours) routing/security policies.
>>
>> Am I correct here?  Any comments on this would be greatly
>> appreciated as I'll be called into a meeting to discuss this
>> further (they are digging their heels in on this, and higher
>> ups are getting involved now).  I'd like to arm myself with a few
>> perspectives.
>>
>> Thanks very much for your time again,
>>
>> Greg
>>
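
The interface check Greg describes, and the three ways out of it that the thread mentions (allowing asymmetric traffic, a static route at the sender's end, a router in front of the firewall), as an added Python model; it is not part of the original posts and is not Fortinet's code, and the interface names and addresses are constructed.

```python
from typing import Dict, Set, Tuple

class StatefulFirewall:
    """Minimal model of a firewall that binds each session to the interfaces it uses."""

    def __init__(self, routes: Dict[str, str], default: str,
                 allow_asymmetric: bool = False) -> None:
        self.routes = routes                  # destination host -> egress interface
        self.default = default                # interface used by the default route
        self.allow_asymmetric = allow_asymmetric
        self.sessions: Set[Tuple[str, str, str, str]] = set()

    def egress_for(self, addr: str) -> str:
        return self.routes.get(addr, self.default)

    def accept(self, src: str, dst: str, in_iface: str) -> bool:
        """Reverse-path check on the first packet of a new session src -> dst."""
        return_iface = self.egress_for(src)
        if return_iface != in_iface and not self.allow_asymmetric:
            return False                      # reply would leave by another interface: drop
        self.sessions.add((src, dst, in_iface, return_iface))
        return True

# Constructed addresses (documentation ranges): our mail relay and their mail server.
OUR_RELAY, THEIR_MX = "198.51.100.10", "203.0.113.25"

def two_upstreams_on_firewall(arrives_on: str, allow_asymmetric: bool = False) -> bool:
    # The university firewall holds both links itself: 'isp' (commodity Internet,
    # default route) and 'orion' (research network). Its best route back to us
    # is the commodity link, whichever interface our packet came in on.
    fw = StatefulFirewall(routes={}, default="isp", allow_asymmetric=allow_asymmetric)
    return fw.accept(OUR_RELAY, THEIR_MX, arrives_on)

def router_in_front() -> bool:
    # Tarig's layout: both links terminate on a router, and the firewall has one
    # outside interface, so ingress and return interface always match.
    fw = StatefulFirewall(routes={}, default="outside")
    return fw.accept(OUR_RELAY, THEIR_MX, "outside")

if __name__ == "__main__":
    print("via ORION, firewall multihomed    :", two_upstreams_on_firewall("orion"))        # False
    print("via ISP (static route at our end) :", two_upstreams_on_firewall("isp"))          # True
    print("asymmetric routing allowed        :", two_upstreams_on_firewall("orion", True))  # True
    print("router in front of the firewall   :", router_in_front())                         # True
```

The first case is the drop Greg sees; the second is what their static-route suggestion buys, at the cost of the sender carrying the fix.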

