At 9:17 AM -0800 3/29/01, [EMAIL PROTECTED] made some very 
interesting points:
>Murat,
>
>My comment is don't do this.  It violates a very fundamental
>principle of network security, "keep your untrusted and your trusted
>networks physically separated".


In the classified world with RED/BLACK isolation criteria, devices 
handling RED (i.e., cleartext of classified traffic) are physically 
separated from BLACK (carrying ciphertext or unclassified traffic). 
This may be enforced either by putting the devices too far apart to 
patch between with the patchcords allowed into the crypto area, or by 
using physically different connectors on RED and BLACK so that you 
CANNOT plug red into black (without a Really Big hammer).

>  There should also be no way for
>an untrusted network to bypass your firewall, which there is in this
>design.


Kent, I'd be interested in your opinion about an approach I've 
increasingly used.  Do you consider it evil?

Traffic comes onto the DMZ from an external screening router.  If it 
is destined for anything not on the DMZ, the options include:

    -- for IPsec transport mode and other encrypted traffic, send to
       a router with basic filtering (e.g., verify reverse path and drop
       traffic with source addresses in your internal network) and traffic
       policing (to prevent flooding), and let it into the network.  A firewall
       not participating in the end-to-end encryption can't do anything with
       the packet -- why load up the firewall with conduits?

    -- for traffic using SSL proxies, send to an appropriate gateway, which
       MAY be the firewall.  Same thing for IPsec tunnel mode security
       gateways.

    -- for cleartext traffic requesting access to servers, run through
       conventional firewalling.

Of course, load balancing and failover make this even more complex, 
but let's start with security.

>
>There are lots of issues with this setup, but the most basic is that
>you would need to bring untrusted traffic into the router, forward it
>to the PIX, have the PIX forward it back to the same router and then
>to the remote sites.  Depending on how many LAN interfaces your
>router has, you could probably make this happen, but it's just not a
>good idea. 
>
>If for any reason something in your configuration isn't setup
>correctly, packets from the Internet could reach other remote sites
>on your FR network without going through the firewall.  In a good
>perimeter design, this should not be possible.
>
>I realize that this was probably setup this way to save money, but
>how much money would it cost the company to have their entire
>network compromised? 
>
>If cost is the primary concern, save the money on the PIX, use a
>cheaper FW solution and get a separate physical line for your
>Internet connection and a separate router. 
>
>HTH,
>Kent   
>
>On 29 Mar 2001, at 10:19, Murat Kirmaci wrote:
>
>>  Hello Everybody,
>>  I would like to learn if I have got a Cisco router connected to frame
>>  relay network and over this frame relay network there are connections
>>  to their remote offices and another pvc to the INTERNET (not a
>>  separate leased line), in addition to this also I have to insert a PIX
>>  firewall into this structure.
>>
>>  I would be pleased to get your comments about this type of networks.
>>  Should I do NAT in the router? If yes, then how will I insert the PIX?

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
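
The three-way split described in the message above (encrypted traffic to a
basic-filtering router, proxied/tunnelled traffic to a DMZ gateway, cleartext
to the firewall), written out as a Cisco IOS configuration for the external
screening router. This is an added example, not configuration posted by any
participant in the thread; the interface names, DLCI, addresses, next hops
and rate-limit figures are assumptions chosen for illustration.

```cisco
! Added example (not from the list post). Assumed topology:
!   Serial0/0.100    Frame Relay PVC to the Internet (untrusted)
!   Ethernet0/0      DMZ segment, 192.0.2.0/24
!   192.0.2.2        basic-filtering router in front of IPsec transport-mode hosts
!   192.0.2.3        SSL proxy / IPsec tunnel-mode security gateway (on the DMZ)
!   192.0.2.4        PIX outside interface (conventional firewalling)
!   203.0.113.0/24   routable internal address space behind the firewall
!
ip cef
!
! Anti-spoofing: nothing arriving from the Internet may claim an internal,
! DMZ, private or loopback source address.
access-list 110 deny   ip 203.0.113.0 0.0.0.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
! Only two classes of traffic are allowed to cross the screening router:
! anything addressed to the DMZ itself (SSL proxy, tunnel-mode gateway,
! PIX outside) and end-to-end IPsec (ESP, AH, IKE) addressed to the inside.
! There is deliberately no "permit ip any 203.0.113.0 ..." line, so even a
! wrong static route cannot carry cleartext Internet traffic past the PIX.
access-list 110 permit ip  any 192.0.2.0 0.0.0.255
access-list 110 permit esp any 203.0.113.0 0.0.0.255
access-list 110 permit ahp any 203.0.113.0 0.0.0.255
access-list 110 permit udp any 203.0.113.0 0.0.0.255 eq isakmp
access-list 110 deny   ip any any log
!
! Classifier for the encrypted traffic that bypasses the firewall.
access-list 120 permit esp any 203.0.113.0 0.0.0.255
access-list 120 permit ahp any 203.0.113.0 0.0.0.255
access-list 120 permit udp any 203.0.113.0 0.0.0.255 eq isakmp
!
! Policy routing: IPsec toward the inside goes to the filtering router,
! not to the PIX. Unmatched packets fall through to normal routing.
route-map DMZ-STEER permit 10
 match ip address 120
 set ip next-hop 192.0.2.2
!
interface Serial0/0.100 point-to-point
 description Frame Relay PVC to the Internet
 ip address 198.51.100.2 255.255.255.252
 frame-relay interface-dlci 100
 ip access-group 110 in
 ! Strict uRPF: drop packets whose source is not routed back out this PVC
 ! (a second line of defence behind the anti-spoofing ACL).
 ip verify unicast reverse-path
 ! Policing for the traffic the firewall never sees: 1 Mbit/s conform rate,
 ! 187500-byte normal burst, 375000-byte maximum burst; excess is dropped.
 rate-limit input access-group 120 1000000 187500 375000 conform-action transmit exceed-action drop
 ip policy route-map DMZ-STEER
!
interface Ethernet0/0
 description DMZ
 ip address 192.0.2.1 255.255.255.0
!
! Cleartext toward inside servers goes to the firewall; the SSL proxy and
! tunnel-mode gateway are directly connected on the DMZ and need no route.
ip route 203.0.113.0 255.255.255.0 192.0.2.4
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The point of ACL 110 is the "no bypass" property Kent asks for: the only
packets that reach 203.0.113.0/24 without passing the PIX are ESP, AH and
IKE, which the PIX could not inspect anyway, and those are policed on the
way in. The 203.0.113.0/24 static route to the PIX is what normal routing
uses for everything the route map does not claim; a second Frame Relay PVC
to a remote office would need its own inbound ACL of the same shape, since
the router will otherwise happily forward between PVCs.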