Wondering if firewalls could work in our special topology:
here are the constraints & info:
* We have a large private network where all PVCs point to the same "head
office" if you want (the underlying ATM network is run by a telco)
* all the local networks of every physical site are given a subnet of a
class A 10.x.x.x address space
* by default the routers that constitute the VPN do not have access-lists or
security (and possibly will not be able to - due to the telco)
* We would like to consider managing the inter-site (i.e. the communication
needs between various local networks) security in a centralized manner
* The risk associated with an inter-site "leak" is not great since the data
stored in the sites is not that confidential but:
* For legal reasons, the sites are responsible for their own data and would
like some kind of say as to whom enters their network
* It is possible for us to get all the inter-site traffic re-routed to the
lan of the "head office" (by default the inter-site traffic never goes on the
head office lan but is routed without security within the routers)
I have read a bit in this mailing list and gone searching (at the corporate
firewall sites) for a while; all I have read about firewalls is for securing
a local network from a distant network (or parts of a local network). In
our situation it would be allowing only part of a wan to communicate with
another part of a wan.
I know a simple but $$$ solution would be to put as many firewalls as there
are sites (between the wan link and the local nets). Is there a less
painful alternative?
In the beginning, we would be looking at a "network layer" solution (even
though less secure) since there are 200 sites and I would not want too many
specific rules to completely slow down the link to our "head office".
Could a firewall be used in such a situation? (or am I completely on the
wrong track?)
Any suggestions?
Thanks for any help or insight.
Jean-Pierre Cordeau
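A small model of the centralized "network layer" approach described above, added here as an illustration and not code from the original post. It assumes each site owns one 10.x.0.0/16 subnet (constructed sample table) and keeps its own allow-list of peer sites permitted to enter; the hub evaluates hairpinned inter-site packets against the destination site's list and flags one-way policies that a stateless filter would break on return traffic.

```python
# Added example: hub-enforced inter-site policy for a hub-and-spoke WAN.
# Site subnets and allow-lists below are constructed sample data; the
# /16-per-site plan is an assumption, not something the post states.
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed site table: site name -> subnet carved from 10/8.
SITES = {
    "HQ":    ipaddress.ip_network("10.0.0.0/16"),
    "SITE1": ipaddress.ip_network("10.1.0.0/16"),
    "SITE2": ipaddress.ip_network("10.2.0.0/16"),
    "SITE3": ipaddress.ip_network("10.3.0.0/16"),
}

# Per-site policy, owned by each site: which peer sites may enter it.
# Anything not listed is denied, so control stays with the site owner.
INBOUND_ALLOW: Dict[str, Set[str]] = {
    "HQ":    {"SITE1", "SITE2", "SITE3"},   # head office accepts every site
    "SITE1": {"HQ", "SITE2"},
    "SITE2": {"HQ"},
    "SITE3": {"HQ"},
}

def site_of(addr: str) -> Optional[str]:
    """Map an address to its owning site, or None if outside the address plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in SITES.items():
        if ip in net:
            return name
    return None

def decide(src: str, dst: str) -> str:
    """Network-layer verdict for a packet hairpinned through the hub."""
    s, d = site_of(src), site_of(dst)
    if s is None or d is None:
        return "DROP:unknown-site"        # not part of the 10/8 plan
    if s == d:
        return "PASS:intra-site"          # stays on the local lan, never seen here
    if s in INBOUND_ALLOW.get(d, set()):
        return "PERMIT"
    return f"DENY:{d}-refuses-{s}"

def asymmetric_pairs() -> List[Tuple[str, str]]:
    """Pairs (a, b) where a may enter b but b may not enter a.

    With a stateless filter the reply packets of an a->b session are dropped,
    so these pairs need either a matching rule or a stateful hub."""
    return sorted((a, b) for b, allowed in INBOUND_ALLOW.items()
                  for a in allowed if b not in INBOUND_ALLOW.get(a, set()))
```

Each site's allow-list is the only thing its owner has to maintain; the hub merges them into one rule set, and `asymmetric_pairs()` is the sanity check to run before loading it.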