Hi all,

(Warning: Frame Relay talk ahead.)

When using a Frame Relay PVC to the Internet (through a frame network, to a provider's Internet backbone routers), what is the most common way to protect the WAN?

The scenario is this: a 10-node star WAN on Frame Relay with one PVC to the Internet at the host location providing access to all remote locations. Now, if all PVCs use the same circuit (say a T1), then you obviously have a security problem at the lone router the circuit is terminated on.

One solution I know is common is to channelize the T1, get a 2-port CSU/DSU, run one port to the router working as the WAN host, and one port to another router w/ the FW off of it. The problem is the extra cost involved in having 2 routers and an external CSU/DSU, AND you are inefficiently locking your bitrate for the Internet PVC to whatever channels you give it on the T1.

Another solution that might work is to use a single router/CSU with 2 Ethernet ports and route all traffic FROM the Internet PVC to a FW on one of the Ethernet ports. The other port of the FW would go to a switch on the LAN. The default gateway for the internal machines would be the FW internal port, which would check the traffic and drop it onto the router to be dropped on the Internet PVC. Now, the other Ethernet port on the router would be for trusted traffic from the WAN PVCs. Of course, you would use access lists to keep Internet users from spoofing internal addresses and thereby avoiding the trip through the FW. It might look like this:
  
  FRAME
  CLOUD
    |
   T1
    |
  router---FW
    |          |
  LAN-----switch

Some problems with this little scenario: you are totally relying on routing and that router to provide security; if the router goes, someone can eliminate traffic through the FW.

Anyone have any other workable solutions that have been implemented, not just a dream like my above scenario? Just looking for some expertise on something I know lots of people run into.

Thanks,
Zach
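
The single-router design described in the post above, modelled as an added example (not part of the original message): it lists which Internet-PVC packets would reach the trusted Ethernet port without passing the firewall when the anti-spoofing access list or the route-to-firewall rule is missing. The addresses, port names and the two ways of selecting traffic for the firewall (by arrival interface or by source address) are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing and port names (assumptions, not from the post).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # host LAN plus remote WAN sites
FW_OUTSIDE = "eth-to-firewall"   # router Ethernet port facing the firewall
TRUSTED_LAN = "eth-trusted"      # router Ethernet port for WAN PVC traffic

# Constructed sample packets: (ingress PVC, claimed source address).
SAMPLES = [
    ("internet-pvc", "198.51.100.7"),  # ordinary Internet host
    ("internet-pvc", "10.1.2.3"),      # Internet packet claiming an internal source
    ("wan-pvc", "10.4.0.9"),           # remote site on the trusted WAN
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def route_inbound(ingress, src, antispoof_acl=True, match="interface"):
    """Router decision for a packet destined to an internal host.

    match selects how traffic is steered to the firewall:
      "interface" - anything that arrived on the Internet PVC
      "source"    - anything whose source address is not internal
      None        - no steering rule at all (lost or broken config)
    """
    # Inbound access list on the Internet PVC: no internal sources allowed.
    if ingress == "internet-pvc" and antispoof_acl and is_internal(src):
        return "drop"
    if match == "interface" and ingress == "internet-pvc":
        return FW_OUTSIDE
    if match == "source" and not is_internal(src):
        return FW_OUTSIDE
    return TRUSTED_LAN  # ordinary destination-based routing

def bypasses(**cfg):
    """Internet-PVC samples that reach the trusted port without the firewall."""
    return [(i, s) for i, s in SAMPLES
            if i == "internet-pvc" and route_inbound(i, s, **cfg) == TRUSTED_LAN]

if __name__ == "__main__":
    for cfg in ({}, {"antispoof_acl": False, "match": "source"},
                {"antispoof_acl": False}, {"match": None}):
        print(cfg or "both controls in place", "->", bypasses(**cfg) or "no bypass")
```

With source-based steering the access list is the only thing stopping the spoofed packet; with no steering rule at all, every Internet packet skips the firewall, which is the dependence on the router that the post points out.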

