Firewall Wizards mailing list archives

RE: Firewall-1 and Frame relay interfaces


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 6 Jun 2001 13:09:47 +0200

The customer is in complete control of the frame relay infrastructure - they
have leased pipes from the local telco, and have put in their own frame
relay switches etc. on each end. The customer is a Network provider for their
clients.

So the threat is really *unauthorised* access from one client to the other.

In this scenario, to my understanding, the Nokia should be able to protect
the various users of the Frame Relay network from each other.

In fact, after further discussion with the technical person concerned, it
appears that we had a misunderstanding. 

He was under the impression that I was planning to use point to multipoint
PVCs, with just a single PVC over the X.21 electrical connection. In this
case, the Frame Relay switch would direct the frames to the relevant party,
and not to the Firewall itself. Similar in concept to a firewall on an
ethernet segment, protecting two hosts on the same segment from each other.
Clearly not functional.

My intent is to have individual PVCs to the Nokia (admittedly over the same
electrical X.21 connection), at which point the Nokia sees each as an
individual interface, and controls traffic between them. The tech has
confirmed that this will work.

Thanks to all for your responses.

Rogan


-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: 05 June 2001 05:23
To: Dawes, Rogan (ZA - Johannesburg)
Cc: 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Firewall-1 and Frame relay interfaces


On Mon, 4 Jun 2001, Dawes, Rogan (ZA - Johannesburg) wrote:

> I am trying to help a customer design a firewall solution for a frame relay
> network. They operate their own Frame Relay switches, and would like to have
> a way to securely allow traffic to cross PVCs.
>
> One solution that was proposed involved a number of individual routers with
> Frame Relay interfaces, connected to the switch (one for each PVC). Those
> routers each have an Ethernet interface, which connects to a Firewall-1 with
> 2 or more Quad Fast Ethernets (we're talking about 8 or more PVC's to be
> connected/controlled)

What is the threat that they are trying to protect against?  Usually with
frame, it's worry that the frame provider will have a malicious employee,
or screw up the config, making the frame network no longer private.  The
solution to that is to VPN across the frame links.

What you're talking about implies that there is no trust between the
various frame endpoints, though.  Some sort of partner network, perhaps?

If that is indeed what you want, then if the firewalling features of your
router won't cut it, a Nokia isn't a bad router for a firewall...

I don't know the answer to your in-and-out routing question.

                                Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

