Firewall Wizards mailing list archives
RE: Firewall-1 and Frame relay interfaces
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 6 Jun 2001 13:09:47 +0200
The customer is in complete control of the frame relay infrastructure - they have leased pipes from the local telco, and have put in their own frame relay switches etc on each end. The customer is a Network provider for their clients. So the threat is really *unauthorised* access from one client to the other. In this scenario, to my understanding, the Nokia should be able to protect the various users of the Frame Relay network from each other.

In fact, after further discussion with the technical person concerned, it appears that we had a misunderstanding. He was under the impression that I was planning to use point to multipoint PVCs, with just a single PVC over the X.21 electrical connection. In this case, the Frame Relay switch would direct the frames to the relevant party, and not to the Firewall itself. Similar in concept to a firewall on an ethernet segment, protecting two hosts on the same segment from each other. Clearly not functional.

My intent is to have individual PVCs to the Nokia (admittedly over the same electrical X.21 connection), at which point the Nokia sees each as an individual interface, and controls traffic between them. The tech has confirmed that this will work.

Thanks to all for your responses.

Rogan

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: 05 June 2001 05:23
To: Dawes, Rogan (ZA - Johannesburg)
Cc: 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Firewall-1 and Frame relay interfaces

On Mon, 4 Jun 2001, Dawes, Rogan (ZA - Johannesburg) wrote:

> I am trying to help a customer design a firewall solution for a frame relay network. They operate their own Frame Relay switches, and would like to have a way to securely allow traffic to cross PVCs.
>
> One solution that was proposed involved a number of individual routers with Frame Relay interfaces, connected to the switch (one for each PVC). Those routers each have an Ethernet interface, which connects to a Firewall-1 with 2 or more Quad Fast Ethernets (we're talking about 8 or more PVC's to be connected/controlled)

What is the threat that they are trying to protect against? Usually with frame, it's worry that the frame provider will have a malicious employee, or screw up the config, making the frame network no longer private. The solution to that is to VPN across the frame links.

What you're talking about implies that there is no trust between the various frame endpoints, though. Some sort of partner network, perhaps? If that is indeed what you want, then if the firewalling features of your router won't cut it, a Nokia isn't a bad router for a firewall...

I don't know the answer to your in-and-out routing question.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

Current thread:
- Firewall-1 and Frame relay interfaces Dawes, Rogan (ZA - Johannesburg) (Jun 04)
- Re: Firewall-1 and Frame relay interfaces Crist Clark (Jun 05)
- Re: Firewall-1 and Frame relay interfaces Ryan Russell (Jun 05)
- <Possible follow-ups>
- RE: Firewall-1 and Frame relay interfaces Dawes, Rogan (ZA - Johannesburg) (Jun 06)