Hi everybody,
Recently I've been looking into some network security design issues on which I need a second opinion from you guys. One of my customers has a network that runs on a Frame Relay (FR) cloud, with about 13 remote sites linked up to their enterprise router at the HQ. Each remote link runs on a T1, and they all share a single E1 link into the HQ, in a partial-mesh environment running OSPF. The diagram below may give a better understanding:
 R1   R2   R3   R4   R..            Remote sites
  |    |    |    |    |
  |    |    |    |    |             T1 link
   \   |    |    |   /
    \  |    |    |  /
     ( Frame Relay )_____________ Internet
            |                       E1 link
            R0                      R0 - HQ router
            |                       R1 - Remote router, site 1
            HQ                      R2 - Remote router, site 2
            |
            |                       LAN
 ---------------------------------------------------
The FR provider has already built PVCs from all the remote sites to the HQ, and another PVC from the HQ to the Internet. The HQ enterprise router can support multiple IP address configurations on the same physical sync serial and Ethernet interfaces. I've been asked what the best way is to protect this network environment with FW-1. Sensitive information flowing from the remote sites to the HQ must be protected, as must the network against threats from the Internet. By the way, the FW-1 is also required to provide NAT for the remote sites and the HQ LAN. The customer wants to utilise the E1 link both for the remote-site links and for the Internet link. I understand that this is not a very good idea, especially from a security point of view. Hope to hear from you all soon. All your comments are highly appreciated.
Many thanks
Cheers
kent