>The FR provider already built their PVCs from all the remote sites to
>the HQ and another PVC from the HQ to the Internet. The HQ enterprise
>router can support multiple IP address configuration onto the same
>physical SYNC and Ethernet interface. I've been asked what is the best
>way to protect the network environment with FW-1. Sensitive information
>flow from the remote sites to the HQ must be protected, as well as
>against the threat from the Internet. By the way, the FW-1 is also
>required to provide NAT to the remote sites and the HQ LAN. The customer
>is to utilise the E1 link both for the remote links and for the Internet
>link. I understand that this is not a very good idea, especially from a
>security point of view. Hope to hear from you all soon. All your comments
>are highly appreciated.
Disclaimer: I am not very familiar with FW-1.
You will need to apply access-lists, both input and output, on the
Internet PVC's sub-interface. This input list should, as always, deny
incoming packets with a source IP address that is internal to your
network; deny IP spoofing. You also need to make sure that all incoming
packets have a destination for FW-1 ONLY, all other packets should be
denied.
*very* simple example:
access-list 101 deny ip <internal network> <wildcard mask> any
access-list 101 permit ip any host <FW-1 address>
! <implicit deny> of everything not matched above
!
! apply it inbound on the Internet PVC sub-interface
interface <Internet PVC sub-interface>
 ip access-group 101 in
The output list should make sure that outgoing traffic is only allowed
from FW-1. This should also be taken care of by making sure you use a
static route to the ISP on the Internet PVC and the default route on the
router, if you need one, points to FW-1, NOT the PVC sub-interface
(otherwise packets are routed around FW-1, instead of through it). This
gets a little tricky however, because FW-1 needs to have the *real*
default route to the Internet link. < If anyone has done this please
speak up; I haven't, and don't know for sure how to do it >. Just make
sure that only FW-1 knows the *true* route, and everyone else must go
through it to get out.
access-list 102 permit ip host <FW-1 address> any
! <implicit deny> of everything not sourced from FW-1
!
! apply it outbound on the same Internet PVC sub-interface
interface <Internet PVC sub-interface>
 ip access-group 102 out
You could further protect the other sites, and the HQ network, by
applying output filters on all other interfaces that only allow packets
from FW-1 and the other internal networks.
The only problem I see is with the default route issue. Does anyone have
any suggestions?
Good Luck,
Rick
____________________________________________
Rick Hicks
Network Specialist
Hussmann Corporation
RHicks @ Hussmann . com
http://www.hussmann.com
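To make the two access-lists in the reply above concrete, here is an added example (not part of the original thread and not Rick's or Hussmann's code) that models the inbound list 101 and outbound list 102 as first-match ACLs and runs constructed packets through them. The internal network (10.0.0.0/8), the FW-1 external address (192.0.2.10) and the outside host (203.0.113.5) are assumed placeholder values; the evaluator mimics Cisco IOS first-match semantics with an implicit deny at the end, and the last check shows why the anti-spoofing deny must precede the permit.

```python
"""First-match ACL evaluator for the 'Internet PVC' filter policy.

Models two lists from the thread:
  101 (inbound):  deny internal-sourced (spoofed) packets, then permit
                  only packets destined for FW-1, implicit deny otherwise.
  102 (outbound): permit only packets sourced from FW-1, implicit deny.
All addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Assumed placeholders (the original post only has <internal network>
# and <FW-1 address>): RFC 1918 space inside, TEST-NET ranges outside.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FW1_ADDR = ipaddress.ip_address("192.0.2.10")
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr) -> ipaddress.IPv4Network:
    """Equivalent of the IOS 'host <address>' keyword (a /32 match)."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination match."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# access-list 101: deny ip <internal> any ; permit ip any host <FW-1>
ACL_101_IN = [
    Ace("deny", INTERNAL_NET, ANY),      # anti-spoofing comes first
    Ace("permit", ANY, host(FW1_ADDR)),  # only FW-1 may be reached
]

# access-list 102: permit ip host <FW-1> any
ACL_102_OUT = [
    Ace("permit", host(FW1_ADDR), ANY),  # only FW-1 may send outbound
]

# Constructed traffic: the four cases a reviewer would want to see.
SAMPLE_INBOUND = {
    "outside_to_fw1": Packet("203.0.113.5", "192.0.2.10"),
    "spoofed_internal_to_fw1": Packet("10.1.1.1", "192.0.2.10"),
    "outside_to_other_host": Packet("203.0.113.5", "192.0.2.20"),
}
SAMPLE_OUTBOUND = {
    "fw1_to_outside": Packet("192.0.2.10", "203.0.113.5"),
    "lan_host_bypassing_fw1": Packet("10.1.1.1", "203.0.113.5"),
}


def verdicts(acl, packets: dict) -> dict:
    """Map each labelled packet to its permit/deny verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


def misordered_acl_101_admits_spoof() -> bool:
    """Show that swapping the two entries of 101 lets a spoofed packet
    addressed to FW-1 through, because the permit would now match first."""
    swapped = list(reversed(ACL_101_IN))
    return evaluate(swapped, SAMPLE_INBOUND["spoofed_internal_to_fw1"]) == "permit"


if __name__ == "__main__":
    for name, verdict in verdicts(ACL_101_IN, SAMPLE_INBOUND).items():
        print(f"101 in  {name:28s} -> {verdict}")
    for name, verdict in verdicts(ACL_102_OUT, SAMPLE_OUTBOUND).items():
        print(f"102 out {name:28s} -> {verdict}")
    print("misordered 101 admits spoof:", misordered_acl_101_admits_spoof())
```

The outbound list only stops packets that the router would otherwise forward around FW-1; it does nothing about the default-route question raised in the reply, which is a routing decision made before the output filter runs.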