Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: Security Design Issue
From: Adam Safier <asafier @ csc . com>
Organization: Computer Sciences Corp.
Date: Thu, 06 Feb 1997 12:17:58 -0800
To: Firewalls @ GreatCircle . COM
Cc: firewalls-digest @ GreatCircle . COM
References: <199702060900 . BAA29725 @ miles . greatcircle . com>
Reply-to: asafier @ csc . com

- Use the FW-1 enterprise package.
- Put a dual homed Firewall-1 module (M) with DES or better encryption
at each site.
- Put the Firewall-1 management workstation (S) on an internal LAN in a
physically secure location.
- Encrypt all links between modules.  Your traffic from the Management
workstation to the modules is also encrypted. 

A while back a co-worker who once designed Frame Relay switches for a
major carrier told me the words security and Frame Relay were
oxymorons.  If the data is valuable and sensitive you will need
encryption devices at all sites.

> Date: Thu, 6 Feb 1997 10:12:18 +-800
> From: KENNETH PHANG <kent @ dataprep . com . my>
> Subject: Security Design Issue
> 
                   M       M       M       M       M
                   |       |       |       |       |
>                 R1      R2      R3      R4       R.. Remote sites
>                  |       |       |       |       |
>                  |       |       |       |       | T1 link
>                   \      |       |       |      /
>                     \    |       |       |     /
>                          (  Frame Relay ) _____________Internet
>                                  |
>                                  |    E1 link
>                                  R0                      R0 - HQ router
                                   |          S - FW-1 Management workstation
                                   M          M - FW-1 module
>                                  |                       R1 - Remote router site 1
>                                 HQ                       R2 - Remote router site 2
>                                  |
>                                  |      LAN
>                 -----------S----------------------------------------
> 
> .... I've been asked what is the best way to protect the network environment with
> FW-1. Sensitive information flow from the remote sites to the HQ must be
> protected so as the threat from Internet. By the way the FW-1 is also
> required to provide NAT to the remote sites and the HQ LAN. The customer
> to utilise the E1 link both for the remote links so as the Internet
> link. I understand that this is not a very good idea especially for
> security point of view. Hope to hear from you'll soon. All your comments
> are highly appreciated.


-- 
Adam Safier                  asafier @ csc . com		http://www.csc.com
CSC-SED-Infosec              (301) 794-1349		(301) 552-3272 (fax)

Curious Cat Question:  
How does DIX Ethernet know the packet length?
802.3 Ethernet has a length field but DIX has a type and no length
field.

Technology Abuse: 1) Netscape Frames on a 14" screen.
                  2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.

The above are my own opinions.
I'm proud to live in a country where I'm free to express them!


