- Use the FW-1 enterprise package.
- Put a dual homed Firewall-1 module (M) with DES or better encryption
at each site.
- Put the Firewall-1 management workstation (S) on an internal LAN in a
physically secure location.
- Encrypt all links between modules. Your traffic from the Management
workstation to the modules is also encrypted.
A while back a co-worker who once designed Frame Relay switches for a
major carrier told me the words security and Frame Relay were
oxymorons. If the data is valuable and sensetive you will need
encryption devices at all sites.
> Date: Thu, 6 Feb 1997 10:12:18 +-800
> From: KENNETH PHANG <kent @
> Subject: Security Design Issue
M M M M M
| | | | |
> R1 R2 R3 R4 R.. Remote sites
> | | | | |
> | | | | | T1 link
> \ | | | /
> \ | | | /
> ( Frame Relay ) _____________Internet
> | E1 link
> R0 R0 - HQ router
| S - FW-1 Management
M M - FW-1 module
> | R1 - Remote router site 1
> HQ R2 - Remote router site 2
> | LAN
> .... I've =
> been ask what is the best way to protect the network environment with =
> FW-1. Sensitive information flow from the remote sites to the HQ must be =
> protected so as the treat from Internet. By the way the FW-1 is also =
> required to provide NAT to the remote sites and the HQ LAN. The customer =
> to utilise the E1 link both for the remote links so as the Internet =
> link. I understand that this is not a very good idea especially for =
> security point of view. Hope to hear from you'll soon. All your comments =
> are highly appreciated.=20
Adam Safier asafier @
CSC-SED-Infosec (301) 794-1349 (301) 552-3272 (fax)
Curious Cat Question:
How does DIX Ethernet know the packet length?
802.3 Ethernet has a length field but DIX has a type and no length
Technology Abuse: 1) Netscape Frames on a 14" screen.
2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.
The above are my own opinions.
I'm proud to live in a country where I'm free to express them!