Re: A router, a firewall, and 2 PVCs

[Ryan Russell <ryan () securityfocus com>]

> Traffic comes to the router and then to my Firewall-1 box.
> Currently the branch site is defined as being external to the firewall.
> We would like to define them as being internal to the firewall and
> provide them Internet access.  I think PVCs are isolated from each other
> assuming no hack at the Frame provider?s site.
>
> Assuming we are stuck with the one Frame Relay connection:
> Is this totally wrong?
> Are the two PVC?s sufficiently separate that I can consider traffic on
> one to be internal and traffic on the other to be external?
> It seems that if the one router is configured correctly this should
> work.
>
> I realize we have one point of attack and/or failure at the router but
> at this point I am short on options.

Assuming you trust your router to be secure, and your frame providers,
etc..

How many LAN interfaces on your router?  You'll need at least two for this
setup.  It's possible to use policy-based routing on Cisco (and probably
other) routers to force traffic coming in on one PVC to exit on a
particular LAN interface, and vice-versa.  This more or less gives you two
logical routers.  

                                Ryan