Firewall Wizards mailing list archives

Firewall-1 and Frame relay interfaces


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 4 Jun 2001 16:01:38 +0200

Hi Folks,

I am trying to help a customer design a firewall solution for a frame relay
network. They operate their own Frame Relay switches, and would like to have
a way to securely allow traffic to cross PVCs.

One solution that was proposed involved a number of individual routers with
Frame Relay interfaces, connected to the switch (one for each PVC). Those
routers each have an Ethernet interface, which connects to a Firewall-1 with
2 or more Quad Fast Ethernets (we're talking about 8 or more PVCs to be
connected/controlled).

To me, this solution appears to be unnecessarily complex, and expensive, to
boot.

I was thinking that it would be a lot simpler to have a firewall device
(Nokia or Sun) with a frame relay interface. The individual PVCs would
connect to the firewall over the single (electrical) connection, but the
firewall would treat them as separate interfaces. Then the firewall can
control any traffic between interfaces. This seems to remove an enormous
amount of complexity (routers, QFEs, etc.), with no downside.

However, I have been informed that the Nokia boxen (and Sun, it seems) will
do the routing first, and if the packet is to go out of the same interface,
will transmit it immediately out the interface without it passing through
the firewall rulebase.  To me though, the different frame relay PVCs are
different interfaces!

Can anyone confirm or deny this?  I would hate to have to go with the
complex solution for nothing.

Thanks

Rogan
--
In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe () alum mit edu>
--
Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498