The WAN access module is an often-overlooked aspect of the perimeter, because the remote connection is part of the overall protected network. Most WAN connections are in the form of leased lines such as T1 and T3 lines, packet-switched networks such as frame relay, and cell-switched networks such as ATM. Figure 11-8 depicts a hardened WAN module.
The core of the WAN module's security is the firewalls, which protect the enterprise network from the remote location. In Figure 11-8, the firewalls are external to the routers; however, the filtering capabilities could easily be bundled into the routers themselves through the use of firewall feature sets, access control lists (ACLs), and Context-Based Access Control (CBAC) on Cisco-based equipment.
Redundancy is provided through the use of technologies such as Hot Standby Router Protocol (HSRP) for fault tolerance. For businesses that are particularly concerned with security, IPsec can be implemented on the routers at each end of the WAN connection to provide data integrity and security over the public or private service provider network.
In addition, like all of our perimeter modules, NIDS/NIPS are implemented behind the firewall to monitor and analyze the traffic traversing the module to the internal network.
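The router-side controls named above (ACLs, CBAC, IPsec, HSRP) can be checked mechanically against a router configuration. The following audit script is an added example, not part of the original text; the sample configuration, its interface and policy names, and the assumption that WAN links are the `Serial` interfaces are all constructed for illustration.

```python
import re

# Constructed IOS-style configuration for one WAN router (names and addresses are samples).
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group WAN-IN in
 ip inspect WAN-FW out
 crypto map WAN-MAP
!
interface GigabitEthernet0/1
 ip address 10.10.0.2 255.255.255.0
 standby 1 ip 10.10.0.1
!
interface Serial0/1
 ip address 192.0.2.5 255.255.255.252
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

WAN_CHECKS = {  # control named in the text -> command expected on a WAN interface
    "inbound ACL": r"ip access-group \S+ in$",
    "CBAC inspection": r"ip inspect \S+ (in|out)$",
    "IPsec crypto map": r"crypto map \S+$",
}

def audit(config, wan_prefix="Serial"):
    """List missing controls: filtering and IPsec per WAN interface, HSRP per router."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, cmds in interfaces.items():
        if name.startswith(wan_prefix):  # assumption: WAN links are Serial interfaces
            for control, pattern in WAN_CHECKS.items():
                if not any(re.match(pattern, c) for c in cmds):
                    findings.append((name, control))
    if not any(re.match(r"standby \d+ ip ", c) for cmds in interfaces.values() for c in cmds):
        findings.append(("router", "HSRP"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the second WAN link, which carries an address but none of the three controls. Where the filtering is done by external firewalls as in Figure 11-8, the ACL and CBAC findings on the router are expected and the equivalent policy has to be verified on the firewalls instead.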