WAN Module in Medium-Sized Networks
The inclusion of the WAN module in the medium-sized network design is feasible only if there is a requirement to connect to a remote site using a private circuit such as Frame Relay or ATM. The design of a WAN module includes only one device, a Cisco IOS Firewall router, which provides routing, access-control, and QoS mechanisms to remote locations. The WAN module and its associated components are shown in Figure 15-6.
Figure 15-6. Medium-Sized Network WAN Module

Mitigating Threats in the WAN Module
The expected threats on the WAN module and the mitigation actions to counter them are outlined in Table 15-8.
Threat | Threat Mitigation |
---|---|
IP spoofing | Mitigated by using Layer 3 filtering on the router |
Unauthorized access | Mitigated by using simple access control on the router, which can limit the types of protocols to which branches have access |
Figure 15-7. Medium-Sized Network WAN Module Threat-Mitigation Roles

Design Guidelines
The level of security placed within the WAN module depends on the level of trust at the remote sites and the ISP that is supplying the WAN connectivity. ACLs on the interfaces of the router can be used to control the flow of traffic both inbound and outbound among the remote sites and the medium-sized network.
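The following Cisco IOS configuration is an added example, not taken from the original text, showing how the Layer 3 filtering and simple access control described above might be applied to the WAN interface. The interface name, ACL names, and all addresses (branch LAN 10.2.0.0/16, main-site LAN 10.1.0.0/16, and the three server addresses) are assumptions made for illustration.

```cisco
! Constructed addressing (assumptions): branch LAN 10.2.0.0/16,
! main-site LAN 10.1.0.0/16, web server 10.1.10.10,
! mail server 10.1.10.20, DNS server 10.1.10.53.
!
ip access-list extended WAN-IN
 remark Anti-spoofing: main-site and loopback sources are never valid here
 deny   ip 10.1.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark Simple access control: protocols the branch is allowed to reach
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.10.10 eq www
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.10.10 eq 443
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.10.20 eq smtp
 permit udp 10.2.0.0 0.0.255.255 host 10.1.10.53 eq domain
 remark Return traffic for TCP sessions opened from the main site
 permit tcp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 established
 permit icmp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 echo-reply
 remark Everything else, including any other source prefix, is dropped
 deny   ip any any log
!
ip access-list extended WAN-OUT
 remark Only main-site sources may be forwarded toward the branch
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 deny   ip any any log
!
interface Serial0/0.1 point-to-point
 description Frame Relay PVC to branch (assumed interface)
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
```

The `established` entry matches only TCP segments with ACK or RST set, so it does not track state; UDP replies to sessions opened from the main site would need their own entries.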
Design Alternatives
The following are possible design alternatives to the WAN module previously discussed:
- To provide an additional level of security and information privacy, you can use IPSec VPNs across the WAN link.
- You can use a Cisco IOS Firewall router as the WAN router so that you can use its firewall features to provide an additional level of security. This stateful firewall provides enhanced access control when compared to the basic access control discussed previously.
