Firewall Wizards mailing list archives

Re: cost of frame relay snooping


From: C Matthew Curtin <cmcurtin () research megasoft com>
Date: Sat, 1 Nov 1997 16:36:38 -0500 (EST)

"Jyri" == Jyri Kaljundi <jk () stallion ee> writes:

Jyri> Do any of you think about this when you decide if a frame relay
Jyri> connection should buy VPN encryption software or not?

The issues regarding frame relay security are different from those of
using the Internet as the conduit for VPNs.  When someone offers frame
relay service as a "more secure" alternative, he might very well be
right, for a certain classification of attacker.

When deciding whether (and/or how) to encrypt that frame relay
connection end-to-end, it's useful to return back to the basic
principles of security.  What's your policy?  What's your threat
model?  What's the danger of someone sniffing the traffic? How much
damage could a sniffer cause?  How much does it cost to encrypt the
line?

Of course, asking questions like this is always a good idea,
regardless of what you're planning to do to your network.

Now, the difficulty that an attacker will have in snooping your VPN
link will vary, based on a number of factors.  Typically, frame relay
connections are provided to a site, router and all, from the service
provider.  The router is managed by the provider.  One typically can't
just hang any device on the network and start listening in.

When getting into specifics, the ease with which someone can snoop
will vary depending on how the provider manages their network, what
the topology of the network is, etc.

My advice would be to have a discussion with an engineer from the
provider who can answer topology questions and talk about security
issues with you.  Don't let 'em snow you with answers like "we take
precautions"--find out what they do, and how it makes life difficult
for an attacker.

-- 
Matt Curtin  Chief Scientist Megasoft Online  cmcurtin () research megasoft com
http://www.research.megasoft.com/people/cmcurtin/    I speak only for myself
Keywords:  Crypto Security Privacy   Unix Internet Perl Java   Death-to-spam


