Vulnerability Development mailing list archives

Re: ATM Switches


From: Ed Lopez <edlope () CISCO COM>
Date: Tue, 10 Oct 2000 09:46:34 -0400

Richard,

I'm going to make an assumption that you already have a significant internal
ATM backbone infrastructure if you have an ASX-1200.  This implies that
there is an NSAP addressing scheme in place, even if it is the factory
default addressing scheme provided by the switches.  My questions are then
centered around the NNI border between your ATM environment and your
providers.  Are you planning on having a formal P-NNI or IISP border with
appropriate NSAP filters to prevent SVCs from being signalled between your
environments?  Unfortunately, I often see cases where insufficient to no
mechanisms are put into place to prevent outsiders from setting up SVCs into
internal ATM environments.  Particularly in cases where the infrastructure
is LANE based (opening the environment to LE-ARP spoofing), the ability for
would-be intruders to use SVCs in an attack is significant.  Another form
of an SVC signaling attack would be to request strict QoS scheduling of
resources, such as a CBR, which if granted by your ATM switches could
strangle your network.

You say you are getting a 6Mbps link, which I assume is terminating on an
OC-3 or DS-3.  How is this being guaranteed?  Do you have an ABR or CBR
circuit, or is the provider just throttling on a UBR?  Keep in mind that you
are paying a cell tax, and from an IP layer standpoint your actual
throughput will be in the vicinity of 4.5-5Mbps.

Do you have an explicit clocking source on your ATM network?  In any case
keep in mind that connecting one of your ATM switches to your provider may
result in clocking issues.

Personally, I would recommend that you terminate the PVC on a UNI device as
opposed to an ATM switch.  On the face it doesn't appear that your intention
is to set up an NNI border, so terminating the PVC on a UNI device avoids a
large number of the problems I've stated.

Ed

**************************************************************
Ed Lopez - Consulting SE          Phone:  (703)484-5933
Cisco Systems - Federal Area      Fax:    (703)484-5599
Advanced Technology Team          Pager:  (800)365-4578
13635 Dulles Technology Drive     Email:  edlope () cisco com
Herndon, VA 20171

                "Empowering the Internet Generation"
**************************************************************

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Richard Ginski
Sent: Monday, October 09, 2000 1:55 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: ATM Switches


Hi list,

We are in the design process of upgrading our Internet
connectivity from dual T-1 to ATM. In that process we are
contemplating using an existing ATM switch (implemented for our
internal network) by way of separate channels (PVCs) on separate
ports for a new 6 meg ATM connection for the Internet. The
equipment to accomplish this is a Fore Systems 1200 ATM Switch. I
am being told that this is okay as far as security is concerned,
but my gut feeling tells me that there is something wrong with
this picture. The entry point from the PVC would still hit our
security infrastructure, firewall, IDS etc. It would really help
if I could receive input from the group on this. Especially from
the ATM switch experts out there. I really could use some
specifics as to why this is okay or a bad idea. Thanks in advance.
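Ed's "cell tax" remark can be checked with a small calculation. The following is an added illustration, not part of either message: it counts the 53-byte cells needed to carry an IP packet over AAL5 with RFC 2684 LLC/SNAP encapsulation and derives the IP-layer throughput for a constructed 7:4:1 packet mix. It assumes the 6 Mbit/s figure is the PVC's cell rate, header bytes included.

```python
import math

CELL_PAYLOAD = 48   # payload bytes per ATM cell
CELL_SIZE = 53      # 5-byte cell header + 48-byte payload
AAL5_TRAILER = 8    # CPCS-UU, CPI, Length, CRC-32
LLC_SNAP = 8        # RFC 2684 LLC/SNAP header for routed IP


def cells_for_ip_packet(ip_len, encap_overhead=LLC_SNAP):
    """Cells needed for one IP packet over AAL5.

    The CPCS-PDU (packet + encapsulation + trailer) is padded up to a
    multiple of 48 bytes, so short packets waste much of their last cell.
    """
    if ip_len <= 0:
        raise ValueError("IP packet length must be positive")
    cpcs_len = ip_len + encap_overhead + AAL5_TRAILER
    return math.ceil(cpcs_len / CELL_PAYLOAD)


def aal5_efficiency(ip_len):
    """Fraction of bytes on the wire that is IP payload for one packet size."""
    return ip_len / (cells_for_ip_packet(ip_len) * CELL_SIZE)


def ip_throughput(cell_rate_bps, packet_mix):
    """IP-layer throughput (bit/s) on a circuit with the given cell rate.

    packet_mix maps IP packet length to its relative count in the traffic.
    """
    ip_bytes = sum(n * size for size, n in packet_mix.items())
    wire_bytes = sum(n * cells_for_ip_packet(size) * CELL_SIZE
                     for size, n in packet_mix.items())
    return cell_rate_bps * ip_bytes / wire_bytes


# Constructed 7:4:1 mix: TCP ACKs, mid-size packets, full 1500-byte packets.
SIMPLE_IMIX = {40: 7, 576: 4, 1500: 1}

if __name__ == "__main__":
    for size in (40, 576, 1500):
        print(f"{size:5d}-byte IP packet: {cells_for_ip_packet(size):2d} cells, "
              f"efficiency {aal5_efficiency(size):.1%}")
    mbps = ip_throughput(6e6, SIMPLE_IMIX) / 1e6
    print(f"6 Mbit/s cell rate with the 7:4:1 mix: {mbps:.2f} Mbit/s of IP")
```

With this mix the 6 Mbit/s circuit yields roughly 4.7 Mbit/s of IP traffic, inside the 4.5-5 Mbit/s range Ed quotes; a flow of small packets alone would do far worse.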


