Vulnerability Development mailing list archives
Re: ATM Switches
From: Ed Lopez <edlope () CISCO COM>
Date: Tue, 10 Oct 2000 09:46:34 -0400
Richard,

I'm going to make an assumption that you already have a significant internal ATM backbone infrastructure if you have an ASX-1200. This implies that there is an NSAP addressing scheme in place, even if it is the factory default addressing scheme provided by the switches.

My questions are then centered around the NNI border between your ATM environment and your providers. Are you planning on having a formal P-NNI or IISP border with appropriate NSAP filters to prevent SVCs from being signalled between your environments? Unfortunately, I often see cases where insufficient to no mechanisms are put into place to prevent outsiders from setting up SVCs into internal ATM environments. Particularly in cases where the infrastructure is LANE based (opening the environment to LE-ARP spoofing), the ability for would-be intruders to use SVCs in an attack is significant. Another form of an SVC signaling attack would be to request strict QoS scheduling of resources, such as a CBR, which if granted by your ATM switches could strangle your network.

You say you are getting a 6Mbps link, which I assume is terminating on an OC-3 or DS-3. How is this being guaranteed? Do you have an ABR or CBR circuit, or is the provider just throttling on a UBR? Keep in mind that you are paying a cell tax, and from an IP layer standpoint your actual throughput will be in the vicinity of 4.5-5Mbps.

Do you have an explicit clocking source on your ATM network? In any case keep in mind that connecting one of your ATM switches to your provider may result in clocking issues.

Personally, I would recommend that you terminate the PVC on a UNI device as opposed to an ATM switch. On the face of it, it doesn't appear that your intention is to set up an NNI border, so terminating the PVC on a UNI device avoids a large number of the problems I've stated.
Ed

**************************************************************
Ed Lopez - Consulting SE
Cisco Systems - Federal Area, Advanced Technology Team
13635 Dulles Technology Drive, Herndon, VA 20171
Phone: (703)484-5933
Fax: (703)484-5599
Pager: (800)365-4578
Email: edlope () cisco com
"Empowering the Internet Generation"
**************************************************************
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Richard Ginski
Sent: Monday, October 09, 2000 1:55 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: ATM Switches

Hi list,

We are in the design process of upgrading our Internet connectivity from dual T-1 to ATM. In that process we are contemplating using an existing ATM switch (implemented for our internal network) by way of separate channels (PVCs) on separate ports for a new 6 meg ATM connection for the Internet. The equipment to accomplish this is a Fore Systems 1200 ATM Switch. I am being told that this is okay as far as security is concerned, but my gut feeling tells me that there is something wrong with this picture. The entry point from the PVC would still hit our security infrastructure, firewall, IDS etc.

It would really help if I could receive input from the group on this. Especially from the ATM switch experts out there. I really could use some specifics as to why this is okay or a bad idea.

Thanks in advance.
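The "cell tax" Ed mentions is the fixed per-cell and per-frame overhead of carrying IP over ATM, and how much of a 6 Mbps circuit survives at the IP layer depends on the packet size mix. The following is an added worked example, not code from either poster: it accounts for AAL5 encapsulation (an 8-byte LLC/SNAP header when RFC 1483-style bridged/routed encapsulation is in use, an 8-byte CPCS trailer, padding to a multiple of the 48-byte cell payload, and 5 bytes of cell header per 53-byte cell) and computes the IP-layer throughput a cell-rate-limited circuit can deliver. The 6 Mbps figure is the one in the thread; the packet mix used at the bottom is a constructed sample, not a measurement from Richard's network.

```python
"""AAL5 cell-tax calculator: IP-layer throughput over a cell-rate-limited ATM circuit."""

ATM_CELL_BYTES = 53          # 5-byte header + 48-byte payload
ATM_PAYLOAD_BYTES = 48
AAL5_TRAILER_BYTES = 8       # CPCS-UU, CPI, Length, CRC-32
LLC_SNAP_BYTES = 8           # RFC 1483 / RFC 2684 LLC/SNAP header (omitted for VC-mux)


def aal5_cells(ip_bytes: int, llc_snap: bool = True) -> int:
    """Number of ATM cells needed to carry one IP packet as an AAL5 frame.

    The CPCS-PDU is the packet plus optional LLC/SNAP header plus the 8-byte
    trailer, padded up to a whole number of 48-byte cell payloads.
    """
    pdu = ip_bytes + (LLC_SNAP_BYTES if llc_snap else 0) + AAL5_TRAILER_BYTES
    return -(-pdu // ATM_PAYLOAD_BYTES)   # ceiling division


def wire_bytes(ip_bytes: int, llc_snap: bool = True) -> int:
    """Bytes actually sent on the ATM link for one IP packet."""
    return aal5_cells(ip_bytes, llc_snap) * ATM_CELL_BYTES


def efficiency(ip_bytes: int, llc_snap: bool = True) -> float:
    """Fraction of link bytes that are IP payload (1.0 would be no cell tax)."""
    return ip_bytes / wire_bytes(ip_bytes, llc_snap)


def ip_throughput_bps(link_bps: float, ip_bytes: int, llc_snap: bool = True) -> float:
    """IP-layer throughput for a stream of equal-size packets on a link of link_bps."""
    return link_bps * efficiency(ip_bytes, llc_snap)


def mix_throughput_bps(link_bps: float, mix, llc_snap: bool = True) -> float:
    """IP-layer throughput for a packet mix given as [(ip_bytes, packet_count), ...].

    Aggregate efficiency is total IP bytes over total wire bytes for the mix.
    """
    ip_total = sum(size * count for size, count in mix)
    wire_total = sum(wire_bytes(size, llc_snap) * count for size, count in mix)
    return link_bps * ip_total / wire_total


# Constructed sample: the 6 Mbps circuit from the thread and a 7:4:1 mix of
# 64/576/1500-byte packets (an "IMIX"-style assumption, not measured data).
LINK_BPS = 6_000_000
SAMPLE_MIX = [(64, 7), (576, 4), (1500, 1)]

if __name__ == "__main__":
    for size in (40, 64, 576, 1500):
        print(f"{size:5d}-byte IP packet -> {aal5_cells(size):3d} cells, "
              f"efficiency {efficiency(size):.3f}, "
              f"{ip_throughput_bps(LINK_BPS, size) / 1e6:.2f} Mbps IP throughput")
    print(f"sample mix -> {mix_throughput_bps(LINK_BPS, SAMPLE_MIX) / 1e6:.2f} Mbps IP throughput")
```

Large packets pay the least tax (a 1500-byte packet fills 32 cells at about 88% efficiency, roughly 5.3 Mbps on this circuit), while a 40-byte TCP ACK with LLC/SNAP spills into a second cell and runs under 40% efficiency; a realistic mix lands in the range Ed gives. This is only the AAL5 and cell-header cost: SONET or DS-3 PLCP framing on the physical interface takes a further slice, and a provider policing at a cell rate, not a bit rate, makes the cell count the figure that matters.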