Firewall Wizards mailing list archives

Re: securing X.25 connection


From: Frank Willoughby <frankw () in net>
Date: Mon, 03 Aug 1998 19:44:26 -0500

At 11:24 AM 7/30/98 +0800, g wrote:
> Hi,
>
> I have a requirement to connect our internal system (IP based) to a data
> feed through an X.25 connection. Any advice on how to secure this X.25
> connection?

I used to have to secure X.25 connections frequently as an Information
Security Officer in a previous life.  There are several levels of security 
which are required to secure X.25 connections.

1  Establish an External Access Policy
2  Determine which DTEs will talk to which other DTEs
3  Determine who we trust and who we don't
4  Establish a Closed User Group (Benutzerbetriebsklasse - in Germany)
    This is where the Telecom provider will permit only authorized
    DTEs to talk to each other - everyone else is excluded.
5  Encrypt point-to-point using encrypting routers or a decent VPN 
    package (few are worth a hoot)
6  Put in a firewall at each end
7  Enable auditing (& logging) at the PAD and at the firewall
8  Document everything
9  Test everything *thoroughly*
10 Have a competent security ISO review all of the above *before* 
   implementation

The above is a good starting point.  Obviously, there are many
additional things we can do (network design, use X.25 features, 
etc.), but this will quickly digress from the charter of this 
list.

Note:
One could, theoretically, omit steps 5 & 6.  I wouldn't because
it means extending your circle of trust to an external entity.  
Omitting steps 5 & 6 assumes you trust your Telecomm provider to 
provide you with adequate security.  (ROTFL)  Personally, I haven't 
seen one that hasn't been cracked yet.  As always, YMMV.

FWIW, since you advertised to the entire planet (on which many 
hackers reside) what you are about to do, I would *strongly* 
recommend getting somebody competent to check & recheck what 
you are proposing to do (Item # 10).  Cleaning up after a hacker
has taken you out can be a real bear to deal with (I know, 
because I have had to help customers out of problems like this.)

Good Luck!

Best Regards,


Frank
The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers - Knowledge
Transfer
Phone: (317) 573-0800     Fax: (317) 573-0817


