Vulnerability Development mailing list archives

Re: ATM PVC as security barrier


From: Shoten <shoten () STARPOWER NET>
Date: Thu, 10 May 2001 10:23:12 -0400

Your assumption (about how traffic inside a VPN cannot interact with the
routers it passes through and the devices that may happen to see it while
encrypted) is correct.  I am not aware of methods, however, by which someone
may break out of a PVC, but my gut reaction is to agree with you that a VPN
is more secure.  The downside of this is if you implement IDS, you will need
to put the sensors in places where they will see the traffic either before
encryption or after decryption.

And, er, one other thing...you might want to set up something akin to a
hotmail account and post from that instead of your company email account.
I'm not entirely sure that everyone who sees these postings is a good guy :)



Our network engineer proposed ATM PVCs as a means to route Internet traffic
across our corporate backbone. Obviously, the best approach is to carry the
Internet traffic on totally separate channels. However, we have to
distribute Internet access to far-flung sites on our corporate-owned
network, and network engineering does not want to pay for independent
communication channels. They insist on using the existing corporate network
infrastructure because it is already there. I proposed VPNs as more secure
than PVCs. Any other alternatives?  I am looking for feedback on using PVCs
versus VPNs as a security barrier between our corporate network and the
Internet. Note I am proposing that VPNs provide security in the reverse
direction than how they are typically used. Rather than protecting traffic
inside the VPN traversing an insecure network, I am proposing that a VPN
can protect a corporate network from the insecure Internet traffic confined
within the VPN. Is this a valid assumption? Note: both ends of the VPN
terminate at a firewall that we control. Comments?

