Vulnerability Development mailing list archives

Re: ATM PVC as security barrier


From: Kurt Seifried <bugtraq () SEIFRIED ORG>
Date: Wed, 9 May 2001 23:57:02 -0600

Our network engineer proposed ATM PVCs as a means to route Internet traffic
across our corporate backbone. Obviously, the best approach is to carry the
Internet traffic on totally separate channels. However, we have to
distribute Internet access to far-flung sites on our corporate-owned
network, and network engineering does not want to pay for independent
communication channels. They insist on using the existing corporate network
infrastructure because it is already there. I proposed VPNs as more secure
than PVCs. Any other alternatives?  I am looking for feedback on using PVCs
versus VPNs as a security barrier between our corporate network and the
Internet. Note I am proposing that VPNs provide security in the reverse
direction from how they are typically used. Rather than protecting traffic
inside the VPN traversing an insecure network, I am proposing that a VPN
can protect a corporate network from the insecure Internet traffic confined
within the VPN. Is this a valid assumption? Note: both ends of the VPN
terminate at a firewall that we control. Comments?

Most attackers won't be able to get into ATM (or frame relay, etc.) PVCs
simply because not too many people know the technology all that well. OTOH if
someone breaks into a site they can then get at other nodes on the network.
Also, because it may be "shared" there are potential problems with less secure
people on the same networks as you are. I would not rely on it for all my
security; using IPSec or something would be a very good idea (TM). Multiple
layers of security are usually a good idea.

Kurt Seifried, seifried () securityportal com
Securityportal - your focal point for security on the 'net

