Subject: Re: ATM Switches
From: Ed Lopez (edlope@CISCO.COM)
Date: Tue Oct 10 2000 - 08:46:34 CDT
- Next message: Aigars Grins: "Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh)"
- Previous message: David Wagner: "Re: Remote exploitation of network scanners?"
- In reply to: Richard Ginski: "Re: ATM Switches"
- Reply: Ed Lopez: "Re: ATM Switches"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Richard,
I'm going to make an assumption that you already have a significant internal
ATM backbone infrastructure if you have an ASX-1200. This implies that
there is an NSAP addressing scheme in place, even if it is the factory
default addressing scheme provided by the switches. My questions are then
centered around the NNI border between your ATM environment and your
providers. Are you planning on having a formal P-NNI or IISP border with
appropriate NSAP filters to prevent SVCs from being signalled between your
environments? Unfortunately, I often see cases where insufficient or no
mechanisms are put into place to prevent outsiders from setting up SVCs into
internal ATM environments. Particularly in cases where the infrastructure
is LANE based (opening the environment to LE-ARP spoofing), the ability for
would-be intruders to use SVCs in an attack is significant. Another form
of an SVC signaling attack would be to request strict QoS scheduling of
resources, such as a CBR, which if granted by your ATM switches could
strangle your network.
You say you are getting a 6Mbps link, which I assume is terminating on an
OC-3 or DS-3. How is this being guaranteed? Do you have an ABR or CBR
circuit, or is the provider just throttling on a UBR? Keep in mind that you
are paying a cell tax, and from an IP layer standpoint your actual
throughput will be in the vicinity of 4.5-5Mbps.
Do you have an explicit clocking source on your ATM network? In any case
keep in mind that connecting one of your ATM switches to your provider may
result in clocking issues.
Personally, I would recommend that you terminate the PVC on a UNI device as
opposed to an ATM switch. On the face it doesn't appear that your intention
is to set up an NNI border, so terminating the PVC on a UNI device avoids a
large number of the problems I've stated.
Ed
**************************************************************
Ed Lopez - Consulting SE Phone: (703)484-5933
Cisco Systems - Federal Area Fax: (703)484-5599
Advanced Technology Team Pager: (800)365-4578
13635 Dulles Technology Drive Email: edlope@cisco.com
Herndon, VA 20171
"Empowering the Internet Generation"
**************************************************************
> -----Original Message-----
> From: VULN-DEV List [mailto:VULN-DEV@SECURITYFOCUS.COM] On Behalf Of
> Richard Ginski
> Sent: Monday, October 09, 2000 1:55 PM
> To: VULN-DEV@SECURITYFOCUS.COM
> Subject: Re: ATM Switches
>
>
> Hi list,
>
> We are in the design process of upgrading our Internet
> connectivity from dual T-1 to ATM. In that process we are
> contemplating using an existing ATM switch (implemented for our
> internal network) by way of separate channels (pvc's) on separate
> ports for a new 6 meg ATM connection for the Internet. The
> equipment to accomplish this is a Fore Systems 1200 ATM Switch. I
> am being told that this is okay as far as security is concerned,
> but my gut feeling tells me that there is something wrong with
> this picture. The entry point from the pvc would still hit our
> security infrastructure, firewall, IDS etc. It would really help
> if I could receive input from the group on this. Especially from
> the ATM switch experts out there. I really could use some
> specifics as to why this is okay or a bad idea. Thanks in advance.
>
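Ed's cell-tax estimate above (4.5-5Mbps of IP throughput out of a 6Mbps ATM circuit) can be checked with plain AAL5 arithmetic. The Python below is an added example and is not part of the original list message; it assumes the 6Mbps figure is the raw cell rate the provider delivers (53-byte cells, headers included, no DS-3 PLCP or SONET framing overhead counted) and uses a constructed packet-size mix to show how strongly the IP-layer goodput depends on packet size.

```python
import math

# Figures from the ATM / AAL5 / RFC 2684 specifications (not assumptions):
CELL_BYTES = 53      # one ATM cell on the wire (5-byte header + 48-byte payload)
CELL_PAYLOAD = 48    # usable bytes per cell
AAL5_TRAILER = 8     # AAL5 CPCS-PDU trailer (UU, CPI, length, CRC-32)
LLC_SNAP = 8         # LLC/SNAP encapsulation header for routed IP over AAL5


def cells_for_ip_packet(ip_len: int, llc_snap: bool = True) -> int:
    """Number of ATM cells needed to carry one IP packet over AAL5.

    The CPCS-PDU (payload + pad + 8-byte trailer) is padded out to a whole
    number of 48-byte cells, so the trailer can push a packet into an extra
    cell: a 40-byte TCP ACK with LLC/SNAP already needs two cells.
    """
    cpcs_payload = ip_len + (LLC_SNAP if llc_snap else 0)
    return math.ceil((cpcs_payload + AAL5_TRAILER) / CELL_PAYLOAD)


def ip_throughput_mbps(link_mbps: float, ip_len: int, llc_snap: bool = True) -> float:
    """IP-layer goodput on a circuit whose cell rate is link_mbps (cell headers included).

    Assumption: every packet on the circuit has this size; the 6Mbps figure is
    treated as the raw cell rate the provider polices to.
    """
    wire_bytes = cells_for_ip_packet(ip_len, llc_snap) * CELL_BYTES
    return link_mbps * ip_len / wire_bytes


def goodput_for_mix(link_mbps: float, mix: dict) -> float:
    """Weighted goodput for a packet-size mix given as {ip_len: fraction_of_packets}."""
    total_ip = sum(n * frac for n, frac in mix.items())
    total_wire = sum(cells_for_ip_packet(n) * CELL_BYTES * frac for n, frac in mix.items())
    return link_mbps * total_ip / total_wire


# Constructed packet-size mix (small ACKs, medium packets, full-size MTU),
# chosen only to illustrate the effect; it is not a measured traffic profile.
SAMPLE_MIX = {40: 0.58, 576: 0.33, 1500: 0.09}


if __name__ == "__main__":
    for size in (40, 64, 576, 1500):
        print(f"{size:5d}-byte IP packet: {cells_for_ip_packet(size)} cells, "
              f"{ip_throughput_mbps(6.0, size):.2f} Mbps of IP payload on a 6 Mbps circuit")
    print(f"sample mix: {goodput_for_mix(6.0, SAMPLE_MIX):.2f} Mbps")
```

Full-size 1500-byte packets alone already lose over 11% (32 cells, 1696 bytes on the wire for 1500 bytes of IP), and a realistic share of small packets pulls the mix down into the range Ed quotes; the same arithmetic is why a CBR contract sized to the IP bandwidth you think you need is short by the cell tax.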