Great Circle Associates Firewalls
(August 1996)
 


Subject: Re: Holes In Frame Relay
From: Jerry Mendes <mendes @ garnet . berkeley . edu>
Date: Mon, 19 Aug 1996 21:27:36 -0700
To: Urban A Haas/TSG <Urban_A_Haas/TSG . TSG @ lnn . com>
Cc: firewalls <firewalls @ GreatCircle . COM>

I don't know who asked the question, Urban A Haas or Jeff Hayes, but here's
my view:

Packets traversing the Internet pass through many networks, all presumably
managed by careful, security-conscious network managers (remember, your
packets are passing through small, medium, and large ISPs, not through weird
nets and subnets filled with hackers).  Your ISP's primary concern is to give
good, reliable service (or at least it should be).  At the other end of your
connection (ie--the web server or ftp server), the packets are traversing an
individual corporate, university, or government net where someone could
certainly hack your connection if they were of a mind to.  Bear in mind,
however, that the destination network is the one *you* selected when you
requested the URL.  If it's your server and other people's clients (ie--web
browsers) that you're concerned about, then put the server between your
firewall and the Internet, not inside your secure network.

In any event, the packets are riding over various fiber optic cables and
microwave links belonging to the various telephone companies whose circuits are
actually carrying the Internet traffic.  Here in the U.S., the backbone
rides on MCI T3 circuits (45 mbps), soon to be upgraded to OC3 circuits (155
mbps).  If there were "bad guys" at MCI (or any of the other telcos in the
actual connection you're using), they could sniff your packets, and perhaps
find ways to attack your network.

On the other hand, if you have a private network (ie--an Intranet) which
uses Frame Relay for connectivity, your routers are linked directly to AT&T,
MCI, Sprint, or whoever is providing Frame Relay.  Once again, inside the
telco network, your packets are riding on fiber optic or microwave high
speed links (which are providing thousands of simultaneous connections for
telephone calls, data circuits, *and* Frame Relay).  The packets hit several
FR switches inside the telco network, and exit on a dedicated link to your
distant router.  Your packets never touch the Internet.

If your concern is that "bad guys" live at the telco, then it really doesn't
make any difference whether you use Frame Relay or dedicated links (leased
lines).  The best solution for you is to encrypt your data through a secure
tunnel, so that no one will be able to read the contents of the packets.  At
this point, most corporate and government network managers aren't quite
spooked enough to take on this level of security for internal traffic
(except of course for DoD, NSA, the IRS, and other sensitive gov't
organizations).  People are primarily concerned with traffic sent through
the Internet, because one really has no control over where each packet goes
and what level of protection various ISPs really provide.

In the not too distant future, IPv6 will permit all IP packets to have
encrypted payloads (see RFC1825) on a connection-by-connection basis, using
industry standard techniques.  Many vendors will have products out in early
1997.

Long answer to short question.  Hope it helps.

Jerry Mendes, Principal Consultant
DataComm Insights
150 Seminary Drive
Mill Valley, CA  94941
USA
(415) 381-5500
mendes @ garnet . berkeley . edu

At 09:57 AM 8/19/96 ES, Urban A Haas/TSG wrote:

>Premise:  All public data service offerings have security holes:  if you 
>don't own the real estate or the copper/fiber, consider it untrusted.
>
>Request:  Everyone believes the Internet to be an unsecure network, however, 
>most people believe frame relay to be quite secure.  I don't believe this is 
>accurate.  I believe frame relay is every bit as unsecure as the Internet. 
> I would like to understand the security concerns applicable to frame relay? 
> White papers, press reports, opinions, etc. are welcomed.
>
>jeff . hayes @ network . com