Rick:
I don't think any of the "household" name frame relay providers (MCI,
Sprint, AT&T, Bell Atlantic, et al) present any significant risk from
Internet attacks "tunneling" through the frame relay infrastructure. You do
have the basic physical architecture correct. Each user site has (usually)
one physical link from a router (or a frame relay aware computer) into the
cloud, and the cloud certainly links some corporate networks to ISPs. This
is the major advantage and economy from using frame relay....one network
"fits all".
However, the carrier/telco operations staff *must* explicitly build each
logical connection through the cloud. It's not a free-for-all once you're
inside their network. Each site is specifically linked to a number of other
sites by logical connections called Permanent Virtual Circuits....the
customer designs the logical connections based on connectivity needs, and
the carrier/telco operations people define them. One cannot hack (so far as
I know) through ordinary connections into the cloud, redefining PVCs at
will. The technology is just not designed to permit this. Leading vendors
of the technology are Cascade Communications, Siemens/Stromberg Carlson,
Newbridge, Stratacom (now owned by Cisco), and AT&T Network Systems (now
Lucent Technology). All strong players, not silly enough to design their
administrative systems with availability through ordinary customer connections.
Rather, one would have to gain access to the carrier/telco's internal
administrative network in order to do the hack. Not impossible, I'm sure,
but it's certainly more secure than most people are aware. Hope this helps.
Jerry Mendes, Principal Consultant
DataComm Insights, Mill Valley, CA
mendes @ garnet . berkeley . edu
(415) 381-5500
At 05:02 PM 8/23/96 -0500, Rick Smith wrote:
>I haven't looked at this lately, but the last time I spoke to someone
>here is what I found -- a typical frame relay site will get a single
>connection from their phone company that hooks to the other sites in
>their frame relay "cloud" and also to the Internet. They then hook
>this single connection to an IP router. Voila. All of the traffic from
>their remote sites is immediately mixed with traffic from the Internet
>at a level *below* the IP stack. Hosts on the Internet can probably
>masquerade as hosts on the enterprise's frame relay network.
>
>I would expect that a decent router that supports frame relay can deal
>with this but I've never had to do it myself. Comments?
>
>Rick.
>smith @ sctc . com
>
>
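
Added illustration, not part of either message above: a minimal Python model of the provisioning point in the reply, where a frame relay switch forwards a frame only if carrier operations have defined a PVC for the port and circuit number (DLCI) it arrived on. It assumes the standard 2-octet Q.922 address field; the port names, DLCI values and `Switch` class are constructed for the example.

```python
# Added example. Port names, DLCI numbers and the Switch class are constructed.

def build_header(dlci: int) -> bytes:
    """Encode a 10-bit DLCI as a 2-octet Q.922 address (C/R, FECN, BECN, DE = 0)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    # Octet 1: upper 6 DLCI bits, C/R, EA=0. Octet 2: lower 4 DLCI bits, flags, EA=1.
    return bytes([(dlci >> 4) << 2, ((dlci & 0x0F) << 4) | 0x01])

def parse_dlci(frame: bytes) -> int:
    """Extract the DLCI from the first two octets of a frame."""
    if len(frame) < 2:
        raise ValueError("short frame")
    b1, b2 = frame[0], frame[1]
    if (b1 & 0x01) or not (b2 & 0x01):
        raise ValueError("not a 2-octet address field")
    return ((b1 >> 2) << 4) | (b2 >> 4)

class Switch:
    """Cross-connect table keyed on (ingress port, DLCI); DLCIs are local to a port."""

    def __init__(self):
        self.pvcs = {}

    def provision(self, a_port, a_dlci, b_port, b_dlci):
        # Only the carrier's operations side calls this; customers cannot.
        self.pvcs[(a_port, a_dlci)] = (b_port, b_dlci)
        self.pvcs[(b_port, b_dlci)] = (a_port, a_dlci)

    def forward(self, in_port, frame):
        """Return (egress port, rewritten frame), or None when no PVC exists."""
        hop = self.pvcs.get((in_port, parse_dlci(frame)))
        if hop is None:
            return None  # unprovisioned circuit: the frame is dropped
        out_port, out_dlci = hop
        return out_port, build_header(out_dlci) + frame[2:]

if __name__ == "__main__":
    sw = Switch()
    sw.provision("hq", 100, "branch", 200)  # enterprise site-to-site PVC
    sw.provision("hq", 101, "isp", 300)     # Internet access PVC
    payload = b"constructed-ip-packet"
    print(sw.forward("isp", build_header(300) + payload))  # delivered to hq on DLCI 101
    print(sw.forward("isp", build_header(200) + payload))  # None: isp has no such PVC
```

In this model, traffic from the ISP port reaches the headquarters router on its own DLCI, separate from the branch PVC, so the router can apply different filtering per circuit.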