Great Circle Associates Firewalls
(August 1996)

Subject: Re: Holes In Frame Relay
From: Adam Shostack <adam @ homeport . org>
Date: Mon, 26 Aug 1996 08:20:10 -0500 (EST)
To: mendes @ garnet . berkeley . edu (Jerry Mendes)
Cc: smith @ sctc . com, firewalls @ GreatCircle . COM
In-reply-to: <2 . 2 . 32 . 19960825075440 . 00766390 @ garnet . berkeley . edu> from "Jerry Mendes" at Aug 25, 96 00:54:40 am

Jerry Mendes wrote:
| Rick:
| 
| I don't think any of the "household" name frame relay providers (MCI,
| Sprint, AT&T, Bell Atlantic, et al) present any significant risk from
| Internet attacks "tunneling" through the frame relay infrastructure.  You do
| have the basic physical architecture correct.  Each user site has (usually)
| one physical link from a router (or a frame relay aware computer) into the
| cloud, and the cloud certainly links some corporate networks to ISPs.  This
| is the major advantage and economy from using frame relay....one network
| "fits all".

	Jerry,

	I'm glad to hear that you don't think that the 'major' frame
relay providers provide a point of risk to my networks.  Could you
tell me what estimates of value you're using, and what level of
professionalism on the part of the attackers?

	I consider the telcos to be in a great position here; they
have security by assertion, and few people are going to challenge them
on it.  Let's consider what it takes to prove telco negligence or
incompetence was involved in a network security breach.  First, you
must announce to the world that you've been breached.  Otherwise, how
would you know that the telco was at fault?  Next, you need to publish
your logs so that it's clear the telco was involved.  Third, you need
to publish the rest of your logs, so you can demonstrate that you are
confident in them until time T.  Next, you need to have your firewall
subjected to hostile, and possibly public audit when the telco claims
that your firewall was junk, and it wasn't their fault.  I find it
unlikely that we'll hear many authenticated claims of a breach through
FR.

	That is, of course, assuming that your logging mechanisms
catch the problem.  If you don't have a bastion or monitoring host
right on the FR connection (because you assume it's safe), you'll never
catch the attack.

| However, the carrier/telco operations staff *must* explicitly build each
| logical connection through the cloud.  It's not a free-for-all once you're

Or someone with operations privilege.

| Rather, one would have to gain access to the carrier/telco's internal
| administrative network in order to do the hack.  Not impossible, I'm sure,
| but it's certainly more secure than most people are aware.  Hope this helps.

I don't build security that depends on other people when I can help
it.  With encrypting routers and firewalls available, I can avoid
trusting FR, for a few thousand per site connected.

I think it's worth the peace of mind.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
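The point above about putting a monitoring host directly on the frame relay connection, as an added illustration that is not part of the original thread and not code by either poster: a PVC should only ever carry traffic from the peer site it was provisioned for, so a monitoring host can reduce "did the cloud deliver something it shouldn't have?" to a check of source address against the expected prefix per DLCI. The log format, the DLCI numbers, the address ranges and the sample lines are all constructed assumptions for this example.

```python
import ipaddress

# Constructed: the address space each PVC (identified by DLCI) is provisioned
# to carry. These DLCIs and prefixes are hypothetical, not from the thread.
EXPECTED_PEERS = {
    16: [ipaddress.ip_network("10.20.0.0/16")],   # branch office PVC
    17: [ipaddress.ip_network("10.30.0.0/16")],   # business partner PVC
}

# Constructed sample log lines, as a hypothetical monitoring host on the FR
# link might write them. Assumed format:
#   "<timestamp> dlci=<n> src=<ip> dst=<ip> proto=<p>"
SAMPLE_LOG = """\
1996-08-26T08:00:01 dlci=16 src=10.20.5.4 dst=192.0.2.10 proto=tcp
1996-08-26T08:00:02 dlci=17 src=10.30.1.9 dst=192.0.2.11 proto=udp
1996-08-26T08:00:03 dlci=16 src=198.51.100.7 dst=192.0.2.10 proto=tcp
1996-08-26T08:00:04 dlci=18 src=10.40.2.2 dst=192.0.2.12 proto=tcp
1996-08-26T08:00:05 dlci=16 src=10.20.9.1 dst=192.0.2.10 proto=icmp
"""


def parse_line(line):
    """Split one log line into a record; raises on malformed input."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {
        "ts": parts[0],
        "dlci": int(fields["dlci"]),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"],
    }


def check_record(rec, expected=EXPECTED_PEERS):
    """Return None if the packet fits its PVC's provisioning, else a reason."""
    prefixes = expected.get(rec["dlci"])
    if prefixes is None:
        # Traffic arrived on a DLCI we never ordered: either a provisioning
        # error in the cloud or a connection someone else built for us.
        return "unknown-dlci"
    if not any(rec["src"] in p for p in prefixes):
        # The PVC exists, but the far end is sending from addresses that
        # are not the peer site's. Worth a call to the carrier, with logs.
        return "src-outside-expected-prefix"
    return None


def audit(log_text, expected=EXPECTED_PEERS):
    """Run every log line through the check; return (ts, dlci, src, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = check_record(rec, expected)
        if reason is not None:
            findings.append((rec["ts"], rec["dlci"], str(rec["src"]), reason))
    return findings


if __name__ == "__main__":
    for ts, dlci, src, reason in audit(SAMPLE_LOG):
        print(f"{ts} dlci={dlci} src={src}: {reason}")
```

The check is deliberately simple: it says nothing about whether the traffic is hostile, only whether the cloud delivered something outside what was provisioned, which is exactly the evidence the post says you would need to keep (with the rest of your logs intact up to the time in question) before a carrier could be held to account.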