Great Circle Associates Firewalls
(August 1996)
 


Subject: Frame Relay Security
From: arager @ mcgraw-hill . com
Date: Wed, 28 Aug 96 09:44:15 edt
To: firewalls @ greatcircle . com

     Hello all,
     
     I do not know how secure Frame Relay is as far as the provider 
     switching is concerned, but I do have a couple of related comments 
     concerning F/R and firewalls.
     
     1 - I do not believe F/R is bulletproof.....If field techs can change 
     switch configs....so can a smart hacker.  If he can change PVCs or 
     DLCI maps, then he can do most anything he wants.  He can make himself 
     one of your 'trusted' DLCIs, he can add himself to a group mode PVC, 
     or he can cut you out of the PVC and redirect traffic intended for you 
     to someone else (like himself).
     
     2 - As pointed out in an earlier post, Frame Relay implementations can 
     compromise security.  Consider the following example:
     
     [branch office]----PVC1-------------[your router]
              |
               \---------PVC2-------------[internet]
     
     
     In the above diagram you have established a PVC [PVC1] with your 
     'trusted' branch office or business partner.  Without your knowledge 
     this branch or business partner decides to cut costs and use the same 
     comm line for internet connectivity.  They have their provider create 
     a PVC [PVC2] from their DLCI to an internet provider.  Even if they 
     set their router up properly [they're cutting costs...remember] you 
     are still at risk.  If someone from the Internet breaks into the 
     branch/business partner router, they also have access to everything 
     the router connects to....including your router.  Router security is 
     nowhere near as strong as firewalls.....routers normally have a 
     telnet or SNMP based config interface...and inexperienced network 
     techs may have left default usernames/passwords/community names.  The 
     point is, you don't always know where other nodes in your F/R network 
     are also connected to.
     
     [this also applies to other WAN comm technologies.....you may have a 
     point-point connect with another office...but what else are they 
     connected to?]
     
     
     I would recommend some form of firewall to isolate frame relay 
     networks.  Treat it like an internet connection. I think there are 
     some very real risks......and if your data is valuable, you should 
     have some level of paranoia.
     
     
     
     Anton Rager
     arager @ McGraw-Hill . com
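
The transitive exposure in the diagram above, and the effect of the recommended firewall, worked through as an added example that is not part of the original post. The node names, the `fr-firewall` node and the assumption that a firewall enforces default-deny between its links are illustrative.

```python
from collections import deque

# Constructed inventory modelled on the diagram in the post; node and PVC
# names are assumptions, not data from any real network.
PVCS = [
    ("branch-office", "your-router", "PVC1"),
    ("branch-office", "internet", "PVC2"),
    ("your-router", "internal-lan", "LAN"),
]

def exposure_path(links, source, target, filtering=frozenset()):
    """Return the shortest link path from source to target, or None.

    Nodes in `filtering` are assumed to enforce default-deny between their
    links, so the search may reach them but never forwards through them.
    """
    adjacency = {}
    for a, b, name in links:
        adjacency.setdefault(a, []).append((b, name))
        adjacency.setdefault(b, []).append((a, name))
    queue = deque([(source, [source])])
    seen = {source}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if node in filtering and node != source:
            continue  # traffic terminates at the filter; no transit
        for nxt, name in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"--{name}-->", nxt]))
    return None

def with_firewall(links, protected, firewall="fr-firewall"):
    """Re-home every WAN PVC of `protected` onto a firewall node in front of it."""
    out = []
    for a, b, name in links:
        if name.startswith("PVC") and protected in (a, b):
            other = b if a == protected else a
            out.append((other, firewall, name))
        else:
            out.append((a, b, name))
    out.append((firewall, protected, "inside"))
    return out

if __name__ == "__main__":
    print(exposure_path(PVCS, "internet", "internal-lan"))
    hardened = with_firewall(PVCS, "your-router")
    print(exposure_path(hardened, "internet", "internal-lan", {"fr-firewall"}))
```

Run against a real PVC inventory from the provider, the first call lists the chain of links by which a network you never contracted with reaches your LAN; the second shows the same inventory with the frame relay side treated like an Internet connection.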

