I'm not necessarily disagreeing with your assertions, but they are just
that, assertions. How can he add himself to a group mode PVC, or make
himself one of your "trusted" DLCIs? How can he redirect PVC traffic
intended for me?

In point #1, all of these things are the same types of things that could
be done if any transport medium were compromised at the Telco. What's
the difference between that and someone connecting to the management
port on a Telco router and monitoring all your traffic from there? Or
adding an extra port to a Telco router during "normal maintenance
windows", thereby introducing a new connection point in your link which
could be used to do the same Bad Thing?

I'll tell you one difference: if someone did these things to a leased
line, you'd have absolutely no way of determining it. If someone fiddled
with FR DLCIs or PVCs, it would be viewable throughout your router
network, as the new DLCI or PVCs would be seen. Supposedly being able to
spoof a DLCI and its associated PVCs sounds too much like speculation
for me to delve into. I've no doubt that it's probably possible, but I
have no idea how I'd ever protect myself against such action.

In point #2, you describe one of my first tenets of security (and
probably most people's). Obviously a foreign network is untrusted unless
you have satisfied your security policy. The fact that FR is used to
connect to this site, IMO, doesn't increase the level of risk of a
branch office making an additional "private" connection to an untrusted
network. To me, this means it has no place in this discussion of the
risks of Frame Relay. All branch offices could do this with any type of
connection to the main office, so it's something that has to be
considered before the risks of FR are considered.

How a Telco manages their network is a concern for every Firewall
administrator who owns a WAN. The Internet doesn't come into it at this
point. First you've got to satisfy yourself that the Telco can secure
their equipment from prey. In the post that described the technicians
making changes to the Telco network, they did so via modem. Maybe that
Telco is completely secure against access from the Internet, but very
poorly (or so it sounded) secured from hacking via modem. Just because I
can hack in through a modem does not mean I can hack in via the
Internet, as we all know already.

So, unless you've got some more information, your statement "If field
techs can change switch configs....so can a smart hacker." is in
reference to telephone phreaks, not Internet hackers. This doesn't make
that Telco any more secure overall, but it does reflect on your feelings
about the security of FR, I believe. In addition, you forget that
changes had to be made at two locations for the connections to become
active. As in my case, the Telco could make changes which did nothing on
my network until I enabled them in my routers. So an Internet hacker
would not only have to break into the Telco's network, but mine too,
unless they are using the spoof you mentioned but didn't describe.

A possibly plausible scenario might be something like this:

  Hacker breaches Telco's admin network, modifies one of my DLCIs such
  that it is now logically connected to one of his physical connections

  Hacker modifies his router to become my router that was associated
  with the modified DLCI

  Hacker is now on my network

...but please, this is making a whole lot of assumptions about what the
Hacker is able to do, and the information that is available to the
Hacker. For example, my Telco could not see anything above the FR level,
so they never saw my IP routing information. How would the Hacker know
what to set up his router as?

Of course, all of this will happen without Telco's alarm systems going
off; a DLCI goes down, then gets modified, then another one goes down,
gets modified, then the first one comes up and then the second one, and
in the process the physical mappings to lines are changed, gee, I think
they'd notice. My Telco used to call me within 10 minutes of an outage,
of course, I knew right away thanks to the wonder of pagers.

Bottom line, if you don't trust FR then you can't trust leased lines
either. A Firewall at each end of every WAN connection. Certainly would
be industrial strength, but wouldn't it be easier to just set each site
up with its own Internet connection and use VPN between the sites across
the Internet? I think this is how we are going, but it's not necessarily
because I don't trust FR or leased lines.
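
The post's point that fiddling with DLCIs or PVCs would be visible on your own routers, shown as an added example that is not part of the original post: a comparison of observed PVCs against an approved baseline. It assumes status lines in the style of the summary lines printed by Cisco IOS `show frame-relay pvc`; the baseline, DLCI numbers and interface names are constructed.

```python
import re

# Assumed input: one summary line per PVC, in the style of Cisco IOS
# "show frame-relay pvc" output.
PVC_LINE = re.compile(
    r"DLCI = (?P<dlci>\d+), DLCI USAGE = (?P<usage>\w+), "
    r"PVC STATUS = (?P<status>\w+), INTERFACE = (?P<intf>\S+)"
)

def parse_pvcs(text):
    """Return {dlci: (interface, status)} for every PVC summary line."""
    pvcs = {}
    for m in PVC_LINE.finditer(text):
        pvcs[int(m["dlci"])] = (m["intf"], m["status"].upper())
    return pvcs

def audit(baseline, observed):
    """Compare observed PVCs with the approved baseline {dlci: interface}."""
    findings = []
    for dlci, (intf, status) in sorted(observed.items()):
        if dlci not in baseline:
            # A DLCI nobody provisioned on our side has appeared.
            findings.append(("UNEXPECTED_DLCI", dlci, intf))
        elif baseline[dlci] != intf:
            # Known DLCI, but now mapped to a different interface.
            findings.append(("INTERFACE_CHANGED", dlci, intf))
        elif status != "ACTIVE":
            findings.append(("NOT_ACTIVE", dlci, status))
    for dlci in sorted(set(baseline) - set(observed)):
        # An approved PVC is no longer reported at all.
        findings.append(("MISSING_DLCI", dlci, baseline[dlci]))
    return findings

# Constructed sample data (not from a real network).
BASELINE = {100: "Serial0.1", 200: "Serial0.2", 300: "Serial0.3"}
SAMPLE = """\
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0.1
DLCI = 200, DLCI USAGE = LOCAL, PVC STATUS = INACTIVE, INTERFACE = Serial0.2
DLCI = 450, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0
"""

if __name__ == "__main__":
    for finding in audit(BASELINE, parse_pvcs(SAMPLE)):
        print(finding)
```

Run on a schedule against each router, this turns "the new DLCI or PVCs would be seen" into an alert rather than something noticed by chance.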