> -----Original Message-----
> From: Jose Nazario [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 10, 2001 1:21 PM
> To: Ben Nagy
> Cc: 'Alfred R. Collins'; [EMAIL PROTECTED]
> Subject: RE: ATM PVC as security barrier
>
>
> i gave this some thought today. i have some experience with
> ATM, and hence
> PVCs, and experience with IPSec VPNs.
>
> ben's right in that there are issues about the endpoints.
> but, he misses
> some points, i think.
>
> first, the computational overhead of a VPN is pretty low, in my
> experience.[...]
Yeah, I should never have mentioned the CPU thing - even if the hardware
were specc'ed appropriately I don't see the VPN solution adding security
"value".
> however, some ATM equipment we had in production could be abused to a
> point such that it would start shoving cells over the
> broadcast interface
> (the BUS), and everyone could see some cells.
Not FORE (Marconi) gear I hope! ;)
This sounds like a repeat of the VLAN effect - something that's not designed
for security being used as a security solution. Maybe we should be saying
"use a separate channel, end of story"?
[...]
> if you are going to go with PVCs, add some encryption to add
> defense in
> depth. no sense not to.
OK, all I'm saying is that encryption adds nothing here. It's untrusted
traffic, so confidentiality isn't an issue. VPNs don't make it any more
likely that traffic will stay where it should.
[...]
> just some of my perspective, which i hope makes sense. i respect ben's
> opinions a lot
You're hardly clueless yourself, you know.
> but i sort of disagree with him based on my
> experience.
Disagree away! I write too much stuff - some of it is bound to be crazy.
[...]
> ____________________________
> jose nazario
> [EMAIL PROTECTED]
My take:
I think that in security terms we need a firewall to send stuff in the right
direction and we need some ACL stuff somewhere to stop the firewall talking
to anything but the outside of inner firewalls if the outer firewall falls
over.
Assuming that BOTH these mechanisms fail (firewall r00ted, ACLs bypassed)
then the PVC solution is the only one that might restrict the traffic. The
PVCs may ALSO fail, but at least they're a line of defence - the VPNs fall
over with the firewall.
(This is actually quite an interesting subject!)
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304