RE: Frame Relay Security
There should not be different levels of encryption for traffic depending on whether its frame or Internet transient. Your traffic is open to compromise on the Internet or in a providers frame cloud. From a security viewpoint neither one is more secure than the other. It really boils down to acceptable risk vs. cost. Just remember, you can never eliminate risk. There are always holes in your security. Any individual who is asking themselves should I use DES/3DES on a frame connection should stop and look to see if they have a modem bank behind their firewall. Your security is only a strong as the weakest link. -Original Message- From: Brian Lodwick [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 07, 2001 8:35 PM To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Group, Which then I believe should obviously lead into the discussion- if VPN's are today's PVC's then would it be appropriate to say that traffic transported over the public internet with such a protocol as IPSec is just as safe? and how do you know your enemies aren't working for that frame provider -if they are using single DES they had better hope not. Are there protocols now capable of providing enough security encryption for extremely sensitive traffic to transit the public internet? Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Date: Sun, 7 Jan 2001 13:37:09 -0500 I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin Is a dedicated line secure enough for unencrypted transfer of financial or sensitive information? Answer: It depends. People often assume that frame is somehow shared when "dedicated lines" are not. From Chapter 5 of my _WAN Survival Guide_, All too many users have an intuitive belief that if they were to pull on the London end of a London to New York circuit, wires would wiggle in Manhattan. The reality, of course, is that any network of complexity beyond a very simple LAN involves one or more layers of virtualization onto real media. At the OSI lower layers, virtualization usually involves multiplexing, but various name and address mapping functions provide virtual structure as one moves up the protocol stack. Typically, frame PVCs and T1's run over exactly the same media from the customer site to the telco end office. Once at the end office, they are multiplexed. T1 is far too slow for economical data transmission between modern telco offices. Both the T1 and the frame circuits typically will be multiplexed onto facilities at least at DS-3, and usually OC-12 to OC-192. So much beyond the local loop, there really isn't much difference between frame and dedicated. Interpretations in the US HIPAA legislation for medical data tend to allow unencrypted traffic to flow over dedicated and frame, but not the public Internet. The Federal Reserve, however, tends to want end-to-end encryption regardless of the media, historically single DES. Military traffic would be bulk encrypted and possibly end-to-end encrypted as well. _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ Get your FREE download of MSN Explorer at http://explorer.msn.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Frame Relay Security
Jim, just to be contrary, how can a single provider, or even multiple provider frame clouds be compromised as easily as internet traffic? What are some of the specifics of danger of compromise of any private network versus the internet? Those bad people can't, for example, do DDoS attacks against your private network, except via the internet connection. It is that same internet connection that is the source of major compromises of corporate networks nationwide. What are some of the specific security issues you see on private networks, as compared to public networks? Chuck Just being contrary, in the hopes of learning something :- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Brown Sent: Monday, January 08, 2001 8:47 AM To: 'Brian Lodwick'; [EMAIL PROTECTED] Subject:RE: Frame Relay Security There should not be different levels of encryption for traffic depending on whether its frame or Internet transient. Your traffic is open to compromise on the Internet or in a providers frame cloud. From a security viewpoint neither one is more secure than the other. It really boils down to acceptable risk vs. cost. Just remember, you can never eliminate risk. There are always holes in your security. Any individual who is asking themselves should I use DES/3DES on a frame connection should stop and look to see if they have a modem bank behind their firewall. Your security is only a strong as the weakest link. -Original Message- From: Brian Lodwick [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 07, 2001 8:35 PM To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Group, Which then I believe should obviously lead into the discussion- if VPN's are today's PVC's then would it be appropriate to say that traffic transported over the public internet with such a protocol as IPSec is just as safe? and how do you know your enemies aren't working for that frame provider -if they are using single DES they had better hope not. Are there protocols now capable of providing enough security encryption for extremely sensitive traffic to transit the public internet? Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Date: Sun, 7 Jan 2001 13:37:09 -0500 I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin Is a dedicated line secure enough for unencrypted transfer of financial or sensitive information? Answer: It depends. People often assume that frame is somehow shared when "dedicated lines" are not. From Chapter 5 of my _WAN Survival Guide_, All too many users have an intuitive belief that if they were to pull on the London end of a London to New York circuit, wires would wiggle in Manhattan. The reality, of course, is that any network of complexity beyond a very simple LAN involves one or more layers of virtualization onto real media. At the OSI lower layers, virtualization usually involves multiplexing, but various name and address mapping functions provide virtual structure as one moves up the protocol stack. Typically, frame PVCs and T1's run over exactly the same media from the customer site to the telco end office. Once at the end office, they are multiplexed. T1 is far too slow for economical data transmission between modern telco offices. Both the T1 and the frame circuits typically will be multiplexed onto facilities at least at DS-3, and usually OC-12 to OC-192. So much beyond the local loop, there really isn't much difference between frame and dedicated. Interpretations in the US HIPAA legislation for medical data tend to allow unencrypted traffic to flow over dedicated and frame, but not the public Internet. The Federal Reserve, however, tends to want end-to-end encryption regardless of the media, historically single DES. Military traffic would be bulk encrypted and possibly end-to-end encrypted as well. _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ Get your FREE download of MSN Explorer at http://explorer.msn.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _
Re: Frame Relay Security
Once, while working at a very popular network auction web site, I ran into a security advisor that said Frame Relay was not secure and we should not allow critical information to pass over those connections. The VP of Technology, at the time, said "we have more important things to worry about than someone spending hours on end trying to hack a Frame Switch just to see if our traffic happens to be on it". Just thought I would add that little tidbit to the conversation. -j Chuck Larrieu wrote: Jim, just to be contrary, how can a single provider, or even multiple provider frame clouds be compromised as easily as internet traffic? What are some of the specifics of danger of compromise of any private network versus the internet? Those bad people can't, for example, do DDoS attacks against your private network, except via the internet connection. It is that same internet connection that is the source of major compromises of corporate networks nationwide. What are some of the specific security issues you see on private networks, as compared to public networks? Chuck Just being contrary, in the hopes of learning something :- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Brown Sent: Monday, January 08, 2001 8:47 AM To: 'Brian Lodwick'; [EMAIL PROTECTED] Subject: RE: Frame Relay Security There should not be different levels of encryption for traffic depending on whether its frame or Internet transient. Your traffic is open to compromise on the Internet or in a providers frame cloud. From a security viewpoint neither one is more secure than the other. It really boils down to acceptable risk vs. cost. Just remember, you can never eliminate risk. There are always holes in your security. Any individual who is asking themselves should I use DES/3DES on a frame connection should stop and look to see if they have a modem bank behind their firewall. Your security is only a strong as the weakest link. -Original Message- From: Brian Lodwick [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 07, 2001 8:35 PM To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Group, Which then I believe should obviously lead into the discussion- if VPN's are today's PVC's then would it be appropriate to say that traffic transported over the public internet with such a protocol as IPSec is just as safe? and how do you know your enemies aren't working for that frame provider -if they are using single DES they had better hope not. Are there protocols now capable of providing enough security encryption for extremely sensitive traffic to transit the public internet? Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Date: Sun, 7 Jan 2001 13:37:09 -0500 I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin Is a dedicated line secure enough for unencrypted transfer of financial or sensitive information? Answer: It depends. People often assume that frame is somehow shared when "dedicated lines" are not. From Chapter 5 of my _WAN Survival Guide_, All too many users have an intuitive belief that if they were to pull on the London end of a London to New York circuit, wires would wiggle in Manhattan. The reality, of course, is that any network of complexity beyond a very simple LAN involves one or more layers of virtualization onto real media. At the OSI lower layers, virtualization usually involves multiplexing, but various name and address mapping functions provide virtual structure as one moves up the protocol stack. Typically, frame PVCs and T1's run over exactly the same media from the customer site to the telco end office. Once at the end office, they are multiplexed. T1 is far too slow for economical data transmission between modern telco offices. Both the T1 and the frame circuits typically will be multiplexed onto facilities at least at DS-3, and usually OC-12 to OC-192. So much beyond the local loop, there really isn't much difference between frame and dedicated. Interpretations in the US HIPAA legislation for medical data tend to allow unencrypted traffic to flow over dedicated and frame, but not the public Internet. The Federal Reserve, however, tends to want end-to-end encryption regardless of the media, historically single DES. Military traffic would be bulk encrypted and possibly end-to-end encrypted as well. _ FAQ, list archives, and subscription info: http://www.groupstud
RE: Frame Relay Security
Hi all, A front gate keeps cattle of the lawn. A front door keeps welcome strangers from entering my house. A lock on the bedroom door may protect me a night. Something stronger would be needed to ensure my wife was safe. I guess what I am trying to say is the greater your level of risk the stronger your security must be. Knowing that data crosses public networks has one being a little more careful about what is sent there. Private networks accross or between countries become a problem as all the data at the point it leaves the carrier is multiplexed between switches. There is usually no distinction between the type of data being sent (Although some carriers may provide special services this would probably not occur between countries). Often there is no way for the carrier to tell what type of data is being sent. (if they could it might present a security risk). It should not be the carriers responsibility to look after the security of an individuals data but to make the best effort to ensure it gets to the right person. This is no different to sending a parcel in the mail. It is strange though that throughout all my studies and my networking career statistics seem to point that the greatest risk is from within. Usually because this is where most feel security is not required. This stuff goes round and around. It seems to me that the security of data is ultimately the responsibitly of the end devices. I thought that is why end to end encryption was developed. Just some views. Teunis, Hobart, Tasmania Australia On Monday, January 08, 2001 at 04:24:11 PM, Chuck Larrieu wrote: Jim, just to be contrary, how can a single provider, or even multiple provider frame clouds be compromised as easily as internet traffic? What are some of the specifics of danger of compromise of any private network versus the internet? Those bad people can't, for example, do DDoS attacks against your private network, except via the internet connection. It is that same internet connection that is the source of major compromises of corporate networks nationwide. What are some of the specific security issues you see on private networks, as compared to public networks? Chuck Just being contrary, in the hopes of learning something :- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Brown Sent: Monday, January 08, 2001 8:47 AM To: 'Brian Lodwick'; [EMAIL PROTECTED] Subject: RE: Frame Relay Security There should not be different levels of encryption for traffic depending on whether its frame or Internet transient. Your traffic is open to compromise on the Internet or in a providers frame cloud. From a security viewpoint neither one is more secure than the other. It really boils down to acceptable risk vs. cost. Just remember, you can never eliminate risk. There are always holes in your security. Any individual who is asking themselves should I use DES/3DES on a frame connection should stop and look to see if they have a modem bank behind their firewall. Your security is only a strong as the weakest link. -Original Message- From: Brian Lodwick [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 07, 2001 8:35 PM To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Group, Which then I believe should obviously lead into the discussion- if VPN's are today's PVC's then would it be appropriate to say that traffic transported over the public internet with such a protocol as IPSec is just as safe? and how do you know your enemies aren't working for that frame provider -if they are using single DES they had better hope not. Are there protocols now capable of providing enough security encryption for extremely sensitive traffic to transit the public internet? Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Frame Relay Security Date: Sun, 7 Jan 2001 13:37:09 -0500 I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin Is a dedicated line secure enough for unencrypted transfer of financial or sensitive information? Answer: It depends. People often assume that frame is somehow shared when "dedicated lines" are not. From Chapter 5 of my _WAN Survival Guide_, All too many users have an intuitive belief that if they were to pull on the London end of a London to New York circuit, wires would wiggle in Manhattan. The reality, of course, is that any network of complexity beyond a very simple LAN involves one or more layers of virtualization onto real
Frame Relay Security
I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Frame Relay Security
Here is a document that may help answer your question. http://www.cisco.com/warp/public/cc/so/neso/wnso/power/chzsp_wp.htm "Kevin Welch" [EMAIL PROTECTED] wrote in message 015f01c078cc$c64bece0$2a002a0a@sjc102498">news:015f01c078cc$c64bece0$2a002a0a@sjc102498... I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Frame Relay Security
Most Frame relay connections go through some telco/frame provider and some bigger organizations have their own frame infrastructure. I'm not aware of any security measures at the frame layer. As for securing the information, you can encrypt at layer 3. Most financial software these days has encryption in the software of some sort. This is the best spot to do it. Lets say the router just encrypts then between the PC and the router the data will be unsecure (unless application encrypts) and someone can pick it up with a sniffer. Another example is SSL and HTTPS which are done at the application level. As with anything, if it's sensative - protect it at the source. --- Kevin Welch [EMAIL PROTECTED] wrote: I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin __ Do You Yahoo!? Yahoo! Photos - Share your holiday photos online! http://photos.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Frame Relay Security
I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin Is a dedicated line secure enough for unencrypted transfer of financial or sensitive information? Answer: It depends. People often assume that frame is somehow shared when "dedicated lines" are not. From Chapter 5 of my _WAN Survival Guide_, All too many users have an intuitive belief that if they were to pull on the London end of a London to New York circuit, wires would wiggle in Manhattan. The reality, of course, is that any network of complexity beyond a very simple LAN involves one or more layers of virtualization onto real media. At the OSI lower layers, virtualization usually involves multiplexing, but various name and address mapping functions provide virtual structure as one moves up the protocol stack. Typically, frame PVCs and T1's run over exactly the same media from the customer site to the telco end office. Once at the end office, they are multiplexed. T1 is far too slow for economical data transmission between modern telco offices. Both the T1 and the frame circuits typically will be multiplexed onto facilities at least at DS-3, and usually OC-12 to OC-192. So much beyond the local loop, there really isn't much difference between frame and dedicated. Interpretations in the US HIPAA legislation for medical data tend to allow unencrypted traffic to flow over dedicated and frame, but not the public Internet. The Federal Reserve, however, tends to want end-to-end encryption regardless of the media, historically single DES. Military traffic would be bulk encrypted and possibly end-to-end encrypted as well. _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Frame Relay Security
Kevin: No matter the solution, if it's not encrypted it's not secure. In your situation you might also consider certificate-based router authentication. Kathy "Katyusha" M. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Welch Sent: Sunday, January 07, 2001 12:11 PM To: [EMAIL PROTECTED] Subject: Frame Relay Security I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Frame Relay Security
Hi, Once the data gets from your physical link into the Telco end it is usually re-multiplexed into other physical links to go onto the next site. This may go on for a number of times depending on where the logical link goes. For example, a trace route may indicate 6 hops to a site to get to the site may require going through 20 physical links. You message get remixed (multiplexed) on each physical link. That has been my understanding. Teunis Hobart, Tasmania Australia On Sunday, January 07, 2001 at 01:37:09 PM, Howard C. Berkowitz wrote: I understand most of the benefits of frame relay, but I am wondering if = there are any security problems assoicated with this protocol? Is it = secure enough for unencrypted transfer of financial or sensitive = information? Any help understanding the security risks associated with = frame relay appreciated. -- Kevin Is a dedicated line secure enough for unencrypted transfer of financial or sensitive information? Answer: It depends. People often assume that frame is somehow shared when "dedicated lines" are not. From Chapter 5 of my _WAN Survival Guide_, All too many users have an intuitive belief that if they were to pull on the London end of a London to New York circuit, wires would wiggle in Manhattan. The reality, of course, is that any network of complexity beyond a very simple LAN involves one or more layers of virtualization onto real media. At the OSI lower layers, virtualization usually involves multiplexing, but various name and address mapping functions provide virtual structure as one moves up the protocol stack. Typically, frame PVCs and T1's run over exactly the same media from the customer site to the telco end office. Once at the end office, they are multiplexed. T1 is far too slow for economical data transmission between modern telco offices. Both the T1 and the frame circuits typically will be multiplexed onto facilities at least at DS-3, and usually OC-12 to OC-192. So much beyond the local loop, there really isn't much difference between frame and dedicated. Interpretations in the US HIPAA legislation for medical data tend to allow unencrypted traffic to flow over dedicated and frame, but not the public Internet. The Federal Reserve, however, tends to want end-to-end encryption regardless of the media, historically single DES. Military traffic would be bulk encrypted and possibly end-to-end encrypted as well. _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
