> Our network engineer proposed ATM PVC's as a means to route Internet traffic
> across our corporate backbone. Obviously, the best approach is to carry the
> Internet traffic on totally separate channels. However, we have to
> distribute Internet access to far flung sites on our corporate owned
> network, and network engineering does not want to pay for independent
> communication channels.

[snip]

Using PVC's across an ATM cloud is a very secure way to separate traffic. Without going too far into the workings of ATM, a PVC is a point to point connection within an ATM cloud (group of ATM switches). There is no sharing of this channel; there is no way of intercepting/injecting ATM frames (unless you can get a box between the switches, and if an attack can get that close to your infrastructure you've got bigger problems). This is opposed to ATM SVC's, which can be used to set up paths dynamically and can be used to initiate 'unauthorised' channels from/to another ATM connected point. Beware of SPVC's, which are different again; we are talking about a hard-routed PVC across the cloud here.

The problems start when you start encapsulating IP over ATM; see http://www.cert.dfn.de/eng/team/benecke/eng_natm/eng_natm.html for problems with Classical IP (CLIP). LANE has more serious problems. It should be noted, however, that most of the problems come from other ATM connected hosts, so if your ATM infrastructure is secure you should be fine.

I would go to your hardware vendor and ask for this specific functionality out of an ATM edge device. If they start harping on about LANE, forget it; this solution NEEDS to be PVC based, unless you are completely happy with the security of your entire ATM cloud.

By using VPN's you are 'mixing' traffic over the same channel. Although indeed very secure, there is still a chance that the encryption at some point will be broken or a flaw found in the endpoints. IMHO this is a risk that is not present in ATM PVCs.

So I would say 3 advantages of using PVCs to be :-

- Total separation of traffic
- Full bandwidth management
- Faster (no need for crypto power)

If you are confident in configuring ATM networks and understand the issues on an ATM level, I believe that you can end up with a stronger separation than with VPN's. What you do with the IP traffic over the tunnel and within your network is also important; it would be no good if I could re-configure your PVC's using SNMP over a badly protected switch management port, would it? :-)

regards,

Nathan.

All opinions mine, but if you need one you can borrow it for a while

*I'd love to give my 0.02 worth - Have you got change for a dollar?*

--
Computer Crime Consultants Ltd
www.ccc-ltd.com

This archive was generated by hypermail 2b30 : Mon May 14 2001 - 21:42:54 PDT