ATM Security Aspects
by Petia Todorova and Hartmut Brandt
Due to the increased usage of ATM (Asynchronous Transfer Mode)
for broadband backbones in local area and wide area networks and
the introduction of public ATM networks, existing security concepts
and protection mechanisms have to be revised. This article gives
an overview of some aspects which are currently being studied
at GMD Institute for Open Communication Systems.
Today ATM is used, on the one hand, to provide bandwidth for high
quality multimedia applications (ATM to the desk) and, on the
other hand, to serve as a backbone for local and wide area IP (Internet
Protocol) networks. With the advent of signalled public ATM
networks it is now possible for companies with local networks
and telephone systems in different locations to integrate voice
and data communication and to connect their local systems through
the public ATM. The complexity of ATM and the variety of protocols
and approaches involve the danger of bypassing traditional protection
mechanisms and expose the networks to new threats.
ATM to the desk
High quality multimedia applications like video conferencing and
video retrieval demand very high bandwidth and quality guarantees
from the network. ATM fulfills these requirements, but makes it
necessary to use native ATM applications, i.e. applications that
build directly on ATM and ATM signalling. Connecting these systems
to a public switched ATM network (which is what makes video conferencing
useful in the first place) opens these systems to threats from third
parties. Malicious attackers are able to establish connections to the
local ATM systems to get access to sensitive information or to mount
denial of service attacks. They may monitor and analyze traffic at
intermediate nodes.
The ATM-Forum, one of the big ATM standardisation bodies, is
currently proposing an entire set of security mechanisms for ATM.
These mechanisms require changes in switch software and are partly
based on hardware (for encryption and checksumming). For this
reason these features will probably not become available in the
near future from the major ATM vendors.
ATM backbones
The main use of ATM in private companies is as a high speed backbone
for IP networks. Companies which have facilities in different
locations may need to interconnect their local networks through
the public network (see figure). With the advent of public
switched ATM networks it is now possible to connect local CLIP
(Classical IP over ATM), LANE (LAN emulation) or MPOA (Multiprotocol
over ATM) islands more economically than by leased lines. Routing
can be optimised and bandwidth resources need not be pre-allocated.
Connecting a local IP network to a public ATM backbone exposes
the IP network to an entire set of new threats. Traditional level
3 protection mechanisms (IP firewalls) can be bypassed by attackers.
Additionally, the inherent complexity of ATM protocols makes it
hard to predict possible threats. For example, it is possible
to establish a direct ATM connection to a CLIP client if its address
is known. Because this connection bypasses any IP firewalls, other
mechanisms are needed to prevent these kinds of attacks.
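One form such a mechanism could take is a check on incoming call setup
requests at the border to the public ATM network. The sketch below is an
added example, not code from the article or from GMD. It assumes a policy
in which every call from outside must terminate on the ATM interface of the
IP firewall/router, and all names, prefixes and addresses in it are constructed.

```python
# Added example: signalling-level admission check (not the GMD ATM-Firewall).
# All addresses and prefixes below are constructed sample values.
HEX = set("0123456789abcdef")

def norm(addr):
    """Normalise a 20-byte ATM end-system address to 40 lowercase hex digits."""
    a = addr.replace(".", "").lower()
    if len(a) != 40 or not set(a) <= HEX:
        raise ValueError("not a 20-byte ATM address: %r" % addr)
    return a

class AdmissionFilter:
    """Decides on SVC setup requests arriving from the public ATM network."""
    def __init__(self, local_prefix, gateways, trusted_prefixes):
        self.local_prefix = local_prefix.lower()
        self.gateways = {norm(g) for g in gateways}
        self.trusted = tuple(p.lower() for p in trusted_prefixes)

    def decide(self, calling, called):
        try:
            calling, called = norm(calling), norm(called)
        except ValueError as exc:
            return "reject", "malformed address (%s)" % exc
        if calling.startswith(self.local_prefix):
            return "reject", "external call claims a local calling address"
        if not calling.startswith(self.trusted):
            return "reject", "calling party outside the trusted prefixes"
        if called not in self.gateways:
            return "reject", "direct call to an internal host, not the IP gateway"
        return "accept", "call terminates on the IP gateway"

LOCAL = "47000580ffe1000000f21a0001"       # 13-byte prefix of the local site
BRANCH = "47000580ffe1000000f21a0002"      # prefix of a trusted remote site
GATEWAY = LOCAL + "0020480a0001" + "00"    # ATM interface of the IP firewall/router
CLIP_CLIENT = LOCAL + "0020480a0042" + "00"
BRANCH_HOST = BRANCH + "0020480b0007" + "00"
STRANGER = "39276f3100011100000000aaaa" + "00a0c9112233" + "00"

FILTER = AdmissionFilter(LOCAL, [GATEWAY], [BRANCH])

if __name__ == "__main__":
    for calling, called in [(BRANCH_HOST, GATEWAY), (BRANCH_HOST, CLIP_CLIENT),
                            (STRANGER, GATEWAY), (CLIP_CLIENT, GATEWAY), ("", GATEWAY)]:
        print(calling[:26] or "-", "->", called[-14:], FILTER.decide(calling, called))
```

The calling address comes from signalling, so the prefix check is only as
strong as the public network's screening of that field.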
Conclusion
The ATM security studies performed in the Center of Competence
for Advanced Network Technologies and Systems (CATS) at GMD Institute
for Open Communication Systems indicate that traditional IP security
mechanisms do not apply to ATM networks. A long term solution
is the implementation of the ATM-Forum security standard; a short
term solution is the implementation of an ATM-Firewall, which
is currently being done. Important topics for future work include the
implementation of user plane authentication, data integrity and
security audit and alarm reporting functions.
For more information on CATS, see http://www.fokus.gmd.de/research/cc/cats
Please contact:
Petia Todorova - GMD
Tel: +49 30 3463 7251
E-mail: todorova@fokus.gmd.de
Hartmut Brandt - GMD
Tel: +49 30 3463 7352
E-mail: brandt@fokus.gmd.de