North American Network Operators Group
Re: Telco's write best practices for packet switching networks
> Most ISPs have a comparable set-up wrt modems/terminal servers for
> managing their network elements - same dealy, but ISPs can choose
> between inband & OOB whereas the telcos can't. (Or couldn't, til
> recently, when Net/Bell convergence started urging the market toward
> big damn fiber switches with in-band mgmt tools.)

The inband/OOB debate is always squirrely. Things like BGP/OSPF are in-band, and ISPs can't really choose an out-of-band way to exchange routing information. It's true that console access has a choice of accessing the management port through different paths. The router will continue to route, even if the operator can't access the console port.

The telephone world thinks of the debate in terms of 260Hz and tone signalling versus SS7 control channels. If you disrupt the SS7 control channel, the telephone switch won't complete new calls even if the trunk groups still work. The management or craft ports are a different matter.

Physical attacks make it more interesting. Because the telephone network uses separate signalling channels, you can disrupt a lot of calls by destroying a relatively few control points/links. Since the Internet uses in-band control, as long as there is some physical connectivity, you can use it for both control and user traffic. Every time Illuminet has a glitch, a dozen states have problems completing calls between ILECs and CLECs. This affects a lot of dialup access to the Internet.

> So - in the world of telco, the control elements are JUST OOB. Since
> you literally can't reach them inband, the OOB element mgmt can be
> done through modems or a separate network which is firewalled off
> from the rest of the Internet. That's what they're talking about in
> your excerpt.

Where it gets interesting is when the assumptions about what is "outside" or "inside" are violated. I think the Internet is actually much more secure now because it's so open; we don't make assumptions about who we trust. The telephone network is built on a house of trust, and if you can get on the "inside" the world is yours.

> What I find interesting is that I've heard a lot of cage rattling to
> take the Internet in this direction, i.e. stop managing it in-band
> where all the kiddies and the terrorists can get at it and start
> managing it OOB. Hide it, shut it away, don't route it, etc.
> nevermind what a pain it is to manage TWO networks... nevermind how
> much flexibility you lose. (Sorry, my bias is showing.)

Having a separate network didn't stop Mitnick :-) I think some of it is "the grass is always greener on the other side of the fence." Reserving bandwidth for specific purposes tends to make your network more brittle, and less responsive to unexpected events. I try to explain it's like car pool lanes on the highway making traffic jams worse.

I happen to believe you need both in-band and out-of-band control access, and you need the same level of security on both. But I tend to order my goals with availability first. Having your network down may be "secure" but it isn't very useful.

> Kelly J. Cooper - Security Engineer, CISSP

So why did you get the CISSP? I just received my CISSP certificate, but I needed to get it for resume padding purposes.