Previous: 3 Solutions
Up: Securing 'Classical IP over ATM Networks'
Next: References


4 Conclusions

This article describes several vulnerabilities present in ``Classical IP over ATM'' networks and introduces a switch-based configuration, together with extensions to the ATMARP service, as a countermeasure.

The use of IP in ATM networks leads to some interesting security problems. The risk of IP spoofing attacks remains high in ATM networks and needs to be addressed by appropriate security mechanisms. In addition to these well-known risks, ATM introduces new protocols whose security implications are not yet fully understood. Some possible attacks based on ILMI and P-NNI have been introduced in sections 2.6 and 2.7.

Section 3.1 discusses how to secure an ATMARP server. ATMARP is a critical service for CLIP networks and must be protected. Another important result is that the ATM switches themselves are central to securing `Classical IP over ATM' networks. ATM offers ``shared control'' of network resources (see section 3), and this feature is the basis for the access control mechanisms in ATM switches (section 3.2.1). As an example we have shown how to set up ATM address filters that guard access to secure networks.

As ATM address filters alone are not sufficient to enforce typical security policies, firewalls will have to be used in combination with them. The integration of a firewall into an ATM network was discussed for a gateway firewall. The concept can easily be extended to the combination of a packet screen with a bastion host. This requires the configuration of three subnets (internal, external and DMZ) instead of two (internal and external). The switch can enforce the separation of these three virtual subnets with the same mechanisms described before.
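The following is an added illustration, not code or configuration from the paper: a toy model of the ATM address filtering a switch would apply at VC setup to keep the internal, DMZ and external virtual subnets apart. The NSAP-style address prefixes, the rule format, the zone names and the permitted call directions are all constructed assumptions chosen for a packet screen plus bastion host layout; a real switch has its own configuration syntax and would be populated with the prefixes actually assigned to each subnet.

```python
"""Toy model of an ATM switch address filter enforcing internal / DMZ /
external separation at VC setup time.  Added illustration only: prefixes,
rule format and policy are constructed assumptions, not a real switch's
configuration language or the paper's own setup."""

from dataclasses import dataclass
from typing import Optional

# Constructed 13-byte NSAP-style prefixes (26 hex digits), one per virtual
# subnet.  Hosts in a zone share the prefix; the remaining 7 bytes (6-byte
# ESI + 1-byte selector) identify the host.  Real prefixes are assigned by
# the ATM provider and would be entered here by hand.
ZONE_PREFIXES = {
    "internal": "47000580ffe1000000f21a0001",
    "dmz":      "47000580ffe1000000f21a0002",
    "external": "47000580ffe1000000f21a0003",
}

ATM_ADDR_HEX_LEN = 40          # a 20-byte ATM End System Address


@dataclass(frozen=True)
class Rule:
    calling_zone: str          # zone of the party requesting the VC
    called_zone: str           # zone of the party being called
    allow: bool


# Assumed policy for a packet screen + bastion host design: the outside may
# only call into the DMZ, the inside may only call into the DMZ, and the
# bastion in the DMZ may call either side.  Everything not listed is denied,
# i.e. the filter is configured statically with a default-deny rule.
POLICY = (
    Rule("external", "dmz", True),
    Rule("internal", "dmz", True),
    Rule("dmz", "internal", True),
    Rule("dmz", "external", True),
)


def normalize(addr: str) -> str:
    """Accept dotted ('47.0005.80....') or plain hex notation.  Return the
    lowercase 40-digit hex string, or '' if the address is malformed."""
    hexstr = "".join(ch for ch in addr.lower() if ch not in ".:- ")
    if len(hexstr) != ATM_ADDR_HEX_LEN:
        return ""
    try:
        int(hexstr, 16)
    except ValueError:
        return ""
    return hexstr


def zone_of(addr: str) -> Optional[str]:
    """Map an ATM address to its zone by prefix; None if unknown/malformed."""
    hexstr = normalize(addr)
    if not hexstr:
        return None
    for zone, prefix in ZONE_PREFIXES.items():
        if hexstr.startswith(prefix):
            return zone
    return None


def permit_call(calling: str, called: str) -> bool:
    """Decide a VC setup request.  Default deny: an unknown or malformed
    address on either side, or a zone pair without a rule, is refused."""
    src, dst = zone_of(calling), zone_of(called)
    if src is None or dst is None:
        return False
    for rule in POLICY:
        if rule.calling_zone == src and rule.called_zone == dst:
            return rule.allow
    return False


def host(zone: str, esi_sel: str) -> str:
    """Build a constructed 20-byte address from a zone prefix and a 7-byte
    ESI+selector given as 14 hex digits."""
    return ZONE_PREFIXES[zone] + esi_sel


if __name__ == "__main__":
    outside = host("external", "00a0c9aabbcc00")   # constructed addresses
    bastion = host("dmz",      "00a0c9112233ff")
    inside  = host("internal", "00a0c9445566aa")
    print("external -> dmz      ", permit_call(outside, bastion))
    print("external -> internal ", permit_call(outside, inside))
    print("dmz      -> internal ", permit_call(bastion, inside))
```

The point of the model is the default-deny shape: a VC setup from an address whose prefix the switch does not know, or between two zones with no explicit rule, is refused, which is exactly the behaviour an automatically ``plug and play'' configured switch does not give you.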

Section 3.3 shows how switches can be used to prevent some denial of service attacks through static configuration. This remains necessary as long as ATM-based protocols such as P-NNI and ILMI offer no form of authentication.

Many of the problems discussed here originate from ``Plug and Play'' configurations. Vendors tend to supply their switches with automatic configuration tools (such as ILMI) that make network setup easy. But a secure network requires careful manual configuration of the switches, protocols, and devices (e.g. firewalls) that control access to the network.



Carsten Benecke, Uwe Ellermann / DFN-FWL