How secure are frame relay connections? What I mean is, if I connect another company to my frame, can they hack my other frame locations?
If I set them up as strictly point-to-point, is there still a possibility of someone hacking my other locations?
Still, somebody can get into the router at your end, where his frame-relay connection terminates, and go on and hack from there. So you need to restrict all kinds of access by using an access list on the perimeter router, and probably put this on the outside or DMZ interface of a PIX firewall (or any firewall) and configure restricted access to the inside, using access-lists or conduits on the PIX.
O.K., I can understand that, but how about if I do implement some security at my head end router? Can someone at one of the other company's branches hack one of my branches?
There isn't any intrinsic security with Frame Relay. Your best bet if you don't want to invest in any more equipment is probably access lists on the HQ router that allow remote sites to talk to HQ networks but not to other remote sites.
Does this imply that the only way they could talk to one another is through the head end router? Assume I set it up so that the above is true, meaning the network is actually point-to-point, branch to head end only. Could someone alter the branch router(s) to get them to communicate with one another? The "other" company hacking "my" company?
If there isn't a DLCI configured on the provider's network between two given branch sites, it's hard for me to imagine any direct communication being possible regardless of the branch router configs. But I'm by no means a Frame Relay expert. Access lists on the branch routers allowing traffic from HQ only probably isn't a bad idea in any case.
If you have only DLCIs between branch and hub, and no DLCI (PVC) between spokes (branches), then each branch can communicate only through the hub router. So the best place to implement security (access-list) is at the head end router.
I think the frame relay side is fairly secure, but I would make sure that you have CDP disabled on the connection (no cdp enable). Also, if you are using IP over this connection, ensure that it is on a separate subnet from the rest of your network. Further, make sure that all routing & management protocols are blocked/disabled on the link.
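The two pieces of advice above (access lists on the HQ router that let spokes reach HQ but not each other, and disabling CDP plus keeping routing and management protocols off the link) fit together on the hub router. The following IOS configuration is an added example written for this thread, not a config posted by any participant. All addresses, DLCIs, interface names, the EIGRP process number and the partner's host/port are assumed placeholders: HQ is 10.0.0.0/24, the company's own branches live in 10.1.0.0/16 on DLCIs 16 and 17, and the partner company is 10.200.0.0/24 on DLCI 18.

```cisco
! Hub (head end) router. Example configuration, not from the original thread.
! All addresses, DLCIs, and interface numbers are assumed placeholders.
!
! Inbound list for our own branches: a spoke may reach HQ only. Traffic
! aimed at another spoke's subnet, or at anything else, is dropped and logged.
! EIGRP from the link subnet is permitted so the spokes still form adjacencies.
ip access-list extended SPOKE-TO-HQ-ONLY
 permit eigrp 192.168.100.0 0.0.0.255 any
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.0.255
 deny   ip any 10.1.0.0 0.0.255.255 log
 deny   ip any any log
!
! Inbound list for the partner (B2B) link: only the agreed host and port,
! no routing protocol, no management access, everything else logged.
ip access-list extended PARTNER-IN
 permit tcp 10.200.0.0 0.0.0.255 host 10.0.0.10 eq 443
 deny   ip any any log
!
! Management access to this router is limited to the HQ management subnet.
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no cdp enable
!
interface Serial0/0.16 point-to-point
 description Branch A (our company)
 ip address 192.168.100.1 255.255.255.252
 frame-relay interface-dlci 16
 ip access-group SPOKE-TO-HQ-ONLY in
 no cdp enable
!
interface Serial0/0.17 point-to-point
 description Branch B (our company)
 ip address 192.168.100.5 255.255.255.252
 frame-relay interface-dlci 17
 ip access-group SPOKE-TO-HQ-ONLY in
 no cdp enable
!
interface Serial0/0.18 point-to-point
 description Partner company (B2B)
 ip address 192.168.100.9 255.255.255.252
 frame-relay interface-dlci 18
 ip access-group PARTNER-IN in
 no cdp enable
!
! Our branches learn routes dynamically; the partner link is passive so no
! routing adjacency forms with their router, and a static route is used instead.
router eigrp 100
 network 10.0.0.0
 network 192.168.100.0
 passive-interface Serial0/0.18
!
ip route 10.200.0.0 255.255.255.0 192.168.100.10
!
line vty 0 4
 access-class MGMT in
 transport input ssh
```

Two design points worth noting. First, an inbound access list on a subinterface also filters the routing protocol, so the branch list explicitly permits EIGRP from the link subnet; forgetting this silently breaks the spoke routes. Second, the `log` keywords on the deny lines are what turn the list into a detection control: a partner or branch router that starts probing other spoke subnets shows up in the hub's logs immediately, which is the visibility the later replies in this thread say you need once a third party is on your network.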
Not to belabor the point, but I will anyway. Couldn't I just guess what the DLCIs were and try my luck? Most DLCIs I've seen are in the 10 or 20 range.
Whose frame relay network will you be using?
If you're using a large carrier's FR network, I would be asking them this question, as they control which circuits can talk to other circuits via their Frame Relay switching. Without changing the configuration of the Frame switch that creates the PVCs, there's no way you can connect to unconfigured Frame ends.
Using your example, because most carriers tend to give multiple users the same PVC numbers (i.e. 16), that tends to say that even if you did know this PVC number, unless the underlying network tells your router where PVC 16 lies on the network, you cannot connect to it.
How this all came about was that someone said that using VPN across the Internet was more secure than a FR network where "another" company was to connect to "my" network. Given the other obvious security concerns, it got me to thinking that this statement unto itself was false. I realize that if I mesh this FR network, then everyone should be able to contact everyone else. But what about the case where it isn't meshed? Could someone from the "other" company fool around with their router and get to "my" other locations? Or is it all strictly controlled by the setup of the frame?
Yes. The PVCs are strictly controlled by the carrier's frame relay switch. Unless your B2B partner has the ability to change the switching configuration, then no, they cannot set up their own PVC with your other nodes.
I really don't think what he said was actually true. The VPN is more secure from outside attack since it's encrypted; however, it needs to be, since it's usually running over a public network. The Frame Relay connection, however, doesn't need to be encrypted since it's not usually open to outside attack and is running over a private network.
So unless there are trust issues with your carrier, then I would tend to say that a FR connection would be more secure.
If you're worried about an attack from your B2B partner, then both methods have security issues, because you are giving them access to your internal network. So either way, once they're on your network, you need to protect yourself.