Telcos write best practices for packet switching networks

Sean Donelan sean at donelan.com
Sat Mar 9 00:23:57 UTC 2002


> Most ISPs have a comparable set-up wrt modems/terminal servers for
> managing their network elements - same deal, but ISPs can choose
> between inband & OOB whereas the telcos can't.  (Or couldn't, 'til
> recently, when Net/Bell convergence started urging the market toward
> big damn fiber switches with in-band mgmt tools.)

The inband/OOB debate is always squirrely.  Things like BGP/OSPF
are in-band, and ISPs can't really choose an out-of-band way to
exchange routing information.  It's true that console access has a
choice of accessing the management port through different paths.
The router will continue to route, even if the operator can't access
the console port.

The telephone world thinks of the debate in terms of 260Hz and tone
signalling versus SS7 control channels.  If you disrupt the SS7 control
channel, the telephone switch won't complete new calls even if the
trunk groups still work.  The management or craft ports are a different
matter.

Physical attacks make it more interesting.  Because the telephone
network uses separate signalling channels, you can disrupt a lot of
calls by destroying a relatively few control points/links.  Since
the Internet uses in-band control, as long as there is some physical
connectivity, you can use it for both control and user traffic.

Every time Illuminet has a glitch, a dozen states have problems
completing calls between ILECs and CLECs.  This affects a lot of
dialup access to the Internet.

> So - in the world of telco, the control elements are JUST OOB.  Since
> you literally can't reach them inband, the OOB element mgmt can be
> done through modems or a separate network which is firewalled off
> from the rest of the Internet.  That's what they're talking about in
> your excerpt.

Where it gets interesting is when the assumptions about what is
"outside" or "inside" are violated.  I think the Internet is actually
much more secure now because it's so open; we don't make assumptions
about who we trust.  The telephone network is built on a house of
trust, and if you can get on the "inside" the world is yours.

> What I find interesting is that I've heard a lot of cage rattling to
> take the Internet in this direction, i.e. stop managing it in-band
> where all the kiddies and the terrorists can get at it and start
> managing it OOB.  Hide it, shut it away, don't route it, etc.
> Never mind what a pain it is to manage TWO networks... never mind how
> much flexibility you lose.  (Sorry, my bias is showing.)

Having a separate network didn't stop Mitnick :-)  I think some of it is
"the grass is always greener on the other side of the fence."

Reserving bandwidth for specific purposes tends to make your network
more brittle, and less responsive to unexpected events.  I try to
explain it's like car pool lanes on the highway making traffic jams
worse.

I happen to believe you need both in-band and out-of-band control
access, and you need the same level of security on both.  But I
tend to order my goals with availability first.  Having your network
down may be "secure" but it isn't very useful.


> Kelly J. Cooper        -  Security Engineer, CISSP

So why did you get the CISSP?  I just received my CISSP certificate,
but I needed to get it for resume padding purposes.