
ATM Network Security: Vulnerabilities and Risks

An Asynchronous Transfer Mode (ATM) network usually has fewer security exposures than a TCP/IP network because it is often used as the backbone of a private or semi-private network with fiber cables as the media. The cost of breaking into an ATM network is higher than that of breaking into a TCP/IP network. However, ATM networks still have many vulnerabilities, as listed below:

Information Sniffing: The attacker connects to or taps into the transmission media and gains unauthorized access to the data.

ATM Based Spoofing: IP spoofing is possible in 'Classical IP over ATM' (CLIP) networks. Whenever the ATM address of a server is known, an attacker can establish a direct ATM connection to that host. The attacker can now register with the IP address of a trusted host by sending a carefully crafted 'InATMARP-Reply' message over this connection. After successful registration, spoofed IP packets can be sent over this connection. Moreover, due to the 'ATMARP-Cache poisoning', the attacked server will send reply packets back to the attacker on the same ATM connection.

Denial of Service: ATM is a connection-oriented technique. A connection, called a Virtual Circuit (VC) in ATM, is managed by a set of signals. A VC is established by SETUP signals and can be disconnected by RELEASE or DROP PARTY signals. If an attacker sends a RELEASE or DROP PARTY signal to any intermediate switch on the path of a VC, the VC will be disconnected. By sending these signals frequently, the attacker can greatly disturb the communication between one user and another, and therefore damage the Quality of Service (QoS) in ATM communication. There are other methods of causing Denial of Service in an ATM network, which are not discussed in detail here.

Virtual Circuits (VC) Hijacking: If the two end switches of a communication path in an ATM network are compromised, the attacker can steal a VC from another user. For example, VC1 and VC2 are two virtual channels owned by two different users, U1 and U2, both running from switch A to switch B. If A and B have been compromised, then A can switch VC1's cells going from A to B through VC2, and B will switch those cells back to VC1. Since switches forward cells based on the VCI (Virtual Channel Identifier) or VPI (Virtual Path Identifier) in the cell header, A and B can just alter these fields back and forth. Switches between A and B won't notice these changes and will switch the assumed VC2's cells just like the authentic VC2's cells. In an ATM network where quality of service is guaranteed, user U1 can gain a lot by stealing a higher-quality channel that U1 is not entitled to use.

ATM Switch Attack: An attacker might use the P-NNI protocol to manipulate a switch. He could inject incorrect information into the peer group database or even try to configure routing loops into the hierarchical structure. He might block the communication of whole peer groups or even redirect communication over his workstation. The blocking of a peer group is very similar to the manipulation of routers with incorrect 'ICMP-Host/Net-unreachable' messages. Attacks based on the P-NNI protocol can use replies to 'HELLO' messages of a peer group leader to inject malicious information about 'link states'. The peer group leader in turn will broadcast these changes to its group members. Peer group members that have updated their link state information with faked information are likely to make the wrong routing decision.

ILMI Attack: The 'Integrated Local Management Interface' (ILMI) is used at the interface between switch and workstation. The protocol is based on the 'Simple Network Management Protocol' (SNMP). ILMI does not provide an authentication mechanism. An attacker, who does not need to authenticate himself, can use ILMI to register additional ATM addresses for his workstation. By using the additional registered addresses, the attacker can bypass address filters that have been configured at the switch. The attacker could also try to register himself with the ATM address of an offline workstation. ILMI can also be used to automatically configure the interface type of an ATM switch port. An attacker may use ILMI to pretend that he is a switch by setting the interface type to 'NNI' (Network to Network Interface).

Traffic Analysis: The hacker can gain information by collecting and analyzing ATM network traffic information such as the volume, timing and communicating parties of a VC, even if the content of the information is encrypted. The source and destination parties can be obtained from the cell header (which is normally in clear text) as well as from information in the routing table.
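To make concrete what stays readable when only the payload is encrypted, the following added example (not part of the original article) decodes the standard 5-octet UNI cell header and tallies volume per VPI/VCI, which helps when deciding which links need protection below the payload level. The cells in SAMPLE are constructed for illustration, and the function names are this example's own.

```python
from collections import Counter

def hec(first4: bytes) -> int:
    """Header Error Control: CRC-8 (x^8+x^2+x+1) over octets 1-4, XOR 0x55."""
    crc = 0
    for byte in first4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55

def build_cell(vpi: int, vci: int, payload: bytes, pt: int = 0, clp: int = 0) -> bytes:
    """Assemble a 53-octet UNI cell (GFC fixed at 0) for the constructed sample."""
    word = (vpi << 20) | (vci << 4) | (pt << 1) | clp
    first4 = word.to_bytes(4, "big")
    return first4 + bytes([hec(first4)]) + payload.ljust(48, b"\x00")[:48]

def parse_header(cell: bytes) -> dict:
    """Decode the clear-text UNI header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    if len(cell) != 53:
        raise ValueError("an ATM cell is 53 octets")
    if hec(cell[:4]) != cell[4]:
        raise ValueError("HEC mismatch")
    word = int.from_bytes(cell[:4], "big")
    return {"gfc": word >> 28, "vpi": (word >> 20) & 0xFF,
            "vci": (word >> 4) & 0xFFFF, "pt": (word >> 1) & 0x7, "clp": word & 1}

def per_vc_volume(cells) -> Counter:
    """Payload octets seen per (VPI, VCI), derived from the header alone."""
    volume = Counter()
    for cell in cells:
        try:
            h = parse_header(cell)
        except ValueError:
            continue  # damaged or truncated cell: ignore it
        volume[(h["vpi"], h["vci"])] += 48
    return volume

# Constructed sample: the payload stands in for ciphertext an observer cannot read.
OPAQUE = bytes(range(0x80, 0xB0))  # 48 octets
SAMPLE = [build_cell(1, 100, OPAQUE)] * 3 + [build_cell(1, 200, OPAQUE)]

if __name__ == "__main__":
    for vc, octets in sorted(per_vc_volume(SAMPLE).items()):
        print(f"VPI/VCI {vc[0]}/{vc[1]}: {octets} payload octets")
```

The payload is never inspected, yet the per-VC volume is fully recovered from the header.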

ATM Security Issues at Each ATM Plane

Each layer in the ATM reference model has its own weaknesses and must play its own role in terms of addressing security concerns:

The ATM User plane must provide security services like access control, authentication, data confidentiality and integrity. Other services like key exchange, certification infrastructure and negotiation of security options might be useful to meet the variety of customers' requirements. They should therefore also be supported by the user plane.

The ATM Control plane can interact with the switching table or manage the virtual channels. Several of the attacks mentioned above relate to the control plane. The key to securing the control plane is to authenticate signals. If the message recipient, or even a third party, can verify the source of a message, then the denial of service attack cannot happen. Control plane authentication could also be used to provide auditing information for accurate billing, which should be immune to repudiation.
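The signal authentication described above can be sketched as a switch that checks the source of every SETUP, RELEASE and DROP PARTY signal before acting on it. This is an added example, not part of the original article and not the ATM Forum's message format: the Signal layout, the pre-shared HMAC-SHA256 keys, the sequence counter and the sender names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

SETUP, RELEASE, DROP_PARTY = 1, 2, 3
Signal = namedtuple("Signal", "sender kind vpi vci seq tag")

def _body(sender, kind, vpi, vci, seq):
    # Every field the switch acts on is covered by the tag.
    return sender.encode() + b"\x00" + struct.pack(">BHHQ", kind, vpi, vci, seq)

def make_signal(key, sender, kind, vpi, vci, seq):
    tag = hmac.new(key, _body(sender, kind, vpi, vci, seq), hashlib.sha256).digest()
    return Signal(sender, kind, vpi, vci, seq, tag)

class Switch:
    def __init__(self, keys):
        self.keys = keys        # sender id -> pre-shared key (assumed provisioning)
        self.vc_owner = {}      # (vpi, vci) -> sender that set the VC up
        self.last_seq = {}      # sender id -> highest sequence number accepted

    def handle(self, s):
        key = self.keys.get(s.sender)
        if key is None:
            return "rejected: unknown sender"
        expected = hmac.new(key, _body(*s[:5]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, s.tag):
            return "rejected: bad authentication tag"
        if s.seq <= self.last_seq.get(s.sender, -1):
            return "rejected: replayed signal"
        self.last_seq[s.sender] = s.seq
        vc = (s.vpi, s.vci)
        if s.kind == SETUP:
            if vc in self.vc_owner:
                return "rejected: VC already in use"
            self.vc_owner[vc] = s.sender
            return "accepted: VC established"
        if self.vc_owner.get(vc) != s.sender:
            return "rejected: sender does not own this VC"
        del self.vc_owner[vc]   # RELEASE and DROP PARTY both end the VC in this model
        return "accepted: VC torn down"

if __name__ == "__main__":
    keys = {"U1": b"constructed-key-for-U1"}  # constructed sample key
    sw = Switch(keys)
    print(sw.handle(make_signal(keys["U1"], "U1", SETUP, 0, 42, 1)))
    print(sw.handle(Signal("U1", RELEASE, 0, 42, 2, bytes(32))))  # no valid tag
    print(sw.handle(make_signal(keys["U1"], "U1", RELEASE, 0, 42, 2)))
```

Because each accepted signal is tied to a verified sender, the same records can feed the billing audit trail the paragraph mentions.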

The ATM Management plane security scheme should consider the following areas: Bootstrapping security, authenticated neighbor discovery, the Interim Local Management Interface security and permanent virtual circuit security. The security recovery and security management features are mainly implemented in the management plane.

Since all data passes through the ATM layer, authentication, confidentiality and integrity are also required in the ATM layer. ATM layer security has to be implemented on an ATM endpoint to ATM endpoint, border ATM switch to border ATM switch, and ATM endpoint to switch basis.

The following table summarizes the main issues at each ATM layer:

Issue | User data flows | Signaling | Management flows
Data and traffic flow confidentiality | disclosure of data (exchanged over one VPI/VCI connection) | disclosure of the communicating parties' identities and the VPI/VCI associated with the connection | disclosure of the amount of user data exchanged
Integrity | tampered cells processing | connection release | connection release
Overloading | useful cells processing prevent | multiple connection set ups | useful cells processing prevent

The ATM Forum, an organization that defines ATM standards, has issued a few documents defining the security framework, requirements and implementation specifications. Vendors mostly follow the ATM Forum specifications in their product development and deployment. The specific technologies and solutions to address ATM security risks will be discussed in separate articles.


Related Terms: ATM security, Virtual Circuit Hijacking, ATM Based Spoofing, ILMI Attack, Denial of Service, Information Sniffing, ATM Switch Attack

Reference Links: http://www.atmforum.com/standards/approved.html: ATM Security Specifications