sundance-communications.com/forum Forums Wiring - Telecom Carriers - Trunks & Services T1's, CSU's and DSU's General T1 Question.

At my job we have a T1 that comes in and connects directly to an eight port switch. There are four devices connected to the eight port switch. A video camera server, two separate networks, and a TimeIPS time server that is used to keep track of employees clocking in and out. My questions is, is it normal to have a T1 connected directly to a switch? I'm pretty new to the Telco/Network game but it seems like this is a serious security issue because our video camera server and TimeIPS are not protected by a router or hardware firewall. I believe who ever set this up did it that way so that each device, or network could have it's own publicly routeable IP address. Can anyone enlighten me on the subject?

Hackers, spammers, phishers, virus writers, competitors, you name it..it sounds like your company could be throwing up a huge sign for these predators. If they don't belong inside your company's network, they need to be thoroughly frustrated at the gate.

A network's equivalent to locks on the doors and windows is it's firewall. They set rules for which types of traffic are allowed, and to which machines. It examines data packets and traffic patterns to find and block intrusive attacks to your network. They also keep outsiders from trying to sneak in through unguarded ports or from even knowing the internal architecture and devices on your LAN. Believe it or not, unprotected modems can also provide a back-door for intrusive attacks to your network. I primarily work with voice PRI/T1 spans, and I administer a voice firewall platform to prevent unauthorized modem calls (inbound or outbound), phone spammers, etc.

I suggest incorporating an aggressive network security plan. I'm sure that others here will also be able to provide you with some important info and suggestions in regards to the various elements and levels to protecting your network.

Here\'s a thorough introduction to tackling the subject of network security.

Danzor

Thanks for the advice Mike. I read that article, it had a lot of good information in there. I wish I had the leverage at this company to get something changed with this network. I was just hired on as a lowly tech, but I am currently seeking a degree in Network Management. I do believe that everything should be behind a firewall of some sort to prevent nefarious intent. With that said, I was still wondering, is it a common practice to connect a T1 to a switch rather than a router, to split up the internet connection to allow for multiple IP addresses, or would it be more logical to have the T1 connect to a router and split the IP addresses up using a 1-to-1 NAT type system... Now that I think about it, is it even possible to assign a router interface more than one IP address?

A T1 cannot be connected directly to a simple hub/switch. Ethernet and T1's are totally different animals. The T1 must go to a CSU/DSU.

Now, many manufacturers produce equipment that can have a T1 and ethernet ports built into the same box. However, the CSU/DSU would also be built into the box, as well as a router.

You'll need to be a little clearer on your current configuration to get a better answer for what you have.

Is it possible you are on an MPLS network or metro-ethernet arrangement versus a T-1?

What Danzor thinks is a T-1 line is probably an Ethernet line connected at the other end to a border router. That router has an inside interface and an outside interface. The inside interface is probably Ethernet. The outside interface is either a high-speed serial interface that connects to an external csu/dsu or is a T-1-ready interface that contains an internal csu/dsu. This border router is usually provided by the internet service provider and is often locked in a closet or cabinet so clients don't mess around with it.

That is the usual setup. There are however other possibilities. One is that what you think is a switch may be a router. Another is that what you think is a switch is a layer 3 switch also known as a brouter. Another is that what you think is a switch is an internet access devicice (IAD). Or it may be a firewall or security appliance.

By the way a T-1 port is physically identical or very similar in appearance to an Ethernet port, a token-ring port, a CDDI port, and others, although electrically different.

It is good that you have curiosity about such matters. However before you start lecturing your supervisors on how things ought to be, make sure you really understand the way they are. You might want to read a good book on networking. Microsoft and Cisco both have good training books on this subject.

It's also possible that you're not noticing a router of some sort, that may not look like an ordinary router....

Data T1's generaly arrive first to some sort of device to do the media conversion. Typically, a Cisco 1720 is a low-end device that has a T1 port and an ethernet port. While the primary "visible" function is to convert the signalling, the router may also be configured for restricting and filtering the traffic. It probably isn't a firewall per-se, and probably doesn't do the NAT. (Network Address Translation, which is basically translating the numerous private IP addresses in each network to the public addresses)

What we're used to seeing today is dedicated-funtion hardware firewalls, which do NAT and all the other security stuff, like inspecting each packet for worms and viruses, or detecting patterns of attacks, and shutting them down. Devices like this are as cheap as a Netgear or Linksys model to a high-end Sonicwall.

There's also the possibility that the T1 is terminated and converted in another part of the building, like in a communications closet. The last building my company was in, we originally had a T1 terminated in our space, in a SmartJack, then into a Cisco 1720, then to a switch, where we split off a couple lines for other tenants that we shared the cost with, and then into our Netgear VPN firewall. In the last year at the building, we contracted with a service provider, which brought 2 T1's into the building, then managed their own Cisco equipment, and provided us with Ethernet, (with a theoretically higher-speed) which still made its first stop at a switch to split it up, then to the Firewall.

There also may be a server setup with MS ISA Server (Internet Security and Acceleration) which performs many of the same functions as a firewall, and some others that sometimes cause more problems than it's worth.

If any of our replies haven't quite hit the nail on the head and you're stil looking for answers, maybe you should tell us (or show us, if you could manage some pics without getting in trouble) exactly what's connected to what.

Edit - Seems The Grim Reaperand I were on the same wavelength... he probably didnt have to take a break from typing to take cre of his 14 month old.....

Also, like what nfcphoneman and rob said.

Maybe you could get back to us with the make and model of the "switch" and then we could help you do some detective work for educational purposes.

Sorry guys I should have said this before, the T1 Line comes into a white wall mount box that says Adtran on it, from the Adtran it goes into an eight port swith, I am positive that this device is a switch. I'm not sure of the model number of the Adtran.

The Adtran devce is the CSU/DSU (Channel Service Unit/Data Service Unit) that Larry (nfcphoneman) was mentioning. It serves as a bridge between the T1's transport side with a customer's network or CPE. It's functions normally include providing for loop testing, circuit monitoring and conditioning, error correction, configuring the T1's framing and coding, and to provide alarm indication signal during any signal loss.