Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!iuvax!rutgers!phri!roy
From: roy@phri.UUCP (Roy Smith)
Newsgroups: comp.dcom.lans
Subject: Re: Ethernet security
Message-ID: <3956@phri.UUCP>
Date: 25 Aug 89 12:28:10 GMT
References:
Reply-To: roy@phri.UUCP (Roy Smith)
Organization: Public Health Research Inst. (NY, NY)
Lines: 44

In article sr16+@andrew.cmu.edu (Seth Benjamin Rothenberg) writes:
> I expect there are ways of limiting access so that only our terminal
> servers are recognized, but am not sure.

It depends on what level of security you are interested in. It should be fairly straightforward to hack your telnet daemon to only accept connections from a given set of IP source addresses (i.e. just your terminal servers) if that is really what you want to do. I'll leave it to others to debate if this is wise, sufficient, and/or a protocol violation. One thing I will point out, however, is that it is fairly easy to forge IP addresses if you have access to raw ethernet packets (like you do with Sun's NIT, or on a PC).

On the other hand, there is no way you can prevent anybody with physical access to the ethernet wire to spy on every connection between your terminal servers and your host. Anybody with, for example, a Sun workstation, can run tcpdump, etherfind, or something similar and print out the data (including login names and passwords) flowing in both directions of every telnet connection to your host. I only mention Sun because their NIT interface makes it easy to get at raw ethernet packets regardless of their intended destination, but the same thing should be possible with a PC, a dedicated network monitor box, or probably other timesharing systems. It might be possible to hack up your terminal server software and your telnet daemon to use some non-standard port, but that will only confuse the issue a little bit. A dedicated spy will eventually figure out what is going on.
You could get a packet filtering ethernet bridge and put your host and terminal servers on one side of the bridge and the rest of the campus ethernet on the other. This will keep local terminal traffic from being visible outside your local ethernet segment. You should be able to get a good local ethernet bridge for on the order of $10k. This doesn't, however, help you if your terminal servers are scattered about the campus.

The eventual solution will be to have all network traffic encrypted, but I don't know of any terminal servers that currently support that. You would need a non-standard telnet daemon too, but presumably the terminal server vendor would be able to supply that if it existed.
--
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
{att,philabs,cmcl2,rutgers,hombre}!phri!roy -or- roy@alanine.phri.nyu.edu
"The connector is the network"
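An added example (not from Roy Smith's post) of the source-address allowlist he describes for the telnet daemon: a TCP listener that drops any connection whose peer is not one of the terminal servers. The server addresses and port are constructed, and, as the post says, this check does nothing against a forged IP source address or a sniffer on the same wire.

```python
import ipaddress
import logging
import socket

# Constructed allowlist: the terminal servers' addresses (assumed, not from the post).
TERMINAL_SERVERS = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]


def build_allowlist(entries):
    """Parse hosts and CIDR prefixes into network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src_addr, allowlist):
    """True if the peer's source address falls inside any allowlisted prefix."""
    try:
        addr = ipaddress.ip_address(src_addr)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def serve_allowlisted(host, port, allowlist, handler, max_conns=None):
    """Accept TCP connections, closing any whose source is not allowlisted.

    handler(conn, peer) services an accepted connection; max_conns bounds the
    accept loop so the server can be exercised and stopped (None = run forever).
    """
    served = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while max_conns is None or served < max_conns:
            conn, (peer_ip, peer_port) = srv.accept()
            served += 1
            if not is_allowed(peer_ip, allowlist):
                logging.warning("rejected connection from %s:%d", peer_ip, peer_port)
                conn.close()  # not a terminal server: drop it before any login prompt
                continue
            handler(conn, (peer_ip, peer_port))


if __name__ == "__main__":
    import threading
    logging.basicConfig(level=logging.INFO)
    nets = build_allowlist(TERMINAL_SERVERS)  # loopback is deliberately not listed
    def probe():
        with socket.create_connection(("127.0.0.1", 2323)) as c:
            c.recv(1)  # server closes without sending anything: rejection
    threading.Timer(0.2, probe).start()
    serve_allowlisted("127.0.0.1", 2323, nets, lambda c, p: c.close(), max_conns=1)
```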