Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!aramis.rutgers.edu!geneva.rutgers.edu!hedrick
From: hedrick@geneva.rutgers.edu (Charles Hedrick)
Newsgroups: comp.dcom.lans
Subject: Re: Ethernet security
Message-ID:
Date: 25 Aug 89 20:38:35 GMT
References: <3956@phri.UUCP>
Organization: Rutgers Univ., New Brunswick, N.J.
Lines: 25

It's quite true that anyone on the Ethernet can watch any packet go by, given appropriate software. If you have a host or a set of hosts that you want to limit access to, I'd set up a small Ethernet just for them.

Note that people can't watch Ethernets by magic. They have to have a machine on it that is under their control, i.e. either a PC or a multi-user system to which they have root access. (Roy didn't point out that the Sun software he is describing can't be run by normal users.) So if you have a small Ethernet that just goes to machines under your control, that Ethernet itself isn't a danger.

Now the question becomes what happens with access to the rest of the campus. You'll need a gateway between your Ethernet and the campus network. Most gateways allow some access control. How effective control in the gateway is has to do with how your campus network is managed. You should talk to your campus networking people about it. I would bet that things could be arranged so that the risks are acceptable. Anyone who demands zero risk should go into a different business...

You should be careful not to be overly concerned about the security of new technology and ignore the dangers of old technology. We've had students tap RS232 wiring. You've got exactly the same exposure with an RS232 wire as an Ethernet: anybody who taps it will see everything on it. In fact it probably requires less sophisticated equipment to watch an RS232 line than an Ethernet. This is what I mean about zero risks. Be careful that you don't demand zero risk with Ethernet, while accepting unknown risks with your old technology.