Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!apple!voder!pyramid!lstowell
From: lstowell@pyrnova.pyramid.com (Lon Stowell)
Newsgroups: comp.protocols.ibm
Subject: Re: Restricting IBM token-ring snooping
Message-ID: <131522@pyramid.pyramid.com>
Date: 23 Oct 90 23:43:07 GMT
Sender: daemon@pyramid.pyramid.com
Reply-To: lstowell@pyrnova.pyramid.com (Lon Stowell)
Organization: Pyramid Technology Corp., Mountain View, CA
Lines: 27

Line monitor devices are SUPPOSED to announce their presence on the ring, but most don't. Only the newer versions from reputable manufacturers do so by actually sending the "Trace Device Present" vector. Most others do participate in Ring Poll and Neighbor Notification, so the network manager, if smart enough, can spot an unidentified station, but is not necessarily aware of any snooping....

Some "smart" MSAU's like the Star Tek and Proteon can be set to prohibit ANY new station from mechanically accessing the ring, which eliminates all but the most persistent units which could tap the data by bypassing the MSAU and the phantom drive technique entirely....

With the new TI chipset and the available C-compiler support for the Comm Processor, it would be child's play to create a non-obvious snooper....if you can de-jitter the data (sorry, couldn't resist....) sufficiently. I cannot imagine why anyone would do this...

Physical security of the LAN media is quite important....if you REALLY want security, run strictly SNA protocols and use IBM's DES Encrypted RU feature (if available yet for Token Ring..) You can read the SNA headers, but no way will you get at the user data......
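The detection the post describes, spotting an unidentified station from Ring Poll / Neighbor Notification, as an added example that is not part of the original post. Each station reports its Nearest Active Upstream Neighbor (NAUN) during Neighbor Notification; the report records, the adapter addresses, the inventory and the function names below are all constructed for illustration.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of Neighbor Notification results:
# each tuple is (reporting station, the NAUN it reported).
RING_POLL_REPORTS: List[Tuple[str, str]] = [
    ("40:00:00:00:00:01", "40:00:00:00:00:03"),
    ("40:00:00:00:00:02", "40:00:00:00:00:01"),
    ("00:00:c0:12:34:56", "40:00:00:00:00:02"),  # not in the inventory
    ("40:00:00:00:00:03", "00:00:c0:12:34:56"),
]

# Constructed inventory of adapters the network manager knows about.
INVENTORY: Set[str] = {
    "40:00:00:00:00:01", "40:00:00:00:00:02", "40:00:00:00:00:03",
}

# Stations that sent a "Trace Device Present" announcement (constructed: none).
ANNOUNCED_MONITORS: Set[str] = set()


def ring_order(reports: Iterable[Tuple[str, str]], start: str) -> List[str]:
    """Walk the ring downstream from `start` using the NAUN reports.

    A report (S, N) says N is immediately upstream of S, i.e. S is N's
    downstream neighbour. Following downstream links until `start`
    reappears yields the physical ring order; a missing link ends the
    walk early, which is itself a sign of an inconsistent poll.
    """
    downstream: Dict[str, str] = {naun: station for station, naun in reports}
    order = [start]
    current = start
    while True:
        nxt = downstream.get(current)
        if nxt is None or nxt == start or nxt in order:
            return order
        order.append(nxt)
        current = nxt


def audit_ring(reports: Iterable[Tuple[str, str]], inventory: Set[str],
               announced: Set[str]) -> Dict[str, List[str]]:
    """Classify every address seen in the poll against the inventory."""
    reports = list(reports)
    reporters = {station for station, _ in reports}
    nauns = {naun for _, naun in reports}
    active = reporters | nauns
    return {
        "unidentified": sorted(active - inventory - announced),
        "announced_monitors": sorted(active & announced),
        # Named as someone's NAUN but never sent its own report.
        "silent_neighbours": sorted(nauns - reporters),
    }
```

An address in "unidentified" is a station that joined the ring and took part in the poll without being in the inventory, which is exactly what the post says a manager can spot; it does not prove the station is snooping.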