Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!husc6!rutgers!ames!ucbcad!ucbvax!CSV.RPI.EDU!yerazuws
From: yerazuws@CSV.RPI.EDU (Crah)
Newsgroups: mod.protocols.tcp-ip
Subject: Re: secure replacements for passwords
Message-ID: <8701122344.AA05481@csv.rpi.edu>
Date: Mon, 12-Jan-87 18:44:29 EST
Article-I.D.: csv.8701122344.AA05481
Posted: Mon Jan 12 18:44:29 1987
Date-Received: Tue, 13-Jan-87 04:57:10 EST
References: <8701111745.AA01536@ucbvax.Berkeley.EDU>
Sender: molbio@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 65
Approved: tcp-ip@sri-nic.arpa
Summary: How to avoid tampering....the hard way

In article <8701111745.AA01536@ucbvax.Berkeley.EDU>, LYNCH@A.ISI.EDU (Dan Lynch) writes:
> So, please,
> some of you out there who know of some reasonable barriers to
> tampering on campus LANs, give Charles some feedback on his request.
>

Here at RPI we have a relatively tamperproof LAN system - but it wasn't meant to be that way.

For example, Professor A gets a pair of Sun 2's. One diskless Sun goes in his office up on the sixth floor, and the fileserver goes down in the basement lab. A piece of Ethernet goes in between them.

Then Center for XXX gets in a flock of uVAXen and puts them on an Ethernet. Different piece of coax, of course.

Then Center for YYY interconnects their MV10000 and their /780's and a couple of GPX's - on yet a third Ethernet.

All of these Ethernets coexist physically in the same building, run down the same cable trays, etc. But they're all physically separate and since the watchword is cost - there are NO bridges/gateways. You see, who pays for the gateway? What "added value" is there in a gateway?

Ah, you say that XXX and YYY should have gone on A's cable? Well, A already paid for that cable and it's his bandwidth and he doesn't want to clog down his diskless SUN 2 with all that DECnet traffic (which, having used a diskless Sun 2, I do not blame him at all for. I wouldn't either, if I had any way to avoid sharing that cable.)

But XXX and YYY should have used the same cable? Then who pays for it? Each center has to bill out expenditures. So, financially speaking, it isn't reasonable for either party to put in some LAN that it isn't going to use. Or that might need to be upgraded because a "sharing" arrangement is overloading the LAN.

Now you say "Why not at least install bridges/gateways"? Again, who pays for it?

So there are no gateways. Instead, each machine has one or two RS232 lines to a data switch. At 9600 baud. You dial out and tell the data switch where to connect- and then you log in there. Meanwhile, those three Ethernets sit there, safe and protected from the "other" guy.

Forgive the sarcasm and the flames, dear reader. But restricting use of a LAN (or access to bandwidth on a broadband system) may be what you want, although it pretty much negates the usefulness of the LAN in the first place.

I'd personally advise against such physical protection systems where the stakes are low (How much can a college campus net intruder get for his trouble? Ten grand maybe, at best?). If the stakes were higher (like a case of national security) I'd say this is the way to go. Hang the multiple Ethernet coaxes or fiber optics along the ceiling in the middle of a patrolled hall and NOBODY is going to get to it without much pain.

What it boils down to is that you can have security, or you can have a useful LAN, or you can go crazy. Those are your options.

-Regrets for the depressing truth...

Bill Yerazunis