Path: utzoo!mnetor!uunet!husc6!mit-eddie!ll-xn!ames!hc!hi!cyrus
From: cyrus@hi.unm.edu (Tait Cyrus)
Newsgroups: comp.dcom.lans
Subject: Re: Security on ethernet, recent LAN mag article
Message-ID: <23559@hi.unm.edu>
Date: 24 Mar 88 01:59:43 GMT
References: <4805@ecsvax.UUCP>
Reply-To: cyrus@hi.unm.edu (Tait Cyrus)
Organization: U. of New Mexico, Albuquerque
Lines: 78
Keywords: ethernet,security

In article <4805@ecsvax.UUCP> howell@ecsvax.UUCP (Doc A. Howell) writes:
>
> Did anyone read the recent LAN magazine article on ethernet security?
>I am sure some did. The article addressed the use of an ethernet monitor
>to spy on an ethernet to obtain passwords, look at data, and have fun in
>general.

Here at UNM we had to resort to this to aid us in "tracing" a user that
was breaking into accounts. We had our program trigger whenever the
account name (being broken into) was seen on the net. It then latched
onto the connection that it saw this "key" on. From that moment till the
intruder logged off we had a "script" of both directions of their
conversation. This allowed us to see exactly what the intruder was doing
to our systems and how they were trying to break in (allowing us to fix
any UN*X security problems we had unintentionally left open.)

Unfortunately, this program could just as easily watch for "keys" such as
"password", "su", "login", etc (we have done this to try to show the
higher ups here at UNM how insecure the net is -- we got over 200
passwords in a couple hour period).

>This seems to me to be a very severe problem. With the example
>given, there appears to be no way, other than encryption, to prevent
>this type of problem.
>
> Does anyone have any ideas of how to deal with this? Is encryption
>the only answer, ($$$)?

No, encryption is not the only answer. Dollars, though, can really help.

Some other possible solutions are:

1) keep PC's OFF of your cable so that they can't "watch" your traffic
2) restrict who has root on your systems (so they can't run these 'spy'
   programs on them)
3) Restrict physical access to the cable - put in conduit (preferably
   pressurized, though this can be gotten around quite easily)
4) use fiber optics. This is a little harder for a person to tap, though
   it is still possible
5) Watch when people use their accounts. You will notice right away when
   a secretarial account is being used at "odd" hours of the night. Doing
   this will give you some idea of which accounts have been compromised.
6) force people to change their passwords often (once a month for
   example) so that if someone does gain unauthorized access to the
   cable, the passwords they see won't do them much good

These are just a few steps you can take to keep people from "watching"
the net. If they start to put data out on the net, then watch out
because they can change machines' arp tables so that packets are forced
to the other sides of certain ethernet bridges (DEC DEBIT for example),
send icmp redirects so that packets are forced to the other sides of
gateways, step into a conversation (say of someone with root) and take
over the connection, etc.

To protect against an unauthorized person actively putting things on the
net, an authentication routine should be used (such as Kerberos (sp?)
from MIT -- I don't know much about the whats/hows/etc though) that
"notices" any strangeness it sees on the net.

>Anyone have any reason to believe that their
>networks are being spied on?

Yes. I am watching (I don't like the word 'spy') our network. I am
performing some statistical analysis. Not all "spying", as you put it,
is bad. Some is a necessary evil.

-- 
@__________@      W. Tait Cyrus                 (505) 277-0806
/|         /|     University of New Mexico
/ |        / |    Dept of Electrical & Computer Engineering
@__|_______@  |   Parallel Processing Research Group (PPRG)
|  |       |  |   UNM/LANL Hypercube Project
|  |  hc   |  |   Albuquerque, New Mexico 87131
|  @.......|..@
| /        | /    e-mail:
@/_________@/     cyrus@hc.dspo.gov
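The post warns that an intruder who starts putting frames on the cable can rewrite other machines' arp tables to redirect traffic, and that something on the net should "notice" such strangeness. The following is an added example (not code from the post or from UNM) of the passive check a defender runs for exactly that: it reads ARP replies off a capture and raises an event whenever an IP address rebinds to a different Ethernet address, distinguishing a one-off change (a NIC swap, say) from a flip-flop between two addresses, which is the signature of a station fighting the real owner for an IP. The input lines are constructed for the example and only loosely imitate tcpdump's ARP output; the addresses are hypothetical.

```python
import re
from collections import namedtuple

# A parsed ARP reply: capture timestamp, the IP being answered for, and
# the hardware address it was claimed to live at.
ArpReply = namedtuple("ArpReply", "ts ip mac")

# Constructed sample capture (hypothetical addresses). The format mimics
# tcpdump's "ARP, Reply <ip> is-at <mac>" lines but is not real output.
SAMPLE_ARP_LINES = [
    "12:00:01 ARP, Reply 10.0.0.1 is-at 08:00:2b:11:22:33, length 28",   # gateway
    "12:00:05 ARP, Reply 10.0.0.20 is-at 08:00:2b:44:55:66, length 28",  # workstation
    "12:01:10 ARP, Reply 10.0.0.1 is-at AA:BB:CC:DD:EE:01, length 28",   # gateway IP, new MAC
    "12:01:12 ARP, Reply 10.0.0.1 is-at 08:00:2b:11:22:33, length 28",   # real gateway answers
    "12:01:15 ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:01, length 28",   # other station again
    "12:05:00 ARP, Reply 10.0.0.20 is-at 08:00:2b:44:55:67, length 28",  # single rebind
]

ARP_REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_replies(lines):
    """Extract ARP replies from capture lines; MACs are normalised to lower case."""
    replies = []
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append(ArpReply(m.group(1), m.group(2), m.group(3).lower()))
    return replies


def watch_arp(replies):
    """Replay ARP replies against an IP->MAC table and report every rebinding.

    Returns a list of (ts, kind, ip, old_mac, new_mac) tuples where kind is:
      new-station               first time this IP is seen
      changed-ethernet-address  IP moved to a MAC never seen for it before
      flip-flop                 IP moved back to a MAC it already used
    """
    table = {}    # ip -> MAC currently bound
    history = {}  # ip -> every MAC ever seen for it
    events = []
    for r in replies:
        prev = table.get(r.ip)
        seen = history.setdefault(r.ip, set())
        if prev is None:
            kind = "new-station"
        elif prev == r.mac:
            continue  # same binding reasserted, nothing to report
        elif r.mac in seen:
            kind = "flip-flop"
        else:
            kind = "changed-ethernet-address"
        seen.add(r.mac)
        table[r.ip] = r.mac
        events.append((r.ts, kind, r.ip, prev, r.mac))
    return events


def flip_flop_hosts(events):
    """IPs that oscillated between MACs: two stations are answering for one address."""
    return {ip for _, kind, ip, _, _ in events if kind == "flip-flop"}


if __name__ == "__main__":
    for ts, kind, ip, old, new in watch_arp(parse_arp_replies(SAMPLE_ARP_LINES)):
        print(f"{ts} {kind:26} {ip:12} {old or '-':18} -> {new}")
    print("flip-flop hosts:", sorted(flip_flop_hosts(watch_arp(parse_arp_replies(SAMPLE_ARP_LINES)))))
```

On the sample capture the gateway address 10.0.0.1 produces a changed-ethernet-address event followed by two flip-flops, while 10.0.0.20 produces only a single change; a site would page on the former and merely log the latter. In a live deployment the same logic is fed from a capture on the segment itself, since (as the post notes) a bridge can hide traffic on the far side of it.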