Path: utzoo!mnetor!uunet!husc6!mailrus!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!kwe
From: kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England))
Newsgroups: comp.dcom.lans
Subject: Re: Security on ethernet, recent LAN mag article
Message-ID: <20906@bu-cs.BU.EDU>
Date: 25 Mar 88 00:13:27 GMT
References: <4805@ecsvax.UUCP>
Reply-To: kwe@buit13.bu.edu (Kent England)
Followup-To: comp.dcom.lans
Organization: Boston Univ. Information Tech. Dept.
Lines: 63

In article <4805@ecsvax.UUCP> howell@ecsvax.UUCP (Doc A. Howell) writes:
>
>     Did anyone read the recent LAN magazine article on ethernet security?
>I am sure some did. The article addressed the use of an ethernet monitor
>to spy on an ethernet to obtain passwords, look at data, and have fun in
>general. This seems to me to be a very severe problem. With the example
>given, there appears to be no way, other than encryption, to prevent
>this type of problem.
>
>     Does anyone have any ideas of how to deal with this? Is encryption
>the only answer, ($$$)? Anyone have any reason to believe that their
>networks are being spied on?

Back in July of last year there was a great discussion of LAN security
on the BIG-LAN BITnet list. I saved it in an archive.

It started with a question of security when academic and administrative
users are on the same LANs. How does one protect sensitive
administrative data and systems from those impish academic hackers?

Not much was said about physical security, except that some can't
control physical access and some demand physical security, like network
closets and conduits, as part of their standard cable distribution. Of
course, physical security helps protect against accidents as well as
malicious abuse.

One solution: use bridges to isolate traffic and cut down on what a
snooper could see. A follow-on to that would be to use a subnetted
internet with routers instead of bridges. Various people commented
about security holes in both approaches, although the consensus was
that this was a most significant means of enhancing security.

Another solution: Run parallel LANs and segregate the academic and
admin machines and users (David Wasley @ UC Berkeley and John Wobus @
Syracuse U).

Another solution: encrypt sensitive data and transfers. [vendors have
since come out with hardware to support link level encryption on LANs,
Bridge and U-B come to mind.]

I said something about the threat of snoopers not being serious and
Philip Prindeville from MIT posted a simple explanation of a $1.98
snooper package and opened my eyes to the ease of snooping.

Quote:
    A year and a half ago, at my previous employer, we put a $900 PC
    with a $300 ethernet card and some public domain software on our
    ethernet. We set up the monitor to log any TCP packets on port 25.
    That afternoon, all the mail that had been sent was pinned to a
    bulletin board next to the conference room. Security took on a new
    sense of urgency...
EOQ

A very funny article but quite serious and instructive.

In response to my idea of a public key cryptosystem for logon and
transactions MAR@ATHENA.MIT.EDU posted a notice of the MIT project
Athena Kerberos authentication system. Kerberos, which is slated to be
publicly released, provides for secure access control, including logon
transactions.

The short and simple answer is: segment and/or segregate and implement
some kind of encryption [total or Kerberos(like)].

    Kent England
    Boston University
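
Added illustration, not part of the original post or of any product it mentions: a toy model of the bridge suggestion above, comparing what a passive monitor on the academic segment can capture on one flat ethernet versus behind a transparent learning bridge. The station names, segment names and traffic are constructed, and the two-segment learning bridge is an assumption about the kind of bridge meant.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology: station -> segment it is attached to.
STATIONS = {"payroll": "admin", "registrar": "admin",
            "lab1": "academic", "lab2": "academic"}

# Constructed traffic, in order, as (source, destination) frames.
FRAMES = [
    ("payroll", "registrar"),  # destination not yet learned: flooded
    ("registrar", "payroll"),  # both ends known on "admin": filtered
    ("payroll", "registrar"),
    ("registrar", "payroll"),
    ("lab1", "lab2"),
    ("lab2", "lab1"),
    ("payroll", BROADCAST),    # broadcasts always cross the bridge
    ("payroll", "registrar"),
]

class LearningBridge:
    """Transparent bridge: learns which port each source address is on."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # station address -> port

    def forward(self, src, dst, in_port):
        """Return the other ports the frame is copied to."""
        self.table[src] = in_port
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return self.ports - {in_port}  # flood
        return set() if out == in_port else {out}

def frames_seen(frames, stations, monitor_segment, bridged):
    """Frames a passive monitor on monitor_segment could capture."""
    segments = set(stations.values())
    bridge = LearningBridge(segments)
    seen = []
    for src, dst in frames:
        origin = stations[src]
        # Flat ethernet: every frame is on every segment.
        on_wire = ({origin} | bridge.forward(src, dst, origin)) if bridged else segments
        if monitor_segment in on_wire:
            seen.append((src, dst))
    return seen

if __name__ == "__main__":
    for bridged in (False, True):
        seen = frames_seen(FRAMES, STATIONS, "academic", bridged)
        print("bridged" if bridged else "flat", len(seen), seen)
```

On the flat network the monitor captures all eight frames. Behind the bridge it still captures the first admin frame, flooded before the bridge had learned the destination, and the broadcast, which is why bridging narrows exposure without replacing encryption.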