Path: utzoo!mnetor!uunet!husc6!spdcc!kaos!romkey
From: romkey@kaos.UUCP (John Romkey)
Newsgroups: comp.dcom.lans
Subject: Re: Security on ethernet, recent LAN mag article
Message-ID: <752@kaos.UUCP>
Date: 25 Mar 88 13:15:11 GMT
References: <4805@ecsvax.UUCP> <20906@bu-cs.BU.EDU>
Reply-To: romkey@kaos.COM (John Romkey)
Organization: Chaos; Somerville, MA
Lines: 44

In article <20906@bu-cs.BU.EDU> kwe@buit13.bu.edu (Kent England) writes:
>I said something about the threat of snoopers not being serious and
>Philip Prindeville from MIT posted a simple explanation of a $1.98
>snooper package and opened my eyes to the ease of snooping.

While the software is from MIT, Philip is not. The software is a
program called netwatch that I wrote as a part of the public domain
PC/IP. There are also commercial versions of it available now. It's
really intended for protocol and network debugging, but if you're
bored, yes, it does a fine job of catching data and passwords. It
actually costs about $15 from MIT. You can buy more sophisticated
programs like this from FTP Software, Network General, Excelan,
Hewlett-Packard and Network Research Corporation. I think that there's
similar software for Sun workstations, too.

>In response to my idea of a public key cryptosystem for logon and
>transactions MAR@ATHENA.MIT.EDU posted a notice of the MIT project
>Athena Kerberos authentication system. Kerberos, which is slated to
>be publicly released, provides for secure access control, including
>logon transactions.
>
> The short and simple answer is: segment and/or segregate and
>implement some kind of encryption [total or Kerberos(like)].

As you said, Kerberos provides secure authentication - you don't end
up sending a password across the net in plaintext, and you can't spoof
it, but it doesn't encrypt any of your data. So with an ethernet
monitor in a Kerberos system you could still pick up lots of neat
data.

If someone REALLY wants to get at your data, then they'll manage to
tap your ethernet cable and segregating won't really help. It will
only prevent the casual cracker from breaking security; it won't help
you with truly malicious crackers. Physical security seems to be
necessary to really be as close to 100% as is possible, especially
with UNIX based systems that can easily be brought up in single user
mode as 'root' if you have access to the physical computer.
--
- john romkey
...harvard!spdcc!kaos!romkey
romkey@kaos.uucp
romkey@xx.lcs.mit.edu