Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!lll-tis!ames!mailrus!tut.cis.ohio-state.edu!rutgers!iuvax!silver!sweeny
From: sweeny@silver.bacs.indiana.edu
Newsgroups: comp.dcom.lans
Subject: Re: Security on ethernet (and DEC product announcement)
Message-ID: <24000001@silver>
Date: 31 Mar 88 21:38:00 GMT
References: <525@cunixc.columbia.edu>
Organization: Indiana University BACS, Bloomington
Lines: 24
Nf-ID: #R:cunixc.columbia.edu:-52500:silver:24000001:000:1355
Nf-From: silver.bacs.indiana.edu!sweeny    Mar 31 16:38:00 1988

The (hardware) device is called a DESNC, a "multiport bridge with encryption" which nonetheless won't work with DEC's RBMS (remote bridge management software). It has 4 unmodified thinwire ethernet ports, a physical key lock, a numeric pad for entering authentication keys, and a bypass capability (so that you can turn it off if your authentication node goes down, for instance). One reason for putting the encryption in a board instead of the host, they say, is to avoid loading the host. Throughput is supposed to be about 4 Mb/sec.

The DESNC works together with "KDC" (key distribution center) software on a VAX somewhere (only under VMS at the moment), which is essentially a configuration database ("are conversations between node A and node C encrypted or freetext?") that distributes its "keys" to DESNCs on the network. The idea is that there would probably be 1-2 KDC software loci on the network, and a DESNC interface at every node that wanted to be able to do encryption. One additional interesting note is that the KDC software is priced the same for all CPU types, unlike most DEC software. The KDC also can keep an audit trail of security events, and has a DESNC itself.

I hope that information helps.

Brent
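The architecture Brent describes (a central KDC holding a per-node-pair "encrypted or cleartext" policy, handing each DESNC only the keys for its own peers, keeping an audit trail, and a bypass switch that passes traffic in the clear) can be modelled in a few dozen lines. The following is an added illustration written for this page, not DEC's DESNC/KDC protocol or code: the class names, the 16-byte key size, the HMAC-based key derivation, the frame flag byte and the HMAC-SHA256 keystream standing in for DES are all assumptions.

```python
"""Toy model of a key-distribution centre feeding per-pair keys to encrypting
bridges.  Added example for this page; NOT DEC's DESNC/KDC design.  Key sizes,
key derivation, frame format and the stand-in cipher are assumptions."""

import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List


def pair_id(a: str, b: str) -> FrozenSet[str]:
    """Conversations are undirected: (A,C) and (C,A) share one policy entry."""
    return frozenset((a, b))


class KDC:
    """Configuration database plus key server (assumed design)."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret
        self.policy: Dict[FrozenSet[str], bool] = {}   # pair -> encrypted?
        self.audit: List[str] = []                      # security event trail

    def set_policy(self, a: str, b: str, encrypted: bool) -> None:
        self.policy[pair_id(a, b)] = encrypted
        mode = "encrypted" if encrypted else "cleartext"
        self.audit.append(f"policy {a}<->{b} {mode}")

    def is_encrypted(self, a: str, b: str) -> bool:
        # Unknown pairs default to cleartext (assumption; a strict site would deny).
        return self.policy.get(pair_id(a, b), False)

    def pair_key(self, a: str, b: str) -> bytes:
        """Per-pair key derived from the master secret (assumption: a real KDC
        might store random keys instead).  Sorting makes it symmetric."""
        label = "|".join(sorted((a, b))).encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()[:16]

    def distribute(self, node: str) -> Dict[str, bytes]:
        """Keys the DESNC in front of `node` needs: one per encrypted peer."""
        keys: Dict[str, bytes] = {}
        for pair, enc in self.policy.items():
            if enc and node in pair and len(pair) == 2:
                (peer,) = pair - {node}
                keys[peer] = self.pair_key(node, peer)
        self.audit.append(f"keys distributed to {node}: {sorted(keys)}")
        return keys


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for DES; assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class DESNC:
    """Encrypting bridge in front of one node; holds only its own pair keys."""

    def __init__(self, node: str, kdc: KDC, bypass: bool = False) -> None:
        self.node = node
        self.bypass = bypass            # key-switch bypass: send everything in clear
        self.keys = kdc.distribute(node)

    def transmit(self, dst: str, payload: bytes) -> bytes:
        key = self.keys.get(dst)
        if key is None or self.bypass:
            return b"\x00" + payload    # cleartext frame, flag byte 0
        nonce = os.urandom(8)
        ks = keystream(key, nonce, len(payload))
        return b"\x01" + nonce + bytes(p ^ k for p, k in zip(payload, ks))

    def receive(self, src: str, frame: bytes) -> bytes:
        flag, body = frame[0], frame[1:]
        key = self.keys.get(src)
        if flag == 0:
            # Policy says this peer must be encrypted: refuse a cleartext frame.
            if key is not None and not self.bypass:
                raise ValueError(f"cleartext from {src} but policy says encrypted")
            return body
        if key is None:
            raise ValueError(f"no key for {src}")
        nonce, ct = body[:8], body[8:]
        return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))
```

The point of the split is visible in `distribute`: the bridge for node B, whose only policy entry is "cleartext with A", receives no keys at all, so compromising that box yields nothing about the A-C conversation; and a bridge whose policy says "encrypted" rejects a cleartext frame from that peer, which is the check a downgrade attack would trip over.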