Path: utzoo!mnetor!uunet!husc6!bloom-beacon!bu-cs!kwe
From: kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England))
Newsgroups: comp.dcom.lans
Subject: Re: Security on ethernet, recent LAN mag article
Message-ID: <21119@bu-cs.BU.EDU>
Date: 31 Mar 88 21:05:11 GMT
References: <4805@ecsvax.UUCP> <4826@ecsvax.UUCP>
Reply-To: kwe@buit13.bu.edu (Kent England)
Followup-To: comp.dcom.lans
Organization: Boston Univ. Information Tech. Dept.
Lines: 42
Summary: Hardware encryption needs a reference model

In article <4826@ecsvax.UUCP> howell@ecsvax.UUCP (Doc A. Howell) writes:
> [in reference to physical/segmented security versus encryption]
> Encryption looks to me to be the best solution, but it appears most
> people are looking at this from a software standpoint. Trying to hide
> passwords and such does little good when a patient person can just sit
> and wait for what he wants to see go by.
>
> This is obviously a tough one or it would have been solved by now. I
> suppose it is a matter of wait and see what happens.

I think hardware is the only way to encrypt entire sessions (versus encryption of transactions like login). But wait:

In article <525@cunixc.columbia.edu> alan@cunixc.columbia.edu (Alan Crosswell) writes:
> DEC has very recently announced what I believe to be a LAN-bridge like
> box combined with a VMS-based key server. It uses a hardware DES
> implementation and is supposed to encrypt data at the packet level in
> one box and decrypt it at the other (totally transparent to the
> hosts). It will also allow clear text passthru when one host sits
> behind a decrypter but the other doesn't, so you can add these things
> to an existing ethernet, protecting the "important" hosts ("important"
> meaning how much money you want to spend) while still allowing access
> for others. It's supposed to have all kinds of configuration stuff
> too so you can decide who can talk to whom.

Okay, so how will this hardware-based solution work?

Sounds like the DEC box will encrypt packets on an individual host basis. Will it also encrypt at the session level? Will you have a secure terminal server with encryption to one or several hosts and clear access to all others? What about a workstation with a DES chip? Would you encrypt at the session level (by that I mean encrypting each telnet session individually or each virtual circuit individually), or would you encrypt at the link level for each packet sent to a secure host?

I think we need a design and an RFC. I'll make my killing when the interoperability issues are a little clearer :-)

Kent England
Boston University
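The packet-level box Alan describes, as a constructed Python model added here (it is not code from the thread or from DEC): two bridges share a per-pair key handed out by a key server, encrypt frames between protected hosts, pass frames in clear when only one side has a decrypter, and drop pairs the configuration does not allow. The host names, the ALLOWED and KEY_SERVER tables, and the SHA-256 keystream standing in for the hardware DES are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo, not DEC's design: vax1 and vax2 each sit behind an encrypting
# bridge, pc9 does not, and the key server gives both bridges the same per-pair key.
PROTECTED = {"vax1", "vax2"}
ALLOWED = {("vax1", "vax2"), ("vax2", "vax1"), ("vax1", "pc9"), ("pc9", "vax1")}
KEY_SERVER = {("vax1", "vax2"): b"k-vax1-vax2", ("vax2", "vax1"): b"k-vax1-vax2"}

@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes
    seq: int = 0   # per-frame counter sent in clear so the peer box can decrypt; 0 = clear text

def crypt(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for the hardware DES: XOR with a SHA-256 counter keystream (illustration only)."""
    ks = b"".join(hashlib.sha256(key + seq.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))

class Bridge:
    def __init__(self):
        self.seq = 0
    def outbound(self, f: Frame):
        if (f.src, f.dst) not in ALLOWED:
            return None                  # configuration decides who may talk to whom
        if f.src in PROTECTED and f.dst in PROTECTED:
            self.seq += 1                # encrypt at the packet level; hosts stay unaware
            return Frame(f.src, f.dst, crypt(KEY_SERVER[(f.src, f.dst)], self.seq, f.payload), self.seq)
        return f                         # clear-text passthru: one side has no decrypter
    def inbound(self, f: Frame) -> Frame:
        if f.seq == 0:
            return f
        return Frame(f.src, f.dst, crypt(KEY_SERVER[(f.src, f.dst)], f.seq, f.payload))

def run():
    """Send three frames; report what a passive listener on the backbone would see."""
    a, b, seen, delivered = Bridge(), Bridge(), {}, {}
    for f in (Frame("vax1", "vax2", b"login secret"), Frame("vax1", "pc9", b"login secret"),
              Frame("pc9", "vax2", b"login secret")):
        wire = a.outbound(f)
        if wire is None:
            seen[(f.src, f.dst)] = "dropped"
            continue
        seen[(f.src, f.dst)] = "clear" if wire.payload == f.payload else "cipher"
        delivered[(f.src, f.dst)] = b.inbound(wire).payload == f.payload
    return seen, delivered
```

A listener on the backbone sees only ciphertext for vax1 to vax2 but the full payload for vax1 to pc9, which is what the clear-text passthru gives up: any session that touches an unprotected host is exposed, whatever the per-host boxes do for the rest.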