Path: utzoo!utgpu!watmath!clyde!att!cuuxb!dlm
From: dlm@cuuxb.ATT.COM (Dennis L. Mumaugh)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: An Obvious Security Problem?
Summary: passive taps are a problem
Message-ID: <2215@cuuxb.ATT.COM>
Date: 19 Nov 88 18:58:01 GMT
References: <881109143927.20402284@Csa3.LBL.Gov>
Reply-To: dlm@cuuxb.UUCP (Dennis L. Mumaugh)
Organization: ATT Data Systems Group, Lisle, Ill.
Lines: 31

In article <881109143927.20402284@Csa3.LBL.Gov> forrest@CSA3.LBL.GOV writes:

> I am a complete novice at matters relating to networking and
> haven't read the Telnet RFC so I may be missing something obvious.

No question is unworthy of asking.

> Assume the following network organization:
>
>     A <------------------> M <------------------> Z
>
> (Node M is actually one or more gateways.)
>
> Couldn't a bad guy on M monitor the TCP/IP traffic looking for
> Telnet connections and then follow through the exchange of login
> names and passwords, thereby capturing a node/login and password
> pair? (I realize that the path from A to Z is dynamic and that
> this might not always be possible.)

Yes. In fact if one has a LAN sniffer one can read the entire
traffic on the EtherNet Cable. All networking schemes assume
physical security of the communications media.

The DoD people have a solution: encrypt the comm-line. There is a
secure version on the Internet that does just that. Even better is
to use end-to-end encryption for each communications circuit.

The basic problem with all of this is the encryption overhead and
the key and authentication problems.

--
=Dennis L. Mumaugh
 Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com
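
Added example (not part of the original post): a small Python model of the A <-> M <-> Z path comparing cleartext Telnet, per-line encryption and end-to-end encryption. It goes one step beyond the post by showing that with per-line encryption the gateway M still handles plaintext. The login text, the keys and the SHA-256 counter-mode cipher are constructed stand-ins for illustration, not a real protocol or a cipher to deploy.

```python
import hashlib
import os

SECRET = b"constructed-password"                          # constructed sample value
LOGIN = b"login: alice\r\nPassword: " + SECRET + b"\r\n"  # constructed Telnet-style exchange

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)                 # fresh nonce per message, sent in the clear
    return nonce + _xor_stream(key, nonce, data)

def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def cleartext(payload):
    # Plain Telnet: the same bytes cross both lines and gateway M.
    return {"wires": [payload, payload], "at_m": payload, "at_z": payload}

def link_encrypted(payload, k_am, k_mz):
    # Each line has its own key, so M decrypts and re-encrypts to forward.
    w1 = seal(k_am, payload)
    at_m = unseal(k_am, w1)
    w2 = seal(k_mz, at_m)
    return {"wires": [w1, w2], "at_m": at_m, "at_z": unseal(k_mz, w2)}

def end_to_end(payload, k_az):
    # Only A and Z hold the key; M forwards bytes it cannot read.
    w = seal(k_az, payload)
    return {"wires": [w, w], "at_m": w, "at_z": unseal(k_az, w)}

def exposure(result, secret=SECRET):
    """Report whether the secret is readable on a tapped wire or on gateway M."""
    return {"tap": any(secret in w for w in result["wires"]),
            "gateway": secret in result["at_m"]}

if __name__ == "__main__":
    k = [os.urandom(32) for _ in range(3)]
    print("cleartext ", exposure(cleartext(LOGIN)))
    print("per-line  ", exposure(link_encrypted(LOGIN, k[0], k[1])))
    print("end-to-end", exposure(end_to_end(LOGIN, k[2])))
```

The key and authentication problems the post mentions are outside this model: the keys are simply assumed to be in place at the right nodes.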