Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!decwrl!ultra.dec.com!herbison
From: herbison@ultra.dec.com (B.J.)
Newsgroups: comp.dcom.lans
Subject: RE: Smart Bridge/Router
Message-ID: <8812161406.AA15500@decwrl.dec.com>
Date: 16 Dec 88 18:59:00 GMT
Organization: Digital Equipment Corporation
Lines: 49

> Does anyone know of a router/bridge that can be set up to restrict/allow
> access according to the packet's ethernet address.

[In addition to making restrictions based on addresses, you also
need some way to verify that nodes are using the correct address.
You don't want a student system to change its address and
impersonate a system in the business office.]

Digital sells products that provide security for Ethernet LANs and
extended LANs. Digital's Ethernet Enhanced-Security System provides
data confidentiality, data integrity, and also implements an access
control policy for the LAN. The system consists of DESNC controllers
that perform encryption and VAX KDC software that manages the
controllers.

A LAN is most secure if all nodes on a LAN are connected to DESNC
controllers (which support up to 20 nodes each), but in many
situations it is only necessary to use DESNC controllers for some
nodes. For example, the environment described could be protected by
only using DESNC controllers with administrative systems and servers.
The result would be:

    It would be possible to decide which systems could communicate
    with the administrative server or systems, and have this decision
    enforced by the DESNC controllers.

    No student system could communicate with one administrative
    system and pretend to be another administrative system.

    It would not be possible for student systems to read or modify
    communication between administrative systems.

    It would still be possible to allow administrative systems to
    communicate with the academic server, or any other system on
    the LAN.

DESNC controllers operate at the Data Link layer; they are transparent
to any higher layer network protocols and they work with both Ethernet
and IEEE 802 frame formats.

If you have questions about these products, or want additional
information, contact a DEC salesman or send me mail.

B.J.
Herbison@ULTRA.DEC.COM
Herbison%ULTRA.DEC.COM@decwrl.DEC.COM