Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!bu-cs!kwe
From: kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England))
Newsgroups: comp.protocols.tcp-ip
Subject: Re: IP based authentication of hosts
Message-ID: <29475@bu-cs.BU.EDU>
Date: 11 Apr 89 22:33:47 GMT
References: <376@ists.ists.ca> <29416@bu-cs.BU.EDU> <29455@bu-cs.BU.EDU> <10526@bloom-beacon.MIT.EDU>
Reply-To: kwe@buit13.bu.edu (Kent England)
Followup-To: comp.protocols.tcp-ip
Organization: Boston U. Information Technology
Lines: 54

In article <10526@bloom-beacon.MIT.EDU> jon@mit.edu (Jon A. Rochlis) writes:
>In article <29455@bu-cs.BU.EDU> kwe@buit13.bu.edu (Kent England) writes:
>
>>	I would not want to allow someone with genuine
>>Kerberos-authenticated access to login from an "open" subnet.  I would
>>want some assurance that the data stream is following routes
>>controlled by the routers and not by the hosts.  (Another argument
>>against source routing :-)
>>
>>	Is this reasonable?
>
>I don't think so.  What does an "open" subnet mean?

	I should have known better than to toss that off-the-cuff.  So,
Jon takes me to task.  :-)

	How about we call a subnet "open" if it has no special security
features; no control over nodes, etc.?  I.e., subject to packet snooping
by anyone on the subnet.

>
>Remember the model we're working with here.  The path from client to
>server may span several networks and pass through several (many)
>routers each possibly under different (and potentially hostile)
>administrative control.
>

	I was thinking of a much simpler case where I might be able to
secure a subset of subnets under my control and protect data in transit
from snooping.  I think this is a common case in many institutions.  If
some data paths could be "secured" to some degree from snooping and all
hosts on a "secure" subnet could be maintained by administrators to some
level of security, etc., we might be able to achieve some measure of
protection against snooping for communication between "secure" hosts.

>
>The only real solution is an end-to-end approach using something other
>than addresses for authentication.
>
>		-- Jon

	True, but assuming that full data encryption is too expensive in
terms of performance and software, perhaps I could implement a limited
security model consisting of "secure" subnets and "secure" routing that
would provide enough protection against snooping that I could get my
administrative users on the network and get their auditors off my back.
:-)

	So, if I set up "secure" subnets with hosts that are "sanitized"
to some degree, and I have some level of physical security on these
subnets, and I use Kerberos to protect passwords, and I turn off source
routing in secure hosts and all routers, and secure hosts do some address
checking to keep sensitive data from transiting open subnets, do I have
something worth having, i.e. a modest level of security sufficient to
fulfill my obligations to protect data and yet still allow these
applications to use network technology?
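The two host-side checks Kent proposes in the last paragraph, refusing source-routed packets and only exchanging sensitive data with peers on a "secure" subnet, are concrete enough to show in code. The following is an added example, not code from the original thread or from either poster. The subnet list, the addresses and the packet headers are constructed for the demonstration (RFC 1918 space, zero IP checksum, no real sockets); the IPv4 option numbers it relies on are the standard ones (LSRR = 131, SSRR = 137, NOP = 1, EOL = 0).

```python
import ipaddress
import struct

# Constructed policy: the subnets this site treats as "secure" (assumed values).
SECURE_SUBNETS = [
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("10.2.0.0/24"),
]

# Standard IPv4 option type values.
IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no operation (padding)
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def is_secure_host(addr, secure_subnets=SECURE_SUBNETS):
    """True if addr (string or packed bytes) lies on one of the secure subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in secure_subnets)


def may_send_sensitive(src, dst, secure_subnets=SECURE_SUBNETS):
    """Outbound check: both endpoints must sit on secure subnets, otherwise the
    data would transit an 'open' subnet somewhere on the path."""
    return is_secure_host(src, secure_subnets) and is_secure_host(dst, secure_subnets)


def parse_ipv4_options(header):
    """Return [(option_type, option_data), ...] from the option area of an IPv4
    header (bytes). Raises ValueError on a truncated or malformed option."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL or truncated header")
    opts = header[20:ihl]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def has_source_route(header):
    """True if the header carries a loose or strict source route option."""
    return any(kind in (IPOPT_LSRR, IPOPT_SSRR) for kind, _ in parse_ipv4_options(header))


def build_ipv4_header(src, dst, options=b""):
    """Construct a minimal IPv4 header (checksum left zero) for test input."""
    options += b"\x00" * ((-len(options)) % 4)  # pad option area to 32 bits
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


def lsrr_option(*hops):
    """Construct an LSRR option listing the given hop addresses (pointer = 4)."""
    body = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def accept_packet(header, secure_subnets=SECURE_SUBNETS):
    """Inbound check a 'secure' host applies before handing sensitive traffic to
    an application: no source routing, and the peer must be on a secure subnet.
    Returns (accepted, reason)."""
    try:
        if has_source_route(header):
            return False, "source-routed packet refused"
    except ValueError as e:
        return False, f"malformed options: {e}"
    src = ipaddress.ip_address(header[12:16])
    if not is_secure_host(src, secure_subnets):
        return False, f"peer {src} is not on a secure subnet"
    return True, "ok"
```

The check is only as strong as the addresses it trusts: a host on an open subnet can forge a source address from a secure range, and the option check only protects the host that performs it, so the routers still have to drop source-routed traffic themselves. That is the gap Jon's end-to-end remark points at.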