Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!bloom-beacon!athena.mit.edu!dla From: dla@athena.mit.edu (Don Alvarez) Newsgroups: comp.protocols.tcp-ip Subject: Re: IP based authentication of hosts Summary: "Secure" subnets????? Keywords: security, ethernet, vampire taps Message-ID: <10540@bloom-beacon.MIT.EDU> Date: 12 Apr 89 16:03:12 GMT References: <376@ists.ists.ca> <29416@bu-cs.BU.EDU> <29455@bu-cs.BU.EDU> <10526@bloom-beacon.MIT.EDU> <29475@bu-cs.BU.EDU> Sender: daemon@bloom-beacon.MIT.EDU Reply-To: boomer@space.mit.edu (Don Alvarez) Organization: Massachusetts Institute of Technology Lines: 41 In article <29475@bu-cs.BU.EDU> kwe@buit13.bu.edu (Kent England) writes: > ... assuming that full data encryption is too expensive >in terms of performance and software, perhaps I could implement a >limited security model consisting of "secure" subnets and "secure" >routing that would provide enough protection against snooping that I >could get my administrative users on the network and get their >auditors off my back. :-) > > So, if I set-up "secure" subnets with hosts that are >"sanitized" to some degree, and I have some level of physical security >on these subnets, and I use Kerberos to protect passwords, and I turn >off source routing in secure hosts and all routers, and secure hosts >do some address checking to keep sensitive data from transiting open >subnets, do I have something worth having, ie a modest level of >security sufficient to fulfill my obligations to protect data and yet >still allow these applications to use network technology? No. You don't have anything worth having. All I need is an IBM-PC ($0.10/dozen), an ethernet card ($0.20/dozen), and a vampire tap ($0.50/ dozen), and I can listen to ANYTHING I want to on your "secure" subnet. As you leave your office today, look at the yellow or orange cable running all over your building/campus and tell me that you can secure every inch of it. It may sound far-fetched for a student to be running around with an ethernet card and a vampire tap today, but in five years the statement "nobody can tap ethernet because they don't have the hardware" will sound like "9600 baud lines are secure because no hackers can afford 9600 baud modems." I can already buy everything I need to tap your ethernet for just over $1000, and prices are dropping fast. Remember that any network you would want to secure, someone else would want to tap. Unless you can see every inch of your ethernet cable at the same time, and can put it all behind the same locked door, you don't have a secure subnet. If you can secure it, and if enough of your traffic is internel to that subnet to make your special internal protocol worthwhile, then your best bet is almost certainly to do as the romans do and not allow any external connections to your subnet. -Don boomer@space.mit.edu MIT Center for Space Research