whna@cgch.UUCP (Heinz Naef) (11/21/89)
Hello system integrators,

what could be done to turn existing personal computers (industry standard) into real trusted clients on a TCP/IP network? What activities would be required at the organizational and at the technical level?

- Would it be necessary to disable/remove the floppy disk unit?
- Would it be a good idea to boot the PC over the network interface (learning IP address, loading DOS, etc.)? Did anyone implement this already (e.g. using BootP, etc.)?
- Would it be better to choose an application gateway solution, i.e. implementing some proxy-Telnet, -FTP, -NFS, -etc. agent on a departmental host which is accessed by corresponding PC clients?
- etc.

Any comments, suggestions, pointers to solutions, etc. are appreciated. I will summarize to the net, so you could e-mail instead of followup-posting to save News bandwidth.

Thanks, and best regards,
Heinz Naef, c/o CIBA-GEIGY AG, R-1045.3.37, P.O.Box, CH-4002 Basel, Switzerland
UUCP: cgch!whna                          Internet: whna%cgch.uucp@uunet.uu.net
Phone: (+41) 61 697 26 75                BITNET: whna%cgch.uucp@cernvax.bitnet
Fax: (+41) 61 697 32 88
jon@athena.mit.edu (Jon A. Rochlis) (11/23/89)
In article <907@cgch.UUCP> whna@cgch.UUCP (Heinz Naef) writes:
>Hello system integrators,
>what could be done to turn existing personal computers (industry standard)
>into real trusted clients on a TCP/IP network?

My 2 cents: Don't try to turn PCs into "trusted clients". Don't build around the concept of trusted clients at all. Instead assume all clients run with software (possibly even hardware) written from the ground up by a cracker. Assume all communications are monitored by the "bad guy". Require something like Kerberos to make the client process prove its identity to a server. Encrypt data streams or do crypto-checksums depending upon the sensitivity of the data in question. Don't trust the software on the client.

After all, unless you control and secure all the wire, somebody can pretty easily hook up their own portable PC and at the very least run a sniffer to grab all the packets as they go over the wire.

-- Jon
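The server-side stance Jon describes (the client proves its identity with a shared secret, and every packet carries a crypto-checksum the server verifies, so a sniffer on the wire can read but not forge or replay traffic), sketched as an added example that is not code from the thread. It is a toy Kerberos-like exchange on a single pre-shared key, with constructed client id and payloads; a real deployment would get the session key from a KDC and encrypt the stream as well.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by client and server (in Kerberos, the KDC-issued session key).
SHARED_KEY = b"constructed-demo-key"

def csum(key: bytes, *parts: bytes) -> bytes:
    # Crypto-checksum: HMAC-SHA256 over length-prefixed fields; no key, no valid checksum.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    # Trusts nothing about the client's software; checks every message itself.
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}   # client_id -> outstanding challenge nonce
        self.last_seq = {}  # client_id -> last accepted sequence number

    def challenge(self, client_id: bytes) -> bytes:
        self.pending[client_id] = secrets.token_bytes(16)
        return self.pending[client_id]

    def verify_auth(self, client_id: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(client_id, None)   # each challenge is used once
        if nonce is None or not hmac.compare_digest(
                csum(self.key, b"auth", client_id, nonce), response):
            return False
        self.last_seq[client_id] = 0
        return True

    def accept(self, client_id: bytes, seq: int, payload: bytes, mac: bytes) -> bool:
        if client_id not in self.last_seq or seq <= self.last_seq[client_id]:
            return False   # unauthenticated client, or a replayed/old packet
        expected = csum(self.key, b"data", client_id, seq.to_bytes(8, "big"), payload)
        if not hmac.compare_digest(expected, mac):
            return False   # payload altered on the wire
        self.last_seq[client_id] = seq
        return True

def run_demo() -> dict:
    # Honest client proves identity and sends one packet; a sniffer that captured it tampers and replays.
    srv, cid = Server(SHARED_KEY), b"pc-17"
    authed = srv.verify_auth(cid, csum(SHARED_KEY, b"auth", cid, srv.challenge(cid)))
    seq, payload = 1, b"GET /payroll"
    mac = csum(SHARED_KEY, b"data", cid, seq.to_bytes(8, "big"), payload)
    accepted = srv.accept(cid, seq, payload, mac)
    tampered = srv.accept(cid, 2, b"GET /secrets", mac)   # captured MAC, new payload
    replayed = srv.accept(cid, seq, payload, mac)          # resend of packet 1
    return {"authed": authed, "accepted": accepted, "tampered": tampered, "replayed": replayed}
```

The checksum gives integrity and authenticity only; anyone on the wire can still read the payload, which is why Jon's advice pairs it with encryption for sensitive data.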
cpcahil@virtech.uucp (Conor P. Cahill) (11/23/89)
> control and secure all the wire, somebody can pretty easily hook up
> their own portable PC and at the very least run a sniffer to grab all
> the packets as they go over the wire.

Speaking of sniffers, can somebody send me information on what hardware is available for a portable PC to collect/view/analyze ethernet traffic (and hopefully decrypt the TCP/IP packets) on both thin and thicknet.

Thanks in advance
-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill              uunet!virtech!cpcahil       703-430-9247 !
| Virtual Technologies Inc.,   P. O. Box 876,         Sterling, VA 22170 |
+-----------------------------------------------------------------------+
henry@utzoo.uucp (Henry Spencer) (11/25/89)
In article <907@cgch.UUCP> whna@cgch.UUCP (Heinz Naef) writes:
>what could be done to turn existing personal computers (industry standard)
>into real trusted clients on a TCP/IP network? ...

Rip out the boards. Save the monitor, case, and power supply. Put a decent processor (with memory management) in, and run a decent operating system (one that pays some attention to security). Unless you construct an environment in which users cannot do any programming at all -- difficult -- it can't be done with standard PCs.
-- 
That's not a joke, that's | Henry Spencer at U of Toronto Zoology
NASA. -Nick Szabo         | uunet!attcan!utzoo!henry henry@zoo.toronto.edu