[comp.unix.wizards] Network security, part I

cory@gloom.UUCP (Cory Kempf) (12/30/88)

In article <6943@spool.cs.wisc.edu> dave@cs.wisc.edu (Dave Cohrs) writes:
>There are types of networking hardware that make it much easier
>to detect when your workstation is rebooted (or whatever).  Don't assume
>that all the world's an Ethernet.

You are in charge of security for a site consisting of several
networked workstations...
When you logged in this morning, you noticed that Cindy's (one of the
company's employees with a workstation) machine went down last night
at about 3:12 AM.  Cindy is currently working on her machine.  What
are you going to do?  (And are you really going to do this for each
and every machine, every time it goes down?)

(if it appears that I am about to try to lead you down the garden
path, you may be right...)

>Also, if I read Phil correctly, he's talking about having you, the
>user, authenticate the workstation as *yours*.  That is, you have to
>go through some authentication protocol, giving your password, which
>would give your workstation some cookie that said "this workstation
>belongs to cory", [etc]

The problem that I am going to be bringing to light (to the extent of
my imaginings today) would not find the above to be a significant
problem.  

>If being root on your workstation can spoof the authentication
>mechanism, then it's pretty useless in the grand scheme of things.
>Yes, rlogin is too trusting.

I submit that any scheme that only requires the user to log into the
host machine can be subverted by root on that machine.  

If it appears that I am being theatrical, ya, I am.  I admit it.  I am
hoping to make a serious point on network security.  A little under a
year ago, I attended a seminar on Security given by the ACM.  It was
for the most part interesting, but they glossed over network security.
Very disappointing.  Especially as a lot of the stuff that was
discussed was things that I already knew.

+C
-- 
Cory ( "...Love is like Oxygen..." ) Kempf
UUCP: encore.com!gloom!cory
	"...it's a mistake in the making."	-KT
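As an added illustration of the point above about rlogin trusting root on the remote host (example code, not from this thread or either poster), this audits a `~/.rhosts` file and reports every entry that grants password-less access; the file contents, hostnames and the owner name `cindy` are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class TrustEntry:
    host: str
    user: Optional[str]  # None: same username as the .rhosts owner
    negated: bool        # leading '-' denies rather than grants
    line_no: int

def parse_rhosts(text: str) -> List[TrustEntry]:
    """Parse 'host [user]' lines; blank and '#' lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        user = fields[1] if len(fields) > 1 else None
        entries.append(TrustEntry(fields[0].lstrip('-'), user,
                                  fields[0].startswith('-'), n))
    return entries

def audit_rhosts(text: str, owner: str) -> List[Tuple[int, str, str]]:
    """(line, severity, reason) per granting entry.  Even a bare host
    entry counts: rlogind trusts the client's claimed username, so root
    on that host can log in as `owner` with no password."""
    findings = []
    for e in parse_rhosts(text):
        if e.negated:
            continue                      # explicit deny grants nothing
        if e.host == '+' and e.user == '+':
            sev, why = 'CRITICAL', 'any user on any host'
        elif e.host == '+':
            sev, why = 'HIGH', f'{owner} on any host'
        elif e.user == '+':
            sev, why = 'HIGH', f'any user on {e.host}'
        elif e.user and e.user != owner:
            sev, why = 'MEDIUM', f'{e.user}@{e.host} may become {owner}'
        else:
            sev, why = 'INFO', f'root on {e.host} may become {owner}'
        findings.append((e.line_no, sev, why))
    return findings

# Constructed sample file for the user "cindy"; not from any real host.
SAMPLE_RHOSTS = "# cindy's .rhosts\ngloom\ngloom cory\n+ +\n-badhost\nmailhub +\n"

if __name__ == '__main__':
    for line_no, sev, why in audit_rhosts(SAMPLE_RHOSTS, 'cindy'):
        print(f'line {line_no}: {sev:8} {why}')
```

The same parser applies to `/etc/hosts.equiv`, where a granting entry applies to every non-root local account rather than one owner.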

preece@urbana.mcd.mot.com (12/31/88)

  Cory Kempf:
> >If being root on your workstation can spoof the authentication
> >mechanism, then it's pretty useless in the grand scheme of things.
> >Yes, rlogin is too trusting.
> 
> I submit that any scheme that only requires the user to log into the
> host machine can be subverted by root on that machine.  
----------
The question is whether the workstation is part of the trusted computing
base or not; that is, is the network, including that workstation, all
one system or not.  IF the administration of the workstation is as tough
as the administration of the net AND the workstation's operating system
is hard enough to protect against authentication attacks, then there's
no reason why the workstation shouldn't have trusted access to the
network.  There's no particular reason why your workstation should be
any easier for you to subvert than any other machine you work on.

If, on the other hand, the network is unwilling to accept your
workstation as part of the TCB, then a secure networking scheme would
have to place the authentication barrier between the workstation and
the network and you would be required to log in to the network
authentication system to get access to network facilities.  Because of
the danger of the untrusted node subverting communication between the
trusted user and the network, though, one would expect the network to
limit the capabilities available in this mode.

[Disclaimer: If I ever have occasion to speak as Motorola, I will say
so; this posting represents my own partially-baked knowledge and
opinions only]

-- 
scott preece
motorola urbana design center
uucp:	uunet!uiucuxc!mcdurb!preece
arpa:	preece@urbana.mcd.mot.com