shapiro@pdp.cs.OHIOU.EDU (brian shapiro) (05/04/87)
Locally we are running a Bridge Communications network with XNS (soon to be switched to TCP-IP). There has recently been discussion concerning the attachment of Personal Computers directly to the ethernet, and some feel that this presents a threat to the security of our data. I am seeking information about security mechanisms that are available for ethernet. It should be noted that currently no single device has direct access to the ethernet. All users are on asynchronous terminals. I would appreciate hearing from any vendors that deal in this type of security system. Thanks in advance.

Brian Shapiro
Ohio University Computing and Learning Services
Haning Hall
Athens, Ohio 45701
(614) 593-1608
BITNET: shapirob@ouaccvma
UUCP: ihnp4!cbosgd!oucs!shapiro
sr16+@andrew.cmu.edu (Seth Benjamin Rothenberg) (08/25/89)
Would someone be able to point me to some info on security on an ethernet? At work, we are going to be switching to a UNIX machine soon, and I mentioned to my boss that we might take advantage of the fact that the campus ethernet is accessible in most of our buildings, and stop stringing a twisted pair for every new terminal. He said he would rather not have our computer on any ethernet. I expect there are ways of limiting access so that only our terminal servers are recognized, but am not sure. Any pointers would be appreciated.

Thanks
Seth Rothenberg
sr16@andrew
roy@phri.UUCP (Roy Smith) (08/25/89)
In article <MYx=ma_00WB44Zp5QB@andrew.cmu.edu> sr16+@andrew.cmu.edu (Seth Benjamin Rothenberg) writes:
> I expect there are ways of limiting access so that only our terminal
> servers are recognized, but am not sure.

It depends on what level of security you are interested in. It should be fairly straightforward to hack your telnet daemon to only accept connections from a given set of IP source addresses (i.e. just your terminal servers) if that is really what you want to do. I'll leave it to others to debate if this is wise, sufficient, and/or a protocol violation. One thing I will point out, however, is that it is fairly easy to forge IP addresses if you have access to raw ethernet packets (like you do with Sun's NIT, or on a PC).

On the other hand, there is no way you can prevent anybody with physical access to the ethernet wire from spying on every connection between your terminal servers and your host. Anybody with, for example, a Sun workstation, can run tcpdump, etherfind, or something similar and print out the data (including login names and passwords) flowing in both directions of every telnet connection to your host. I only mention Sun because their NIT interface makes it easy to get at raw ethernet packets regardless of their intended destination, but the same thing should be possible with a PC, a dedicated network monitor box, or probably other timesharing systems. It might be possible to hack up your terminal server software and your telnet daemon to use some non-standard port, but that will only confuse the issue a little bit. A dedicated spy will eventually figure out what is going on.

You could get a packet filtering ethernet bridge and put your host and terminal servers on one side of the bridge and the rest of the campus ethernet on the other. This will keep local terminal traffic from being visible outside your local ethernet segment. You should be able to get a good local ethernet bridge for on the order of $10k. This doesn't, however, help you if your terminal servers are scattered about the campus. The eventual solution will be to have all network traffic encrypted, but I don't know of any terminal servers that currently support that. You would need a non-standard telnet daemon too, but presumably the terminal server vendor would be able to supply that if it existed.

--
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
{att,philabs,cmcl2,rutgers,hombre}!phri!roy -or- roy@alanine.phri.nyu.edu
"The connector is the network"
hedrick@geneva.rutgers.edu (Charles Hedrick) (08/26/89)
It's quite true that anyone on the Ethernet can watch any packet go by, given appropriate software. If you have a host or a set of hosts that you want to limit access to, I'd set up a small Ethernet just for them. Note that people can't watch Ethernets by magic. They have to have a machine on it that is under their control, i.e. either a PC or a multi-user system to which they have root access. (Roy didn't point out that the Sun software he is describing can't be run by normal users.) So if you have a small Ethernet that just goes to machines under your control, that Ethernet itself isn't a danger.

Now the question becomes what happens with access to the rest of the campus. You'll need a gateway between your Ethernet and the campus network. Most gateways allow some access control. How effective control in the gateway is has to do with how your campus network is managed. You should talk to your campus networking people about it. I would bet that things could be arranged so that the risks are acceptable. Anyone who demands zero risk should go into a different business...

You should be careful not to be overly concerned about the security of new technology and ignore the dangers of old technology. We've had students tap RS232 wiring. You've got exactly the same exposure with an RS232 wire as an Ethernet: anybody who taps it will see everything on it. In fact it probably requires less sophisticated equipment to watch an RS232 line than an Ethernet. This is what I mean about zero risks. Be careful that you don't demand zero risk with Ethernet, while accepting unknown risks with your old technology.
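Roy's suggestion of a telnet daemon that accepts connections only from a fixed set of terminal-server addresses, and Charles's point that most gateways offer "some access control", both reduce to the same check: compare the source address of each connection against an allowlist and log what was refused. The following is an added example, not code from anyone in this thread; the terminal-server addresses, the log format and the `filter_connections` helper are constructed for illustration. As Roy notes above, the check trusts a source address that can be forged from a machine with raw ethernet access, so it belongs beside a bridge or gateway rather than in place of one, and the rejection log is the part that tells you someone is probing.

```python
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Constructed allowlist: the addresses of "our" terminal servers and one small
# segment that only carries machines under our control (RFC 5737 documentation
# ranges, chosen so nothing here points at a real host).
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.10/32"),    # terminal server A (constructed)
    ipaddress.ip_network("192.0.2.11/32"),    # terminal server B (constructed)
    ipaddress.ip_network("198.51.100.0/29"),  # isolated local segment (constructed)
]


def source_allowed(source_ip: str,
                   allowlist: Iterable[ipaddress.IPv4Network] = ALLOWED_SOURCES) -> bool:
    """Return True if the connection's source address lies in an allowlisted network.

    An unparsable address is treated as not allowed rather than raising, so a
    malformed peer string can never fall through to "accept".
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def filter_connections(attempts: Sequence[Tuple[str, str]],
                       allowlist: Iterable[ipaddress.IPv4Network] = ALLOWED_SOURCES
                       ) -> Tuple[List[str], List[str]]:
    """Partition (timestamp, source_ip) connection attempts into accept/reject log lines.

    The reject list is what an operator would review: a burst of refusals from
    one address is the signal that a non-terminal-server host is trying the port.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for ts, src in attempts:
        if source_allowed(src, allowlist):
            accepted.append(f"{ts} accept telnet from {src}")
        else:
            rejected.append(f"{ts} reject telnet from {src} (not a terminal server)")
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of connection attempts as the daemon might see them.
    sample = [
        ("09:00:01", "192.0.2.10"),     # terminal server A
        ("09:00:05", "203.0.113.5"),    # a PC elsewhere on campus
        ("09:00:09", "198.51.100.3"),   # host on the isolated segment
        ("09:00:12", "not-an-address"), # garbage peer string
    ]
    ok, refused = filter_connections(sample)
    print("\n".join(ok + refused))
```

The allowlist is a list of networks rather than bare addresses so the same function covers Charles's case (a whole isolated segment behind the gateway) as well as Roy's (a handful of terminal servers).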
davecb@yunexus.UUCP (David Collier-Brown) (08/27/89)
I'd recommend putting an inexpensive machine between the ethernet in question and the rest of the world: there was a PC-based gateway (or was it a bridge) mentioned here some days ago. Failing that, put an inexpensive **card** between the net and the rest of the world. My old boss required the sales and admin nets to be physically separate, so we put two ethernet cards in the customer support machine so it could talk to both nets. Then we mucked with magic tuning incantations to keep them from getting at each other (which was not fun :-}).

--dave
--
David Collier-Brown, | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave., | {toronto area...}lethe!dave
Willowdale, Ontario, | Joyce C-B:
CANADA. 223-8968 | He's so smart he's dumb.
hd@kappa.rice.edu (Hubert D.) (08/27/89)
Last year I designed a simple circuit which has been used to reliably isolate ethernet segments (thin-net) from one another. It costs about 40 dollars in parts and 3 hours building time. The circuit consists of a stand-alone UART, a MAX-232 level converter, a pair of relay drivers, and a pair of relays. A host of the user's choice is connected to the serial device. Proper termination is maintained. If there is any interest in a schematic and a parts list for this form of solution, send me mail. If there is sufficient interest I'll post a PostScript schematic and a parts list.

--==--
Hubert Daugherty
Department of Electrical and Computer Engineering
hd@rice.edu
Rice University
(713) 527-4035
Houston, TX 77252
roy@phri.UUCP (Roy Smith) (08/29/89)
In <Aug.25.16.38.32.1989.2145@geneva.rutgers.edu> hedrick@geneva.rutgers.edu (Charles Hedrick) writes:
> (Roy didn't point out that the Sun software he is describing can't be run
> by normal users.)

Depends on what you mean by "normal". Yes, they have to be clever, but no, they don't have to have the root password. They do have to have superuser access, but on a typical Sun workstation, it is trivial to become the superuser without having the root password. L1-A, for example.

But, Charles is correct in the gist of his argument; just because it is technically possible to spy on an ethernet doesn't mean I would classify ethernet as "insecure" for what I would guess is the majority of what goes on in a university computing environment. Certainly RS-232 tapping is possible as Charles pointed out, and if you are clever enough you can tap just about any medium you want to (I've heard of an ultra-sensitive optical amplifier which can tap a fiber optic line). Find out what level of security is really required before you decide what steps you have to take to ensure that level.

--
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
{att,philabs,cmcl2,rutgers,hombre}!phri!roy -or- roy@alanine.phri.nyu.edu
"The connector is the network"
sr16+@andrew.cmu.edu (Seth Benjamin Rothenberg) (08/29/89)
The security currently used is: Users do not have the ability to log in. Processes monitor terminals for wake-up requests, then use lookup tables to get the password, and run programs. These processes are started at boot time. Users never actually log into the (TI) operating system. If a certain number of login failures occur, our software locks out the terminal until our department is called. Since these are RS-232, mostly in secure areas, we know where the user was. This is not so with an ethernet. I figure a simple hashing algorithm is possible, but I guess it hasn't been done yet. (Assume the terminal concentrator is in a secure area.)

We handle patient medical records and billing, and payroll. That's what the security is for.

Thanks
Seth
naftoli@aecom.yu.edu (Robert N. Berlinger) (08/29/89)
In article <Aug.25.16.38.32.1989.2145@geneva.rutgers.edu>, hedrick@geneva.rutgers.edu (Charles Hedrick) writes:
> ... You've got exactly the same exposure with
> an RS232 wire as an Ethernet: anybody who taps it will see everything
> on it. In fact it probably requires less sophisticated equipment to
> watch an RS232 line than an Ethernet...

I agree with you in general terms that an Ethernet user cannot expect complete security, but then neither can an RS232 point-to-point user. However, I don't agree that the risks are the same. Tapping an RS232 often means tracing it, physically breaking it open and monitoring. These things can apply to Ethernet too. But it's just as often the case that the Ethernet cable is handed on a silver platter to the potential snoop (run through his/her office). And the Ethernet may well have been tapped already and connected to the back of their system. In fact, that's the basis for Ethernet in the first place! Now all that is needed is some appropriate software to snoop, and it can be done from the convenience of their office, undetected, with no physical evidence to prove malintent. Just about every PC NIC out there supports promiscuous mode, so the hardware to build X amount of Ethernet snoopers on every net is already out there.

So I think the risks and nature of Ethernet snooping are not the same as point-to-point links, but I agree that there are risks in point-to-point as well, which can't be ignored when weighing the risks/benefits.

--
Robert N. Berlinger | Domain: naftoli@aecom.yu.edu
Supervisor of Systems Support | UUCP: {uunet}!aecom!naftoli
Scientific Computing Center | CompuServe: 73047,741 GEnie: R.Berlinger
Albert Einstein College of Medicine | Pan: berlinger AppleLink: U0995
kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) (08/30/89)
In article <2424@aecom.yu.edu> naftoli@aecom.yu.edu (Robert N. Berlinger) writes:
>
> But it's just as often the case that the Ethernet cable is handed
> on a silver platter to the potential snoop (run through his/her
> office). And the Ethernet may well have been tapped already and
> connected to the back of their system. In fact, that's the basis
> for Ethernet in the first place! Now all that is needed is some
> appropriate software to snoop, and can be done from the
> convenience of their office, undetected, with no physical
> evidence to prove malintent.
>

I agree that the degree of security risk is related to the perceived as well as actual difficulty in accomplishing the compromise. This is another reason I like twisted pair ethernet. I think it will be much harder to attach an unauthorized device to a TP Ethernet and I am not sure that tapping the twisted pair itself will result in anything useful without modification of the tapping device's ethernet attachment. While I would never tell a client that this is absolutely secure, I would point out the advantages over thin and thick cable promiscuously distributed.

My guess is that, in future, when ethernet bridging/filtering chips are developed and are available as options in ethernet concentrators, many users will opt for these as another form of security enhancement. Then the snooper will really have to gain access to the concentrator network management agent to gain access to datagrams that don't belong to him. Still not perfectly secure, but a long way better than the alternatives (i.e., networks with security built in from the ground up, so to speak, or complete host-based security).

Kent England, Boston University
[please no comments to the effect that less than complete security is no security.]
larry@macom1.UUCP (Larry Taborek) (08/31/89)
From article <2424@aecom.yu.edu>, by naftoli@aecom.yu.edu (Robert N. Berlinger):
> In article <Aug.25.16.38.32.1989.2145@geneva.rutgers.edu>, hedrick@geneva.rutgers.edu (Charles Hedrick) writes:
>> ... You've got exactly the same exposure with
>> an RS232 wire as an Ethernet: anybody who taps it will see everything
>> on it. In fact it probably requires less sophisticated equipment to
>> watch an RS232 line than an Ethernet...
>
> I agree with you on general terms that an Ethernet user cannot
> expect complete security, but then neither can an RSR232
> point-to-point user. However, I don't agree that the risks are
> the same.
>

I'm with you Bob, the exposure is far greater with Ethernet. The medium of Ethernet and its high bandwidth and cost justifies its use in multicomputer environments. In some instances dozens of minicomputers are using the same backbone (I know of one site, NRL in Washington DC, that had 70+), and as a result, when you compromise the cable, you are compromising all the computers that are using it. With RS232 wiring, you are probably only compromising one or two users or computers, so even if Ethernet is harder to tap into, the rewards to the snoop can be much greater, and so is the risk of the exposure level.

Just a thought...

--
Larry Taborek ..!uunet!grebyn!macom1!larry
Centel Federal Systems larry@macom1.UUCP
11400 Commerce Park Drive
Reston, VA 22091-1506
703-758-7000