paul@aucs.UUCP (Paul Steele) (12/14/88)
Does anyone know of a router/bridge that can be set up to restrict/allow access according to the packet's Ethernet address? We want to set up a Novell network with one server for academic users (students) and one for administrative users (such as the business office). While we want some people to have access to both servers, we do not want students to have access to the administrative server. Is there a router that would allow some users immediate access to both servers (according to the user's Ethernet address), while restricting other stations to just one or the other server? There are ways within Novell to do what we want, but Novell's security is a question mark so we would rather rely on hardware means of restricting access. Any suggestions would be welcome.

--
Paul H. Steele        UUCP:     {uunet|watmath|utai|garfield}!dalcs!aucs!Paul
Acadia University     BITNET:   Paul@Acadia or PHS@Acadia (preferred)
Wolfville, NS         Internet: Paul%Acadia.BITNET@CUNYVM.CUNY.EDU
CANADA B0P 1X0        (902) 542-2201x587
kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) (12/15/88)
In article <1448@aucs.UUCP> paul@aucs.UUCP (Paul Steele) writes:
>Does anyone know of a router/bridge that can be set up to restrict/allow
>access according to the packet's Ethernet address.
>[...]
>Is there a router that would
>allow some users immediate access to both servers (according to the user's
>Ethernet address), while restricting other stations to just one or the
>other server.

The Proteon p4200 IP routing software allows you to filter packets based on masks on the IP address. You can make it an inclusive or exclusive list and you can mask on source and destination addresses.

One simple access control list use that we have tried is to restrict nodes with IP host parts of 192 and above to the local network (i.e., restrict off-campus access). That way our name czar can assign addresses based on access privilege (and relieve the network crew of the job). It works, but it still isn't terribly secure.

Of course, every datagram must go through the filter and that's a performance hit. Keep the list short and limit it to as few routers as possible.

Access control in an IP router based on Ethernet addresses is less desirable than based on IP addresses.

Kent England, Boston University
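The mask-based access list Kent describes (value/mask pairs on source and destination, used as an inclusive or an exclusive list) is simple enough to model in a few lines. The following is an added illustration, not Proteon's software and not code from anyone in this thread. It assumes a constructed class-C-style campus network 192.0.2.0/24, so "host part 192 and above" means a last octet of 192 to 255, which a value of 192 with a mask of 192 on that octet selects exactly; the administrative-server list at the end applies the same mechanism to the original question, with a constructed admin subnet of 192.0.2.0/26.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the router vendor's code. Each entry carries a
# value/mask pair for the source and for the destination address; an
# address matches when (addr & mask) == (value & mask). A mask of
# 0.0.0.0 is a wildcard that matches any address.


def ip_int(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class MaskEntry:
    src_value: str
    src_mask: str
    dst_value: str
    dst_mask: str

    def matches(self, src: str, dst: str) -> bool:
        sm, dm = ip_int(self.src_mask), ip_int(self.dst_mask)
        src_ok = (ip_int(src) & sm) == (ip_int(self.src_value) & sm)
        dst_ok = (ip_int(dst) & dm) == (ip_int(self.dst_value) & dm)
        return src_ok and dst_ok


class AccessList:
    """Inclusive list: only packets matching some entry are forwarded.
    Exclusive list: packets matching some entry are dropped, the rest pass."""

    def __init__(self, entries, inclusive: bool):
        self.entries = list(entries)
        self.inclusive = inclusive

    def permits(self, src: str, dst: str) -> bool:
        hit = any(e.matches(src, dst) for e in self.entries)
        return hit if self.inclusive else not hit


ANY = "0.0.0.0"  # wildcard value/mask


def off_campus_filter() -> AccessList:
    """Exclusive list for the router interface facing off campus (constructed
    campus net 192.0.2.0/24). A host part of 192 or more means bits 7 and 6
    of the last octet are both set, so value 192 / mask 192 on that octet
    selects exactly those hosts. Both directions are covered: packets
    leaving from such a host and packets arriving for one are dropped."""
    return AccessList([
        MaskEntry("192.0.2.192", "255.255.255.192", ANY, ANY),  # outbound
        MaskEntry(ANY, ANY, "192.0.2.192", "255.255.255.192"),  # inbound
    ], inclusive=False)


def admin_server_filter(server: str, admin_net: str, admin_mask: str) -> AccessList:
    """Inclusive list in front of an administrative server, the situation in
    the original question: only sources inside the administrative subnet may
    send to the server; every other packet addressed through this list is
    dropped."""
    return AccessList(
        [MaskEntry(admin_net, admin_mask, server, "255.255.255.255")],
        inclusive=True,
    )


def evaluate(acl: AccessList, packets):
    """Run a list of (src, dst) pairs through an access list."""
    return [(s, d, acl.permits(s, d)) for s, d in packets]


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.5 plays an off-campus host.
    for s, d, ok in evaluate(off_campus_filter(), [
        ("192.0.2.10", "198.51.100.5"),   # ordinary host going off campus
        ("192.0.2.200", "198.51.100.5"),  # restricted host going off campus
        ("198.51.100.5", "192.0.2.250"),  # off-campus host reaching a restricted one
    ]):
        print(f"off-campus list: {s} -> {d}: {'forward' if ok else 'drop'}")

    admin = admin_server_filter("192.0.2.5", "192.0.2.0", "255.255.255.192")
    for s, d, ok in evaluate(admin, [
        ("192.0.2.20", "192.0.2.5"),   # business-office station to admin server
        ("192.0.2.100", "192.0.2.5"),  # student station to admin server
    ]):
        print(f"admin-server list: {s} -> {d}: {'forward' if ok else 'drop'}")
```

Two properties of the real thing carry over to the model: every datagram is matched against every entry until one hits, so the cost grows with the list length, which is why the post recommends keeping lists short and confined to few routers; and the decision rests entirely on the address in the packet, so it is only as strong as the assurance that each station is using the address it was assigned.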
ron@ron.rutgers.edu (Ron Natalie) (12/16/88)
The restricted router wouldn't be sufficient if the students could get to the wire. All I'd have to do is wait until an administrator wasn't using their machine and I could use their hardware address to access the server.

-Ron
herbison@ultra.dec.com (B.J.) (12/17/88)
> Does anyone know of a router/bridge that can be set up to restrict/allow
> access according to the packet's Ethernet address.

[In addition to making restrictions based on addresses, you also need some way to verify that nodes are using the correct address. You don't want a student system to change its address and impersonate a system in the business office.]

Digital sells products that provide security for Ethernet LANs and extended LANs. Digital's Ethernet Enhanced-Security System provides data confidentiality, data integrity, and also implements an access control policy for the LAN. The system consists of DESNC controllers that perform encryption and VAX KDC software that manages the controllers.

A LAN is most secure if all nodes on a LAN are connected to DESNC controllers (which support up to 20 nodes each), but in many situations it is only necessary to use DESNC controllers for some nodes. For example, the environment described could be protected by only using DESNC controllers with administrative systems and servers. The result would be:

It would be possible to decide which systems could communicate with the administrative server or systems, and have this decision enforced by the DESNC controllers.

No student system could communicate with one administrative system and pretend to be another administrative system.

It would not be possible for student systems to read or modify communication between administrative systems.

It would still be possible to allow administrative systems to communicate with the academic server, or any other system on the LAN.

DESNC controllers operate at the Data Link layer; they are transparent to any higher layer network protocols and they work with both Ethernet and IEEE 802 frame formats.

If you have questions about these products, or want additional information, contact a DEC salesman or send me mail.

B.J.
Herbison@ULTRA.DEC.COM
Herbison%ULTRA.DEC.COM@decwrl.DEC.COM