alan@cunixc.columbia.edu (Alan Crosswell) (03/30/88)
DEC has very recently announced what I believe to be a LAN-bridge like box combined with a VMS-based key server. It uses a hardware DES implementation and is supposed to encrypt data at the packet level in one box and decrypt it at the other (totally transparent to the hosts). It will also allow clear text passthru when one host sits behind a decrypter but the other doesn't so you can add these things to an existing ethernet, protecting the "important" hosts ("important" meaning how much money you want to spend) while still allowing access for others. It's supposed to have all kinds of configuration stuff too so you can decide who can talk to whom.

Anybody have any better information on it? Since it coexists with non-encrypted Ethernet, it must transmit unencrypted source and destination addresses in the header (or does it simply use the source and destination address of the encrypter itself?) What kind of performance does it provide? Is it a functional replacement for a LAN-bridge or would one still need a LAN-bridge to do the filtering?

Prices are about the same as a LAN-bridge with the VMS key software also costing about that amount (I'm not sure if Robert's Rules of Netiquette and price quotes apply here:-)

Alan Crosswell
User Services
Columbia University
sweeny@silver.bacs.indiana.edu (04/01/88)
Subject: Re: Security on ethernet (and DEC product announcement)
Organization: Indiana University BACS, Bloomington

The (hardware) device is called a DESNC, a "multiport bridge with encryption" which nonetheless won't work with DEC's RBMS (remote bridge management software). It has 4 unmodified thinwire ethernet ports, a physical key lock, a numeric pad for entering authentication keys, and a bypass capability (so that you can turn it off if your authentication node goes down, for instance). One reason for putting the encryption in a board instead of the host, they say, is to avoid loading the host. Throughput is supposed to be about 4 Mb/sec.

The DESNC works together with "KDC" (key distribution center) software on a VAX somewhere (only under VMS at the moment) which is essentially a configuration database ("are conversations between node A and node C encrypted or freetext?") which distributes its "keys" to DESNCs on the network. The idea is that there would probably be 1-2 KDC software loci on the network, and a DESNC interface at every node that wanted to be able to do encryption.

One additional interesting note is that the KDC software is priced the same for all CPU types, unlike most DEC software. The KDC also can keep an audit trail of security events, and has a DESNC itself.

I hope that information helps.

Brent
ultra361@estevax_b.UUCP (Hr Fuchs Norbert ) (04/25/88)
In article <24000001@silver>, sweeny@silver.bacs.indiana.edu writes:
> Subject: Re: Security on ethernet (and DEC product announcement)
> Organization: Indiana University BACS, Bloomington
>
> The (hardware) device is called a DESNC, a "multiport bridge with
> encryption" which nonetheless won't work with DEC's RBMS (remote bridge
> management software). It has 4 unmodified thinwire ethernet ports, a

hi

are the source and destination addresses encrypted too?
how can i tell the DESNC which stations have a DESNC?
has each DESNC its own station-address?
what will the unit cost?

thank you,
norbert