peter@ria.ccs.uwo.ca (Peter Marshall) (10/19/90)
I'm not very familiar with IBM's token ring having grown up on ethernet, so my question may be a little naive. On most ethernet cards there is a promiscuous mode that allows stations to monitor all traffic. This is very useful for example for a LAN watching device, an ethernet bridge or a hacker bent on getting some passwords. I have heard (second hand from IBM) that on token rings while promiscuous mode is available on some boards that there is a way to restrict it to just certain stations. Is this a general facility provided by the token ring protocols? How is this identification enforced? What do I have to buy? We may be basing a lot of our campus security on such a scheme, so I'm very interested to discover any and all details.

Peter Marshall, Manager (Academic Networking)
CCS, NSC, U. of Western Ontario, London, Canada N6A 5B7
(519)661-2111x6032
peter.marshall@uwo.ca
pm@uwovax (BITNET); peter@ria.uucp
drake@drake.almaden.ibm.com (10/20/90)
In article <1990Oct19.143505@ria.ccs.uwo.ca> peter@ria.ccs.uwo.ca writes:
>I have heard (second hand from IBM) that on token rings while promiscuous mode
>is available on some boards that there is a way to restrict it to just certain
>stations. Is this a general facility provided by the token ring protocols?
>How is this identification enforced? What do I have to buy?

Standard Token Ring cards (from IBM, at least) don't have a "promiscuous mode" at all. Can't be done.

For monitoring applications, you have to purchase a special "trace and performance adapter". When such a card inserts itself into the ring, an alert is sent to every other station on the ring. If one of those stations is running the IBM LAN Manager, it logs the fact that a monitor is on the ring, and if the monitor isn't registered with the LAN Manager it will force that station OFF the ring.

So with standard Token Ring adapters there is no promiscuous mode. Adapters with promiscuous mode announce their presence and can be shut off by another system on the ring. Reasonably secure!

Sam Drake / IBM Almaden Research Center
Internet: drake@ibm.com   BITNET: DRAKE at ALMADEN
Usenet: ...!uunet!ibmarc!drake   Phone: (408) 927-1861
TOM@PENNDRLS.BITNET ("Thomas D. Denier") (10/22/90)
I asked about promiscuous mode at an IBM communications seminar. As far as IBM's token-ring interfaces are concerned, the speaker gave a less detailed version of Sam Drake's response. However, there are other companies making token-ring interfaces. As far as the speaker was aware, the makers of such interfaces were not subject to any formal requirement to build them without a promiscuous receive capability, and he suspected that some of the interfaces on the market had such a capability.
lstowell@pyrnova.pyramid.com (Lon Stowell) (10/24/90)
Line monitor devices are SUPPOSED to announce their presence on the ring, but most don't. Only the newer versions from reputable manufacturers do so by actually sending the "Trace Device Present" vector. Most others do participate in Ring Poll and Neighbor Notification, so the network manager, if smart enough, can spot an unidentified station, but is not necessarily aware of any snooping....

Some "smart" MSAUs like the Star Tek and Proteon can be set to prohibit ANY new station from mechanically accessing the ring, which eliminates all but the most persistent units which could tap the data by bypassing the MSAU and the phantom drive technique entirely....

With the new TI chipset and the available C-compiler support for the Comm Processor, it would be child's play to create a non-obvious snooper....if you can de-jitter the data (sorry, couldn't resist....) sufficiently. I cannot imagine why anyone would do this...

Physical security of the LAN media is quite important....if you REALLY want security, run strictly SNA protocols and use IBM's DES Encrypted RU feature (if available yet for Token Ring..) You can read the SNA headers, but no way will you get at the user data......
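The two IBM-side answers above describe the same detection idea from different angles: Sam Drake's, where a trace adapter announces itself and the LAN Manager forces an unregistered one off the ring, and Lon Stowell's, where a manager watching Ring Poll and Neighbor Notification can at least spot a station it does not recognise. The following is an added illustration, not code from any poster or from IBM, of how a ring manager's audit might look: it takes Neighbor Notification style reports in a constructed one-line format (station address, its NAUN, and an optional TRACE flag standing in for the "Trace Device Present" vector), compares them against a registered-station inventory, and also flags a station that is named as somebody's upstream neighbour but never reports itself. All addresses, the report format and the inventory are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    station: str         # address of the station that sent the report
    naun: str            # its Nearest Active Upstream Neighbor
    trace_present: bool  # station also announced itself as a trace/monitor adapter


# Constructed inventory (hypothetical addresses): stations the administrator has
# registered with the ring manager, and the subset registered as monitors.
REGISTERED_STATIONS = {
    "40:00:00:00:00:01",
    "40:00:00:00:00:02",
    "40:00:00:00:00:03",
    "40:00:00:00:00:aa",
}
REGISTERED_MONITORS = {"40:00:00:00:00:03"}

# Constructed report lines in a made-up one-line format:
#   "<station> NAUN=<upstream neighbour> [TRACE]"
# Station ..:ee is not registered yet announces itself as a monitor, and
# station ..:aa is named as a neighbour by ..:02 but never reports itself.
SAMPLE_REPORTS = [
    "40:00:00:00:00:01 NAUN=40:00:00:00:00:03",
    "40:00:00:00:00:02 NAUN=40:00:00:00:00:aa",
    "40:00:00:00:00:03 NAUN=40:00:00:00:00:ee TRACE",
    "40:00:00:00:00:ee NAUN=40:00:00:00:00:02 TRACE",
]


def parse_report(line):
    """Parse one constructed report line into a Report."""
    fields = line.split()
    station = fields[0].lower()
    naun = fields[1].split("=", 1)[1].lower()
    trace = "TRACE" in fields[2:]
    return Report(station, naun, trace)


def audit(lines, registered=REGISTERED_STATIONS, monitors=REGISTERED_MONITORS):
    """Return sorted (finding_kind, address) pairs for a batch of reports."""
    reports = [parse_report(line) for line in lines]
    reporters = {r.station for r in reports}
    findings = set()
    for r in reports:
        if r.station not in registered:
            findings.add(("unregistered_station", r.station))
        if r.trace_present and r.station not in monitors:
            findings.add(("unregistered_monitor", r.station))
        # Neighbor Notification names the upstream station; one that is named
        # by a downstream neighbour but never reports itself deserves a look.
        if r.naun not in reporters:
            findings.add(("silent_station", r.naun))
    return sorted(findings)


def action_for(finding):
    """Policy as described in the thread: unregistered monitors are forced
    off the ring, everything else is logged for the administrator."""
    kind, _address = finding
    return "remove_from_ring" if kind == "unregistered_monitor" else "log"


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORTS):
        print(finding, "->", action_for(finding))
```

The silent-station check is the part Lon Stowell's post points at: a device that declines to send the trace vector but still takes part in ring poll shows up as an address the manager never registered, while a device that does not participate at all (a passive tap behind the MSAU) produces no report and is invisible to this kind of audit, which is why he falls back on physical security of the media.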