whna@cgch.UUCP (Heinz Naef) (11/21/89)
Hello system integrators,

what could be done to turn existing personal computers (industry standard) into real trusted clients on a TCP/IP network? What activities would be required at the organizational and at the technical level?

- Would it be necessary to disable/remove the floppy disk unit?
- Would it be a good idea to boot the PC over the network interface (learning IP-address, loading DOS, etc.)? Did anyone implement this already (e.g. using BootP, etc.)?
- Would it be better to choose an application gateway solution, i.e. implementing some proxy-Telnet, -FTP, -NFS, -etc. agent on a departmental host which is accessed by corresponding PC clients?
- etc.

Any comments, suggestions, pointers to solutions, etc. are appreciated. I will summarize to the net, so you could e-mail instead of followup-posting to save News bandwidth.

Thanks, and best regards,
Heinz Naef, c/o CIBA-GEIGY AG, R-1045.3.37, P.O.Box, CH-4002 Basel, Switzerland
UUCP: cgch!whna
Internet: whna%cgch.uucp@uunet.uu.net
BITNET: whna%cgch.uucp@cernvax.bitnet
Phone: (+41) 61 697 26 75
Fax: (+41) 61 697 32 88
romkey@amiga.UUCP (John Romkey) (11/21/89)
This isn't the answer you're looking for, but I think it's just a bad idea to trust a PC in a networked environment.

- john romkey
USENET/UUCP: romkey@asylum.sf.ca.us Internet: romkey@ftp.com
"Some people walk on water/Some people walk on broken glass/Some people walk round and round in their dreams/Some just keep falling down." Laurie Anderson
werner@nikhefk.UUCP (Werner Vogels) (11/22/89)
In article <8911202309.AA06824@asylum.sf.ca.us> romkey@asylum.sf.ca.us writes:
>This isn't the answer you're looking for, but I think it's just a bad
>idea to trust a PC in a networked environment.
> - john romkey
>.......

I think you should treat PCs in the same way you treat other workstations: NEVER TRUST THEM!!!!!! They are a main security problem. On machines where a user can control all the memory and the devices, one can never be sure about the identity of the user, the processes and the machine itself.

A solution to these authentication and authorization problems is provided by Project Athena's (M.I.T) Kerberos. We are currently trying to port the programming and data encryption libraries to the PC environment, so it might be possible in the near future to have PCs use services on other machines. When we have succeeded we will notify the net community about the diffs.

Werner H.P. Vogels
Software Expertise Centrum
Haagse Hogeschool, Intersector Informatica
Louis Couperusplein 2-19, 2514 HP Den Haag, The Netherlands
tel: +31 70 618419
E-mail: werner@nikhefk.nikhef.nl or werner@hhinsi.uucp
jon@athena.mit.edu (Jon A. Rochlis) (11/23/89)
In article <907@cgch.UUCP> whna@cgch.UUCP (Heinz Naef) writes:
>Hello system integrators,
>what could be done to turn existing personal computers (industry standard)
>into real trusted clients on a TCP/IP network?

My 2 cents:

Don't try to turn PCs into "trusted clients". Don't build around the concept of trusted clients at all. Instead assume all clients run with software (possibly even hardware) written from the ground up by a cracker. Assume all communications are monitored by the "bad guy". Require something like Kerberos to make the client process prove its identity to a server. Encrypt data streams or do crypto-checksums depending upon the sensitivity of the data in question. Don't trust the software on the client.

After all, unless you control and secure all the wire, somebody can pretty easily hook up their own portable PC and at the very least run a sniffer to grab all the packets as they go over the wire.

-- Jon
cpcahil@virtech.uucp (Conor P. Cahill) (11/23/89)
> control and secure all the wire, somebody can pretty easily hook up
> their own portable PC and at the very least run a sniffer to grab all
> the packets as they go over the wire.

Speaking of sniffers, can somebody send me information on what hardware is available for a portable PC to collect/view/analyze Ethernet traffic (and hopefully decrypt the TCP/IP packets) on both thin and thicknet.

Thanks in advance

--
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      703-430-9247           !
| Virtual Technologies Inc., P. O. Box 876, Sterling, VA 22170          |
+-----------------------------------------------------------------------+
henry@utzoo.uucp (Henry Spencer) (11/25/89)
In article <907@cgch.UUCP> whna@cgch.UUCP (Heinz Naef) writes:
>what could be done to turn existing personal computers (industry standard)
>into real trusted clients on a TCP/IP network? ...

Rip out the boards. Save the monitor, case, and power supply. Put a decent processor (with memory management) in, and run a decent operating system (one that pays some attention to security).

Unless you construct an environment in which users cannot do any programming at all -- difficult -- it can't be done with standard PCs.

--
That's not a joke, that's      | Henry Spencer at U of Toronto Zoology
NASA.  -Nick Szabo             | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
romkey@amiga.UUCP (John Romkey) (11/25/89)
But Henry, the problem is that your average single user workstation is no more secure than a PC is; the user can usually become root pretty easily and hack whatever he or she wants. A lot of the problem is security paradigms that depend on your machine to have its proper IP address or the use of "secure" port numbers.

I guess you did say "a decent operating system (one that pays some attention to security)", and I don't want to get into a discussion of whether or not UNIX (and which release of whoever's version) is decent. But basically, I believe that the problem isn't that MS-DOS is awful (it is), but that the security paradigms in place are bogus.

- john romkey
USENET/UUCP: romkey@asylum.sf.ca.us Internet: romkey@ftp.com
"Some people walk on water/Some people walk on broken glass/Some people walk round and round in their dreams/Some just keep falling down." Laurie Anderson
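
Added example (not part of any post in this thread, and not Kerberos itself): the contrast drawn above between trusting a source address or "secure" port number and making the client prove knowledge of a key, shown as a shared-key challenge-response with an HMAC crypto-checksum. The addresses, user name, key and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values: addresses, user name and key are made up.
TRUSTED_HOSTS = {"192.0.2.10"}                # address-based trust list
USER_KEYS = {"heinz": b"constructed-secret"}  # secret shared by user and server

@dataclass
class Request:
    src_ip: str    # whatever the sending machine puts on the wire
    src_port: int  # a low port proves nothing unless the client OS is trustworthy
    user: str
    payload: bytes
    nonce: bytes
    tag: bytes

def address_based_check(req):
    """Old paradigm: believe the source address and a 'secure' port number."""
    return req.src_ip in TRUSTED_HOSTS and req.src_port < 1024

def sign(key, nonce, user, payload):
    """Crypto-checksum (HMAC-SHA256) over the server's nonce, the user and the data."""
    name = user.encode()
    msg = nonce + len(name).to_bytes(2, "big") + name + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.outstanding = set()  # nonces issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def crypto_check(self, req):
        """Accept only a fresh nonce plus a tag that proves knowledge of the key."""
        key = USER_KEYS.get(req.user)
        if key is None or req.nonce not in self.outstanding:
            return False  # unknown user, or unknown/replayed nonce
        self.outstanding.discard(req.nonce)  # single use
        expected = sign(key, req.nonce, req.user, req.payload)
        return hmac.compare_digest(expected, req.tag)

def make_request(srv, ip, port, user, key, payload):
    """Client side: fetch a challenge, then send the payload with its tag."""
    nonce = srv.challenge()
    return Request(ip, port, user, payload, nonce, sign(key, nonce, user, payload))
```

A request that claims 192.0.2.10 and port 513 but is signed with the wrong key passes `address_based_check` and fails `crypto_check`; a valid request from an unlisted address passes `crypto_check` once and is rejected when replayed or when its payload is altered.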