pkr@sgi.com (Phil Ronzone) (05/03/90)
In article <9005010243.AA15404@physics.phy.duke.edu> rgb@PHY.DUKE.EDU ("Robert G. Brown") writes:

>If one looks at the enumerated list above, it seems reasonable to
>conclude that we (as a University) cannot isolate our LAN by more than
>a "normal" gateway, and the gateway cannot/should not prevent
>telnet/ftp/smtp/rlogin/socket and so forth connectivity. The gateway
>can (and will automatically) filter and route packets, sure, but
>unless you cram Maxwell's Daemon himself (maxwelld?) into the
>filtering algorithm you are not going to be able to tell a hacker
>telnetting in as "joe" from "joe" himself. A packet is a packet.
>It's the contents that is the killer.
>
>Nor are you going to be able to fix the fundamental security hole in
>any public network -- anyone who is really good can tap the line
>directly and read your packets. If they do that, only dual ended
>"scrambling" (encryption) is secure, and that carries a tremendous
>overhead.

Well, I understand your point, but I do not agree.

Any network has as one of the worst problems "authentication". Sending passwords in the clear is not too smart, and traditional UNIX encryption schemes have problems with either key distribution and/or safety of the encryption algorithm.

Such things as public key technology for authentication schemes solve these (and other problems). Of course, the fact that such technology is not yet widely available in most/almost-all UNIX'i is a problem for you ... :-)

-- 
+-------------------------------------------------------+---------------------+
| Philip K. Ronzone Manager Secure UNIX | WORK=(415) 335-1511 |
| Silicon Graphics, Inc. MS 9U-500 | pkr@sgi.com |
| 2011 N. Shoreline Blvd., Mountain View, CA 94039 | FAX= (415) 965-2658 |
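Added example, not part of Ronzone's post or of the thread: a small Python simulation of the two authentication styles being argued over. A Wire object records every packet, standing in for Brown's line-tapper who "can tap the line directly and read your packets". A telnet-style login puts the password itself on the wire; a public-key challenge-response puts only a fresh nonce and a signature there, the server holds nothing but public keys (the key-distribution point Ronzone raises), and a captured response cannot be replayed against the next challenge. Everything here is constructed for the demo: the credential joe/hunter2, the packet formats, and the RSA, which is textbook RSA over two Mersenne primes with no padding and one shared modulus, adequate to show the protocol shape and nothing more.

```python
"""Toy simulation of cleartext login versus public-key challenge-response
on a LAN where every packet can be read.  Constructed for illustration;
the RSA is textbook (no padding, shared modulus) and must not be reused."""
from __future__ import annotations

import hashlib
import secrets

# Toy RSA parameters.  Mersenne primes are used so no key generation is
# needed; N (~648 bits) exceeds a SHA-256 digest, so the digest is always a
# valid RSA input.  Assumption: this is enough to demonstrate the protocol.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
SIG_LEN = (N.bit_length() + 7) // 8        # bytes needed to carry a signature


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exp: int) -> int:
    """Textbook RSA signature over the SHA-256 digest of message."""
    return pow(_digest(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int) -> bool:
    return pow(signature, public_exp, N) == _digest(message)


class Wire:
    """A shared segment: everything sent is recorded, as a line tap would."""

    def __init__(self) -> None:
        self.captured: list[bytes] = []

    def send(self, packet: bytes) -> bytes:
        self.captured.append(packet)
        return packet


# --- 1. telnet-style login: the secret itself crosses the wire -------------
PASSWORD_DB = {b"joe": b"hunter2"}         # constructed sample credential


def cleartext_login(wire: Wire, user: bytes, password: bytes) -> bool:
    packet = wire.send(b"LOGIN " + user + b" " + password)
    _, u, p = packet.split(b" ", 2)        # server parses what it received
    return PASSWORD_DB.get(u) == p


# --- 2. public-key challenge-response: only a nonce and a signature cross --
PUBKEY_DB = {b"joe": E}                    # server stores public keys only


class Server:
    def __init__(self) -> None:
        self.pending: dict[bytes, bytes] = {}   # user -> outstanding nonce

    def challenge(self, wire: Wire, user: bytes) -> bytes:
        nonce = secrets.token_bytes(16)         # fresh per login attempt
        self.pending[user] = nonce
        wire.send(b"CHALLENGE " + nonce)
        return nonce

    def check(self, packet: bytes) -> bool:
        _, user, sig_bytes = packet.split(b" ", 2)
        nonce = self.pending.pop(user, None)    # single use: never verified twice
        if nonce is None or user not in PUBKEY_DB:
            return False
        return verify(nonce, int.from_bytes(sig_bytes, "big"), PUBKEY_DB[user])


def client_respond(wire: Wire, user: bytes, nonce: bytes, private_exp: int) -> bytes:
    signature = sign(nonce, private_exp)        # private key never leaves the client
    return wire.send(b"RESPONSE " + user + b" " + signature.to_bytes(SIG_LEN, "big"))


def demo_cleartext() -> tuple[bool, bool]:
    """Returns (login succeeded, password visible in the capture)."""
    wire = Wire()
    ok = cleartext_login(wire, b"joe", b"hunter2")
    leaked = any(b"hunter2" in pkt for pkt in wire.captured)
    return ok, leaked


def demo_challenge_response() -> tuple[bool, bool, bool]:
    """Returns (login succeeded, private key visible in the capture,
    replay of the captured response accepted)."""
    wire = Wire()
    server = Server()
    nonce = server.challenge(wire, b"joe")
    response = client_respond(wire, b"joe", nonce, D)
    ok = server.check(response)
    # The observer replays the captured response against the next challenge.
    server.challenge(wire, b"joe")
    replay_ok = server.check(response)
    leaked = any(D.to_bytes(SIG_LEN, "big") in pkt for pkt in wire.captured)
    return ok, leaked, replay_ok


if __name__ == "__main__":
    print("cleartext:", demo_cleartext())
    print("challenge-response:", demo_challenge_response())
```

Running it shows both logins succeeding, but the cleartext capture contains the reusable password while the challenge-response capture contains only a nonce and a signature that the server refuses a second time. The single-use nonce is what makes "a packet is a packet" harmless: the observer sees every byte and still cannot become joe. What the toy does not do is protect the session after login, which is the separate point about end-to-end encryption in the quoted text.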