Path: utzoo!mnetor!uunet!husc6!bu-cs!kwe From: kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) Newsgroups: comp.dcom.lans Subject: Re: LAN security screw-ups Message-ID: <17429@bu-cs.BU.EDU> Date: 14 Dec 87 20:37:23 GMT References: <1858@cup.portal.com> Reply-To: kwe@bu-it.bu.edu (Kent England) Organization: Boston Univ. Information Tech. Dept. Lines: 70 Summary: Network security is different than host security In article <1858@cup.portal.com> David_J_Buerger@cup.portal.com writes: > >Aside from standard password schemes, directory rights, etc., >what do some of your LAN managers do to keep security tight on >your systems? Do old employees try to sneak in a mess things up? >How good are users at logging off when they walk away from their >desks? How do you deal with asynch dial up requests? Is it a >Pandora's Box re the security issue? > The question as stated is a host security issue. I differentiate between "login" or "host" security and network security. I don't know whether David intended the distinction. As a network manager I assume the presence of good host security and will work together with any sa to fix those kind of problems. A typical example is a host without good hardware connect/disconnect signaling on our terminal network. A user-initiated forced disconnect can leave a session hanging. Beyond these kind of technical issues I do not worry about login security, or user file permissions or linked files. But, yes, network security is a Pandora's Box. There was a discussion [was it here on this group?] not long ago when I made the rash statement that network security was not yet an issue. Several people took pains to set me right, as you may recall. The best responses that I saw mentioned routers and bridges as a necessary first step toward good network management and security. David Wasley, among others, described how he had set up dual Ethernets with one secure (relatively) and the other untrusted. I myself am looking for a way to allow academic staff to use their academic workstations for administrative functions. This would require that both secure and untrusted sessions occur over the same ethernet. Someone from Athena said that they were going to release their validation protocol, Kerebos, to the public. This protocol, if released, will be the best thing since X windows out of Athena. It validates resource access, including login, with encrypted exchanges between workstation and validation server. I think they said that currently they did not encrypt sessions, but their current functionality protects passwords. I think that Kerebos, adopted as a standard, is the next best thing to session encryption and will satisfy security requirements for many for a while. Someone else ominously stated that they had a way (which they could not reveal) to thwart routers, but I do not know what kind of threat that is to router-based networks. Those kind of statements, including one person who said for $1.98 he had set up a Lan analyzer and sucked off all the e-mail traffic for an afternoon, worry me a little. (a lot :-) Ungermann-Bass recently announced at their user group meeting a DES hardware session encryption NIU with an access key, a literal key for a box on the NIU that enabled access. This sounds like the way to go for secure sessions with good interactive performance. Their box doesn't scramble all the headers, only the data or all but the Ethernet headers. I haven't analyzed the situation enough to know just how many headers you can leave in the clear but I imagine you could just encrypt data within IP, if necessary. It depends on whether you use bridges or routers. Perhaps other vendors are working on encrypted session hardware, too. I would like to see Kerebos for login security on all our host logins. I would also like to have the DES hardware for selected pieces of equipment. Perhaps someday Sun will install DES chips in their servers and workstations and we can encrypt all the sessions when we want to. Meanwhile, judicious use of bridges and routers and careful watching will have to do. -- ------------------------------------------------------------------- Kent W. England | Boston University Network & Systems Engineering Group | Information Technology kwe@bu-it.bu.edu internet | 111 Cummington Street itkwe@bostonu BITnet | Boston, MA 02215 harvard!bu-cs!kwe UUCP | (617) 353-2780 -------------------------------------------------------------------