
Conference netcad::hub_mgnt

Title: DEChub/HUBwatch/PROBEwatch CONFERENCE
Notice: Firmware -2, Doc -3, Power -4, HW kits -5, firm load -6&7
Moderator: NETCAD::COLELLADT
Created: Wed Nov 13 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 4455
Total number of notes: 16761

356.0. "DECrepeater 900TM Security" by IJSAPL::VANDOMMELEN (Donald van Dommelen, NIS uto) Wed Aug 25 1993 14:19

    A customer of mine has bought STARLAN 10 equipment from AT&T. They wanted
    to use the eavesdrop capability of STARLAN to prevent some
    unauthorized individual from listening on the Ethernet and picking up
    usernames/passwords and other information.
    
    The problem with STARLAN is that per segment it is possible to "filter"
    on either one address per station or multiple (many) addresses. Using
    our Pathworks software causes problems: we use the MAC address and
    the translated DECnet address (AA-something). So, they figure their
    Ethernet segments are "unsecure".
    
    Our DEChub 900 program offers the DETMM, DECrepeater 900TM, with
    security features. Does anyone know if this DETMM can solve my
    customer's problem, that is, can we prevent eavesdropping in
    combination with multiple addresses per station?
    
    If our DETMM can, we have a fair chance to kick STARLAN out....
    
    Hope someone knows the answer !
    
    Thanks in advance,
    
    Donald.
    
    BTW, I advised the customer to complain to AT&T as well.

356.1. "DECrepeater 900TM security works with DECNET nodes" by LEVERS::PAGLIARO Fri Aug 27 1993 15:54 (39 lines)

	Donald,

	The DECrepeater 900TM (DETMM) supports both intrusion protection
	and eavesdrop security. Up to two authorized addresses can be
	assigned to each repeater port. This is NOT designed to support
	multiple independent stations connected to a single port.  The
	intent of allowing two addresses is to accommodate DECNET nodes
	which initially use their hardware addresses (08-00-2B-12-34-56,
	for example) while booting and then switch over to use their DECNET
	addresses (AA-00-04-AB-CD-EF, for example).

	With intrusion protection, if a packet received by a port has a
	source address which does not match any of the port's authorized
	addresses then the intrusion is logged and the port is (optionally)
	disabled.
	
	With eavesdrop security, packets with destination addresses not
	equal to a port's authorized address are jammed/scrambled before
	being transmitted out that port.  While the DECrepeater 900TM
	allows (up to) two authorized addresses to be assigned to any given
	repeater port, only one such address is actively used at any given
	time to enforce eavesdrop security.
	
	The DECrepeater 900TM uses the following algorithm to select 
	which address in a given port's authorized address list to use when
	enforcing eavesdrop security:

	1. The authorized address which was most recently used by a station
	   transmitting into a given repeater port is used to enforce
	   eavesdrop security on that port.

	2. If no packets from an authorized station have been received on a
	   given port then the most recent address added to the authorized
	   address list for that port is used to enforce eavesdrop security.

	
	Regards,

	Rich Pagliaro
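
The port behaviour described in note 356.1, as an added example that is not part of the original notes and is not DEC firmware code: a small Python model of one repeater port, run through a DECnet node's boot-time address switch. The class and method names are hypothetical, and raising an error on a third address is an assumption about how the two-address limit is enforced.

```python
class RepeaterPort:
    """Toy model of one DETMM repeater port; all names here are hypothetical."""
    MAX_AUTHORIZED = 2                      # "up to two authorized addresses"

    def __init__(self, disable_on_intrusion=False):
        self.authorized = []                # in the order they were added
        self.last_used = None               # authorized source seen most recently
        self.disable_on_intrusion = disable_on_intrusion  # disabling is optional
        self.enabled = True
        self.intrusions = []                # log of unauthorized source addresses

    def authorize(self, addr):
        if len(self.authorized) >= self.MAX_AUTHORIZED:
            raise ValueError("port already has two authorized addresses")  # assumed
        self.authorized.append(addr.upper())

    def receive(self, src):
        """Intrusion protection on a packet sent into the port by its station."""
        src = src.upper()
        if src in self.authorized:
            self.last_used = src            # feeds rule 1 below
            return True
        self.intrusions.append(src)
        if self.disable_on_intrusion:
            self.enabled = False
        return False

    def eavesdrop_address(self):
        if self.last_used is not None:      # rule 1: most recently used address
            return self.last_used
        return self.authorized[-1] if self.authorized else None  # rule 2: last added

    def transmit(self, dst):
        """Eavesdrop security on egress; broadcast/multicast is not in the note, so not modelled."""
        return "clear" if dst.upper() == self.eavesdrop_address() else "jammed"

def decnet_boot_demo():
    hw, dn = "08-00-2B-12-34-56", "AA-00-04-AB-CD-EF"  # example addresses from 356.1
    port = RepeaterPort(disable_on_intrusion=True)
    port.authorize(hw)
    port.authorize(dn)
    trace = [port.transmit(hw), port.transmit(dn)]     # nothing received yet: rule 2
    port.receive(hw)                                   # node boots on hardware address
    trace += [port.transmit(hw), port.transmit(dn)]
    port.receive(dn)                                   # node switches to DECnet address
    trace += [port.transmit(hw), port.transmit(dn)]
    port.receive("08-00-2B-99-99-99")                  # constructed unauthorized source
    return trace, port.enabled, port.intrusions
```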