
Conference netcad::hub_mgnt

Title:DEChub/HUBwatch/PROBEwatch CONFERENCE
Notice:Firmware -2, Doc -3, Power -4, HW kits -5, firm load -6&7
Moderator:NETCAD::COLELLADT
Created:Wed Nov 13 1991
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:4455
Total number of notes:16761

601.0. "DECrepeater 900TM source address filter capability?" by NWD002::KOPEC_ST (Squash:Racketball::Chess:Checkers) Mon Jan 10 1994 14:32

    One of my customers in Alaska told me that, while at DECUS, he was 
    discussing the inclusion of "source address filtering" capabilities 
    in the DECrepeater 900TM 10BASET module with one of the DEC
    representatives.  I.e., if the incoming packet is
    not on the list of approved source MAC addresses then it is discarded.
    This would complement the "outgoing intrusion feature" that exists
    already.  I know looking at MAC addresses is really a bridge function,
    but is there any truth to including this incoming feature in this
    REPEATER module, and when?
    
    						Thx, Stan
601.1. by QUIVER::SLAWRENCE Mon Jan 10 1994 15:34, 2 lines
    It's already there.  Search this conference for 'security'.
    
601.2. "Source Address security: yes: Bridge discarding: no" by LEVERS::PAGLIARO (Rich Pagliaro, Hub Products Group) Mon Jan 10 1994 16:14, 40 lines
    When INTRUSION PROTECTION is enabled on a DECrepeater 900TM, if the source
    address of an INCOMING packet received on a port does match any of the 
    authorized addresses assigned to that port, the intrusion is logged in 
    a security violations log table and counted. Additionally, the DECrepeater
    900TM can optionally be configured to automatically disable a port when 
    such an intrusion security violation is detected. 
    
    It is important to note that when the DECrepeater 900TM enforces EAVESDROP 
    PREVENTION (i.e. the "outgoing intrusion feature"), OUTGOING packets 
    transmitted out a given port with destination addresses which don't match
    any of the authorized addresses for that port are not "discarded" in the
    bridge sense. Rather, the offending packets are still transmitted, but they
    are first "garbled" by overwriting the packets with an alternating 1s and 0s
    jam pattern. See note 356.1 for a complete description of the DECrepeater
    900TM's security capabilities.

    The DECrepeater 900TM does not (and cannot) perform any action other than
    logging the intrusion and disabling the port when an incoming intrusion
    violation is detected. Future firmware upgrades will never provide it with
    more sophisticated capabilities. The hardware simply does not support it. 
    In addition to the DECrepeater 900TM, this fact holds true for the 
    DECrepeater 900GM, DECrepeater 900FP, DECrepeater 90FS, and 
    DECrepeater 90TS repeaters to be shipped in the near future.

    That being said, future "per-port switching" repeaters will support an 
    additional incoming INTRUSION PROTECTION security mode.  If the source
    address of an INCOMING packet received on a port doesn't match any of the 
    authorized addresses assigned to that port, the offending packet is garbled
    before it is repeated to any other repeater ports. That is, packets from
    an unauthorized intruder are prevented from being received by any other
    node NOT by disabling the port (thereby preventing any further access 
    by ANYONE), but by trashing the intruder's packets. Note that these 
    repeaters are NOT discarding any packets. Consult product management for
    the scheduled ship date for these products.

    Regards,

    Rich Pagliaro
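The three behaviours described in 601.2 (ingress intrusion protection that logs, counts and optionally disables the port; egress eavesdrop prevention that jams rather than drops; and the later "per-port switching" mode that jams unauthorized sources on ingress) are modelled below as an added example. This is a constructed simulation written for this page, not DEC firmware or HUBwatch code. Assumptions not stated in the thread are marked in comments: the jam byte phase (0x55), that the frame which triggers a port-disable is still repeated, and that broadcast/multicast destinations pass eavesdrop prevention intact (the post does not say how group addresses are treated). The MAC addresses and payloads are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# One byte of the "alternating 1s and 0s" jam pattern.
# Assumption: the post does not give the phase; 0b01010101 is used here.
JAM = 0x55


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set: broadcast/multicast address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes


@dataclass
class Port:
    authorized: Set[str] = field(default_factory=set)  # per-port authorized MACs
    enabled: bool = True
    violations: int = 0                                # security violation counter


@dataclass
class Repeater:
    ports: Dict[str, Port]
    intrusion_protection: bool = True
    eavesdrop_prevention: bool = True
    disable_on_intrusion: bool = False
    ingress_garble: bool = False     # the future "per-port switching" mode
    violation_log: List[Tuple[str, str]] = field(default_factory=list)

    def repeat(self, ingress: str, frame: Frame) -> Dict[str, Optional[Frame]]:
        """Repeat `frame` arriving on `ingress` to every other port.

        Returns port -> frame as seen on that port's wire (None if the port is
        disabled).  An empty map means the ingress port itself is disabled.
        Nothing is ever discarded: a repeater cannot drop a frame.
        """
        port = self.ports[ingress]
        if not port.enabled:
            return {}

        garble_all = False
        if self.intrusion_protection and frame.src not in port.authorized:
            port.violations += 1                      # logged and counted
            self.violation_log.append((ingress, frame.src))
            if self.disable_on_intrusion:
                # Assumption: the offending frame is still repeated; the port is
                # then closed to ALL further traffic, intruder and victims alike.
                port.enabled = False
            if self.ingress_garble:
                garble_all = True                     # trash the intruder's frame

        jam = bytes([JAM]) * len(frame.payload)
        out: Dict[str, Optional[Frame]] = {}
        for name, p in self.ports.items():
            if name == ingress:
                continue
            if not p.enabled:
                out[name] = None
                continue
            # Eavesdrop prevention: a unicast whose destination is not
            # authorized on this egress port is still transmitted, but jammed.
            # Assumption: group addresses pass intact.
            leak = (self.eavesdrop_prevention and not is_multicast(frame.dst)
                    and frame.dst not in p.authorized)
            # src/dst are kept only so the model can be inspected; on the wire
            # the whole frame is overwritten with the jam pattern.
            out[name] = Frame(frame.src, frame.dst, jam) if (garble_all or leak) else frame
        return out


def build_hub(**flags) -> Repeater:
    """Constructed three-port hub, one authorized station per port."""
    return Repeater(ports={
        "p1": Port({"00:00:f8:00:00:01"}),
        "p2": Port({"00:00:f8:00:00:02"}),
        "p3": Port({"00:00:f8:00:00:03"}),
    }, **flags)


if __name__ == "__main__":
    hub = build_hub(disable_on_intrusion=True)
    intruder = Frame("02:11:22:33:44:55", "00:00:f8:00:00:01", b"attack")
    print(hub.repeat("p3", intruder))      # repeated (p1 intact, p2 jammed), p3 disabled
    print(hub.repeat("p3", intruder))      # {} : nobody on p3 can talk any more
    print(hub.violation_log)
```

The point the model makes concrete: with the 900TM, an intruder's frame is never dropped, so the only hard response is to disable the port, which also cuts off every legitimate station on that segment; the later per-port switching mode jams the intruder's frames instead, leaving the port up for everyone else.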