| When INTRUSION PROTECTION is enabled on a DECrepeater 900TM, if the source
address of an INCOMING packet received on a port does match any of the
authorized addresses assigned to that port, the intrusion is logged in
a security violations log table and counted. Additionally, the DECrepeater
900TM can optionally be configured to automatically disable a port when
such an intrusion security violation is detected.
It is important to note that when the DECrepeater 900TM enforces EAVESDROP
PREVENTION (i.e. the "outgoing intrusion feature"), OUTGOING packets
transmitted out a given port with destination addresses which don't match
any of the authorized addresses for that port, are not "discarded" in the
bridge sense. Rather, the offending packets are still transmitted but they
are first "garbled" by overwriting the packets with an alternating 1s and 0s
jam pattern. See note 356.1 for a complete description of the DECrepeater
900TM's security capabilities.
The DECrepeater 900TM does not (and cannot) perform any action other than
logging the intrusion and disabling the port when an incoming intrusion
violation is detected. Future firmware upgrades will never provide it with
more sophisticated capabilities. The hardware simply does not support it.
In addition to the DECrepeater 900TM, this fact holds true for the
DECrepeater 900GM, DECrepeater 900FP, DECrepeater 90FS, and
DECrepeater 90TS repeaters to be shipped in the near future.
That being said, future "per-port switching" repeaters will support an
additional incoming INTRUSION PROTECTION security mode. If the source
address of an INCOMING packet received on a port doesn't match any of the
authorized addresses assigned to that port, the offending packet is garbled
before it is repeated to any other repeater ports. That is, packets from
an unauthorized intruder are prevented from being received by any other
node NOT by disabling the port (thereby preventing any further access
by ANYONE), but by trashing the intruder's packets. Note that these
repeaters are NOT discarding any packets. Consult product management for
the scheduled ship date for these products.
Regards,
Rich Pagliaro
|
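The behaviour described in the post above can be modelled in a few lines. This is an added example, not part of the original post and not DEC firmware: the `Port` and `Repeater` classes, the 0xAA jam byte, the short string addresses and the choice to repeat the offending frame before an auto-disable takes effect are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

JAM = 0xAA  # assumption: 10101010 stands in for the "alternating 1s and 0s" pattern

@dataclass
class Port:
    authorized: set                     # addresses authorized on this port
    disable_on_intrusion: bool = False  # optional auto-disable from the post
    enabled: bool = True
    violations: int = 0

@dataclass
class Repeater:
    ports: dict                         # port number -> Port
    garble_intruders: bool = False      # True models the future "per-port switching" mode
    log: list = field(default_factory=list)

    def receive(self, in_port, src, dst, payload):
        """Repeat one frame; return {out_port: bytes seen on that port}."""
        port = self.ports[in_port]
        if not port.enabled:
            return {}
        intruder = src not in port.authorized
        if intruder:
            # Intrusion protection: log and count the violation.
            port.violations += 1
            self.log.append((in_port, src))
            if port.disable_on_intrusion:
                # Assumption: the disable affects later frames, not this one.
                port.enabled = False
        jam = bytes([JAM]) * len(payload)
        out = {}
        for number, other in self.ports.items():
            if number == in_port or not other.enabled:
                continue
            # Eavesdrop prevention: a port not authorized for the destination
            # still sees a frame of the same length, but jammed, not dropped.
            eavesdrop = dst not in other.authorized
            garble = eavesdrop or (intruder and self.garble_intruders)
            out[number] = jam if garble else payload
        return out

if __name__ == "__main__":
    # Constructed sample: three ports, one authorized address each.
    rep = Repeater({1: Port({"A"}), 2: Port({"B"}), 3: Port({"C"})})
    print(rep.receive(1, "A", "B", b"hello"))  # port 3 sees only the jam pattern
    print(rep.receive(1, "X", "B", b"hello"))  # intruder is logged, frame still reaches B
    print(rep.log)
```

With `garble_intruders=False` the unauthorized sender's frame still reaches the destination port and the only responses are the log entry and the optional port disable; with `garble_intruders=True` the port stays up and every other port sees only the jam pattern.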