T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
1076.1 | Nope | JUMP4::JOY | Perception is reality | Fri Sep 24 1993 12:07 | 5 |
| I have been trying to find any products from any vendors who provide
encryption over FDDI for over a year now and had no success.
Debbie
|
1076.2 | when do you need crypto on FDDI? | PERE::BRUCE | | Fri Sep 24 1993 13:40 | 6 |
| I don't know if it will help your customer to realize some inherent
security features of fiber optic communications. Especially if he is
using the full duplex point-to-point FDDI for MDF, crypto on the FDDI
will buy him almost nothing. The fiber doesn't radiate, and is very
very difficult to tap.
|
1076.3 | detection is what's hard to avoid | ASDS::LEVY | | Fri Sep 24 1993 14:41 | 7 |
| re: .-1
> The fiber doesn't radiate, and is very very difficult to tap.
Actually, it's not that hard to tap (just make a tight bend in it), but
it is hard to tap without being detected.
|
1076.4 | I think I could tap your FDDI easily. | MUDDY::WATERS | | Fri Sep 24 1993 15:39 | 7 |
| This "hard to tap" stuff is fine for marketing, but don't say that to
the technical customers. If you tap a line, and leave it tapped forever,
the user will surely not notice that it has been tapped. The moment of
tapping it is easily mistaken for a glitch caused by a power outage or
something. I would not say "easy to notice tapping" unless the network
management interface has a specific indication "...line1.hasBeenTapped" or
equivalent. Surely we do not offer that level of intrusion protection.
|
1076.5 | | KONING::KONING | Paul Koning, A-13683 | Mon Sep 27 1993 12:49 | 16 |
| FDDI is neither hard to tap, nor hard to tap without detection. Taps that
pick off a small fraction of the power are off-the-shelf items and are included
with FDDI LAN analyzers.
The "fiber is secure because you can't tap it" statement is BULLSHIT.
However... it IS true that fiber has security advantages if your worry is
about radiated signals picked up at some distance from the cable (e.g., your
opponent can get to the other side of the wall, but can't touch the cable
itself). There you have a benefit because fiber doesn't radiate while some
kinds of copper cable, UTP in particular, do. So if you're into TEMPEST
considerations, fiber is interesting. If you're worried about tapping by
people who have actual physical access to the cable, fiber is no better (nor
worse) than copper.
paul
|
1076.6 | more on detection... | ASDS::LEVY | | Mon Sep 27 1993 14:21 | 9 |
| re: .4 & .5
By "detection," I was referring to the ability to measure the drop in
power at the receiver due to some of the light being tapped off
midstream.
I wasn't trying to imply that an SNMP trap existed to detect this power
drop, or that "commercial-grade" FDDI equipment had this type of
detection capability built into it.
|
1076.7 | | KONING::KONING | Paul Koning, A-13683 | Mon Sep 27 1993 16:06 | 6 |
| Is the insertion loss of a -10dB tap high enough to be observable with
commercial grade power meters? How does it compare with variations that
occur due to connector insert/remove cycles, cables being shoved around,
etc.? I wonder...
paul
|
1076.8 | | ASDS::LEVY | | Mon Sep 27 1993 16:59 | 1 |
| Hand-held power meters typically offer 0.1 dB resolution....
|
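Paul's question in .7 (is a -10 dB tap's insertion loss visible to a commercial power meter, and how does it compare with connector and cable handling variation?) and Levy's 0.1 dB answer in .8 can be worked through numerically. The following is an added example, not code from the conference: it computes the through-path loss of an ideal coupler from its tap ratio, checks it against a meter resolution, and then scans a constructed series of receiver readings for a drop that persists rather than the one-sample glitch Waters describes in .4. The 0.3 dB threshold, the ideal-splitter assumption and all readings are constructed for the example.

```python
import math

# Added example (not from the conference): does a passive optical tap show up
# as a power drop at the receiver, and can a trend distinguish it from the
# one-off glitches mentioned in .4 and .7?  All numbers here are constructed.

def through_loss_db(tap_db: float, excess_loss_db: float = 0.0) -> float:
    """Through-path insertion loss in dB of a coupler that diverts `tap_db`
    of the light to its tap port (-10 dB = 10%).  `excess_loss_db` models the
    coupler's own extra loss; 0 is an ideal splitter (assumption)."""
    tapped_fraction = 10 ** (tap_db / 10.0)      # -10 dB -> 0.10
    remaining = 1.0 - tapped_fraction            # 0.90 of the power continues
    return -10.0 * math.log10(remaining) + excess_loss_db   # about 0.46 dB at -10 dB

def observable(loss_db: float, meter_resolution_db: float = 0.1) -> bool:
    """Can a meter with the stated resolution (0.1 dB per .8) resolve this loss at all?"""
    return loss_db >= meter_resolution_db

def sustained_drop_start(readings_dbm, baseline_dbm, threshold_db, min_run=3):
    """Index at which received power stays more than `threshold_db` below
    `baseline_dbm` for `min_run` consecutive readings, or None.  A single low
    sample (a reconnect, a cable being moved) does not count; a step that
    stays down does.  Returns the first index of the qualifying run."""
    run = 0
    for i, reading in enumerate(readings_dbm):
        if baseline_dbm - reading > threshold_db:
            run += 1
            if run == min_run:
                return i - min_run + 1
        else:
            run = 0
    return None

# Constructed receiver readings in dBm: normal jitter of +/-0.1 dB, one brief
# 0.6 dB dip at index 3 (a connector bump), then a step of about 0.5 dB from
# index 6 on, which is roughly what a -10 dB tap costs the through path.
BASELINE_DBM = -15.0
READINGS_DBM = [-15.0, -15.1, -14.9, -15.6, -15.0, -15.1, -15.5, -15.6, -15.4, -15.5]
THRESHOLD_DB = 0.3   # assumption: above the 0.1 dB meter resolution and the jitter

if __name__ == "__main__":
    loss = through_loss_db(-10.0)
    print(f"ideal -10 dB tap costs the through path {loss:.2f} dB; "
          f"resolvable at 0.1 dB: {observable(loss)}")
    print(f"ideal -20 dB tap: {through_loss_db(-20.0):.3f} dB; "
          f"resolvable: {observable(through_loss_db(-20.0))}")
    print("single-sample alarm would fire at index",
          sustained_drop_start(READINGS_DBM, BASELINE_DBM, THRESHOLD_DB, min_run=1))
    print("sustained-drop alarm fires at index",
          sustained_drop_start(READINGS_DBM, BASELINE_DBM, THRESHOLD_DB))
```

The arithmetic shows why both sides of the thread are partly right: an ideal -10 dB tap costs about 0.46 dB, a few times the meter's resolution, but a -20 dB tap costs about 0.04 dB and is below it. A single reading cannot separate the larger loss from a connector bump of the same size; a baseline plus a persistence rule on a logged trend can, which is the kind of check a site that actually cares about tapping would have to run itself, since (as .4 and .6 note) nothing in the equipment raises a "hasBeenTapped" indication.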
1076.9 | | RUSURE::GENTRY | Subtle operational change (read bug) | Thu Dec 09 1993 13:17 | 11 |
|
I think the answer would have to be the same as for Ethernet: if
you want encryption, the end-points have to do it (encrypt/decrypt).
Whether this is via software or hardware doesn't matter. Once the
data gets beyond the cabinet of the machine (via copper, fiber,
whatever), it is tappable. It must be encrypted before it gets
outside the computer cabinet...
My $.02
Megan
|
1076.10 | | KONING::KONING | Paul Koning, B-16504 | Thu Dec 09 1993 14:49 | 22 |
| Yes, the answer is the same in all cases, but no, the answer is not necessarily
that the endpoints must do it. It depends on what technology you have
available to you, and what threats you're worried about.
If you're worried about wiretap by insiders, protect the data before it leaves
the box.
If you're worried about wiretap by outsiders, protect the data before it leaves
the building.
If you're worried about traffic analysis, use link level encryption (i.e.,
at the physical layer). If not, you can do it at a higher layer (datalink,
application, whatever).
If you can't get crypto hardware, you'll have to make do with crypto software.
That's easy at the application layer, harder (though still possible) lower down.
If you want to export it, any kind of crypto is a problem. But if your customer
is in another country, they can get their own crypto from any number of places,
including Moscow... (!)
paul
|
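Paul's distinction in .10 between protecting the data before it leaves the box and encrypting the link itself is easiest to see by looking at what is left readable on the cable in each case. The following is an added example, not code from the conference or from any DEC product: it models an endpoint that encrypts only the payload (the header stays in the clear so the LAN can deliver the frame) against a link encryptor that encrypts header and payload together and fills every slot to a fixed size. The key, the addresses, the payload and the slot size are constructed, and the SHA-256 counter-mode keystream is a toy used only so the example runs offline.

```python
import hashlib

# Added example (not from the conference): what a passive observer on the cable
# can still read when the endpoints encrypt versus when the link itself is
# encrypted.  Key, addresses and payload are constructed for this example.

KEY = b"constructed-demo-key-do-not-reuse"

def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) so the example runs offline;
    a demonstration device, not a recommended construction.  The nonce must be
    unique per frame: XOR with a reused keystream leaks the XOR of plaintexts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(8, "big")).digest()
        out.extend(c ^ k for c, k in zip(data[offset:offset + 32], ks))
    return bytes(out)

def encode_header(src: bytes, dst: bytes, length: int) -> bytes:
    """6-byte source, 6-byte destination, 2-byte length (MAC-style, constructed)."""
    return src + dst + length.to_bytes(2, "big")

def application_layer_frame(src, dst, payload, seq):
    """Endpoints protect the data before it leaves the box: payload encrypted,
    header sent in the clear so the LAN can still deliver it."""
    return encode_header(src, dst, len(payload)) + keystream_xor(KEY, seq, payload)

def link_layer_slot(src, dst, payload, seq, slot_size=64):
    """A link encryptor between the box and the cable encrypts header and payload
    together and fills every slot to a fixed size; an idle slot (payload=None)
    is indistinguishable in length from a busy one."""
    body = b"" if payload is None else encode_header(src, dst, len(payload)) + payload
    if len(body) > slot_size:
        raise ValueError("frame exceeds slot size")
    return keystream_xor(KEY, seq, body.ljust(slot_size, b"\0"))

def on_wire_application(wire: bytes) -> dict:
    """Fields readable on the cable from an application-encrypted frame:
    who is talking to whom and how much, i.e. the material for traffic analysis."""
    return {"src": wire[:6].hex(), "dst": wire[6:12].hex(),
            "length": int.from_bytes(wire[12:14], "big")}

def on_wire_link(wire: bytes) -> dict:
    """Same cable, link-encrypted: only the constant slot size is visible."""
    return {"length": len(wire)}

SRC = bytes.fromhex("08002b000001")    # constructed addresses
DST = bytes.fromhex("08002b000002")
PAYLOAD = b"quarterly numbers attached"

if __name__ == "__main__":
    print("application-layer:", on_wire_application(application_layer_frame(SRC, DST, PAYLOAD, 1)))
    print("link-layer busy:  ", on_wire_link(link_layer_slot(SRC, DST, PAYLOAD, 2)))
    print("link-layer idle:  ", on_wire_link(link_layer_slot(SRC, DST, None, 3)))
```

With endpoint encryption the contents are protected wherever the cable runs, but source, destination and length remain visible, which is exactly the traffic-analysis exposure .10 says only link-level encryption removes; with the link encryptor a busy slot and an idle slot present the same constant-length ciphertext, so the cable carries nothing to analyse. The trade-off is the one the thread already states: link encryption needs a box at each end of every link and protects only that link, while endpoint encryption can be done in software and covers the whole path.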