| Title: | DEChub/HUBwatch/PROBEwatch CONFERENCE |
| Notice: | Firmware -2, Doc -3, Power -4, HW kits -5, firm load -6&7 |
| Moderator: | NETCAD::COLELLA DT |
| Created: | Wed Nov 13 1991 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 4455 |
| Total number of notes: | 16761 |
One of our large customers has the following question. With a configuration of DEChub900MS and DECrepeater 900TM with HUBwatch T2.8, the following is stated by the customer:

"Due to the error in the DECnet architecture the MAC address can be used to create a secure port on the DECrepeater 900TM. When both MAC addresses are specified it works fine for DECnet (end)nodes. Since there is no such relation between a MAC address and the IP address the DECnet trick can not be repeated. In HUBwatch we noticed that the repeater detects the IP address of a TCP/IP node on a port of the DECrepeater 900TM."

Is it possible for the DECrepeater 900TM / HUBwatch combination to signal an IP address change on a port? Ultimately: is it possible to additionally specify an IP address for a port on a secure repeater to create the same level of security as with DECnet nodes?

Thanks in advance,
jos
ijsapl::roling

My first reaction was that the customer needs something else than a repeater. Where is the end of this kind of functionality (secure an IP socket ;-) ) in a repeater?
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 795.1 | please read 356.1 and clarify | QUIVER::SLAWRENCE | | Mon Mar 07 1994 08:20 | 8 |
I'm not sure that I understand the question here - but look at note
356.1 for a summary of the repeater security features.
The repeater security operates _only_ on the MAC addresses; it does not
look at any network layer address, DECnet or IP.
Can you please ask the customer to explain in more detail just what the
problem is?
| 795.2 | beyond repeater functionality? | IJSAPL::ROLING | Jos Röling, Network Consultant, Holland | Mon Mar 07 1994 10:44 | 17 |
To be more specific: according to my knowledge, HUBwatch can display the IP address of the connected node on a DECrepeater 900TM that runs TCP/IP. If this is the case, is it then possible with HUBwatch 3.* to generate an alarm when that address changes? This is handy to quickly detect "spoofing" and reduces network down time.

Secondly, if a repeater can detect the IP address, is it possible and / or likely that the repeater can be upgraded to a "secure ethernet access server", thereby giving customers the same level of security when running TCP/IP as they have today when running DECnet?

regards
jos
| 795.3 | definitely beyond a repeater... | QUIVER::SLAWRENCE | | Mon Mar 07 1994 11:34 | 34 |
> According to my knowledge HUbwatch can display the IP address if the
> connected node on a DECrepeater 900TM that runs TCP/IP.
Correct. HUBwatch does this by reading the MAC address for the port
from the repeater and then checking for IP addresses at that MAC
address; the repeater does not know what the IP address is. This
lookup is quite expensive.
> If this is the case; is it then possible with HUBwatch 3.* to
> generate an alarm when that address changes. This is handy to quickly
> detect "spoofing" and reduces network down time?
First, it would be prohibitively expensive both in terms of network
traffic and HUBwatch cpu time.
Second, since HUBwatch asks the node (via its MAC address) for the IP
addresses it is using, a 'spoofer' could easily lie or just fail to
respond to the query, making the check useless.
> Secondly, if a repeater can detect the ip address is it possible and
> / or likely that the repeater can be upgraded to a "secure ethernet
> access server". thereby give customers the same level of security
> when running TCP/IP as they have today when running DECnet.
I don't know enough to comment on the level of security they have with
DECnet.
Basically, I don't think you can get this at a competitive cost in a
repeater. You might raise the issue with the product management for
the Personal Ethernet product(s), however; they are multi-port bridges,
not repeaters. It might be possible to set up bridge filtering on a
port to prevent either eavesdropping or spoofing through the port.
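As an added illustration of the "alarm when the address changes" idea discussed in 795.2 and 795.3 (example code, not part of the DEC Notes thread or of HUBwatch): a small monitor that keeps a per-port (MAC, IP) baseline of the kind HUBwatch would build by reading the port's MAC from the repeater and then asking the node for its IP, and reports a later observation that differs. It also models the caveat from 795.3: a node that simply does not answer the IP query gives the monitor nothing to compare, so silence is reported as "unverifiable" rather than treated as unchanged. Port numbers, MAC and IP values are constructed sample data.

```python
# Added example (not from the DEC Notes thread): track per-port MAC/IP bindings
# and alert on changes; a missing IP answer is reported, not silently accepted.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    port: int                 # repeater port the node is attached to
    mac: str                  # MAC address the repeater reports for the port
    ip: Optional[str] = None  # None: the node did not answer the IP query


@dataclass
class BindingMonitor:
    # port -> (mac, ip) last accepted for that port
    baseline: Dict[int, Tuple[str, str]] = field(default_factory=dict)

    def observe(self, obs: Observation) -> List[str]:
        """Return alert strings for this observation; empty if nothing changed."""
        alerts: List[str] = []
        if obs.ip is None:
            # Nothing to compare against. Leave the baseline untouched: a host
            # that goes quiet is exactly what 795.3 warns a spoofer could do.
            alerts.append(f"port {obs.port}: node {obs.mac} gave no IP, binding unverifiable")
            return alerts
        prev = self.baseline.get(obs.port)
        if prev is None:
            # First sighting on this port: learn the binding, no alert.
            self.baseline[obs.port] = (obs.mac, obs.ip)
            return alerts
        old_mac, old_ip = prev
        if obs.mac != old_mac:
            alerts.append(f"port {obs.port}: MAC changed {old_mac} -> {obs.mac}")
        if obs.ip != old_ip:
            alerts.append(f"port {obs.port}: IP changed {old_ip} -> {obs.ip} (possible spoofing)")
        # Accept the new binding so each change is reported once, not forever.
        self.baseline[obs.port] = (obs.mac, obs.ip)
        return alerts


def demo() -> List[str]:
    """Run a constructed sequence of observations and collect every alert raised."""
    mon = BindingMonitor()
    seq = [
        Observation(1, "08-00-2b-aa-bb-cc", "16.1.1.5"),   # learned
        Observation(1, "08-00-2b-aa-bb-cc", "16.1.1.5"),   # unchanged
        Observation(1, "08-00-2b-aa-bb-cc", "16.1.1.99"),  # same MAC, new IP
        Observation(1, "08-00-2b-aa-bb-cc", None),         # node stays silent
    ]
    return [a for obs in seq for a in mon.observe(obs)]
```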