Date:      Fri, 24 Nov 1995 06:40:17 -0800
From:      "Jordan K. Hubbard" <jkh@time.cdrom.com>
To:        security@freebsd.org
Subject:   I wonder how much trouble something like this would be to do? :)
Message-ID:  <1867.817224017@time.cdrom.com>

Someone sent me this.  It sounds like "one of those really simple
engineering ideas that marketing got ahold of and hyped the heck
outta" but still - I can think of more than a few MIS managers who'd
just eat this up.

					Jordan
----
UG565-07 DEC's SECURE INTERNET ROUTE
         
Tunneling - transporting data from one point to another 
encapsulated in wrapper packets - is a networking technique 
that's been around for some years. Claiming to have its neck 
ahead of the pack, Digital Equipment Corp says its Internet 
Tunnel has extended this capability to provide encryption and 
authentication technologies for the Internet enabling corporate 
data to be transmitted securely over the net (UX No 562). Digital 
Internet Tunnel uses a regular Internet Protocol (IP) jacket, 
encrypted and encapsulated inside a TCP/IP packet. The source and 
destination IP applications work as normal, but data on the 
network between the two tunnel servers appears scrambled. When a 
client wants to initiate a connection with an Internet Group 
Tunnel server, a connection request is sent over the network. The 
connection request message contains an identification message 
that is encrypted by the client with the server's public key, and 
then decrypted by the server with its own private key. The 
server's database contains a list of clients that are authorised 
to establish tunnels. If and when the request has been granted, 
the tunnel server sends a response encrypted using the client's 
public key, which is then decrypted by the client using its 
private key. After the authentication session, the two parties 
exchange portions of a session key, which is then combined to 
form a secret session key. DEC uses the encryption technology, 
devised by Rivest, Shamir and Adleman, known as RSA. Versions 
for the US and Canada use a 128-bit RC4 key, international 
versions (because of US government restrictions) a 40-bit version 
only. The session key is changed periodically to enhance 
security. The tunnel comes in two flavours, the Group tunnel and 
the Personal tunnel. The Group tunnel software runs on Digital 
Unix, with a SLIP (Serial Line Internet Protocol), PPP (Point-to-
Point Protocol), Ethernet or FDDI (Fibre Distributed Data 
Interface) connection. It manages the construction and operation 
of tunnels from other tunnel servers. Performance is based on 
system configuration and end-to-end network throughput; DEC 
claims to support up to 512 tunnel connections. The 
authentication key generation and management software is included 
with the Tunnel product. Personal Tunnel software installed on a 
PC must have Windows 95 TCP/IP software active, connected to a 
network with connectivity and using a valid IP address for the 
local subnet. Personal Tunnel includes a Win32 Windows-based 
application to enable the request, operation and management of an 
encrypted tunnel. The Internet Tunnel is meant to complement 
firewall products, and unlike other tunnel products is said to be 
firewall-independent. DEC reckons its tunneling technology 
differs from router and firewall vendors because it offers 
connections from home or mobiles to the corporate network, 
whereas routers only provide a single private data circuit and do 
not support end-to-end or trans-Internet privacy. Firewall 
tunneling products require the use of their tunnels at both ends, 
since interoperability standards don't exist, says the company. 
DEC says its approach also wins out over Netscape's SSL (Secure 
Sockets Layer) protocol, which also uses RSA encryption, because 
it's used at a different level of the IP stack. SSL encrypts 
information for applications, while tunnels establish a link for 
all connections between two networks. With Netscape, applications 
that need to encrypt a specific session, such as Web browsers, 
Telnet or FTP, must be modified to enable the request for an 
encrypted link. In contrast, Digital Internet tunnel applications 
are not modified, it says, and all the traffic between the 
tunnels is encrypted. The international version is due next 
month. Prices start at $10,000 on Digital Unix, where it comes 
with DEC's own Firewall Unix, and $3,600 on PCs.
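A toy model of the handshake the article describes, added here as an illustration and not DEC's code: textbook RSA built from known Mersenne primes stands in for the product's key material, the server's authorised-client database is assumed to map a client identifier to its public key, and the two exchanged key portions are simply concatenated into the 128-bit RC4 key (the article gives no wire format, so message layout and ordering are modelling choices).

```python
import os

E = 65537  # public exponent shared by both toy key pairs

def rsa_keypair(p, q):
    """Textbook RSA (no padding) from two given primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa_encrypt(pub, data):          # data is exactly 8 bytes, so always < n
    return pow(int.from_bytes(data, "big"), pub[1], pub[0])

def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0]).to_bytes(8, "big")

def rc4(key, data):
    """RC4 keystream XOR, the bulk cipher named in the article."""
    S, j = list(range(256)), 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def handshake(client_id, client_keys, server_keys, authorised, rand=os.urandom):
    """Model of the described exchange; returns the 128-bit key each side
    derives, or None when the server's database does not list the client."""
    client_pub, client_priv = client_keys
    server_pub, server_priv = server_keys
    # 1. connection request: identification encrypted under the server's public key
    ident = rsa_decrypt(server_priv, rsa_encrypt(server_pub, client_id))
    # 2. server consults its list of authorised clients (assumed: id -> public key)
    if authorised.get(ident) != client_pub:
        return None
    # 3. granted: the server's response goes under the client's public key and the
    #    two sides exchange key portions, which are combined into the session key
    server_half, client_half = rand(8), rand(8)
    at_client = client_half + rsa_decrypt(client_priv, rsa_encrypt(client_pub, server_half))
    at_server = rsa_decrypt(server_priv, rsa_encrypt(server_pub, client_half)) + server_half
    return at_client, at_server

# Known Mersenne primes stand in for real key material (constructed, toy-sized)
SERVER_KEYS = rsa_keypair(2**31 - 1, 2**61 - 1)
CLIENT_KEYS = rsa_keypair(2**19 - 1, 2**89 - 1)
DATABASE = {b"jkh-home": CLIENT_KEYS[0]}   # constructed authorised-client list
```

Once `handshake` returns matching keys, `rc4(key, payload)` on each side models the scrambled traffic between the two tunnel servers; a client identifier absent from `DATABASE` is refused before any key material is exchanged.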