Date:      Tue, 07 Sep 1999 01:17:39 -0700
From:      dmp@aracnet.com
To:        Mike Nowlin <mike@argos.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Layer 2 ethernet encryption?
Message-ID:  <37D4CA23.6A64FCAC@aracnet.com>
References:  <Pine.LNX.4.05.9909070210440.3318-100000@jason.argos.org>

Mike Nowlin wrote:
> > The network in question doesn't use IP-based routing.
> >
> > > If you are doing this for a local LAN, I suggest you have bigger
> > > problems :)
> >
> > You're right, I do have bigger problems.  Like deep paranoia among
> > the users of the LAN.
> 
> I'm having trouble grasping the idea behind this...  Generally speaking,
> even if you couldn't see the IP src and dst addrs for a packet (as if they
> were encrypted), you could still see the ethernet addresses, and those are
> almost as good when it comes to local networks.  Anybody with half a clue
> could figure out which ethernet addresses match up to which machines and
> their uses.

True, you can determine which hardware devices are sending and
receiving the traffic, but with layer 3 encrypted, that's all you can
see.  You wouldn't be able to determine which IP or port the packet
is coming from or going to, not even if it's IP traffic or not.

> As far as the paranoia, it sounds like your users know enough to be
> dangerous, but don't really understand the problem.  Marketing people,
> perhaps?  :)

We got rid of the marketing people last year when we determined that
the ability for our organization to pander to the general public was
a security risk.  :)

> Assuming someone has physical access to something (the ethernet) that
> carries traffic they're not supposed to see (like the packets in
> question), there's little you can do to ensure that somebody can't figure
> out a way around your security.  If that isn't enough, you start looking
> into managed switches, locked server rooms, and (if all else fails) a new
> profession.

In order:

A machine on the network can't see any other machine other than its
firewall interface until the DC authorizes its presence.

Managed switches aren't used, we haven't found one that can provide
a high enough level of security.

The server rooms already are locked.

A new profession?  I hope you're kidding.  :-)
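To make the point raised above concrete, here is an added Python illustration (not code from this thread or from FreeBSD) that parses two constructed Ethernet frames, one carrying cleartext IPv4/TCP and one carrying an opaque encrypted payload, and reports what a passive listener on the same segment can recover from each. The EtherType used for the encrypted frame and the sample MAC/IP values are assumptions chosen for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
# Hypothetical EtherType for the encrypted-payload frames; a real deployment
# would use whatever its link-layer encryption scheme defines.
ETHERTYPE_ENCRYPTED = 0x88B5

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def observable_fields(frame: bytes) -> dict:
    """What a passive listener on the same Ethernet segment can read from one
    frame: always both MAC addresses and the EtherType; IP addresses, protocol
    and ports only when the layer-3 payload is cleartext IPv4."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": _mac(frame[:6]), "src_mac": _mac(frame[6:12]), "ethertype": etype}
    if etype != ETHERTYPE_IPV4:
        return info  # opaque payload: nothing above layer 2 is recoverable
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    info["proto"] = ip[9]
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP: ports follow the IP header
        info["src_port"], info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info

# --- constructed sample frames (not captured traffic) ---
SRC_MAC = bytes.fromhex("02000000000a")
DST_MAC = bytes.fromhex("02000000000b")

def ipv4_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr

def encrypted_frame(ciphertext: bytes) -> bytes:
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_ENCRYPTED) + ciphertext

CLEARTEXT = ipv4_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 22)
# stand-in for the same packet after layer-3 encryption (fixed bytes, not real ciphertext)
ENCRYPTED = encrypted_frame(bytes(range(60)))

if __name__ == "__main__":
    for name, f in (("cleartext", CLEARTEXT), ("encrypted", ENCRYPTED)):
        print(name, observable_fields(f))
```

The encrypted frame still yields both MAC addresses, which is exactly the residual exposure the thread describes; only the IP addresses, protocol and ports disappear.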
