home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
OS/2 Shareware BBS: 16 Announce
/
16-Announce.zip
/
NWSEC.ANN
< prev
next >
Wrap
Text File
|
1992-10-23
|
6KB
|
115 lines
IBM LAN Systems Statement on LAN Protocol Integrity
14 October 1992
Recently a Netware users' group in the Netherlands announced that it
had successfully breached Netware security. Novell subsequently
issued a press release acknowledging the attack and noting that the
same kind of attack can be performed against LANs based on the
Microsoft LAN Manager protocols, including the IBM LAN Server.
Because this kind of attack requires both specialized software and
specialized knowledge of LAN protocols, and because unauthorized access
to the physical LAN cabling is difficult in many customer environments,
the existence of this attack represents a very small risk in the majority
of installed LAN environments.
With appropriate equipment and software and a good understanding of the
appropriate protocols it is in fact possible to perform this kind
of attack in a LAN Manager or LAN Server network, although IBM is not
aware that any incident of this kind has actually occurred, and the
attack is not simple to perform.
The attack exploits the lack of cryptographic message integrity in
today's LAN protocols, which were designed to assume a reasonable
level of physical network security.
For customers or environments which require a higher level of security,
attacks of this nature can be prevented by insuring that "counterfeit
packets" cannot be introduced into the LAN. IBM has several products
available which customers can use to protect their networks -- both
Netware and LAN Server -- and their users' data against this kind of
attack. The attachment (pages 2 and 3) describes several protection
options available today.
IBM has announced that it will incorporate elements of the OSF
Distributed Computing Environment (DCE), including the Security and
Authenticated RPC components, into its LAN Systems solutions on
OS/2 and AIX. Applications based on Authenticated RPC can be
protected against counterfeit packet attacks by using RPC's
packet-integrity or packet-privacy modes. No additional hardware
or software (beyond the DCE services) is required to provide this
level of protection for DCE Authenticated-RPC-based services.
Protection Available Today
1. Controlling access to the network
The IBM 8230 Controlled Access Unit, in conjunction with the IBM LAN
Network Manager program, can be used to protect a token-ring network
against the introduction of unauthorized adapter cards into a network.
Use of the 8230 and LAN Network Manager, together with a reasonable
level of workstation security (power-on passwords and keyboard lock
programs, for example) will prevent counterfeit-packet attacks against
a token-ring network by individuals who do not have authorized access
to a known workstation.
An equivalent level of protection against unauthorized adapter card
access to an Ethernet LAN, or to a mixed Token-Ring/Ethernet LAN, can
be provided by the IBM 8250 Multiprotocol Intelligent Hub and its
management modules (The Advanced Ethernet Management Module and the
Basic Token-Ring Management Module).
The 8230 and 8250 products and their associated management software
can be used with any LAN server protocol (Netware, LAN Manager, LAN
Server, TCP/IP, etc...).
The protection described above can be combined with periodic software
audits of known workstations to insure that the tools necessary to
generate counterfeit packets are not available except to trusted users.
2. Encrypting traffic on LAN links
Third-party link encryption products (for example, encrypting LAN
adapters) can be used to provide cryptographic integrity and/or
confidentiality protection. Link encryption traffic on each network
link prevents attackers from introducing counterfeit packets into
a network.
3. Protecting data
The IBM Transaction Security System (TSS) can be used by LAN-based
applications to protect the confidentiality and integrity of data
passed between user workstations and LAN servers.
To protect data on a LAN using TSS, it is necessary to
* Install an IBM 4755 Cryptographic Adapter on each workstation from
which protected data will be accessed. Optionally (if it is not
feasible or desirable to store data at the server in encrypted
form), install an IBM 4755 Cryptographic Adapter on each LAN
server which will store protected data.
* Administer cryptographic keys for each workstation and server
through the IBM Common Cryptographic API ("CCA").
* Modify LAN applications to use the cryptographic facilities of the
4755 through the IBM CCA to generate Message Authentication Codes
("MACs", for integrity protection) or to encrypt data (for privacy
protection) before passing the data into the LAN file system
interface, and to check MACs or decrypt data when accepting data
from the LAN file system interface.
The IBM 4755 Cryptographic Adapter can be used with any LAN server
protocol (Netware, LAN Server, LAN Manager, TCP/IP, etc...). Both
Family 1 ("ISA") and Family 2 (Microchannel) versions of the 4755 are
available, and each family version is available in a full-DES and a
limited-DES-function (easier to export to non-US, non-financial
industry customers) configuration. All versions and configurations
of the adapter support generation of Message Authentication Codes.
Limited-DES-function configurations of the 4755 do not support
encryption for user data privacy protection.