Bob Dew says:
> Mainframes, being what they are, don't allow users root access and
> generally have enough political clout to justify a unique subnet number.
> The private subnet prevents other hosts from imitating the mainframe's
> IP conversations,
Huh? What would make you think this?
Everyone on this list should get through their heads that wires are
insecure, and that anyone can forge packets. Data going over a wire
without cryptographic authentication is always insecure, barring
complete physical control over the entire line at all times. Few sites
can afford to place an armed guard every five feet. Most sites have a
PC here and there already on their networks. Intelligent users abound.
I remember how we didn't take X security seriously around here ("none
of our users could know how to tap X sessions" was the attitude) until
someone posted an X keystroke recorder to the net, and some of our
users started fooling around with it. There are a dozen packages out
there that could be modified very easily to allow anyone who's got a
link to your ethernet to start spoofing you in a big way. "private
subnet numbers" mean squat. A "private subnet number" is as easy to
stick into an IP header as any other number. Bits are bits are bits.
> If the authenticating AFS client, the
> "remote executor", is physically secured and configured so that it is
> protected from remote network access,
Nothing will prevent spoofing by a determined attacker other than
cryptographic techniques. NOTHING. If you accept datagrams over a
network for which you do not have absolute control over every machine
and every inch of network line, you cannot trust the network.
Recently, we've been having trouble with internal mainframe types who
don't think they need cryptographic techniques because they have RACF.
They don't understand that networks are almost inherently insecure
without cryptography and that they can't automatically trust what
another machine claims.
> For added security, you could
> place the AFS executor right next to the mainframe, on the same private
> subnet, where you could keep an eye on it, and the router that its
> it's connected to.
It might take a little more work, but I suspect I can spoof even that,
from another network, with a few well placed ICMP messages and some
tricky packet forging.
Perry
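The point Perry is making above can be shown in a few lines. The following is an added illustration, not code from the original message or from any AFS, RACF or mainframe software: a toy in-memory datagram format with a claimed source address field, a sequence number, a payload and a tag. The shared key, the subnet prefix and the message layout are all constructed for the example. The receiver that trusts the "private subnet" address accepts a datagram built without the key just as readily as the genuine one; the receiver that checks an HMAC under a key only the two endpoints hold rejects it. The sequence-number check goes slightly beyond the thread, since a MAC alone does not stop a captured genuine datagram from being replayed.

```python
import hashlib
import hmac

# Constructed shared secret between the two endpoints (assumption: it was
# provisioned out of band; a real deployment never hard-codes a key like this).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# The "private subnet" the thread talks about. Any host on the wire can write
# such an address into a header, so the address alone proves nothing.
PRIVATE_SUBNET_PREFIX = "10.9.8."

TAG_LEN = 64  # length of a hex-encoded HMAC-SHA256 tag


def build_datagram(src, seq, payload, key=None):
    """Return bytes laid out as src|seq|payload|tag.  With key=None the tag
    is all zeros, which is what an unauthenticated (or forged) datagram
    looks like to the receiver."""
    body = b"|".join([src.encode(), str(seq).encode(), payload])
    if key is None:
        tag = b"0" * TAG_LEN
    else:
        tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def parse_datagram(datagram):
    """Split a datagram back into its fields; the payload may itself
    contain '|' because the tag is split off from the right first."""
    body, tag = datagram.rsplit(b"|", 1)
    src, seq, payload = body.split(b"|", 2)
    return src.decode(), int(seq), payload, body, tag


def accept_by_address(datagram):
    """The policy the post argues against: trust anything whose header
    claims an address on the private subnet."""
    src, _, _, _, _ = parse_datagram(datagram)
    return src.startswith(PRIVATE_SUBNET_PREFIX)


class AuthenticatedReceiver:
    """Accept a datagram only if its HMAC verifies under the shared key and
    its sequence number is higher than the last one accepted from that
    source, so a captured genuine datagram cannot simply be played back."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def accept(self, datagram):
        src, seq, payload, body, tag = parse_datagram(datagram)
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the check itself leaks nothing useful.
        if not hmac.compare_digest(tag, expected):
            return False
        if seq <= self.last_seq.get(src, -1):
            return False
        self.last_seq[src] = seq
        return True


def demo():
    """Run the cases the thread discusses and return the verdicts."""
    mainframe = "10.9.8.1"  # constructed address on the "private subnet"
    genuine = build_datagram(mainframe, 1, b"status: ok", SHARED_KEY)
    # Built by some other host on the wire: correct-looking header, no key.
    forged = build_datagram(mainframe, 2, b"status: ok", None)
    # Built with a guessed key: still fails verification.
    wrong_key = build_datagram(mainframe, 3, b"status: ok", b"wrong-guess")
    rx = AuthenticatedReceiver(SHARED_KEY)
    return {
        "genuine_by_address": accept_by_address(genuine),
        "forged_by_address": accept_by_address(forged),
        "genuine_by_mac": rx.accept(genuine),
        "forged_by_mac": rx.accept(forged),
        "wrong_key_by_mac": rx.accept(wrong_key),
        "replay_by_mac": rx.accept(genuine),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows the address check accepting both the genuine and the forged datagram, while the MAC check accepts only the genuine one and rejects the forgery, the wrong-key attempt and the replay. The toy omits what a real design also needs (key distribution, key rotation, and a per-source window rather than a strictly increasing counter if datagrams can arrive out of order), but the contrast between the two receivers is the whole argument of the post.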