>One other possibility to keep people from using their machine to scarf packets
>from the network is to use a network card that provides access
>control between host systems (which hosts can talk to which hosts) and
>also encrypts all transfers on the network. Such a beast has been around for
>a few years (since 1985) and has been evaluated by NSA as a B2 level
>It's not cheap (about 1K per network board) so it
>might be overkill for some/most commercial situations but if you REALLY WANT
>TO BE SURE that a user can't sit back in his PC, SUN, MAC, etc. and soak up
>everything on your network then this is for you.
Have been evaluating similar things and have come to the conclusion that it is
not cost effective on a per-node basis. Per subnet it makes a lot more sense
so I have been examining assigning subnets along project/department/workgroup
lines where the individual nodes are trusted by each other and protecting the
connections to be backbone.
For a large installation like ours, equipping individual entities with
firewall/filter/encryption capabilities makes sense in the macro. *Not*
having to specially equip every node makes cents in the micro. Win-Win
and *lots* easier to troubleshoot.
Of course what we *really* need is a $25.00 encryption add-in that can be
plugged into the Boot-P ROM socket...