On Fri, 31 Mar 1995, Jimmy Brown wrote:
> I suspect this has been discussed in extreme detail, but I am
> new to the list so I'll ask anyways. :>
>
> I know how to allow specific unsecure sites telnet access
> to my firewall. The problem of course is, that they will be
> passing their username/passwords across the unsecure net
> for anybody to sniff. What are ways to address this
> and where do I go for more info? Are there any commercial
> products that provide this?
>
> What is the best way to encrypt TCP/IP traffic between one
> site and another on the Internet? Essentially I want
> to tunnel all traffic coming out of one site bound
> for another site into an encrypted stream to provide
> some modicum of security. Is this feasible?
>
> Thx for any suggestions.
>
> Jimmy
> _________
> ___jnb___
>
>
Jimmy:
There are 2 attractive approaches that I can think of. The most
sophisticated is to set up an "encrypted tunnel" through the
Internet. This could be done by using encrypting routers. These
routers would need to be carefully set up and administered so
that they recognize one another and so that packets sent between
them are encrypted. I know there are several vendors that make
or enhance routers to support this kind of thing, and I suspect
one or more of them will dive into this discussion to help you
out.
The other technique is to provide non-replayable authentication.
The Internet has given birth to at least 3 protocols that support
this kind of thing. One of them, called "TACACS" is very widely
deployed (although not so widely used) because it is found in
every Cisco router and Cisco comm server, as well as the routers
or comm servers of several other vendors. It has been standardized
via Internet RFC 1492. Another protocol that is becoming very
popular and has earned a lot of support lately is called "RADIUS".
It is published as an Internet-draft. A third protocol, published
by my company, is called "EASSP", for "Enhanced Authentication and
Single Signon Protocol". All 3 of these can be used to interface
your users' logon procedures with a "one-time password" system
where users don't know their own passwords. Instead, they learn them
as they are needed by reading them from the display of a handheld
"super smart-card" authenticator that looks like a credit-card
calculator.
You can learn all about these protocols and the authenticators from
more than half a dozen vendors that work with software from my company
by consulting our anonymous ftp archives. You'll find copies of the
standards documents defining the protocols, as well as demonstration
copies of our network authentication software. (It's commercial
software that you'll have to purchase if you keep it.)
Our archives are at:
ftp.netcom.com /pub/sa/safeword
Get the "readme.001" file first. From the information in your
posting above, it appears to me that you might find the following
areas especially useful:
/pub/sa/safeword/clients/pubs/flattext/ascii/eassp
/pub/sa/safeword/clients/pubs/flattext/ascii/radius
/pub/sa/safeword/clients/pubs/flattext/ascii/tacacs
/mkt/animated/tutorials/grasp/sas1
/pub/sa/safeword/examples.txt
I hope this helps.
Bob Bosen
Enigma Logic Inc.
2151 Salvio St. #301
Concord, CA 94520
USA
Tel: +1 510 827-5707
Internet: bbosen@netcom.com
anonymous ftp archives: ftp.netcom.com /pub/bb/bbosen/Enigma read.me
also: (bigger archives) ftp.netcom.com /pub/sa/safeword readme.001
**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!" *
**************************************************************************
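The "non-replayable authentication" idea above, as an added worked example that is not part of the original posting and is not Enigma Logic's, TACACS's, RADIUS's or EASSP's code: a counter-based one-time password in the style of HOTP (RFC 4226), with a handheld-style token that generates the next password and a server that accepts each value only once. The secret, user name and the five-step look-ahead window are constructed for the demonstration; the point it makes is that a password sniffed on the insecure network is useless to the attacker who replays it.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Stands in for the handheld authenticator: it holds a shared secret and
    a counter, and the user reads each password off it as it is needed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        pw = hotp(self.secret, self.counter)
        self.counter += 1          # the token never shows the same value twice
        return pw


class AuthServer:
    """Verifier: remembers the highest counter it has accepted per user and
    refuses anything at or below it, so a sniffed password cannot be replayed.
    `window` (constructed value) tolerates a few passwords the user generated
    but never submitted, e.g. a mistyped logon."""

    def __init__(self, window: int = 5):
        self.users = {}            # username -> [secret, last accepted counter]
        self.window = window

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = [secret, -1]

    def verify(self, user: str, password: str) -> bool:
        if user not in self.users:
            return False
        secret, last = self.users[user]
        for c in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(secret, c), password):
                self.users[user][1] = c   # burn this and every earlier counter
                return True
        return False


def demo() -> tuple:
    """Legitimate logon, sniffer replay of the same password, next logon,
    and a logon after one generated password was never used."""
    secret = b"constructed-demo-secret"      # constructed, not a real key
    token = Token(secret)
    server = AuthServer()
    server.enroll("jimmy", secret)

    pw = token.next_password()
    first = server.verify("jimmy", pw)       # genuine user logs in
    replay = server.verify("jimmy", pw)      # attacker replays sniffed value
    following = server.verify("jimmy", token.next_password())
    token.next_password()                    # generated but never submitted
    skipped = server.verify("jimmy", token.next_password())
    return first, replay, following, skipped


if __name__ == "__main__":
    print(demo())
```

The server stores the shared secret, so protecting that store (and the channel between the firewall and the authentication server, which TACACS, RADIUS and the like carry) is what keeps the scheme sound; a leaked secret lets an attacker compute every future password.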