From owner-freebsd-security Fri Nov 24 08:45:26 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id IAA02734 for security-outgoing; Fri, 24 Nov 1995 08:45:26 -0800
Received: from kilgour.nething.com (kilgour.nething.com [204.253.210.65]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA02718 for ; Fri, 24 Nov 1995 08:45:21 -0800
Received: from randy.nething.com (randy.nething.com [204.253.210.83]) by kilgour.nething.com (8.6.11/8.6.9) with SMTP id KAA26846; Fri, 24 Nov 1995 10:44:06 -0600
Date: Fri, 24 Nov 1995 10:44:06 -0600
Message-Id: <199511241644.KAA26846@kilgour.nething.com>
X-Sender: rberndt@nething.com
X-Mailer: Windows Eudora Version 2.1.1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Jordan K. Hubbard" , security@FreeBSD.ORG
From: Randy Berndt
Subject: Re: I wonder how much trouble something like this would be to do? :)
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Wow, only $3,600 for the PC version. I wonder if DEC has looked on the
ftp site ftp.cs.hut.fi:/pub/ssh for the ssh program, which does much the
same thing for telnet, rlogin type stuff for FREE.

At 06:40 AM 11/24/95 -0800, Jordan K. Hubbard wrote:
>Someone sent me this. It sounds like "one of those really simple
>engineering ideas that marketing got ahold of and hyped the heck
>outta" but still - I can think of more than a few MIS managers who'd
>just eat this up.
>
> Jordan
>----
>UG565-07 DEC's SECURE INTERNET ROUTE
>
>Tunneling - transporting data from one point to another
>encapsulated in wrapper packets - is a networking technique
>that's been around for some years. Claiming to have its neck
>ahead of the pack, Digital Equipment Corp says its Internet
>Tunnel has extended this capability to provide encryption and
>authentication technologies for the Internet, enabling corporate
>data to be transmitted securely over the net (UX No 562).
>
>Digital Internet Tunnel uses a regular Internet Protocol (IP)
>jacket, encrypted and encapsulated inside a TCP/IP packet. The
>source and destination IP applications work as normal, but data
>on the network between the two tunnel servers appears scrambled.
>When a client wants to initiate a connection with an Internet
>Group Tunnel server, a connection request is sent over the
>network. The connection request message contains an
>identification message that is encrypted by the client with the
>server's public key, and then decrypted by the server with its
>own private key. The server's database contains a list of
>clients that are authorised to establish tunnels. If and when
>the request has been granted, the tunnel server sends a response
>encrypted using the client's public key, which is then decrypted
>by the client using its private key. After the authentication
>session, the two parties exchange portions of a session key,
>which are then combined to form a secret session key. DEC uses
>the encryption technology devised by Rivest, Shamir and Adleman,
>known as RSA. Versions for the US and Canada use a 128-bit RC4
>key, international versions (because of US government
>restrictions) a 40-bit version only. The session key is changed
>periodically to enhance security.
>
>The tunnel comes in two flavours, the Group tunnel and the
>Personal tunnel. The Group tunnel software runs on Digital Unix,
>with a SLIP (Serial Line Internet Protocol), PPP (Point to Point
>Protocol), Ethernet or FDDI (Fibre Distributed Data Interface)
>connection. It manages the construction and operation of tunnels
>from other tunnel servers. Performance is based on system
>configuration and end-to-end network throughput; DEC claims to
>support up to 512 tunnel connections. The authentication key
>generation and management software is included with the Tunnel
>product.
>
>Personal Tunnel software installed on a PC must have Windows 95
>TCP/IP software active, connected to a network with connectivity
>and using a valid IP address for the local subnet. Personal
>Tunnel includes a Win32 Windows-based application to enable the
>request, operation and management of an encrypted tunnel.
>
>The Internet Tunnel is meant to complement firewall products,
>and unlike other tunnel products is said to be
>firewall-independent. DEC reckons its tunneling technology
>differs from router and firewall vendors' because it offers
>connections from home or mobiles to the corporate network,
>whereas routers only provide a single private data circuit and
>do not support end-to-end or trans-Internet privacy. Firewall
>tunneling products require the use of their tunnels at both
>ends, since interoperability standards don't exist, says the
>company.
>
>DEC says its approach also wins out over Netscape's SSL (Secure
>Sockets Layer) protocol, which also uses RSA encryption, because
>it's used at a different level of the IP stack. SSL encrypts
>information for applications, while tunnels establish a link for
>all connections between two networks. With Netscape, applications
>that need to encrypt a specific session, such as Web browsers,
>Telnet or FTP, must be modified to enable the request for an
>encrypted link. In contrast, Digital Internet Tunnel applications
>are not modified, it says, and all the traffic between the
>tunnels is encrypted. The international version is due next
>month. Prices start at $10,000 on Digital Unix and come with
>DEC's own Firewall Unix, $3,600 on PCs.
>

Randy Berndt
----------------------------------
AOS/VS, FreeBSD, DOS: I'm caught in a maze of twisty little
command interpreters, all different.
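The client/server exchange the quoted write-up describes, as an added example that is not part of the original message and not Digital's code: identification under the server's public key, a lookup in the server's authorisation database, a reply under the client's public key, two key halves combined into an RC4 session key of either the US (128-bit) or export (40-bit) size, and periodic re-keying. The Go standard library's crypto/rsa and crypto/rc4 stand in for DEC's implementations. RSA-OAEP padding, SHA-256 as the rule for combining the halves, the re-key schedule, the client name "randy" and the contents of the authorisation database are all assumptions made here; the packets are constructed.

```go
package main

// Added model of the client/server exchange in the quoted DEC Internet Tunnel
// write-up; not Digital's code. RSA-OAEP padding, SHA-256 as the rule for
// combining the two key halves and the re-key schedule are assumptions.

import (
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const (
	KeyBytesUS     = 16 // 128-bit RC4 key, US/Canada version
	KeyBytesExport = 5  // 40-bit RC4 key, international version
	rekeyAfter     = 3  // packets between session-key changes (assumed)
)

// must panics on errors from calls that cannot fail with valid input here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// RandyKey is the key pair the server's database holds for client "randy".
var RandyKey = NewKey()

// endpoint is one end of the tunnel: RSA key, own key half, RC4 state, counter.
type endpoint struct {
	priv   *rsa.PrivateKey
	half   []byte
	key    []byte
	stream *rc4.Cipher
	count  int
}

// setKey combines the halves into an n-byte key (assumed rule) and restarts RC4.
func (e *endpoint) setKey(clientHalf, serverHalf []byte, n int) {
	sum := sha256.Sum256(append(append([]byte{}, clientHalf...), serverHalf...))
	e.key, e.stream, e.count = sum[:n], must(rc4.NewCipher(sum[:n])), 0
}

// tunnel XORs one packet with the keystream (RC4 is symmetric: the same call
// encrypts going in and decrypts coming out) and derives a fresh session key
// every rekeyAfter packets; both ends must count identically to stay in step.
func (e *endpoint) tunnel(packet []byte) []byte {
	out := make([]byte, len(packet))
	e.stream.XORKeyStream(out, packet)
	if e.count++; e.count == rekeyAfter {
		e.setKey([]byte("rekey"), e.key, len(e.key)) // next key from the current one
	}
	return out
}

// RunTunnel runs the handshake for a client claiming claimedID and holding
// cliKey against a server whose database authorises only "randy" (RandyKey),
// pushes packets client->server and returns what the server recovers.
// keyBytes is the US (16) or export (5) RC4 key size.
func RunTunnel(keyBytes int, claimedID string, cliKey *rsa.PrivateKey, packets [][]byte) ([][]byte, error) {
	srv := &endpoint{priv: NewKey(), half: make([]byte, 32)}
	cli := &endpoint{priv: cliKey, half: make([]byte, 32)}
	must(rand.Read(srv.half))
	must(rand.Read(cli.half))
	authorized := map[string]*rsa.PublicKey{"randy": &RandyKey.PublicKey}

	// 1. client -> server: identification message under the server's public key
	req := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.priv.PublicKey, []byte(claimedID), nil))
	// 2. server decrypts it with its private key and consults its client database
	id := must(rsa.DecryptOAEP(sha256.New(), nil, srv.priv, req, nil))
	cliPub, ok := authorized[string(id)]
	if !ok {
		return nil, fmt.Errorf("client %q not in authorisation database", id)
	}
	// 3. server -> client: its key half under the client's public key, which
	//    only the holder of that client's private key can read
	reply := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, cliPub, srv.half, nil))
	serverHalf, err := rsa.DecryptOAEP(sha256.New(), nil, cli.priv, reply, nil)
	if err != nil {
		return nil, fmt.Errorf("client cannot read server reply: %w", err)
	}
	// 4. client -> server: its own key half under the server's public key
	halfCT := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.priv.PublicKey, cli.half, nil))
	clientHalf := must(rsa.DecryptOAEP(sha256.New(), nil, srv.priv, halfCT, nil))
	// 5. both sides combine the halves into the secret session key
	cli.setKey(cli.half, serverHalf, keyBytes)
	srv.setKey(clientHalf, srv.half, keyBytes)

	var got [][]byte
	for _, p := range packets { // 6. tunnelled packets; applications see plain IP
		got = append(got, srv.tunnel(cli.tunnel(p)))
	}
	return got, nil
}
```

Two failure modes fall out of the description as modelled: a name that is not in the server's database is refused at step 2, and a client that claims an authorised name but does not hold that client's private key cannot read the reply at step 3, so it never learns the server's half. The key-size constant only changes how many bytes of the combined hash become the RC4 key; the 40-bit export key leaves a key space of 2^40, which is the whole difference between the two versions. The model sends packets in one direction only; a real tunnel would need a separate keystream per direction, since reusing an RC4 keystream for both directions leaks the XOR of the two plaintexts.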