
Editorial
Jane C. Blake, Managing Editor
Helen L. Patterson, Editor
Kathleen M. Stetson, Editor

Circulation
Catherine M. Phillips, Administrator

Production
Christa W. Jessico, Production Editor
Elizabeth McGrail, Typographer
Peter R. Woodbury, Illustrator

Advisory Board
Samuel H. Fuller, Chairman
Scott E. Cutler
Thomas F. Gannon
Donald Z. Harbert
Richard J. Hollingsworth
James E. Kuenzel
William A. Laing
Richard F. Lary
Alan G. Nemeth
Robert M. Supnik

The Digital Technical Journal is a refereed journal published quarterly by Digital Equipment Corporation, 50 Nagog Park, AK02-3/B3, Acton, MA 01720-9843.

Hard-copy subscriptions can be ordered by sending a check in U.S. funds (made payable to Digital Equipment Corporation) to the published-by address. General subscription rates are $40.00 (non-U.S. $60) for four issues and $75.00 (non-U.S. $115) for eight issues. University and college professors and Ph.D. students in the electrical engineering and computer science fields receive complimentary subscriptions upon request. DIGITAL customers may qualify for gift subscriptions and are encouraged to contact their account representatives.

Electronic subscriptions are available at no charge by accessing URL http://www.digital.com/info/subscription. This service will send an electronic mail notification when a new issue is available on the Internet.

Single copies and back issues can be ordered by sending the requested issue's volume and number and a check for $16.00 (non-U.S. $18) each to the published-by address. Recent issues are also available on the Internet at http://www.digital.com/info/dtj.

DIGITAL employees may order subscriptions through Readers Choice at URL http://webrc.das.dec.com or by entering VTX PROFILE at the OpenVMS system prompt.

Inquiries, address changes, and complimentary subscription orders can be sent to the Digital Technical Journal at the published-by address or the electronic mail address, [email protected]. Inquiries can also be made by calling the Journal office at 978-264-7549.

Comments on the content of any paper and requests to contact authors are welcomed and may be sent to the managing editor at the published-by or electronic mail address.

Copyright © 1997 Digital Equipment Corporation. Copying without fee is permitted provided that such copies are made for use in educational institutions by faculty members and are not distributed for commercial advantage. Abstracting with credit of Digital Equipment Corporation's authorship is permitted.

The information in the Journal is subject to change without notice and should not be construed as a commitment by Digital Equipment Corporation or by the companies herein represented. Digital Equipment Corporation assumes no responsibility for any errors that may appear in the Journal.

ISSN 0898-901X
Documentation Number EC-P8429-18
Book production was done by Quantic Communications, Inc.

The following are trademarks of Digital Equipment Corporation: AlphaServer, AlphaStation, AltaVista, DECnet, DIGITAL, the DIGITAL logo, DIGITAL UNIX, and OpenVMS.

BSAFE is a trademark of RSA Data Security, Inc.
cc:Mail is a trademark of cc:Mail, Inc., a wholly owned subsidiary of Lotus Development Corporation.
CRYPTOCard is a registered trademark of CRYPTOCard Corporation.
IBM is a registered trademark of International Business Machines Corporation.
Intel and Pentium are registered trademarks of Intel Corporation.
Macintosh is a registered trademark of Apple Computer, Inc.
Microsoft, Windows, Windows 95, and Windows NT are registered trademarks of Microsoft Corporation.
QuickSwitch is a registered trademark of Quality Semiconductor, Inc.
Rambus is a trademark of Rambus, Inc.
SecureNet Key is a trademark of Digital Pathways, Inc.
SecurID is a registered trademark of Security Dynamics Technologies, Inc.
S/Key is a registered trademark of Bell Communications Research, Inc.
SPEC is a registered trademark of the Standard Performance Evaluation Corporation.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.
WatchWord is a registered trademark of Racal Datacom Ltd.

Cover Design

Tunneling and firewalls are two effective technologies for ensuring secure communications between the public Internet and private networks. Our cover depicts encapsulated and cryptographically secured data as "unreadable" numbers traveling in a protective tunnel until reaching the firewall. The firewall functions as a screen that permits only authorized data to pass into the private network where packets of data can be decrypted with a key that is shared between the sender and the receiver. DIGITAL implementations of a tunnel and a firewall are presented in this issue.

The cover design is by Lucinda O'Neill of the DIGITAL Industrial and Graphic Design Group.

Contents

Foreword
Paul J. Cormier

ALTAVISTA INTERNET SECURITY AND MAIL

The AltaVista Tunnel: Using the Internet to Extend Corporate Networks
Kenneth F. Alden and Edward P. Wobber

Protecting a Private Network: The AltaVista Firewall
J. Mark Smith, Sean G. Doherty, Oliver J. Leahy, and Dermot M. Tynan

Developing Internet Software: AltaVista Mail
Nick Shipman

ALPHA-BASED WORKSTATIONS FOR NT AND UNIX

DIGITAL Personal Workstations: The Design of High-performance, Low-cost Alpha Systems
Kenneth M. Weiss and Kenneth A. House

Design of the 21174 Memory Controller for DIGITAL Personal Workstations
Reinhard C. Schumann

Further Readings

Digital Technical Journal Vol. 9 No. 2 1997

Editor's Introduction

DIGITAL has pioneered many networking developments in its 40-year history. A recent development, AltaVista, has captured the popular imagination, as evidenced by worldwide accesses, averaging 18 million per day, to this Internet search engine. Introduced in 1995, AltaVista indexing of the entire Internet was made possible by 64-bit VLM Alpha technology. The index proceeds today at a pace of more than 6 million pages per day. DIGITAL's Internet developments, however, go well beyond search functions. Business users need greatly improved security and protection to integrate the power of Internet connectivity into their businesses. It is this need that is addressed in the papers on tunnels, firewalls, and electronic mail. Additional papers in the issue feature high-performance, low-cost Alpha microprocessor-based workstations with unique design features, such as a single-chip core logic ASIC.

"Tunnel" and "firewall" are strong metaphors that developers use to connote the kind of security software necessary to protect business communications transmitted over the Internet. Tunneling protects data as it travels in the public Internet by providing secure encapsulation within the standard TCP/IP protocol. However, as Ken Alden and Ted Wobber explain, additional security measures are necessary, specifically, cryptographically secure encapsulated packets. The authors describe how secure network-level routing can be achieved by combining the well-known technologies of tunneling and secure channels. [...] their experiences in deploying the AltaVista Tunnel within DIGITAL.

Once data arrives – almost – at its destination, the firewall is a filtering router that determines which data packets will be allowed to pass from the public to the private network. Mark Smith, Sean Doherty, Ollie Leahy, and Der Tynan compare types of firewalls; describe firewall functions such as alarm systems, authentication, and reporting; and present the design of the AltaVista Firewall for DIGITAL UNIX. The AltaVista Firewall comprises both application-level and packet-filtering functionality and implements the principle "that which is not expressly permitted is denied."

The development of the AltaVista Mail product is presented by Nick Shipman as a case study in the issues facing engineers who design products for business users of the Internet. He relates several of the fundamental assumptions about engineering projects that were overturned by the engineering team; for example, product definition had conventionally started with the technical issues to be addressed and now started instead with a product purchase price. Further, in an effort to ensure product simplicity for the target customer, they imposed the principle of simplicity throughout the project: simplicity in presentation, in design, in methods, and in implementation.

A low-cost, high-performance workstation has been designed by DIGITAL's workstation engineering group. In the first of two papers about the DIGITAL Personal [...] House discuss the primary reasons for initiating a wholly new design: simultaneously to take advantage of new, high-performance memory technologies and to implement at a low cost. A new, low-cost core logic design was needed to function as the CPU-to-memory interface. The result, described by Reinhard Schumann, was the 21174 single-chip core logic ASIC for the Alpha microprocessor. Designers were able to meet their own aggressive performance goals by focusing on reductions in the main memory latency that was attributable to the memory controller subsystem and by using as much of the raw bandwidth of the Alpha 21164 CPU's data bus as possible.

Subjects for papers in the next issue of the Journal include the parallel SCSI technology, shared desktop software, and a high-performance debugger.

Jane C. Blake
Managing Editor