[Info-vax] What would you miss if DECnet got the chop? Was: "bad select 38" (OpenSSL on VMS)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Sep 19 16:28:03 EDT 2016
On 2016-09-19 16:03:57 +0000, Kerry Main said:
> An interesting note on this ..
>
> I was doing a large DC migration last year where the mission critical OS
> was Solaris (some Windows, Linux). They had a huge amount of batch jobs
> (thousands per day) using a commercial scheduler (forget which one).
>
> They were constantly transferring files all over the place internally
> for maint, archiving, reporting and likely a host of other reasons via
> sftp. The sftp pwds were maintained inside the batch jobs. There were a
> number of different application support groups so changes had to be
> coordinated between groups.
>
> They had security policies in place which stated pwds needed to change
> something like every 120 days. It was a horrendous mess as they had to
> go into all of their batch jobs to fix passwords and then coordinate
> with impacted groups on other systems.
>
> While I am sure there must be cleaner ways to do this, there were just
> so many jobs and different groups, that even today, this is their
> reality using TCPIP internally.
>
> The point being that even if it is internal use only, the DECnet proxy
> access is not something to be simply thrown away.
If the site is requiring password changes every four months — at least
some of the standards bodies are finally realizing the problems with
that, and NIST and other entities are finally starting to move away
from that recommendation — and if the site is not already using
certificates or (better) LDAP authentication? Um, okay. If the
folks are actually using hard-coded passwords in shell scripts (I hope
not!), then — sure — DECnet proxies are certainly an appropriate
(equally wonderfully bad) choice.
Absent extenuating circumstances or explicit waivers, I'd seriously
consider removing any security auditor or agency that approved a DECnet
connection in any environment that required security or handled
sensitive data, much less a DECnet connection involving a DECnet proxy
login.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
--
Pure Personal Opinion | HoffmanLabs LLC
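The situation Kerry describes (sftp passwords living inside thousands of batch jobs, so every rotation means editing the jobs) is the kind of thing you want to be able to find before the next 120-day deadline. The following is an added example, not code from either poster: a small POSIX shell scanner that flags the usual ways a password ends up embedded in a job (sshpass, lftp "user,pass" arguments, PASSWORD= assignments, expect scripts answering a password prompt), run against a handful of constructed job scripts. The script names, hostnames, paths and passwords in the fixtures are all made up for the demo; the one job it does not flag shows the shape of the key-based alternative Hoffman is pointing at (sftp with an identity file and a batch file, nothing secret in the job itself).

```shell
#!/bin/sh
# Added example (not from the original post): find batch jobs that carry an
# sftp password inline, and contrast them with a key-based invocation.
# Every file, host, path and password below is constructed for the demo.

# Extended regexes for the common embedded-credential patterns. Deliberately
# tight: no bare PASS= (BYPASS= would trip it) and no generic "password" word.
CRED_PATTERNS='sshpass[[:space:]]+-p|lftp.*-u[[:space:]]+[^,[:space:]]+,|open[[:space:]]+-u[[:space:]]+[^,[:space:]]+,|(PASSWD|PASSWORD)=|expect[[:space:]]+.*[Pp]assword'

# scan_job FILE: print FILE:LINE:TEXT for each hit. Returns 0 when the job is
# clean and 1 when it carries an embedded credential, so it composes with ||.
scan_job() {
    hits=$(grep -nE "$CRED_PATTERNS" "$1") || return 0
    printf '%s\n' "$hits" | sed "s|^|$1:|"
    return 1
}

# count_jobs_with_creds DIR: number of files under DIR that scan_job flags.
count_jobs_with_creds() {
    n=0
    for f in "$1"/*; do
        scan_job "$f" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# make_fixtures: write four constructed jobs into a temp dir and print its path.
# Three embed a password the way the post describes; the fourth uses a key.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/nightly_archive.sh" <<'EOF'
#!/bin/sh
# constructed anti-pattern: password passed on the command line via sshpass
sshpass -p 'Winter2016!' sftp batch@archive.example.internal <<CMDS
put /var/spool/reports/daily.tar.gz
CMDS
EOF
    cat > "$dir/report_push.sh" <<'EOF'
#!/bin/sh
# constructed anti-pattern: lftp user,password argument
lftp -u reports,Summer2016 sftp://reports.example.internal -e "put daily.csv; bye"
EOF
    cat > "$dir/maint_pull.exp" <<'EOF'
#!/usr/bin/expect -f
# constructed anti-pattern: expect script typing the password at the prompt
spawn sftp maint@hosta.example.internal
expect "password:"
send "Spring2016\r"
EOF
    cat > "$dir/keyed_archive.sh" <<'EOF'
#!/bin/sh
# constructed hardened form: identity file + batch file, no secret in the job;
# rotating the key means replacing one file, not editing the job
sftp -o BatchMode=yes -i /etc/batch/keys/archive_ed25519 \
    -b /etc/batch/sftp/archive.batch batch@archive.example.internal
EOF
    echo "$dir"
}

# Stand-alone run: build the fixtures, report which jobs need migrating.
FIXTURES=$(make_fixtures)
for job in "$FIXTURES"/*; do
    scan_job "$job" || echo "  -> $job: move to key-based auth"
done
echo "jobs with embedded credentials: $(count_jobs_with_creds "$FIXTURES")"
rm -rf "$FIXTURES"
```

Point it at the real scheduler's job directory instead of the fixtures and the hit list is your migration backlog; a clean run is also a cheap check to add to whatever process approves new jobs. The patterns are a starting point, not a proof of absence: a password pulled from a sourced file or an environment variable set elsewhere will not show up here.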