[Info-vax] (Hypothetical only) Major new security issue for VAX/Alpha. What do you do ?

Scott Dorsey kludge at panix.com
Sat Sep 24 17:48:25 EDT 2016


Simon Clubley  <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>
>Suppose someone discovers a major security issue in VMS for IA64
>or x86-64 and it turns out to be a common mode vulnerability that
>causes VMS on all architectures (from VAX onwards) to be vulnerable.
>
>Now suppose you have some of these vulnerable VAX or Alpha systems
>in production use (maybe in an emulated environment so you can
>continue to run them as-is without any hardware failure concerns).
>
>Questions:
>
>What would you do to tackle the problem that your old system, which
>is long off software support, now has a major new potential security
>hole in it ?

First, I'd find out what the actual risk is.  If it's an escalation
vulnerability on a machine with only the operator as user and no
outside services other than ssh, I might not worry a bit.  If it's
a network vulnerability on a machine that isn't on the internet or
maybe even not on a private network, I might not worry a bit.  

A vulnerability that is critical on a web server is likely not to be
any serious worry on a factory automation system.  And there are far
more VMS systems in the latter than the former.

If it IS a vulnerability that affects me, I likely have three different
approaches:

1. replace the system
2. replace the specifically vulnerable piece of code myself
3. apply some other layer of protection (perhaps a hardware firewall
   or an external proxy) to isolate the vulnerability from any threat.

I have taken the #2 approach in a few cases, but #3 is likely easy to
do.  Sometimes given a corporate climate where people want to spend money
for new things but don't want to pay a penny to maintain existing things,
#1 may be the most practical.

>When you decided to continue running your old VAX and Alpha machines
>in production, did you take steps to isolate them from the rest of
>your network (just as any remaining Windows XP users should have done) ?

For the most part we did that when we installed them in the first place.
--scott

-- 
"It's a Nagra. It's Swiss, and very, very precise."