[Info-vax] Some SEARCH commands

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Sat Mar 2 16:46:52 EST 2019


On 2019-03-02, Mark Berryman <mark at theberrymans.com> wrote:
> On 3/1/19 5:15 PM, Simon Clubley wrote:
>> 
>> The idea that you _need_ enterprise level hardware locked down to
>> the level Mark has specified in his challenge in order to give
>> DECnet Phase IV any level of real security is insane.
>> 
>> TCP/IP also benefits from having custom enterprise level hardware on
>> the network but it doesn't actually _need_ it in order to provide a
>> core level of security.
>
> Of course not.  That's why nobody uses firewalls any more.  Oh, wait...
>
> Simon, look up what the "switchport port-security" command does on a 
> Cisco switch.  Yes, that's right.  The same things I have suggested for 
> making a DECnet network more secure are also used to make an IP network 
> more secure.
>
> Insane?  Not in the real world, pal.
>

Actually, it is insane and for one simple reason: security in the
real world relies on multiple layers of protection. If an attacker
breaches one layer, they may be stopped by the next layer.

There is no layered security when using hardware-only protection
to protect your DECnet systems. When using hardware-only protection,
you have to use a complex configuration to protect your systems and
you have to get it right 100% of the time.

If you don't get it right and leave a hole or an attacker breaches
that single layer of security then you have nothing left to protect
your systems.

Compare that with the IP world. If they get through the hardware
protection, they may be stopped by the encrypted protocols running
on top of TCP/IP. (You _are_ running encrypted protocols on your
TCP/IP network, right?)

If they get through that, and the TCP/IP based applications are
running on an operating system with Mandatory Access Controls
(SELinux style) or jails, then the attacker may be stopped by that.

BTW, it would be nice if "the world's most secure operating system"
actually supported MAC security or jails.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


