[Info-vax] DECnet challenge

Dave Froble davef at tsoft-inc.com
Fri Mar 1 19:09:59 EST 2019


On 3/1/2019 6:47 PM, Stephen Hoffman wrote:
> On 2019-03-01 20:18:21 +0000, Mark Berryman said:
>
>> They have been configured by a network engineering staff who knows
>> what they are doing.
>
> Now try that same network configuration again with what passes for
> networking in many of the organizations running OpenVMS and DECnet.

I understand, and agree.  Probably describes my own network quite well.

> Which is very far from perfect security.  Even with a good team.
>
> Worse, with the sorts of folks that have unfortunately chosen to believe
> some of the worst of the marketing codswallop around.
>
> It's always been (theoretically) possible to lock down and isolate
> servers and server networking.  That was the foundation of the NCSC
> Orange Book security decades ago.
>
> Keeping all that locked down and isolated... gets interesting. Mistakes,
> compromised staff, compromised servers and devices, and compromised
> apps.  And with ever-changing requirements for communications and
> cross-connections.
>
> Pragmatically, we're way past trying for perfection.  Or we should be.
> Which is what this talented-management approach seeks.  Or the
> only-use-highly-skilled developers approach that has been suggested for
> system and network and app deployments.
>
> Assuming we're not going to be perfect leads to discussions of
> mechanisms to increase difficulty.  Which can include sandboxes, ASLR &
> KASLR, W^X, etc.  And encrypted and authenticated connections.
>
> Failures in complex systems are seldom single events.  They're a chain
> of mistakes.  As are exploits.
>
> Unauthenticated connections and cleartext credentials are really hard to
> scale.  Tell me that you'd trust this cleartext configuration to
> maintain security over months and years, across staff churn and
> consultants, across malware-infested printers, and across software and
> firmware upgrades, the telnet and ftp usage for reasons, across patch
> rollouts for printers and switches and servers and MRI scanners and
> embedded warehouse control systems that can take days or weeks or months
> or years, and across the "fun" that is side-channels of other
> co-resident guests peeking into your clients and into your servers.

But to get back to the topic.  Going outside the challenge rules avoids
the challenge, right?

The only question I have is, how do I find out about switches that can
do what Mark suggests?  All I got are dumb $10 switches.

-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486