[Info-vax] DECnet challenge

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Sat Mar 2 11:03:39 EST 2019


On 2019-03-02 10:32:53 +0000, Andy Burns said:

> Mark Berryman wrote:
> 
>> The switches have been configured so that no port may accept a DECnet 
>> MAC address not assigned to that port.
> 
> Every switch, or just those switches which have VMS kit connected to them?

I've worked at sites that have all ports locked down and that require 
RADIUS or other authentication to connect, or MAC spoofing to connect 
to the port.

Some systems rotate MAC addresses for security.  Which breaks the 
assumptions that other systems can make around MAC addresses.  But I 
digress.

And I've worked at other sites that have more open, or effectively 
wide-open, switches.

The sites that have the network universe locked down can certainly be 
served with VLANs and the rest to isolate DECnet traffic.

If they can keep that configuration, and keep all devices at current 
firmware, and related efforts.  This is Not Easy.

Other sites, and network connections traversing untrusted or open 
networks, not so much.

We're headed toward internal networks not being trusted, given the 
difficulty-approaching-impossibility of keeping everything locked down.

If you can create and maintain the equivalent of the 
fossil-era-document NCSC Orange Book isolated-network configuration 
with OpenVMS, then that DECnet is cleartext and unauthenticated is less 
of an issue.

But I would still want to migrate those connections to VPNs or to TLS.  
Because I don't trust Orange and NCSC Red Book networks to stay that 
way.

For OpenVMS environments that are configured rather further from the 
Orange and Red Book security, cleartext unauthenticated connections 
such as DECnet, telnet, and FTP, are more of a concern.

But entertainingly, you can run a completely locked down network shop 
and still get bit, because of an upstream provider that was using 
DECnet, telnet and FTP, and they got popped.

Which means that some OpenVMS DECnet app you've added or have upgraded 
now has additional and undocumented features.

Different sites have different security requirements.  Some sites can 
get away with using DECnet.  Others... shouldn't...  and can't...

-- 
Pure Personal Opinion | HoffmanLabs LLC 