[Info-vax] DECnet bashing

Grant Taylor gtaylor at tnetconsulting.net
Sat Aug 8 17:41:25 EDT 2020


On 8/8/20 11:49 AM, Arne Vajhøj wrote:
> But there is some basis for the criticism.

I naively think that the basis can also serve as guidance on how to do 
things.

> Networking security standards have changed a lot since DECnet was 
> invented.

As have networking solutions.

> It is becoming increasingly difficult to defend any unencrypted 
> network communication when a security audit happens.

I agree that unencrypted communication is bad.  But I believe that it's 
possible to add encryption around otherwise unencrypted protocols.

  - DECnet Phase-IV put into a GRE tunnel that's IPsec encrypted
  - DECnet Phase-V(+) over TCP/IP that's IPsec encrypted
  - DECnet that is MACsec encrypted

I'm assuming that there is a piece of helper equipment doing the IPsec 
and / or MACsec encryption inside the same locked cabinet.

Outside of the locked cabinet, these are all DECnet and encrypted.

> It is not just an actual security problem - it is also a security 
> policy compliance problem. Some may even say that it is more the 
> latter than the former.

Inflexible policy without any understanding is in and of itself a problem.

If the spirit of the policy is that nothing is unencrypted (any further 
than it absolutely must be) then all the above solutions adhere to the 
spirit.

> Maybe you have never had the "pleasure" of having a team of security 
> auditors come in and ask for a list of all network connections and 
> the protocols used and get all unencrypted protocols flagged as 
> security risks.

I have no problem talking to such auditors explaining that the insecure 
protocol is wrapped in an encrypting VPN, and where & how it is done.

> Same people also tend to flag all software not up to date with security 
> patches as security risks.

I've seen businesses acknowledge the auditors' findings, turn around, and 
continue with business based on other business decisions.  After all, a 
perfectly secure system (powered off) is ultimately unusable.  So 
there's always a compromise.  It's just a matter of where that 
compromise is.



-- 
Grant. . . .
unix || die
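The post above argues that DECnet wrapped in GRE/IPsec or MACsec is "all encrypted" once it leaves the locked cabinet, and that this is what one shows the auditors. What a practitioner actually wants is a way to verify that claim from a capture taken outside the cabinet. The script below is an added example, not code from the post or from the Info-vax list: it classifies Ethernet frames by what is readable on the wire, flagging DECnet Phase IV sent bare (EtherType 0x6003), DECnet inside a GRE tunnel that is not itself protected (IP protocol 47 with GRE protocol type 0x6003), IPsec AH (protocol 51, which authenticates but does not encrypt), and MACsec frames whose SecTAG has the E and C bits clear (integrity-only mode, payload in the clear). ESP (protocol 50) and MACsec with confidentiality are reported as encrypted and not inspectable. All frames, MAC/IP addresses and payloads are constructed inline for the example; the DECnet payload is filler, not a real routing message.

```python
"""Wire-level check for "DECnet wrapped in an encrypting tunnel".

Added example (not from the mailing-list post): classify Ethernet frames
captured OUTSIDE the locked cabinet and flag any frame whose DECnet or GRE
content is readable on the wire.  All sample frames below are constructed.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_DECNET_IV = 0x6003   # DECnet Phase IV routing EtherType
ETHERTYPE_MACSEC = 0x88E5      # IEEE 802.1AE SecTAG
IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_AH = 51
MACSEC_TCI_E = 0x08            # SecTAG TCI "E" bit: payload encrypted
MACSEC_TCI_C = 0x04            # SecTAG TCI "C" bit: payload changed from plaintext


def classify_frame(frame: bytes) -> str:
    """Return a finding; findings starting with CLEARTEXT fail the audit."""
    if len(frame) < 14:
        return "RUNT: frame shorter than an Ethernet header"
    ethertype = struct.unpack("!H", frame[12:14])[0]

    if ethertype == ETHERTYPE_DECNET_IV:
        return "CLEARTEXT: DECnet Phase IV directly on the wire"

    if ethertype == ETHERTYPE_MACSEC:
        if len(frame) < 15:
            return "RUNT: MACsec frame without SecTAG"
        tci = frame[14]
        # Integrity-only MACsec (E=0, C=0) authenticates but does not hide the payload.
        if tci & (MACSEC_TCI_E | MACSEC_TCI_C) == 0:
            return "CLEARTEXT: MACsec integrity-only, payload not encrypted"
        return "ENCRYPTED: MACsec, inner EtherType not inspectable"

    if ethertype != ETHERTYPE_IPV4:
        return f"OTHER: EtherType 0x{ethertype:04x}"

    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "RUNT: truncated or non-IPv4 header"
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]

    if proto == IPPROTO_ESP:
        return "ENCRYPTED: IPsec ESP, inner protocol not inspectable"
    if proto == IPPROTO_AH:
        return "CLEARTEXT: IPsec AH authenticates but does not encrypt"
    if proto == IPPROTO_GRE:
        gre = ip[ihl:]
        if len(gre) < 4:
            return "RUNT: truncated GRE header"
        gre_proto = struct.unpack("!H", gre[2:4])[0]   # GRE "protocol type" field
        if gre_proto == ETHERTYPE_DECNET_IV:
            return "CLEARTEXT: DECnet Phase IV inside unencrypted GRE"
        return f"CLEARTEXT: GRE carrying 0x{gre_proto:04x}"
    return f"OTHER: IPv4 protocol {proto}"


def audit_capture(frames):
    """Return (clean, findings); clean is False if any frame leaks DECnet/GRE in the clear."""
    findings = [classify_frame(f) for f in frames]
    return not any(f.startswith("CLEARTEXT") for f in findings), findings


# --- constructed sample frames (hypothetical addresses, filler payloads) ---
def eth(ethertype, payload):
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload):
    # Minimal 20-byte header; checksum left zero since nothing forwards these.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def gre(proto, payload):
    return struct.pack("!HH", 0, proto) + payload            # flags=0: no cksum/key/seq

def macsec(tci_an, payload):
    return struct.pack("!BBI", tci_an, 0, 1) + payload       # TCI/AN, SL, PN; SC=0 so no SCI

DECNET_FILLER = b"decnet-phase-iv-routing-filler"

FRAMES = {
    "decnet_direct": eth(ETHERTYPE_DECNET_IV, DECNET_FILLER),
    "decnet_in_gre": eth(ETHERTYPE_IPV4, ipv4(IPPROTO_GRE, gre(ETHERTYPE_DECNET_IV, DECNET_FILLER))),
    "esp": eth(ETHERTYPE_IPV4, ipv4(IPPROTO_ESP, b"\x00\x00\x00\x07\x00\x00\x00\x01" + b"ciphertext")),
    "ah": eth(ETHERTYPE_IPV4, ipv4(IPPROTO_AH, b"\x2f\x04\x00\x00" + b"\x00" * 20)),
    "macsec_encrypted": eth(ETHERTYPE_MACSEC, macsec(MACSEC_TCI_E | MACSEC_TCI_C, b"ciphertext")),
    "macsec_integrity_only": eth(ETHERTYPE_MACSEC, macsec(0x00, eth(ETHERTYPE_DECNET_IV, DECNET_FILLER))),
}

if __name__ == "__main__":
    clean, findings = audit_capture(list(FRAMES.values()))
    for name, finding in zip(FRAMES, findings):
        print(f"{name:24s} {finding}")
    print("capture clean:", clean)
```

Two caveats the wire view cannot settle: ESP with the NULL cipher (RFC 2410) looks identical to real encryption on the wire, so the SA's cipher must also be confirmed in the IPsec gateway's configuration; and a capture only proves what crossed the tap during the capture window, so the tap should sit on the cabinet's uplink rather than inside it.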