[Info-vax] What to do with my VAX.....
Arne Vajhøj
arne at vajhoej.dk
Tue Nov 3 21:24:12 EST 2020
On 10/18/2020 7:33 PM, seasoned_geek wrote:
> On Sunday, October 18, 2020 at 12:34:14 PM UTC-5, Grant Taylor
> wrote:
>> On 10/18/20 3:17 AM, seasoned_geek wrote:
>>> There is a growing need for an OS without any TCP/IP stack. *nix
>>> did it wrong. There is absolutely no way of securing any system
>>> using *nix based TCP/IP when it is connected to the Internet.
>>
>> I can't agree with that.
>
> Well you should because it is reality. Even TLS/SSL isn't secure
> despite the name.
Anyone breaking current TLS could become very rich.
>>> Lots of places dusting off old proprietary protocols for
>>> internal networks, putting one or two sacrificial machines out on
>>> the Internet and only installing/allowing the proprietary
>>> protocol between them and the internal network.
>>
>> I don't agree that using a different protocol makes the systems
>> inherently more secure.
>>
>> What using a different protocol does is make it inherently harder
>> to access the systems using said protocol.
>
> You know, the fans of TCP/IP never cease to amaze me. They
> continually claim that making something more difficult to access
> doesn't make it more secure then they talk about the various forms
> of encryption used with TCP/IP as "secure" when they are not. All
> encryption is security via obscurity.
No.
Security by obscurity is when the security relies on the
algorithm being kept secret.
A public known algorithm with a key kept secret is not
security by obscurity.
> You're just bragging about the size of the forest you are hiding the
> tree in, but you are still just hiding a tree in a forest. A hacker
> doesn't need to find every tree, just the one they are looking for.
IT security is a practical discipline.
If the expected/average time to brute force a key guess
is 10 billion years, then people are willing to accept
that there is a probability extremely small but still greater
than zero that the first key guess is the correct one.
>> But if there is a single system that is using both TCP/IP and the
>> other protocol, then it's possible to pass through that system to
>> get to the other systems. Thereby doing a protocol translation.
>>
>
> No, it's not. That's an x86 view of the world. That there must be
> this pool of services exposed to the network and said services must
> map to known TCP/IP services like telnet, ftp, etc.
> The systems I'm seeing and which appear to be getting quite common
> are Hub & Spoke.
> Out here the end of the spoke is a sacrificial x86 computer with a
> wanna-be OS. It runs TCP/IP and is exposed to the Internet.
Almost all enterprise IT is TCP/IP today.
The OS comes with TCP/IP.
If the programming language has builtin support for network
then it is TCP/IP.
Web servers are by definition TCP/IP based.
App servers typically only support TCP/IP.
Most databases only support TCP/IP for remote access.
Most message queues only support TCP/IP for remote access.
Most network boxes only handle TCP/IP.
It is very difficult to avoid TCP/IP.
> Inside of the company, the real computers run a different networking
> protocol. They have no traditional services. There is no "protocol
> translation" happening. On the sacrificial computer some set of icky
> nasty free format (i.e. XML, JSON, etc.) messages come in. Those
> messages are then converted into fixed field width fixed length
> proprietary internal messages and placed on the message queue for
> one of the real machines. The only connection to the outside world
> the real computers have is these message queues. The only connection
> to the outside world any device on the internal network has is via
> the message queues completely controlled by one of the real
> machines.
Most message queues will require TCP/IP.
> Companies have been doing this since the early days of MQ Series on
> OS/2 and they continue to do it with various Websphere type
> solutions. The sacrificial x86 box runs Websphere (or your favorite
> Internet capable message queuing product). There is a completely
> different NIC using a completely different set of wire running a
> completely different protocol messaging back to the real computers.
> Most of the Websphere shops I've encountered operate in this manner.
IBM MQ does support LU6.2 as alternative to TCP/IP.
But don't hold your breath waiting for SNA to take over
modern networking.
:-)
>> Judicious firewalling can offer the same level of protection for
>> the other systems without the complexity of the other protocol(s).
> Not even in a fantasy world can a firewall offer the above level of
> security and up-time.
What you described above is a firewall.
One NIC on the outside and one NIC on the inside and no way
to the inside systems except through the 2 NIC box - that is
what is called a firewall.
And since there is no access to the inside network,
then the security benefits of another protocol
on the inside network are not that big.
Arne
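Arne's brute-force argument above (a public algorithm with a secret key is not obscurity, and an astronomically long expected search time is what practitioners accept) can be made concrete with a small calculator. The following is an added example for this thread, not code from the original post or from any product mentioned in it; the guess rate of 10^12 keys per second is an assumed figure for illustration, and the functions compute the expected exhaustive-search time for a uniformly random key, the probability that a given number of guesses succeeds, and the smallest key length that pushes the expected search past a target number of years.

```python
"""Brute-force expectation calculator.

Added example for the Info-vax thread; not part of the original post.
Assumptions: the key is uniformly random over 2**bits values, the
attacker tests distinct candidates, and the guess rate (for example
1e12 per second) is a made-up illustrative number.
"""
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31_557_600 s


def keyspace(bits: int) -> int:
    """Number of distinct keys for a key of `bits` bits."""
    return 1 << bits


def expected_guesses(bits: int) -> Fraction:
    """Expected number of guesses in an exhaustive search.

    For a uniformly random key among N candidates the expected position
    of the right key is (N + 1) / 2, i.e. roughly half the keyspace.
    """
    n = keyspace(bits)
    return Fraction(n + 1, 2)


def expected_years(bits: int, guesses_per_second: float) -> float:
    """Expected wall-clock time of the search, in years."""
    return float(expected_guesses(bits)) / guesses_per_second / SECONDS_PER_YEAR


def success_probability(bits: int, guesses: int) -> Fraction:
    """Exact probability that `guesses` distinct candidates include the key.

    With a single guess this is 1 / 2**bits: non-zero, but negligible,
    which is the "greater than zero but accepted" point made above.
    """
    n = keyspace(bits)
    return Fraction(min(guesses, n), n)


def min_bits_for(target_years: float, guesses_per_second: float) -> int:
    """Smallest key length whose expected search time reaches `target_years`.

    Each extra bit doubles the keyspace, so this is a linear scan over
    key lengths that stops at the first one meeting the target.
    """
    bits = 1
    while expected_years(bits, guesses_per_second) < target_years:
        bits += 1
    return bits


if __name__ == "__main__":
    rate = 1e12  # assumed attacker rate: one trillion guesses per second
    for bits in (56, 80, 128, 256):
        print(f"{bits:3d}-bit key: expected {expected_years(bits, rate):.3e} years, "
              f"first-guess success {float(success_probability(bits, 1)):.3e}")
    print("bits needed for 10 billion years at 1e12/s:", min_bits_for(1e10, rate))
```

Run stand-alone it prints one line per key length; the useful check for a practitioner is `min_bits_for`, which answers "how large a key do I need so the expected search exceeds X years against an attacker with Y guesses per second". Note that this is expected time for a single key; it says nothing about weaknesses in the algorithm itself, which is exactly why the algorithm is published and reviewed while only the key stays secret.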