[Info-vax] What to do with my VAX.....
Arne Vajhøj
arne at vajhoej.dk
Wed Nov 11 19:16:46 EST 2020
On 11/11/2020 11:52 AM, seasoned_geek wrote:
> On Tuesday, November 3, 2020 at 8:24:16 PM UTC-6, Arne Vajhøj wrote:
>> On 10/18/2020 7:33 PM, seasoned_geek wrote:
>>> On Sunday, October 18, 2020 at 12:34:14 PM UTC-5, Grant Taylor
>>> wrote:
>>>> On 10/18/20 3:17 AM, seasoned_geek wrote:
>
>>>> Judicious firewalling can offer the same level of protection for
>>>> the other systems without the complexity of the other protocol(s).
>>
>>> Not even in a fantasy world can a firewall offer the above level of
>>> security and up-time.
>> What you described above is a firewall.
>>
>> One NIC on the outside and one NIC on the inside and no way
>> to the inside systems except through the 2 NIC box - that is
>> what is called a firewall.
>>
>> And since there is no access to the inside network,
>> then the security benefits of another protocol
>> on the inside network are not that big.
> The vast majority of firewalls aren't hardware at all.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls
> https://openport.net/centos-firewall/
> https://www.ubuntu18.com/how-to-enable-ubuntu-firewall-in-ubuntu-20-04/
>
> https://www.windowscentral.com/how-open-port-windows-firewall
True.
Those port-blocking programs like Windows Defender and Linux iptables
(firewalld and ufw are just something nice on top of iptables)
were for some reason named "software firewalls".
And they may be valuable for desktop PCs.
But I hope that server installation does not rely on those.
Having a system protect itself is not as good as having
another system in front.
They need real network separation. Either a hardware firewall
or a virtual firewall, which even though it is software is not
the same as a "software firewall".
> Even when one has a firewall in a router, PASSTHROUGH PORTS ARE ENABLED for many things.
Hopefully all ports inbound are closed.
> A firewall is not taking a free-form XML/whatever "open" Internet
> message and chopping it down into a fixed field length fixed record
> width message for a queue. This means the people stuffing a billion
> characters or some other nonsense into that free format message to
> trigger an overrun so they can perform an SQL injection or some other
> hack physically can't happen. When someone tries to move a billion
> characters into a COBOL PIC X(25) field, what happens? The first 25
> characters make it and the rest land in the bit bucket.
Protocol conversion is sometimes used.
But then it will typically be:
--firewall--protocol conversion--firewall--backend system
For the same reason as firewall in front of system is better
than "software firewall" on system. Better isolation - less risk
in case something bad happens in the protocol conversion.
And stuffing into fixed length format is totally insufficient
as data validation.
> You are completely incorrect about Security by Obscurity as well. ALL
> ENCRYPTION is security by obscurity. Period.
Not by the definition of security by obscurity commonly used.
Arne
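The exchange above ends on the point that chopping free-form input into a fixed-width field is not data validation. The following is an added example, not code from the post or from any of its participants, that makes the point concrete: it emulates a COBOL-style MOVE into a PIC X(25) field, shows that the truncation silently swallows an oversized input, and shows that a short malformed value fits in 25 characters untouched and still reaches the database if the backend concatenates it into SQL. The hardened lookup rejects anything outside an allow-list and uses a parameterized query. The table, column names and sample rows are constructed for the demonstration; the field width follows the PIC X(25) in the quoted text.

```python
import re
import sqlite3

FIELD_WIDTH = 25  # mirrors the COBOL PIC X(25) field mentioned in the thread


def truncate_to_field(value: str, width: int = FIELD_WIDTH) -> str:
    """Emulate a COBOL MOVE into PIC X(width): keep the first `width`
    characters, space-pad the rest, and raise nothing. Oversized input
    is silently accepted, which is exactly why this is not validation."""
    return value[:width].ljust(width)


# Allow-list for the (hypothetical) customer-id field: the actual data check.
CUSTOMER_ID_RE = re.compile(r"^[A-Z0-9-]{1,25}$")


def validate_customer_id(value: str) -> bool:
    """True only if the value is exactly the shape the backend expects."""
    return CUSTOMER_ID_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer_id TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("ACME-001", 100), ("ACME-002", 250)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, field: str) -> list:
    """Backend that trusts the fixed-width field and concatenates it into
    SQL. Truncation happened upstream, yet a short malformed value passes
    through unchanged and alters the query."""
    value = field.rstrip()
    sql = "SELECT customer_id FROM accounts WHERE customer_id = '" + value + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, field: str) -> tuple:
    """Hardened backend: allow-list validation first, then a parameterized
    query. Returns (accepted, rows) so callers can log rejections."""
    value = field.rstrip()
    if not validate_customer_id(value):
        return (False, [])
    rows = conn.execute(
        "SELECT customer_id FROM accounts WHERE customer_id = ?", (value,)
    ).fetchall()
    return (True, [row[0] for row in rows])


if __name__ == "__main__":
    conn = build_db()
    oversized = "A" * 1000            # the "billion characters" case, scaled down
    short_bad = "x' OR '1'='1"         # 12 characters: survives PIC X(25) intact
    print(repr(truncate_to_field(oversized)))          # 25 A's, no error raised
    print(lookup_unsafe(conn, truncate_to_field(short_bad)))   # both rows leak
    print(lookup_safe(conn, truncate_to_field(short_bad)))     # (False, [])
    print(lookup_safe(conn, truncate_to_field("ACME-001")))    # (True, ['ACME-001'])
```

The oversized input is the case the quoted message has in mind, and truncation does neutralise it; the short malformed value is the case it does not cover, which is why the fixed-width hop needs an explicit allow-list and parameterized queries behind it, in addition to the firewall placement the reply describes.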