[Info-vax] What to do with my VAX.....
Grant Taylor
gtaylor at tnetconsulting.net
Sun Oct 18 13:34:20 EDT 2020
On 10/18/20 3:17 AM, seasoned_geek wrote:
> There is a growing need for an OS without any TCP/IP stack. *nix did
> it wrong. There is absolutely no way of securing any system using
> *nix based TCP/IP when it is connected to the Internet.
I can't agree with that.
Sure, putting a system on the Internet exposes it to more harm than
sitting in a room by itself with no external connectivity. But then
again, powering the system on exposes it to more harm than completely
disconnecting it from power.
Also, anything with a TCP/IP stack can potentially be attacked across
the Internet, not just *nix.
> Lots of places dusting off old proprietary protocols for internal
> networks, putting one or two sacrificial machines out on the Internet
> and only installing/allowing the proprietary protocol between them
> and the internal network.
I don't agree that using a different protocol makes the systems
inherently more secure.
What using a different protocol does is make it inherently harder to
access the systems using said protocol. But if there is a single system
that is using both TCP/IP and the other protocol, then it's possible to
pass through that system to get to the other systems. Thereby doing a
protocol translation.
Judicious firewalling can offer the same level of protection for the
other systems without the complexity of the other protocol(s).
What the other protocols do offer is making the other systems
incompatible with the Internet, thus meaning that they can't
/accidentally/ or /inadvertently/ communicate with the Internet if
(when) the firewall becomes misconfigured. This is a belt and
suspenders redundant security configuration. /Combined/ they make a
stronger configuration. But, in my opinion, neither is stronger than
the other when used individually.
If anything, having additional protocols means additional lines of code
which is tantamount to additional attack surface.
--
Grant. . . .
unix || die