[Info-vax] What to do with my VAX.....
seasoned_geek
roland at logikalsolutions.com
Sun Oct 18 19:33:28 EDT 2020
On Sunday, October 18, 2020 at 12:34:14 PM UTC-5, Grant Taylor wrote:
> On 10/18/20 3:17 AM, seasoned_geek wrote:
> > There is a growing need for an OS without any TCP/IP stack. *nix did
> > it wrong. There is absolutely no way of securing any system using
> > *nix based TCP/IP when it is connected to the Internet.
>
> I can't agree with that.
>
Well, you should, because it is reality. Even TLS/SSL isn't secure despite the name.
>
> > Lots of places dusting off old proprietary protocols for internal
> > networks, putting one or two sacrificial machines out on the Internet
> > and only installing/allowing the proprietary protocol between them
> > and the internal network.
>
> I don't agree that using a different protocol makes the systems
> inherently more secure.
>
> What using a different protocol does is make it inherently harder to
> access the systems using said protocol.
You know, the fans of TCP/IP never cease to amaze me. They continually claim that making something more difficult to access doesn't make it more secure, then they talk about the various forms of encryption used with TCP/IP as "secure" when they are not. All encryption is security via obscurity. You're just bragging about the size of the forest you are hiding the tree in, but you are still just hiding a tree in a forest. A hacker doesn't need to find every tree, just the one they are looking for.
> But if there is a single system
> that is using both TCP/IP and the other protocol, then it's possible to
> pass through that system to get to the other systems. Thereby doing a
> protocol translation.
>
No, it's not. That's an x86 view of the world: that there must be this pool of services exposed to the network, and said services must map to known TCP/IP services like telnet, ftp, etc.
The systems I'm seeing and which appear to be getting quite common are Hub & Spoke. Out here the end of the spoke is a sacrificial x86 computer with a wanna-be OS. It runs TCP/IP and is exposed to the Internet.
Inside of the company, the real computers run a different networking protocol. They have no traditional services. There is no "protocol translation" happening. On the sacrificial computer some set of icky nasty free format (i.e. XML, JSON, etc.) messages come in. Those messages are then converted into fixed field width fixed length proprietary internal messages and placed on the message queue for one of the real machines. The only connection to the outside world the real computers have is these message queues. The only connection to the outside world any device on the internal network has is via the message queues completely controlled by one of the real machines.
Companies have been doing this since the early days of MQ Series on OS/2 and they continue to do it with various Websphere type solutions. The sacrificial x86 box runs Websphere (or your favorite Internet capable message queuing product). There is a completely different NIC using a completely different set of wires running a completely different protocol messaging back to the real computers. Most of the Websphere shops I've encountered operate in this manner.
The only way to access one of the real computers is to have a computer physically on that network. Most operate that network like a dial-up VPN. When that network connection is in use, TCP/IP is physically disabled. You have no external Internet or other network access.
> Judicious firewalling can offer the same level of protection for the
> other systems without the complexity of the other protocol(s).
Not even in a fantasy world can a firewall offer the above level of security and up-time. While I will admit that many smaller companies purchase Websphere without knowing how to properly architect systems around it, most of the big ones do know and IBM sells a lot of Websphere.
>
> What the other protocols do offer is making the other systems
> incompatible with the Internet, thus meaning that they can't
> /accidentally/ or /inadvertently/ communicate with the Internet if
> (when) the firewall becomes misconfigured. This is a belt and
> suspenders redundant security configuration. /Combined/ they make a
> stronger configuration. But, in my opinion, neither is stronger than
> the other when used individually.
>
> If anything, having additional protocols means additional lines of code
> which is tantamount to additional attack surface.
>
See above.
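The edge-box pattern described in this post (free-format messages accepted on a sacrificial machine, converted to fixed-width, fixed-length records, and placed on a queue that is the internal machine's only link to the outside), as an added example that is not part of the original post or of any product it names. The record layout, field names, length limits and the in-memory queue are all assumptions chosen for illustration; the point shown is that every validation decision happens on the edge, and the internal consumer only ever unpacks fixed-length fields rather than parsing anything.

```python
import json
import struct
from collections import deque

# Assumed internal record layout (constructed for this example): fixed-width,
# fixed-length. account: 10 chars, amount_cents: 8 ASCII digits, memo: 20 chars.
RECORD_STRUCT = struct.Struct("10s8s20s")
RECORD_LEN = RECORD_STRUCT.size  # 38 bytes, always

ACCOUNT_LEN = 10
MEMO_LEN = 20
MAX_AMOUNT_CENTS = 99_999_999  # largest value that fits in 8 digits
MAX_INBOUND_BYTES = 4096       # assumed cap on a single free-format message


class RejectedMessage(ValueError):
    """Raised on the sacrificial box; the internal queue never sees the message."""


def to_fixed_record(raw: bytes) -> bytes:
    """Parse free-format JSON on the edge and emit one fixed-width record.

    Exactly the three expected keys are permitted, each with a strict type and
    length. Anything that does not fit the record layout is rejected here,
    so the internal machine never has to interpret unexpected input.
    """
    if len(raw) > MAX_INBOUND_BYTES:
        raise RejectedMessage("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedMessage(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict) or set(msg) != {"account", "amount_cents", "memo"}:
        raise RejectedMessage("unexpected keys")
    account, amount, memo = msg["account"], msg["amount_cents"], msg["memo"]
    if not (isinstance(account, str) and account.isalnum() and len(account) <= ACCOUNT_LEN):
        raise RejectedMessage("bad account")
    # bool is a subclass of int in Python, so JSON true/false must be excluded explicitly.
    if not (isinstance(amount, int) and not isinstance(amount, bool)
            and 0 <= amount <= MAX_AMOUNT_CENTS):
        raise RejectedMessage("bad amount")
    if not (isinstance(memo, str) and memo.isascii() and memo.isprintable()
            and len(memo) <= MEMO_LEN):
        raise RejectedMessage("bad memo")
    record = RECORD_STRUCT.pack(
        account.ljust(ACCOUNT_LEN).encode("ascii"),
        f"{amount:08d}".encode("ascii"),
        memo.ljust(MEMO_LEN).encode("ascii"),
    )
    return record


def consume_record(record: bytes) -> dict:
    """What the internal machine does: unpack fixed fields; no parser involved."""
    if len(record) != RECORD_LEN:
        raise ValueError("record length mismatch")
    account, amount, memo = RECORD_STRUCT.unpack(record)
    return {
        "account": account.decode("ascii").rstrip(),
        "amount_cents": int(amount.decode("ascii")),
        "memo": memo.decode("ascii").rstrip(),
    }


def edge_to_queue(raw_messages, queue=None):
    """Run inbound messages through the edge; return (queue of records, rejects)."""
    queue = deque() if queue is None else queue
    rejects = []
    for raw in raw_messages:
        try:
            queue.append(to_fixed_record(raw))
        except RejectedMessage as exc:
            rejects.append((raw, str(exc)))
    return queue, rejects


# Constructed sample traffic: one well-formed message and three that do not fit
# the layout (an extra key, a negative amount, an over-long memo).
SAMPLE_INBOUND = [
    b'{"account": "ACC123", "amount_cents": 1999, "memo": "invoice 42"}',
    b'{"account": "ACC123", "amount_cents": 1999, "memo": "invoice 42", "extra": 1}',
    b'{"account": "ACC123", "amount_cents": -5, "memo": "refund"}',
    b'{"account": "ACC123", "amount_cents": 1, "memo": "' + b"x" * 40 + b'"}',
]

if __name__ == "__main__":
    records, rejected = edge_to_queue(SAMPLE_INBOUND)
    for rec in records:
        print("internal sees:", consume_record(rec))
    for raw, why in rejected:
        print("rejected at edge:", why)
```

Run as a script it accepts only the first sample message and reports why the other three were stopped at the edge. Since the consumer checks nothing but the record length and field positions, widening the internal interface means changing the layout on both sides deliberately, not adding a new parser to the internal machine.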