[Info-vax] OpenVMS x64 Atom project

[Arne Vajhøj]

On 6/7/2021 10:20 AM, Dave Froble wrote:
> I'm not too sure just how much thinking I want to do.  However, it seems 
> to me that access, while bad, cannot do much by itself.  I'm thinking 
> that if someone with access cannot do anything, that might be a decent 
> defense.
> 
> It seems to me, and no, I don't know, that running various "standard" 
> software, such as a web server, offers the bad guys some possibilities, 
> none of which I'm aware of.  So not using these standard products might 
> be some defense.

Not running a web server will be more secure than running a web server.

But if you have to run a web server for valid business reasons, then
you are likely better off with a standard web server running standard
stuff.

There are frequently found vulnerabilities in such standard stuff, but
chances are that there will be more vulnerabilities in the home made
CGI script written in Fortran.

> Opportunity seems to be a part of reported break-ins.  Not much anyone 
> can do from inside to prevent that, disgruntled or dishonest employees, 
> same password used elsewhere, and such.  I'm not thinking about such, 
> rather what might be possible to deflect internet based probes.

You should design for multi layer defense in depth.

Do not think "I create this unbreakable barrier and then I am good".

Think "I create this strong barrier and if by some means the bad guys
come through then I have this other strong barrier and after that I have
another and ...".

Detection is important. It is bad to get hacked, but it is really bad to
get hacked and not know it.

> For what I'm looking at, I'm assuming that TCP/IP and sockets is the 
> path most or all probes might use.  I'm not going to attempt to replace 
> TCP/IP, and it would be worthless anyway, since the entire purpose is to 
> talk to other computers.  However, my custom usage of sockets could be a 
> fertile ground for looking for ways to prevent internet access.  I['m 
> just not aware of how such could happen.  But, where to start?

TCP/IP is used by almost all network traffic today. Most computers
only have TCP/IP networking. No surprise that attacks comes in that
way.

If you write the socket code then it is up to you to write it safely.

> But, back to actually doing anything.  If there was a database, the bad 
> guys could not get to, (and that itself is an issue), that had a list of 
> valid users and valid programs, with ways to verify the program was the 
> intended one, then image activation might be able to determine whether a 
> program, or process (have to think a bit more on processes) should be 
> activated.

Most database authenticate requests.

A firewall that only allows nodes that need to connect to the
database to do so can help.

Maybe it is possible to set it up so that connecting applications
need to have a client certificate that the database server knows
to connect.

There are technical possibilities.

Arne