On 2017-08-15 00:43:32 +0000, seasoned_geek said:
> On Thursday, August 10, 2017 at 10:30:02 AM UTC-5, Stephen Hoffman wrote:
>> For most of the rest of us, getting rid of DECnet, telnet, ftp, rlogin,
>> and the rest
>
> I like telnet and ftp. I simply keep my DS-10 away from the Internet so
> I can use my terminal emulator. <Grin>
I'm aware of a number of folks doing exactly that; of using telnet and
FTP and DECnet. With various of those folks using emulator client
tools that are fully capable of creating more secure connections, too.
Which is bad news.
> In truth, if any of those things are actually a problem, your systems
> architect should be taken out and shot.
I'm aware of a number of OpenVMS servers that are running cleartext protocols.
> Never ever plug a production system directly into the Internet. Always
> place a sacrificial lamb, like a Websphere server, outside the main
> firewall allowing only fixed format proprietary data messages to flow
> between it and the real production systems.
I'm skeptical that the folks that have invented their own proprietary
formats and protocols have all spent the time and effort and resources
to review and reverse-engineer and to look for security vulnerabilities
in their custom protocols and their libraries. Of becoming familiar
with Burp Suite and Kali and other common tools, too. Of fuzzing the
APIs and protocols. Then there's the discussion of depending on
990s- or Y2K-era application and server isolation, and of assuming that
firewalls provide more than a handy network demarcation. This also
assuming the organization can forever maintain the intended and
necessary isolation, the firewall rules and the rest. Worse for app
security, getting apps using OpenVMS-provided secure protocols working
correctly and securely with the provided APIs is non-trivial for those
folks that are or have migrated away from telnet and FTP and DECnet,
too.
> The day you allow a Web page to directly connect to a production
> database you have failed as a systems architect.
I'm aware of a number of OpenVMS servers that are both web server and
back-end server. More than a few other servers running other software
in similar configurations, too. That's before discussing extending
any existing breaches, too; of breaching one client or one server
within the target environment, and the attackers working toward further
access within and across other network-connected devices, and of
seeking additional vulnerabilities. Such as folks occasionally using
telnet or SCS or insecure revisions of TLS, and that then expose
information useful to the attackers.
While VSI is working to address various security vulnerabilities,
there's much more work to be done both at VSI and by end-users of
OpenVMS. This because OpenVMS itself has been maintained to be
upward compatible, and — irrespective of the VSI marketing — efforts to
upgrade the default system and app security and APIs have been
problematic. VSI have the leadership role around upgrading the
default OpenVMS system and app security and APIs, and this particularly
given VSI security marketing. VSI IP will help, though the effort is
much larger than that and it's very much ongoing for both VSI and
customers. And for now, VSI has to get the port out the door, and to
work to increase revenues.
The current environment is a whole lot less forgiving than the Y2K era.
Trying to "outrun" attackers — the sorts of folks that are using
continuously-running for loops, scanning for vulnerabilities — with the
current OpenVMS patch process is a security strategy that has already
failed. Keeping insecure tools such as telnet, FTP and DECnet around
in the default configurations is simply not living up to current
marketing, nor where we'll be in 2022 and 20217.
Put another way, VSI can continue work toward and can implement changes
toward making their marketing slogan rather more believable, and VSI
can update and in a few spots can replace problematic APIs, and can
provide updated and new tools and APIs that make both updating existing
apps and writing new apps much easier, or the VSI folks can use the
existing "most secure operating system on the planet" marketing to
continue to generate skepticism.
Yes, users can and will do unwise things. Users can and will make
mistakes. Developers and operations folks can make mistakes, too. A
secure platform works toward preventing folks — ISVs, end-users, even
the the platform's own developers — from making many of those mistakes.
BTW: For those of you updating to operating system releases that might
have eliminated the telnet client entirely and as can happen with
operating systems that don't presently market themselves as "the most
secure operating system on the planet", the netcat tool (where
available) can be used to test access. With the BSD nc variant, use:
nc -z {host} {port} Or s_client for testing a secure connection, of
course. Yes, OpenVMS lacks nc, though does offer s_client.