HP3000-L Archives

December 1998, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Joe Geiser <[log in to unmask]>
Reply To: Joe Geiser <[log in to unmask]>
Date: Fri, 4 Dec 1998 07:03:30 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (151 lines)
(warning - a bit longish)

Wirt writes after Gavin,

Time for me to chime in on this issue - I've lurked it long enough :)

> If the basic security features of telnet/ftp/etc. are made part of a
> purchaseable product, then much of the reason that I proposed
> them evaporates.

Security in the area of inetd, as well as telnet, ftp, ns/vt, etc - should
NOT be a revenue generator for HP --- it should be HP's CYA.  Without
adequate security mechanisms built into the operating system (for users to
PROPERLY AND ADEQUATELY CONFIGURE AND USE), oh, I can see the lawyers
salivating now because there is one SOB out there who will call the legal
beagles in to discuss this.  If security is intrinsically built into the
operating system - then HP has their A's Covered (hence - "CYA") - but, see
the next paragraph:

> It's important NOT to look at the world the way it is now,
> but the way it's
> going to be in five years. At the moment, we already have
> five standard
> business customers that have their HP3000s on the internet
> and who allow us
> telnet access into them ...<snip>
> and not counting Joe Geiser and Jeff Kell and
> other internet gurus who have kindly allowed us into their
> machines for testing telnet].

First - we employ a firewall.  Anyone who places any TCP/IP based machine,
which includes the 3000 and any NT or Novell (under IP) server on a network
connected to the internet, and does not use at least a Proxy Server with
some firewall capabilities, is just plain fat, dumb and happy thinking that
MPE security will protect them.  WRONG.  They are looking for real trouble -
big trouble.

We use the firewall to keep out bad guys (and ladies - we are equal
opportunity blockers :).  We employ IP mapping between registered IPs to
unregistered IPs behind the firewall.  We employ a version of inetdsec to
"permit" our friends and associates access when they need it.  Recently, we
just cleaned house on this file -- which included the manufacturer of the
very machine we love...  Even they cannot get into our systems anymore - no
support modem (they never sent one) and via the net, not without asking
first - then we'll put them back in.  We let AICS in because he's doing some
valid testing, I trust him totally (there is no written agreement) and we're
all too glad to provide the capabilities.  (I also know where he lives <g>).
The same holds true with Adager.

So, in addition to inetd security - a firewall or proxy server (such as MS
Proxy Server on NT, which is an inexpensive solution that would be a good
first step) is a must!

> I have to consider this number of telnet accessible HP3000s
> to be somewhat
> surprising -- and because of that, indicative of a trend that
> already has some real depth to it.

I've ditched NS/VT for my normal communications and started using Telnet.  I
have three termulators here - MS92, WRQ (old version licensed a long time
ago), and QCTerm.  I use all three for a reason --- our clients are all over
the board, and we need all of the tools.  Telnet, of course, is restrictable
from inetdsec.  NS/VT cannot be restricted except at the firewall.  It's
there, we can place "allowable IP addresses" on restricted ports.

> There are two extrinsically measurable attributes associated
> with these five
> businesses that speak to the obvious benefits of connecting
> an HP3000 to the
> internet: the speed at which these companies have adopted the
> technology
> (telnet hasn't been on the HP3000 very long), and the general
> conservatism and
> business-orientation of our customers. Most operate their
> machines without
> data processing staffs onsite, and the system manager is more
> often than not
> the CFO, or the mail clerk, or the company president.
>
> I am not sure, but I would bet at least a dozen doughnuts
> that NONE of these
> organizations have set the INETDSEC file to allow or disallow
> anyone. Its just
> not the kind of thing that most business-oriented users of
> HP3000s tend to do.

I would tend to agree with this statement, using the companies cited.  Of
course, there are firms like ours which in return for a fee, would assist
them in getting this put together for them.  The services part is not the
expensive part either - a small firewall configuration, depending on the
software, might take a day or two after planning - one man-week tops for
this type of environment.  Less than $10,000.  What's $10,000 - when it
could cost millions to reconstruct lost data (how many of these sites
actually do a backup each night?)

> But more than that, the unmanageability of manually keeping
> such files up to
> date would overwhelm them. That will only become increasingly
> more true in the
> future, particularly so in five years when internet-based
> telnet has become a
> pervasive business technology. In five years from now, people
> will expect to
> be able to dial a remote HP3000 via telnet, anywhere to
> anywhere, as easily as
> they have been able to dial a remote modem in the past.

Ahhh- this is where VPN comes into play!  I'm working with a client to look
at just this issue, both on a dial-up and a network perspective.

I can use my laptop and dial into a local ISP (I keep a Sprynet account in
my back pocket because they go all over the world) - and have secure access
to the network here, albeit much slower - as if I were sitting on the
network, with PPTP Tunnelling and VPN arrangements.  I did it last week
while in the UK!  I could do it from South Africa if I were there.  I can
telnet right into any host on our network that supports it - and use NS/VT
if needed for the 3000.  This will be part of that future Wirt talks about.

> If truth be told, concerns about security out there in the
> real world are not
> nearly as pervasive as they are on this list. Indeed, most of
> our business
> users rarely give it much thought at all. Usability, reliability, and
> robustness are their primary concerns.

But, if connected to the internet, and their data is compromised - they are
opening themselves up to big trouble.  They have no one to blame but
themselves!  If you're big enough to put yourself on the internet, and open
your systems to the dangers, then you're big enough to get at least MS Proxy
Server for NT.

Sort of like safe sex:  Old enough?  Old enough to go to the drugstore and
face the pharmacist.  (That was aimed at my male counterparts -- we don't
need a prescription :)  My apologies to any I offended - but it is the best
analogy here.

Time to get ready for the day... Later people.

Best Regards,
Joe

==========================================================
Joe Geiser, Senior Partner, CSI Business Solutions, LLC
 ** Your Client-Server and Internetworking Specialists **
Phone: +1 (215) 945.8100  Fax: +1 (215) 943.8408
*New* Toll-Free (US/Canada): (877) 945-8100
http://www.csillc.com      mailto:[log in to unmask]
==========================================================
HP Channel Partner         Allaire Alliance Partner
Microsoft ClubWin - Team One
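Joe's point that telnet is "restrictable from inetdsec" while NS/VT is not comes down to how inetd evaluates that file: a listed service is filtered by its allow/deny hosts, and an unlisted (or non-inetd) service is open to everyone. The following is an added example, not code from Joe's message or from HP; it assumes the HP-UX /usr/adm/inetd.sec line format (`service allow|deny host ...`, with `*` wildcards and `lo-hi` octet ranges) that MPE/iX's INETDSEC follows, treats a shorter pattern as a prefix and the last line per service as the effective one, and the sample file is constructed.

```python
"""Evaluate an inetdsec-style access list for a given service and source IP."""

# Constructed sample INETDSEC: only partners may telnet; one network may not ftp.
SAMPLE_INETDSEC = """\
# service  action  hosts (constructed example values)
telnet     allow   10.1.1.* 192.168.5.10-20 203.0.113.7
ftp        deny    198.51.100.*
"""

def _octet_matches(pattern, value):
    """One address field: '*' wildcard, 'lo-hi' range, or a literal octet."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value

def host_matches(pattern, ip):
    """Does dotted IPv4 `ip` fall under `pattern`? Short patterns act as prefixes
    (assumption); hostnames would need a resolver and are not handled here."""
    parts, octets = pattern.split("."), ip.split(".")
    if len(octets) != 4 or not 1 <= len(parts) <= 4 or not all(o.isdigit() for o in octets):
        return False
    return all(_octet_matches(p, int(o)) for p, o in zip(parts, octets))

def parse_inetdsec(text):
    """Return {service: (action, [host patterns])}; later lines for a service win."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed inetdsec line: {raw!r}")
        rules[fields[0].lower()] = (fields[1].lower(), fields[2:])
    return rules

def is_permitted(rules, service, ip):
    """inetd semantics: unlisted service -> anyone; allow -> listed only; deny -> all but listed."""
    rule = rules.get(service.lower())
    if rule is None:
        return True
    action, hosts = rule
    listed = any(host_matches(h, ip) for h in hosts)
    return listed if action == "allow" else not listed

if __name__ == "__main__":
    rules = parse_inetdsec(SAMPLE_INETDSEC)
    for svc, ip in [("telnet", "10.1.1.42"), ("telnet", "10.1.2.42"),
                    ("ftp", "198.51.100.9"), ("vtserver", "198.51.100.9")]:
        print(f"{svc:9s} from {ip:14s} -> {'permit' if is_permitted(rules, svc, ip) else 'deny'}")
```

The last line of the demo is the real lesson: a service inetd does not list, such as the NS/VT listener, is accepted from any source, so that filtering has to happen at the firewall, exactly as Joe says.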
