HP3000-L Archives

June 2001, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Ken Hirsch <[log in to unmask]>
Date: Wed, 27 Jun 2001 13:42:07 -0400

Wirt Atmar wrote:


> I have yet to see any greater danger associated with having an HP3000
> connected to a fixed-address packet-switched network (the internet) than I
> used to have having it connected to a fixed-address public-switched network
> (the phone system), save these two exceptions:
>
>      o the hacker used to have to pay for each of his attempts to break into
> my computer if he wasn't smart enough to use a "blue box," (which was, btw,
> Apple's first real product :-).
>
>      o he can cycle his attempts much more quickly nowadays than he used to
> be able to do.

Big difference!

>
> But other than that, there is no real difference. Ultimately, good
> passwording is your only security. If security was miserable with a modem
> connected, it won't be any better now with TCP/IP circuits, no matter how
> many firewalls exist. But if it was good with a permanently connected modem,
> it won't be any worse with a network connection. I blame a lot of the calls
> for firewalls on simple fear and not much else.
>
> All security is an illusion. Now that we have such extraordinary features as
> FTP and telnet, a lot of people have these protocols senselessly locked down,
> so that now when I "telecommute" to a client's site, I often nowadays have to
> use Reflection under NS/VT and use Reflection's file transfer mechanism. When
> doing this, I only make slight mention of the fact to our clients that I'm
> blowing right through the firewall's protection, using precisely the features
> -- although not the same protocols -- that they have locked down for fear of
> external attack.

Yes, of course, telnet is the highest level of access.  Firewalls are not
designed to stop telnet users from doing file transfers.

Some considerations that make firewalls advantageous:
 - Security is not as good for FTP access as it is for logons.  Where are
   unsuccessful FTP logons logged?  Do you have VESOFT security on FTP?
 - You may have Samba running on a port.  This is very convenient for
   internal users, but do you really need to give this access to internet
   users?
 - The more network services you run, the more vulnerabilities exist.  Samba
   and Sendmail have had flaws discovered in the past that do not require a
   password to exploit.
 - In order to telnet into our HP3000 from home, I have to use special VPN
   software.  This adds another level of security and encrypts all data sent
   to the HP3000, including passwords.  The firewall prevents direct telnet
   access.

Food for thought.

Ken

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *