Firewallers,
Ok, I blasted off a quick message. Too quick. Let me qualify.
In my experience, a well configured VMS machine can be made VERY
secure by an experienced SA. One can ALSO make a well configured Unix
Machine secure.
I am not remotely saying that a machine set up by an inexperienced user
or not set up at all is going to work. THAT can be a problem. Yes, I can
break into Vaxen or Unix boxes without much trouble. It helps as an SA.
This is usually because of inexperienced SAs, or known holes in the
OS. This is why we have firewalls - to keep Internet people from
breaking in.
However, with Unix, you want to modify the kernel so that the packets
can be analyzed WITH INFORMATION REGARDING WHICH PORT IT CAME FROM.
You want to be able to give SOME privileges to users, but not all (i.e.
nobody except a console logged in SA gets "Set-priv"). You want to be
sure that it's not possible to crash the kernel and get in. I have
experienced many kernel bugs on popular machines. I have found that
VMS is less hackable by coming through sendmail or finger or DNS spoofing
or grabbing Joe Jr Operator's password.
I can take a combination of a router and a solidly patched Unix box
and add some tools to it (screend, and an interface aware packet filter)
and some socket wrappers, and disable everything I don't explicitly want
and have a Good Firewall.
However, I stand by what I say, VMS can be very secure and a number
of Large Banks use these - they also have VMS experts who administer
them. Given a choice, I'd set up a Unix box, and edit the kernel and
appropriate files and audit changes to those files and watch every bit
of unusual activity (like a login or ftp) and turn off certain mailers
(like the prog mailer), and use one-time passwords for logins, and so
on, and on, and on.
Chuck Yerkes
consultant
---------------------------
The opinions and diatribes rendered here
do not reflect the views of my employers.