Firewalls: Re: VAX Gopher

Firewalls
(March 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: VAX Gopher
From:	Stephen . L . Arnold @ Arnold . Com
Organization:	Arnold Consulting, Inc.
Date:	Thu, 09 Mar 1995 21:11:15 -0600 (CST)
To:	"*STUART, FRANK" <STUART @ alexandria-emh2a . army . mil>
Cc:	firewalls <firewalls @ greatcircle . com>, Stephen . L . Arnold @ Arnold . Com
In-reply-to:	"Your message dated Wed, 08 Mar 1995 15:01:00 -0500 (EST)" <199503082005 . MAA06146 @ miles . greatcircle . com>

> Is anyone running Mosaic or Gopher on a VAX/VMS system and can
> share any security related issues that need to be considered?
>
> We are trying to determine whether a firewall is needed and if so,
> what type.

I don't know what you would be trying to protect, but if its privacy or
integrity is of any concern at all, you should be considering some kind
of firewall.  The level of protection will depend on the results of your
risk analysis.

OpenVMS is no different from UNIX in that to lock down a bastion,
complexity is your enemy.  If you have time sharing users and lots of
servers, put a firewall in front of it.  If it's a special purpose
information server with just a few daemons (FTP, Web, etc.), you can put
it out on the Internet.

You will need an operating system and TCP/IP software in which you're
confident.  It's important to say it that way, since TCP/IP software is
an unbundled product on the OpenVMS platform.  You'll want a recent
version of OpenVMS with any applicable security patches applied.  I
recommend MultiNet from TGV for TCP/IP, but then [*disclaimer*] I sell
it.  So ask some other folks.  It seems Digital's TCP/IP Services for
OpenVMS VAX (or AXP) (a.k.a. "UCX") is always playing catch-up.

In addition to the usual issues, web and gopher servers and clients are
subject to the risks inherent in letting possibly naive users fetch live
multimedia objects, including PostScript files, command procedures, and
executable images.  Web is a superset of gopher issues, so consider only
web and you'll cover gopher.  The risks are not unlike allowing folks to
play with floppy disks of uncertain origin:  viruses, trojan horses, and
other rogue programs/objects.  The best discussion of seen of these
issues for web users is the Rutgers WWW-Security Reference page
(http://www-ns.rutgers.edu/www-security/reference.html).

Mosaic is a web client.  Gopher includes both client and server.  Of
course there are also web servers for OpenVMS.  In followup questions,
do specify whether you intend to run only clients or also servers. 
(Don't run both on a bastion!)

> Thanks in advance!
> Frank.
> stuart @
 alexandria-emh2a .
 army .
 mil

You're welcome.  Good luck!

Regards,
"Steve"   Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address   2530 Targhee Street, Madison, Wisconsin  53711-5491  U.S.A.
Telephone +1 608 278 7700               Facsimile +1 608 278 7701
Internet  Stephen .
 L .
 Arnold @
 Arnold .
 Com   Pager (800) 351 8927

References:

VAX Gopher
From: "*STUART, FRANK" <STUART @ alexandria-emh2a . army . mil>

Indexed By Date	Previous:	chroot httpd From: paul @ rio . myra . com (Paul Dodd)
Indexed By Date	Next:	Deslogin-1.3 Now Available From: Dave Barrett <barrett @ asgard . cs . Colorado . EDU>
Indexed By Thread	Previous:	VAX Gopher From: "*STUART, FRANK" <STUART @ alexandria-emh2a . army . mil>
Indexed By Thread	Next:	Firewall design... From: <ROBERTA @ grolier . ccmail . compuserve . com>