Re: Firewall for VMS / TRU64

From: David Webb (david20_at_alpha2.mdx.ac.uk)
Date: 06/05/03 

Date: Thu, 5 Jun 2003 10:38:02 +0000 (UTC)

In article <3EDE950E.B5BF103D@fsi.net>, "David J. Dachtera" <djesys.nospam@fsi.net> writes:
>Bob Ceculski wrote:
>>
>> Andrew Harrison SUNUK Consultancy <Andrew_No.Harrison_No@nospamn.sun.com> wrote in message news:<bbkbek$4on$1@new-usenet.uk.sun.com>...
>> >
>> > External firewall boxes are an inexpensive and effective option."
>> > End quote ====================
>> >
>> > Now I could believe you or I could believe the wizard, its
>> > a difficult choice but on the basis of track record I will
>> > go with the wizard.
>> >
>> > All of which tends to suggest that you would be better of
>> > not using the send button without thinking or researching
>> > your subject. You should have taken my advice earlier in
>> > the thread you would be looking less confused if you had.
>> >
>> > Regards
>> > Andrew Harrison
>>
>> well Andrew, you strike out again, because the wizard unfortunately
>> has to deal with ucx and doesn't know anything about the capabilities
>> of TCPware ... packet filtering, encrypted decnet over IP, ssh2 ...
>> add to that the security VMS offers and as defcon9 proved, I believe
>> you could run a VMS box as a firewall very effectively ...
>

Although TCPWARE does provide Packet filtering and also much better access
control on services than DEC TCPIP services it is far from what I would
regard as a firewall. The packet filtering is just that packet filtering.
It is not in any way stateful. Most modern routers now provide this type
of packet filtering whereas Linux Iptables is a stateful packet filter.

The packet filtering capabilities of TCPWARE would probably not affect the work
required to write a real firewall for VMS. According to the type of firewall
you were writing you would need stateful packet filtering and/or application
proxies (nowadays most firewalls utilise both these approaches).

David Webb
VMS and Unix team leader
CCSS
Middlesex University

>Well, the burden of proof, I'm sorry to say, is on you. Can "it" be done
>with TCPware? Provide effective firewall capabilities without actually
>installing specialized firewall software?
>
>If you can do it, post your data - the config.'s, the tests, the
>results, etc. - and it will be a feather in your cap. Maybe even land
>you a new job, y'never know
>
>Make unsubstantiated claims and they will be the albatross around your
>neck.
>
>A word to the wise - if you're at all open to it: Yes, this is
>"comp.os.vms", not "comp.os.balanced-viewpoint". Still, it's one thing
>to be firm in your beliefs and convictions, as you clearly are - like
>many of us. It's something else entirely to be simply a cheerleader,
>with no proof or evidence, just empty claims (say: "sales-critter"),
>vis-a-vis claims about the futures of Alpha/NT, Alpha itself, VMS, etc.
>
>In short, put your evidence where your keyboard (read: mouth) is.
>
>Sorry if this sounds too stern. I'm trying to help, weak attempt as it
>may be...
>
>--
>David J. Dachtera
>dba DJE Systems
>http://www.djesys.com/
>
>Unofficial Affordable OpenVMS Home Page:
>http://www.djesys.com/vms/soho/