Experimental Physics and
Industrial Control System
| 1994 1995 1996 1997 1998 1999 <2000> 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 | Index | 1994 1995 1996 1997 1998 1999 <2000> 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 |
| <== Date ==> | <== Thread ==> |
|---|
| Subject: | RE: disabling telnet and rlogin |
| From: | [email protected] (Jeff Hill) |
| To: | "Steve Lewis" <[email protected]>, <[email protected]> |
| Date: | Tue, 22 Feb 2000 10:40:24 -0700 |
IMHO the best
security solution in terms of maintenance costs and
guaranteed
uniformity of security policy is to place the operational IOC's
behind a firewall.
This
is somewhat similar to Steve's solution, but the firewall is easier to
maintain, has higher
performance, has better control over security, incorporates
industrial strength
security capabilities, has improved access logging capabilities,
costs about
the same as a Solaris workstation, allows unlimited IP address range
for the control
system ...
High quality
firewalls will allow transparent FTP initiated by the IOCs to the outside,
and
therefore
the IOCs can boot from development machines during maintenance
periods.
Jeff
-----Original Message-----
From: Steve Lewis [mailto:[email protected]]
Sent: Tuesday, February 22, 2000 9:55 AM
To: [email protected]
Subject: Re: disabling telnet and rloginAt 10:18 AM -0600 2000/02/22, Andrew Johnson wrote:"Porter, Rodney" wrote:
>
> Following up on your security talk at APS, I was wondering if there is a> standard way to disable telnet and rlogin. If not could one be made?You can inspect the INCLUDE_CONFIGURATION_5_2 macro, which is justa bunch of #defines, and pick what you want, leaving out telnet andrlogin. Just move the onces you do want from the grouping after#ifdef FALSE to just above it.By the way, I leave them in, because they are useful to me; further,I assume VxWorks is extremeley vulnerable, so to get some real security,I:- put my IOCs on a hidden subnet, for example, using IP masqueradingon one of my dual-homed servers. This really hides them from theInternet (and is good practice for your console Unix/NT machines as well--they can still see "out".);- do not give the IOCs a DEFAULT route; at most, give them single-hostroutes to special hosts not on the hidden subnet. They will not replyto any packet not on their own LAN (which would not occur if usingthe IP masquerading technique, of course). You can still access themby using ssh once to your above server; then rlogin or via you serialport acess method;- change the default password and login supplied by WRS. Do this bylooking further down in configAll.h;- finally, VxWorks is pretty obscure; I still forget to put quotesaround the arguments to cd and ls._____________________________________________________________________
Stephen A. Lewis | [email protected]
Mail Stop 71-259 | http://www.lbl.gov/~salewis
Lawrence Berkeley National Laboratory | Tel: +1.510.486.7702
Berkeley, CA 94720 USA | FAX: +1.510.486.4544
- References:
- Re: disabling telnet and rlogin Steve Lewis
- Navigate by Date:
- Prev: Re: disabling telnet and rlogin Steve Lewis
- Next: Problems with messages... Bonnie Madre
- Index: 1994 1995 1996 1997 1998 1999 <2000> 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
- Navigate by Thread:
- Prev: Re: disabling telnet and rlogin Steve Lewis
- Next: Problems with messages... Bonnie Madre
- Index: 1994 1995 1996 1997 1998 1999 <2000> 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·