LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-13-2008, 01:35 PM   #16
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15

You've never heard of using IPX in a DMZ (like a firewall, as mentioned)? ... Hoo-K, you *must* be sane then.

The idea is that it means no net (TCP/IP) traffic gets through, because you have to switch from TCP entirely. You don't need to run the whole network on IPX/SPX, although there are advantages to doing so because IP isn't involved (the network addresses go by the actual MAC); what you can do is create a deadzone between the internet and your LAN(s).

As for patching any issues, yes, patches are all OK when the OS etc. hasn't been thoroughly tested prior to release and is in need of being patched, but it's not exactly an efficient method of doing anything. The more code, the more complexity, the easier to exploit and hide things in.

Interesting angle you took though - going for the 'that is laughable because it's old and legacy' given the nature of most of the OS in these forums. Just because something is patched doesn't mean it's secure, it just means that someone has mentioned a flaw and that flaw has then also been in some way resolved; the patched system remains as potentially insecure as any older legacy system. The fact it's been patched means it was insecure the whole time previously to being patched; did anything actually happen though? If the TCP/IP WAN to LAN and back traffic is heavy, would you have noticed if anything did happen: there could be tiny little hidden executables borrowing bandwidth still in there following a patch & if a lot of folks are using the internet from within the LAN it's all the easier for such things to hide a stray packet - it'd depend how tight your other security is.

The other thing about using non-default internal IP ranges is not the same as the above. Yes obviously you would have to run the Novell server to have different protocols from TCP/IP. I don't know about 'nobody will be using it' - anyone can say that about any OS, but in reality loads of places are running entirely unpatched NT still, and so forth. This was about being really secure though, not worrying about not having certain tools already. And if it isn't widely known of, then that makes it more secure; just statistically - if less people know how to use it then the chances of anyone compromising it are reduced.
 
Old 07-13-2008, 03:51 PM   #17
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15
btw, I'm not a guru-anything & I sincerely never meant to imply such in answering this thread. I found the word choice unfortunate but I wanted to throw in my 2 cents..
 
Old 07-13-2008, 11:21 PM   #18
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
OK, I've talked to hundreds of companies in the last few years and not one of them was running IPX/SPX for production, how's that? Even when I worked in Utah (home of Novell), for a company that supported tons of Novell software, all their customers were migrating to IP.

What the heck is the point of running a server with only IPX/SPX connections? What could it "serve"? Nothing, unless the clients supported the same networking, and then you have the whole problem I mentioned in the first place. The whole point of a server is to make a service available for other machines to connect to. Anyone could run a super-secure server just by removing all network cards, physically disabling built-in network interfaces, and soldering plugs into the keyboard & mouse input ports... it wouldn't be very freakin useful though, would it?

As for non-standard internal address spacing, if you're not using one of the assigned RFC1918 address ranges, then you're using some kind of range that has been assigned for some other purpose, probably one that has been assigned to some other network operator. Then what you are doing is creating network blackholes to certain networks. Not very smart at all.

Where the heck are you getting your hair-brained ideas from? You certainly are not a security or networking professional, and as such you really shouldn't be giving (bad) advice on these topics.

By the way, some factual corrections... you don't have to use Novell software to use IPX/SPX networking. It's built into many operating systems, including Windows (and an option on Linux). Also, the fact that no patches are released for legacy software doesn't mean it's completely secure and it doesn't need any patches; it means no one is bothering to do research on pointless software because it's, well... pointless. Therefore if you're using it, there are probably dozens of unpatched vulnerabilities. Would you rather have frequently patched, well-supported software, or unsupported, never patched software? People who know what they're doing are pretty clear about this, which is why those of us who are actually in the industry never see IPX/SPX networks any more.
 
Old 07-14-2008, 04:00 PM   #19
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15
Really - so you've seen how many existing networks out of all the networks that actually exist? And you think you know what everyone must be using based on that amount.

There's something wrong with you in your head. You obviously know nothing about firewalls. Clearly my replying here upset you emotionally because you are so insecure; and also obviously the part about these forums being "friendly" is way wrong when people like you are here replying like that. If you are so interested in proving here you know how to supersecure a system then why don't you reply to the original poster.

I haven't done the course myself - but you might want to take your grievances about nobody using the Novell protocols as deadzones to the likes of the iNet vendors, as it's something they continued to teach regarding securing systems; the last time I checked was in their 2003 course texts. So - what do you recommend instead then, when installing a protocol-change deadzone?
 
Old 07-14-2008, 04:21 PM   #20
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15
btw, if you actually read my previous reply, and the one before it, it does actually indicate and then state outright where the client machines come in - hint, it's to do with the part about their not using IP but being identified by their MACs instead.

What's the matter with you, are you worried your boss is reading this and they'll ask why you never told them about some things mentioned in this thread, as regards their security? 'The industry' is full of overpaid phonies who talk a load of garbage to people that know nothing about computers, and basically con them into buying all kinds of things they will never need. That's why there are IDS systems on sale that cost thousands of pounds, but the same thing they do can be done with free software and a knowledge of the command line. They'll be gearing up in the Fortune 500 companies to spend more more more on more 10gig switches and the like, because IPv6 has such big headers. Or perhaps they will need another 10 petabytes of space for all those database views, or are they going to actually begin to match their hardware's power usage to traffic requirements like all the adverts and blurbs about how green they are now claim. I don't care how long you've worked there or how many posts you've done on a forum - what would you recommend in a deadzone as a protocol change?

Hasn't Linux fallen a long way away from what it started out as, now it's just another corporate-whore gangbang going by the likes of your post.

Besides which - the type of industry you're talking about doesn't send people to ask about security on internet forums. They're too busy being fleeced with 2nd rate advice and spending an equal amount of money to the same photographers and webpage designers that do all the big companies graphics and layouts - badly and tastelessly.
 
Old 07-14-2008, 04:39 PM   #21
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15
chort, did you go and see The Matrix and get offended when he tried to leave the company?
 
Old 07-14-2008, 05:23 PM   #22
FranDango
Member
 
Registered: Jun 2008
Posts: 101

Rep: Reputation: 15
Your biggest problem will be your users - those who put post-it notes on their monitor with their password; those who give away account information on the phone just because someone claims to be a system administrator doing maintenance work; those who access all those websites with "free contents" (free only in terms of money) and install everything right away.

You have to define the purpose of the system and how to set up reasonable restrictions for your users. Educating them is also helpful.
 
Old 07-14-2008, 05:43 PM   #23
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote: Originally Posted by chort
Where the heck are you getting your hair-brained ideas from? You certainly are not a security or networking professional, and as such you really shouldn't be giving (bad) advice on these topics.
Quote: Originally Posted by shroomy_bee
There's something wrong with you in your head. You obviously know nothing about firewalls. Clearly my replying here upset you emotionally because you are so insecure;
Both of you will put an end to the personal attacks IMMEDIATELY. This is a technical forum, and even though it is normal for technical discussions to sometimes turn extremely passionate, personal attacks will NOT be tolerated here. This is clearly stated in the LQ Rules. This is an official public warning to both of you.
 
Old 07-14-2008, 05:55 PM   #24
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15
He insulted me in both the replies; I only pointed out how wrong that was in saying there must be something wrong with him then. I didn't see anyone stepping in here to point out those two insults - but if I reply back there's a warning? How does that work? I'm not interested in wasting my time on any double-standard place if that's how things are here.

Further to what some of the topic is about: the conventional wisdom about upgrading OSs is that you wait until they are established, so after a few service packs / patches of that type have been released and are proven to be secure. And then they move on to the next release...while you install the older one that is now secured.
 
Old 07-14-2008, 06:09 PM   #25
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote: Originally Posted by shroomy_bee
He insulted me in both the replies; I only pointed out how wrong that was in saying there must be something wrong with him then. I didn't see anyone stepping in here to point out those two insults - but if I reply back there's a warning? How does that work? I'm not interested in wasting my time on any double-standard place if that's how things are here.
There is no double-standard. You have both received a warning because you have both launched personal attacks. If you ever feel you have been insulted by another member here on LQ, please use the Report button immediately in order to notify the Mod Team. Moderators aren't omnipresent and as such we rely a great deal on people actually using the Report button. That said, if you wish to further discuss this matter contact me or another moderator via email instead of using this thread (that goes for both of you). Hopefully this thread can get back on topic now.

Last edited by win32sux; 07-14-2008 at 06:18 PM.
 
Old 07-15-2008, 05:34 AM   #26
shroomy_bee
Member
 
Registered: Feb 2008
Posts: 36

Rep: Reputation: 15
Well if I'd known these were the kind of forums where you are allowed to report 'senior members' for insulting you then I would have the first time he did so - but 'senior member' looks like he is a mod of some kind, and in my experience with nasty replies on forums there is no point in ever reporting them as it just gets you banned instead because you report a moderator.

I don't mean to ignore your asking to discuss this further in private, it's just that I think the above needs to be stated publicly so anyone can read it.
 
Old 07-15-2008, 12:31 PM   #27
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote: Originally Posted by shroomy_bee
Well if I'd known these were the kind of forums where you are allowed to report 'senior members' for insulting you then I would have the first time he did so - but 'senior member' looks like he is a mod of some kind, and in my experience with nasty replies on forums there is no point in ever reporting them as it just gets you banned instead because you report a moderator.
For the record, our members are free to report any posts they deem necessary - including posts made by moderators such as myself. Also, we don't ever ban members only for reporting a post (regardless of whose post it was). And even if we did resort to such nastiness, you could still contact jeremy, who experience has shown is always willing to get things sorted-out in the most fair way possible.

Quote:
I don't mean to ignore your asking to discuss this further in private, it's just that I think the above needs stated publicly so anyone can read it.
I understand. Let's try and get this thread back on track now, though.

Last edited by win32sux; 07-15-2008 at 12:35 PM.
 
Old 07-17-2008, 11:17 PM   #28
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
I have never once seen a "protocol change deadzone" implemented in a civilian or government network. What is the point? The protocol has to be translated back again if it's going to be used for anything useful, so then you have to install some kind of a shimmed network stack that converts between two protocols... that doesn't sound complicated or bug-prone at all! It adds nothing useful whatsoever, and just puts a huge performance and stability speed-bump in the middle of your network.

If you don't want anything to reach a certain machine across the network... disconnect it from the network! If you're not going to attach it in a way that's practically usable, you might as well not have it connected at all. If you're soooooo worried about IP spoofing, implement static MAC tables on each machine. Did you know that you may hard-code your ARP table? That's basically the same thing as IPX addressing, but without having to install a second, unsupported network stack on every machine.

Either implement a true air-gap, or use your firewall for what it was designed for. If you're not going to trust your firewall, you might as well not even have it.

As for firewall knowledge, I've worked on just about every major commercial firewall there is (Pix, CheckPoint, Netscreen/Juniper, SonicWall, WatchGuard, etc.) in some of the most secure data centers in the world (production DCs for top-5 banks, credit card companies, and sensitive Federal government facilities). I've built and implemented my own firewalls with Open Source tools, and run the edge routers for what was, at the time, one of the largest IP block owners in the world. I think I know a tiny bit about firewalls and network security.

What Novell puts in their course curriculum isn't really relevant, because their proprietary networking standards are dead. Everyone uses TCP/IP, everywhere, all the time. Real production networks at real companies do not use IPX/SPX, so while it might be a good way for selling training for Novell, it's not useful knowledge for the real world.

Which brings me to the final point: If you're not a guru, and don't have practical experience with the subject you're talking about, perhaps it's best to not give advice about that subject.

I could really care less if anyone is offended. There's no point in having an informational site if the information is 90% wrong and the 10% right gets criticized. I get paid a lot for giving the same advice at work, so if people aren't willing to take good advice for free, it means nothing to me. Your boss will just pay my employer tons of money for me to say the same thing.
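As an added example, not chort's code or anything posted in the thread: a small Python audit of the "hard-code your ARP table" advice above. It parses `ip neigh show` output (a constructed sample is embedded), flags expected hosts whose entry is missing, answered by a different MAC, or not PERMANENT, and emits the `ip neigh replace ... nud permanent` commands that would pin them. The addresses, MACs and interface name are assumptions.

```python
"""Audit a Linux neighbour (ARP) table against hard-coded IP-to-MAC bindings.

Added example for the "hard-code your ARP table" advice above; not code from
the thread. Parses the `ip neigh show` output format of iproute2.
"""
import re

# Expected static bindings for the segment (constructed sample values).
EXPECTED = {
    "192.168.10.1": "00:11:22:33:44:01",   # gateway
    "192.168.10.20": "00:11:22:33:44:20",  # file server
    "192.168.10.30": "00:11:22:33:44:30",  # printer
}

# Constructed sample of `ip neigh show` output exercising each case below.
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:11:22:33:44:01 PERMANENT
192.168.10.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.10.30 dev eth0 lladdr aa:bb:cc:dd:ee:ff PERMANENT
192.168.10.99 dev eth0 lladdr 00:11:22:33:44:99 STALE
192.168.10.40 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>[A-Z]+)$"
)


def parse_neigh(text):
    """Return {ip: (mac or None, state)} from `ip neigh show` lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = (mac.lower() if mac else None, m.group("state"))
    return table


def audit(expected, neigh_text):
    """Compare expected bindings with the live table; return sorted findings."""
    table = parse_neigh(neigh_text)
    findings = []
    for ip, mac in expected.items():
        entry = table.get(ip)
        if entry is None:
            findings.append((ip, "missing"))
            continue
        seen_mac, state = entry
        if seen_mac != mac.lower():
            # Another MAC answering for a protected address: ARP-spoof symptom.
            findings.append((ip, f"mac-mismatch:{seen_mac}"))
        if state != "PERMANENT":
            # A dynamic entry can still be overwritten by unsolicited replies.
            findings.append((ip, f"not-static:{state}"))
    return sorted(findings)


def pin_commands(expected, dev):
    """iproute2 commands that make each expected binding a static entry."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in expected.items()]


if __name__ == "__main__":
    for ip, problem in audit(EXPECTED, SAMPLE_NEIGH):
        print(f"{ip}: {problem}")
    print("\n".join(pin_commands(EXPECTED, "eth0")))
```

On a live host, feed the real `ip neigh show` output into `audit()` instead of the sample; static entries only protect the hosts you list, so the gateway belongs in the expected set.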
 
Old 07-18-2008, 06:47 AM   #29
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: Originally Posted by chort
Which brings me to the final point: If you're not a guru, and don't have practical experience with the subject you're talking about, perhaps it's best to not give advice about that subject. (..) I could really care less if anyone is offended. There's no point in having an informational site if the information is 90% wrong and the 10% right gets criticized.
I agree that any advice given must be objective, truthful, accurate and presented in a factual way. However you also have to remember that LQ is FFA and you don't gain "expert points" like in some other fora. Your reputation is in what you post about and *how* you post about things. Remember everybody has to have a chance to start out somewhere, learn from their mistakes and grow into it. If only "experts" are allowed to post then we would cut off a large proportion of enthusiasts, some of whom could have the potential to become experts. So we have to be open-minded, not shut people out, and let peer review do its work.


Quote: Originally Posted by shroomy_bee
chort, did you go and see The Matrix and get offended when he tried to leave the company?
This topic does not require any OT remarks, so don't.


@both:
People who are knowledgeable in some fields also tend to be passionate about the things they do, sometimes to the point where they want to browbeat people into just accepting theirs is "Teh Only Right Way". Unfortunately those who lack that knowledge, or haven't learned yet to acknowledge their mistakes, tend to shield themselves from useful dialogue as well, stubbornly defending their (hopeless) position as passionately too. All very understandable, but such a stalemate can lead to clashes where any objective discussion of facts is stifled and replaced by drama, monologue, OT remarks, namecalling, intimidation and whatever LQ views as not part of constructive dialogue. You see, the "how" part is equally important, not only because it makes it easier for people (and those who find the discussion later on through other means) to decide which advice to follow but also to keep a useful dialogue going.

Deliberately offending people, or not caring about offending people, effectively means disqualifying yourself (solely by your own doing) under the LQ Rules, in terms of netiquette and in other ways (I hope I may expect everybody, but especially the reputable, knowledgeable, well-versed, more mature members of LQ, to recognise that these written and unwritten rules more or less mirror Real Life). Especially those who already *know* it is their Achilles heel.

The "fun" part of solving most questions and problems dealing with all aspects of computerized systems is that for the majority they are binary: a solution either works or it does not. So while critique may at times be hard to swallow, in dialogue all parties involved share a responsibility. If critique is on topic and factual one should be able to learn from it. If critique is wrong then deal with it by challenging and correcting facts. Nothing else. Retaliating has no purpose except showing deficiencies. To the both of you: please deal with it.


If you want to talk to me about this please redirect your remarks to e-mail, not posts on LQ.

Last edited by unSpawn; 07-18-2008 at 06:51 AM.
 
Old 07-18-2008, 11:09 AM   #30
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I thought I had made it clear that personal attacks, regardless of being directed at or started by whoever involved, would not be tolerated. It seems some LQ members require a nanny or the equivalent of a cattle prodding rod. Unfortunately we shot all the nannies, so to keep things from escalating this thread is closed for the time being.

To make certain you both understand where things are at. Now hear this CFB: I require of both of you that, when you have completed your cooldown period (where applicable), you do not challenge other people's POV on LQ unless you do that in a respectful and factual manner. Rest assured that future excesses and failures to comply with LQ Rules and moderator directives will be noticed and will be dealt with.
 