[foxboro] windows...solaris...security
- From: "Lieven Taleman" <lieven.taleman@xxxxxxxxxx>
- To: <foxboro@xxxxxxxxxxxxx>
- Date: Thu, 26 Aug 2004 23:49:07 +0200
Hi,
Based on my experience with the Foxboro I/A System in developing special
applications and tools I would like to set some things straight:
The Unix Solaris system is multi-process and multi-user. So if you have more
than 1 person working on 1 system this is the best choice.
The Windows system is single user and multi-threaded. The threading
mechanism allows us to run multiple processes but the Unix forking mechanism
is much more reliable.
* Reasons why the Unix Community is degrading :
- The step-in cost is higher and more difficult. On Unix you don't have a
fancy desktop which tells you what to do, but a shell where YOU have to tell
the system what to do.
- Almost everybody has a home PC where he can start learning how to
click, copy and paste. Once he has learned how to do something in an easy
way, the interest for learning the hard way is gone. This is more like
thinking "If I can do 90% of the easy things of my work, I am satisfied. For
the last 10% I'll say 'It is impossible'."
- The standard graphical tools on the Unix system are poor.
* Reasons why the Unix Community should remain :
- In certain environments (like a DCS system), you're not interested in the
last new feature or upgrade, but in doing what the system is meant for and
keeping it stable and reliable.
- A Windows system is more front-end based. A Unix system is more back-end
based.
- Nowadays there exist very good development environments (e.g. Perl) where
you can write graphical programs that can run under Unix and under Windows
with the same source code.
- The Unix scripting environment is considered as a part of the kernel
whereas the windows scripting environment is a separate program that allows
you to write some basic commands.
- A Unix system is more like writing it once in a script and running it
anywhere, whereas a windows system is more like "Clicking and entering it
fast and repeating that every time".
* Security
- The main reason why hackers attack PCs lies in the fact that they all
have a cheap Windows PC and not an expensive Unix system. Before you can
attack something, you need the instruments first.
- The Windows kernel is built on a whole bunch of DLL library files which
can be modified or overwritten. The Unix kernel is more robust. Access to
the Unix system is gained through the inetd daemon or a specific networking
program; the kernel is almost untouchable.
For a Foxboro I/A DCS system, I believe that the main threat comes from the
Company itself. Nowadays big companies are spread over the whole world. A
lot of security is placed on the company borders (firewalls, DMZ zones) to
block hackers. But once inside, a lot of systems have all their doors open.
Based on my experience of the past 2 years implementing a security system
on +100 Foxboro I/A stations, here are some action points:
- Change the default Foxboro root password and do this at least every 3
months.
- Put walls around your Foxboro system by adding a router or firewall
between the DCS systems and the Company network. Only allow certain ports
from and to certain stations.
- Avoid as much as possible the root shell being used by anyone. Only the
system Administrator should have that privilege.
- Block the main security holes (you can start a root window without logging
in through a dmcmd script, through editing a sequence because vi has a shell
exit, or directly through the Software maintenance VT100 menu). If a user
needs a shell window, he should identify himself first by entering a login
and password.
- Enable as much logging as possible and store that regularly on another
system. Enable Operator Actions Journal to get an overview of the Foxboro
actions. Activate BSM (Basic Security Module) to get a listing of all
entered Unix commands. BSM works very well in combination with personal
user logins.
- Filter and examine the captured logging with some easy-to-use entrance
tools (e.g. a web interface). Logging also gives you interesting information
when malfunctions occur.
Greetings,
Lieven Taleman
Independent software developer
B.V.B.A Talsoft
E-mail : Lieven.taleman@xxxxxxxxxx
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: http://www.freelists.org/list/foxboro
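
Added example, not part of the original post: a small filter for the BSM logging step above, showing why personal logins matter. The BSM audit ID is set at login and survives `su`, so root-level commands can be traced back to a person unless the login itself was root. The one-record-per-line `praudit -l` input layout and all sample values are assumptions constructed for illustration.

```python
# Added example (not from the original post): list commands run with root
# privileges from Solaris BSM audit records and attribute them to a login.
# Assumed input: one record per line, as printed by `praudit -l`; only the
# header, path, subject and return tokens are read.

ROOT = {"root", "0"}                   # names by default, numeric ids with `praudit -r`
EXEC_EVENTS = {"exec(2)", "execve(2)"}

def parse_record(line):
    """Return (event, path, audit_user, effective_user, outcome) or None."""
    f = line.strip().split(",")
    if len(f) < 4 or f[0] != "header":
        return None
    try:
        p = f.index("path")
        s = f.index("subject", p)      # subject: audit id, effective uid, ...
        r = f.index("return", s)
        return f[3], f[p + 1], f[s + 1], f[s + 2], f[r + 1]
    except (ValueError, IndexError):
        return None                    # token missing: skip this record

def root_commands(lines):
    """Return (attributed, shared): root-level execs by personal vs root login."""
    attributed, shared = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] not in EXEC_EVENTS or rec[3] not in ROOT:
            continue
        _, path, audit_user, _, outcome = rec
        entry = (audit_user, path, outcome)
        (shared if audit_user in ROOT else attributed).append(entry)
    return attributed, shared

# Constructed sample records (host name, users and ids are made up).
T = "2004-08-26 10:15:02.000 +02:00"
SAMPLE = [
    f"header,120,2,execve(2),,aw0001,{T},path,/usr/bin/vi,attribute,100555,root,bin,136,2342,0,"
    "subject,jdoe,root,other,jdoe,staff,1234,567,0 0 aw0001,return,success,0",
    f"header,118,2,execve(2),,aw0001,{T},path,/usr/bin/sh,attribute,100555,root,bin,136,2101,0,"
    "subject,root,root,other,root,other,1301,570,0 0 aw0001,return,success,0",
    f"header,118,2,execve(2),,aw0001,{T},path,/usr/bin/ls,attribute,100555,root,bin,136,2290,0,"
    "subject,asmith,asmith,staff,asmith,staff,1402,571,0 0 aw0001,return,success,0",
    f"header,81,2,login - local,,aw0001,{T},subject,jdoe,jdoe,staff,jdoe,staff,1200,567,0 0 aw0001,"
    "text,successful login,return,success,0",
]

if __name__ == "__main__":
    attributed, shared = root_commands(SAMPLE)
    for user, path, outcome in attributed:
        print(f"{user} ran {path} as root ({outcome})")
    for _, path, outcome in shared:
        print(f"shared root login ran {path} ({outcome}): not attributable")
```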