Internet Security/Firewall for IRIX
#11
RE: Internet Security/Firewall for IRIX
The only reason Cisco makes their crap routers and sells their crap routers is because they want your money. I'm willing to admit that their hardware is quality but Cisco does not give a shit about any security concerns that may "affect their bottom line." Hey, they've got a sports stadium they need to take care of.

Project: Temporarily lost at sea
Plan: World domination! Or something...
(This post was last modified: 10-19-2023, 10:30 AM by vishnu.)
vishnu
Tezro, Octane2, 2 x Onyx4

Trade Count: (0)
Posts: 1,247
Threads: 42
Joined: Dec 2017
Location: Minneapolis, Minnesota USA
10-19-2023, 10:22 AM
#12
RE: Internet Security/Firewall for IRIX
Hi gmcenroe,

no way in the world would I put any IRIX machine directly on the internet.

Also no way would I expose any application running on IRIX on the internet (via port forwarding, firewall or some other means).

Example is I recently put IRIX man pages up on a server, via mostly static pages, as there was no way I would expose IRIX Infosearch via internet....

Nowadays, it is no longer just ip address/port protection (which is what most "firewalls" provide), it is about securing the application behind the ip address/ports from application injection and buffer overruns and other hacking tactics.

Hence why security patches are being delivered daily across applications and OS.

To protect any internet facing systems you need to run regular scans on your network.

One of the most commonly used scanning tools was OpenVAS, which morphed into Greenbone Vulnerability Management and is readily available as part of the Kali Linux distribution, which is focused on providing security vulnerability tools.

Whether you use: Juniper, Cisco, Linux, BSD, Fortinet... or any other of the thousands of network router/security options, do not trust it blindly, run scans.

And if you want to access your SGI device remotely, then set up a VPN, rather than exposing SSH to the internet.

Cheers from Oz,

jwhat/John,
(This post was last modified: 10-22-2023, 01:57 AM by jwhat.)
jwhat
Octane/O350/Fuel User

Trade Count: (0)
Posts: 513
Threads: 29
Joined: Jul 2018
Location: Australia
10-20-2023, 03:04 AM
#13
RE: Internet Security/Firewall for IRIX
(10-19-2023, 10:22 AM)vishnu Wrote:  The only reason Cisco makes their crap routers and sells their crap routers is because they want your money. I'm willing to admit that their hardware is quality but Cisco does not give a shit about any security concerns that may "affect their bottom line." Hey, they've got a sports stadium they need to take care of.

Wull, for sure my cisco experience is with old stuff, but it all had fast ethernet interfaces which was fine for us so it was plenty good enough. As far as I know it did not have any of these vulnerabilities of which y'all speak. I'm sure it had some but they weren't built-in passwords cuz there weren't any. Now that they are consumer-grade crap and it's 2023 when it's all about the cash, things are probably different.

But you can still buy a 3660 and fill it with goodies and put different fans in it, and not have to worry.

About your other complaints, for sure. The entire world is like that. The worst offenders are the shitsticks at google but I don't hear anyone (else) screaming "stay away from ALL google products ! all they are is cameras in your underwear drawer !" Nope, people fill their pages with googlefonts, googleapis, googlethis and googlethat, google cameras under the toilet seat, all the worst real failure in one's security you can imagine. And then they run windows on top of it, which is filled with back doors that mickey can use ... then they hope no one else can find them. Yeah right, only mickey is smart, unh-hunh. Mickey has always been the dumbest of the bunch.

The whole thing is just shit on a shingle, everywhere. Fuck it. I read a couple of sites and stay away from everything else. Programs written in 1995 actually do the job, the rest of this crap can go on a throwaway device in case I need to use weixin for something. Screw computing, it's shit.
hamei
broke-down old clunker

Trade Count: (0)
Posts: 380
Threads: 3
Joined: Jul 2019
Location: 上海
10-20-2023, 05:45 PM
#14
RE: Internet Security/Firewall for IRIX
In my personal life, I don't do anything on the Internet either, other than looking at some programming websites, this place, and slashdot.

In my work life, I only use the Internet to find parts that we need to buy in order to fill our contract requirements, those would be websites like digikey, mouser, jameco, and machine shops. Ordinarily, if I need to prototype a machined part, I make it myself. Then if I need a bunch of them I purchase req it out to any one of a dozen local machine shops, who all do a very fine job.

On my website, which maybe only 15 other people in the world ever look at (other than people trying to crash Apache thinking they can gain root access to the box), I've never used an html generator, I've written all the html myself by hand, and I don't use any of that google crap. I look at the page source of commercial websites today, and I think, what the hell is all this shit? For the love of all that's good and holy, do you really need a couple dozen javascript apps just to display a webpage?

Project: Temporarily lost at sea
Plan: World domination! Or something...
vishnu
Tezro, Octane2, 2 x Onyx4

Trade Count: (0)
Posts: 1,247
Threads: 42
Joined: Dec 2017
Location: Minneapolis, Minnesota USA
10-21-2023, 08:23 AM
#15
RE: Internet Security/Firewall for IRIX
Thank you all for the numerous replies to this question. 

While I am still researching for the best solution, I am leaning toward setting up a VLAN from a managed switch. I looked at CISCO Catalyst 1000 which appears to be set up with easy management software rather than CLI, but it is only a level 2 switch. There are older CISCO switches that one can buy on ebay for far less that are level 3 for better security but they are end of life models and probably already heavily used, some require licenses, and I am not sure if they have the latest software installed or if I can update their firmware. Even the Catalyst 1000 8 port switch seems pretty expensive new from amazon ($289) or on ebay (similar price) for my use case. Other newer higher end models run over $1200, lol. There may be some other devices somewhere in between these 2 choices that are more affordable. I am still searching.

There are also some good IRIX security white papers online that seem to enable hardening the system from attacks and run in a more secure mode that are quite helpful. 
See GIAC certification : Securing an IRIX 6.5.26 Workstation
Balancing Usability and Security in a Research Environment by Michael Schmit from September 2005

In the meantime I will just stay off the internet with my SGI.

Indigo2 R10000/IMPACT Indigo2 Solid Impact R4400 250MHz IP22; 128MBytes RAM; HD Drive, Tape Drive, CDROM IRIX 6.5.22
(This post was last modified: 10-22-2023, 07:30 PM by gmcenroe.)
gmcenroe
O2

Trade Count: (0)
Posts: 47
Threads: 9
Joined: Oct 2020
Location: United States
10-22-2023, 07:21 PM
#16
RE: Internet Security/Firewall for IRIX
Why are you looking for a managed switch? I don't see any possible reason for that. A switch is just a bridge, it moves ethernet packets around and is mostly pretty stupid.
A router is a far more capable device and many routers have built in "switches" on a subset of their ports if you actually need that as opposed to just using a dumb switch or hub for LAN segments.
Unless you have a very large or complicated network, just assume each LAN segment is a local security domain and has total, unfettered access within each.
Your router is what provides a firewall between those segments, for example between a local "secure" segment that you control, and the public internet segment to your ISP. It does that using routing rules, and also with proxies if supported. I think VLANs are mostly a waste of time unless your network is so spread out that you can't physically connect different security domains to different router ports (because that is the only thing they accomplish; they do not provide any packet filtering at all).

Personaliris O2 Indigo2 R10000/IMPACT Indigo2 R10000/IMPACT Indigo2 Indy   (past: 4D70GT)
(This post was last modified: 10-22-2023, 09:16 PM by robespierre.)
robespierre
refector peritus

Trade Count: (0)
Posts: 640
Threads: 3
Joined: Nov 2020
Location: Massholium
10-22-2023, 09:14 PM
#17
RE: Internet Security/Firewall for IRIX
(10-22-2023, 09:14 PM)Robespierre Wrote:  Why are you looking for a managed switch? I don't see any possible reason for that. A switch is just a bridge, it moves ethernet packets around and is mostly pretty stupid.

A router is a far more capable device and many routers have built in "switches" on a subset of their ports if you actually need that as opposed to just using a dumb switch or hub for LAN segments.


Unless you have a very large or complicated network, just assume each LAN segment is a local security domain and has total, unfettered access within each.
Your router is what provides a firewall between those segments, for example between a local "secure" segment that you control, and the public internet segment to your ISP. It does that using routing rules, and also with proxies if supported. I think VLANs are mostly a waste of time unless your network is so spread out that you can't physically connect different security domains to different router ports (because that is the only thing they accomplish; they do not provide any packet filtering at all).

I think that you are aware of the difference between a managed vs unmanaged switch. Maybe you thought that I was going to replace the router with a managed switch instead of adding it? The router is basically an unmanaged switch limited to 4 wired ports and wireless connections. My router does have one "guest" network, but it only allows a guest to access the internet, not my network. It has no VLAN capability as most commercial routers don't. Running a managed switch with VLAN prevents a malicious device on my network from detecting devices that are isolated, thereby providing additional security. It would also provide specific control and configuration options that prevent one device on the VLAN from seeing and communicating with other devices in that VLAN. There are other advantages of running VLANs, too much to write here. Adding layers to a network increases security instead of running everything in one device. Whatever switch I choose, it will also allow me to expand the network in the future to a greater extent than that provided by my router.

Others on this thread don't believe that firewalls on commercial routers are that secure. I am not certain about that. I could add a separate firewall device but that is too expensive and probably is redundant and overkill for me.

Thanks for posting your opinion though.

Indigo2 R10000/IMPACT Indigo2 Solid Impact R4400 250MHz IP22; 128MBytes RAM; HD Drive, Tape Drive, CDROM IRIX 6.5.22
gmcenroe
O2

Trade Count: (0)
Posts: 47
Threads: 9
Joined: Oct 2020
Location: United States
10-23-2023, 12:00 AM
#18
RE: Internet Security/Firewall for IRIX
It's just my humble opinion, but I think using a commercial router to connect your PC, LAN, whatever, to the Internet, is crazy. You just can't trust that shit.

I know I'm about nothing if not repeating myself, but my LAN connects to the Internet through a Linux PC that runs a kernel and an IPTables firewall that I configured myself, here's a fairly simplified version of how I've got it set up:

Code:
Linux computers---
                 |
SGI computers--------Hub---Linux with two NICS firewall---Internet connection
                 |
Sun computer-----

Project: Temporarily lost at sea
Plan: World domination! Or something...
vishnu
Tezro, Octane2, 2 x Onyx4

Trade Count: (0)
Posts: 1,247
Threads: 42
Joined: Dec 2017
Location: Minneapolis, Minnesota USA
10-23-2023, 01:22 AM
#19
RE: Internet Security/Firewall for IRIX
(10-23-2023, 01:22 AM)vishnu Wrote:  It's just my humble opinion, but I think using a commercial router to connect your PC, LAN, whatever, to the Internet, is crazy. You just can't trust that shit.

I know I'm about nothing if not repeating myself, but my LAN connects to the Internet through a Linux PC that runs a kernel and an IPTables firewall that I configured myself, here's a fairly simplified version of how I've got it set up:

Code:
Linux computers---
                 |
SGI computers--------Hub---Linux with two NICS firewall---Internet connection
                 |
Sun computer-----

I know that you don't like routers, but I thought that they are designed to do what you do with your NICS firewall and provide wireless access as well. There seem to be solutions for everyone depending on your setup and if you run laptops or other devices that can use wireless access. Those devices that I run on wireless are much more secure than SGI boxes in my opinion. Thanks for sharing your setup.

Have you considered running a VPN router?

Here is a report that studied router security problems: https://www.fkie.fraunhofer.de/content/d...ericht.pdf so you are correct about the vulnerability of routers.
It looks like most routers are running Linux OS with 2 network interfaces even though you can't call these NICS. You could also run one with a single physical interface with multiple sub-interfaces all using different VLAN IDs connected with a switch with connections to pass traffic accordingly, such as connections to an internal LAN and an uplink to an ISP.

I also do not have a PC with 2 extra slots to add 2 physical NICs at this time.

Indigo2 R10000/IMPACT Indigo2 Solid Impact R4400 250MHz IP22; 128MBytes RAM; HD Drive, Tape Drive, CDROM IRIX 6.5.22
(This post was last modified: 10-23-2023, 03:16 AM by gmcenroe.)
gmcenroe
O2

Trade Count: (0)
Posts: 47
Threads: 9
Joined: Oct 2020
Location: United States
10-23-2023, 02:08 AM
#20
RE: Internet Security/Firewall for IRIX
I have a Broadcom wireless antenna in my firewall computer, but I don't use it.

It's not that I don't like routers, I've never used one. Maybe there are some good ones that are actually secure. If there are, I've never heard of one. On my firewall, which as I'm so fond of repeating myself, I'll say again, is just a PC running Linux, with a kernel that I configured and compiled myself, and the firewall is IPTables, with a configuration script that I wrote myself. With a commercial router, what do you get? Some sort of a micro-Linux kernel and a firewall that their software engineers think will keep your LAN safe from intrusion. I call bullshit on that. Commercial routers, like any other commodity product, are designed and built for one thing, to make their manufacturers money. So even if there are software engineers working for the company that think more needs to be done to create a secure product, money money money. So when some monumental security flaw is found in any given router, which has happened thousands of times, the manufacturers are like, "Oh really? That's too bad. Let's sell some more crap routers and see how much more money we can make." Just my opinion, other opinions may vary (but they'd be wrong). 😆

Project: Temporarily lost at sea
Plan: World domination! Or something...
vishnu
Tezro, Octane2, 2 x Onyx4

Trade Count: (0)
Posts: 1,247
Threads: 42
Joined: Dec 2017
Location: Minneapolis, Minnesota USA
10-23-2023, 08:35 AM
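
Added example, not part of the original posts and not vishnu's own script: a minimal default-deny ruleset for the two-NIC Linux firewall topology described in posts #18 and #20, plus a check that nothing is accepted inbound on the Internet-facing interface. The interface names (eth0, eth1), the LAN subnet and the SSH-from-LAN rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for a two-NIC Linux firewall.
# Interface names and the LAN subnet used below are constructed placeholders.
# Load the output with iptables-restore as root; forwarding between the NICs
# additionally needs net.ipv4.ip_forward=1.

valid_if()  { case "$1" in ''|*[!A-Za-z0-9._-]*) return 1;; esac; }
valid_net() { case "$1" in ''|*[!0-9./]*) return 1;; esac; }

# gen_ruleset WAN_IF LAN_IF LAN_NET -> ruleset on stdout, non-zero on bad input
gen_ruleset() {
    wan=$1 lan=$2 net=$3
    valid_if "$wan" && valid_if "$lan" && valid_net "$net" \
        && [ "$wan" != "$lan" ] || {
        echo "usage: gen_ruleset WAN_IF LAN_IF LAN_NET (two distinct NICs)" >&2
        return 1
    }
    cat <<EOF
*filter
# Default deny: nothing reaches the firewall or crosses it unless allowed below.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: LAN source addresses must never arrive on the Internet side.
-A INPUT -i $wan -s $net -j DROP
-A FORWARD -i $wan -s $net -j DROP
# Replies to connections that were opened from the inside.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumption: the firewall is administered over SSH from the LAN only.
-A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
# LAN hosts (IRIX boxes included) may open outbound connections.
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}

# wan_accept_count IF: reads a ruleset on stdin and counts ACCEPT rules bound
# to inbound interface IF. For the Internet-facing NIC the answer should be 0.
wan_accept_count() { grep -c -- "^-A .*-i $1 .*-j ACCEPT" || true; }

gen_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-192.168.1.0/24}"
```

With this policy an IRIX machine behind the firewall can reach out, but no new connection from the Internet side is forwarded to it or accepted by the firewall itself.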

