Set up guards for viruses
September 15, 2005
HP 3000s have a built-in defense against the viruses and malware that plague the Windows alternatives. The 3000's operating system is tougher to penetrate, in part because of its design and in part because it's not as well understood. But that doesn't mean managers don't have to answer questions about keeping the 3000 virus-free in today's hacked-up environments.
An IT manager recently wondered how to answer the question, "Where's your anti-virus protection for that 3000?"
"We have been asked if we run virus detection and prevention software on our 3000. The questions regard a client who wants Internet access (VPN) between the 3000 box and the client’s internal network security division. Any thoughts on how to satisfy the requirement? Unfortunately, they aren't likely to believe our claim that it's just not a problem. People are so used to the Windows status quo it's hard for them to accept that things might be better in other environments!"
As one user pointed out, "There’s that 'security through obscurity' aspect. There are more viruses written for Windows simply because there are so many Windows machines. But that’s a bad thing on which to rely."
There are several things you can do to secure your 3000s and deliver a reasonable answer to such anti-virus questions.
Mark Landin noted that "If accounts and users are properly configured (i.e., only certain accounts or users have, say, SM and PM capabilities) then there are no opportunities for 'malicious' code to run."
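To turn Landin's configuration point into something an auditor can see, here is an added example (not from the article or from HP) that scans a capability listing and flags every user granted SM or PM outside an explicit allowlist. The `NAME.ACCOUNT CAPS: ...` layout of the sample is a constructed simplification assumed for illustration, not the real MPE/iX LISTUSER or LISTACCT output.

```python
import re
from dataclasses import dataclass

# Constructed sample in a simplified "NAME.ACCOUNT CAPS: ..." layout (an assumption
# for illustration, not the real MPE/iX LISTUSER/LISTACCT output format).
SAMPLE_LISTING = """\
MANAGER.SYS   CAPS: SM,AM,AL,GL,ND,SF,BA,IA,PM,MR,DS,PH
MGR.PAYROLL   CAPS: AM,AL,GL,ND,SF,BA,IA
CLERK.PAYROLL CAPS: ND,SF,BA,IA,PM
DEV1.DEVELOP  CAPS: ND,SF,BA,IA,PM,MR
GUEST.WEB     CAPS: SM,ND,SF,BA,IA
"""

# The capabilities the article singles out: SM (system manager) and PM (privileged mode).
PRIVILEGED = {"SM", "PM"}

# Who is approved to hold which privileged capability; anyone else holding one is a finding.
ALLOWLIST = {
    "MANAGER.SYS": {"SM", "PM"},
    "DEV1.DEVELOP": {"PM"},
}

LINE_RE = re.compile(r"^(?P<name>[A-Z0-9]+\.[A-Z0-9]+)\s+CAPS:\s*(?P<caps>[A-Z,]*)\s*$")

@dataclass(frozen=True)
class Finding:
    name: str
    capability: str

def parse_listing(text):
    """Return {user.account: set of capabilities}; lines that do not match are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group("name")] = {c for c in m.group("caps").split(",") if c}
    return entries

def audit(entries, allowlist=ALLOWLIST, privileged=PRIVILEGED):
    """Flag each privileged capability held by a principal not allowlisted for it."""
    findings = []
    for name in sorted(entries):
        for cap in sorted(entries[name] & privileged):
            if cap not in allowlist.get(name, set()):
                findings.append(Finding(name, cap))
    return findings

if __name__ == "__main__":
    for f in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{f.name} holds {f.capability} without approval")
```

Re-running this against a fresh listing after each account change gives a repeatable answer to "who can run privileged code on the 3000" for a client's security review.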
Art Bahrs of The Regence Group gave a first-rate talk on security and the impact of SOX and other federal regulations at the latest OpenMPE user group meeting. Bahrs said:
Run LanGuard (www.gfi.com) against the 3000 via IP address, and see if any exploits are found. This will only work against your Posix side of the 3000.
James Hofmeister of the HP IT Response Center added that keeping up with MPE/iX network and Internet patches is a good defense, too:
I would recommend installing the GR networking patches for your [MPE/iX] release, specifically but not limited to the Internet products that have been reported in CERT security warnings or have been hacked on non-3000 platforms. Some examples: FTP, Telnet, INETD, Apache Web Server, sendmail, TCP...
There are also fixes for socket/port based denial of service attacks in NS Services. I would be more concerned about this when introducing a 3000 on the Internet than an encrypted VPN telnet access, but something to think about.
There is the design aspect of MPE which makes it tougher to hack, too. Jeff Kell, curator of the 3000-L mailing list/newsgroup and a veteran of networks from the late 1980s onward, has this explanation, which you might forward to any non-MPE network security staff:
The 3000 (hardware and software) was designed from the ground up with separation of code and data in mind, as well as relatively intricate hardware protection mechanisms for storage protection. Most Windows/Unix exploits function at a base level of overwriting code and/or manipulating the code or data registers dynamically. With MPE, you can’t overwrite code, and you can’t execute data, and that’s a vast majority of the solution right there.
The point was driven home quite well back in the early Posix days, specifically when the old pioneering (at the time) NCSA httpd server was ported to MPE. One of the exploits that targeted NCSA httpd could compromise the system on most Unix and Linux implementations, and HP-UX as well. The MPE port aborted with a VSM protection error, but did not result in any compromise (only a DoS).