ch19.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 931 行 · 第 1/3 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 19 -- T</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch18/ch18.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch20/ch20.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">19</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">VAX/VMS</FONT></H1>
</CENTER>
<P>In this chapter we are going to take a stroll down memory lane. In order to make
the trip pleasurable for all readers, I thought I would make this a truly historical
treatment. Therefore, we will start with the rise of Digital Equipment Corporation
(DEC), the company that manufactured the once-popular product the VAX.</P>
<P>In one way or another, DEC has always been there at critical moments in computer
history. (You may recall that Ken Thompson was first hacking UNIX on a DEC PDP-10.)


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To appreciate just how
	long DEC has been delivering computer products to the industry, take a moment to
	catch this link: <A HREF="http://www.cs.orst.edu/~crowl/history/"><TT>http://www.cs.orst.edu/~crowl/history/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>This link will take you to Lawrence Crowl's wonderful computer history page, which
shows photographs of machines that mark milestones in our computer culture (starting
with the very first computer ever constructed by Charles Babbage, circa 1823). The
first DEC PDP-1 appears on that page.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To get a full-screen
	view of that machine, catch this link: <A HREF="http://www.cs.orst.edu/~crowl/history/dec_pdp1_2.full.jpg"><TT>http://www.cs.orst.edu/~crowl/history/dec_pdp1_2.full.jpg</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The machine looked, quite frankly, like a prop in some terrible B movie from the
1950s--something you would expect to see in the laboratory of a mad scientist. Incredibly,
there was a time when such &quot;technology&quot; was the state of the art. Well,
DEC moved on pretty quickly, to produce a wide range of products, including the very
first minicomputer, the DEC PDP-8.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can see this machine
	on Crowl's page as well, located full size at <A HREF="http://www.cs.orst.edu/~crowl/history/dec_pdp8.full.jpg"><TT>http://www.cs.orst.edu/~crowl/history/dec_pdp8.full.jpg</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>In 1978, DEC created the first VAX (virtual address extension), the Digital VAX
11/780. This machine offered 32-bit architecture and 1MIPS performance. By standards
of the day, the 11/780 was powerful and fast. (It was also backward compatible with
the PDP line that preceded it.) The pricetag? A mere $200,000.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>MIPS refers to million instructions
	per second. 
<HR>


</BLOCKQUOTE>

<P>Curiously, the 11/780 became so popular that it would establish itself as the
benchmark for the MIPS index. In other words, it became the yardstick by which to
measure performance of all workstations that later followed. (This occurred despite
the fact that the IBM 370/158 was reportedly comparable in terms of speed and processing
power. For reasons unknown to me, the IBM 370/158 never reached the popularity status
of the 11/870.)</P>
<P>So, to reiterate, the 11/870 was a $200,000 machine that could do roughly 1 million
instructions per second. Fantastic. Today, if you were to advertise this machine
for sale on the Internet, you would have to pay the buyer to haul it away. It is
considered by today's standards either junk or, perhaps more charitably, a collector's
item. However, one thing made the 11/870 a special innovation and still singles it
out from other machines in computer history: The 11/870 could support two operating
systems. One was a system--UNIX--that was known reasonably well at the time. The
other system was something a little different. It was called VMS. We will be examining
VMS in just a moment. First, however, I want to give you an idea of what the VAX
was all about.</P>
<P>The VAX was a multiuser system. Many readers may not be old enough to remember
the VAXstations, so I'll offer a little description. The MicroVAX stands nearly 3
feet tall. On the right side of the machine is a panel that, when opened, reveals
the cards. These cards are quite large, although not nearly as large as the panels
of, say, a SPARCstation 4/330 VME deskside computer. (But certainly larger than most
modern motherboards for personal computers.)</P>
<P>The Terminal is a VT220, with a viewing screen of approximately 8<SUP>1</SUP>/<SUB>2</SUB>
inches. At the back of the terminal are various connectors. These include a data
lead connection, a printer connection, and a serial port. The serial port could be
set to an amazing 19200 baud and terminal emulations available included VT220 and
VT100. If you connect a modem to the terminal, you have to set modem commands by
hand. (In other words, you would have to send raw modem commands from a blank screen
that sports a blinking cursor. Typically, you would dial by issuing the command <TT>ATDT5551212</TT>,
for example.)</P>
<P>Contained within the terminal is firmware. This is software hard-coded into the
board itself. (PC users should think of firmware in exactly the same way as the CMOS.
It is a small software module that performs a limited number of tasks, including
setting the machine's parameters.) Unfortunately, there is no facility by which to
capture a figure of the screen, so I must describe it. When the terminal boots, you
are presented with a copyright screen and then a blank screen with a blinking cursor.
The terminal is then ready to accept commands. To manipulate the settings in the
firmware, you choose the F3 (function 3, or Setup) key. This brings up a menu at
the bottom of the screen, where you can review and change various settings. These
include not only the way that communications are conducted, but also how the screen
is laid out and behaves. For example, you have a choice of either an amber background
and black foreground or the reverse. You can specify a typewriter keyboard or Data
mode, which is more commonly used when interfacing directly with the VAX. You can
also manipulate the number of characters per line and lines per screen. (Additionally,
the firmware has short help messages embedded within it. These generally appear at
the bottom of the screen, in the status area, as do the setting values for each facet
of your environment. These may indicate which printer you are using, whether you
want local echo, whether you want type-ahead mode, and so forth.) No mouse, hard
disk drive, floppy drive, or other components are either present or required.</P>
<P>You have a wide range of choices regarding communication. For example, you can
change the bits (typically 7 or 8) and also the parity of these (none, odd, even).
This makes the VT220 terminal valuable not only to interface with VAXen (slang for
VAX machines), but also a wide variety of UNIX machines. For example, you can use
a VT220 terminal as a &quot;head&quot; for a workstation that otherwise has no monitor.
This can generally be done by plugging the terminal into the first serial port of
the workstation. (For most versions of UNIX, you generally need to strip the eighth
bit.)


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>For Linux hackers: You can also &quot;add&quot;
	an Internet node to your box using such a terminal. To do so, you plug the terminal
	into either COM1 or COM2. You then edit <TT>inittab</TT> to respawn another instance
	of <TT>getty</TT> on that port. For this to work, you need to ensure that the cable
	used is a null modem cable. You also should set the emulation to VT100. When the
	Linux box reboots, a login prompt will appear on the VT220. From there, log in as
	any valid user, and you are ready. This is significantly valuable, especially if
	you are trying to train someone in programming or navigation of the Net via a CLI
	(command-line interface). It is important to note that if you are using the same
	COM port that normally supports your mouse, you need to kill <TT>gpm</TT> (general
	purpose mouse support). 
<HR>


</BLOCKQUOTE>

<P>These terminals, while intended for use with the VAX, can also be used as the
most inexpensive method ever of accessing the Internet. Naturally, you need an old-style
dial-up connection to do so (perhaps via Delphi), but there is no comparison in the
price. Such terminals can now be purchased for $20. Add to this the price of a 19200
baud modem, and you are done. They are also great for connecting to local BBSs.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>An interesting point here: Such a
	terminal does not have environment variables per se and therefore reports none. All
	the environment variables are obtained from whatever shell you happen to acquire
	on the remote machine. 
<HR>


</BLOCKQUOTE>

<P>These terminals are used to connect to the VAX. (Note, too, that I have described
only very early implementations of VT terminals. Much later models supported various
types of colors and graphics not available to the early VT100 and VT220 terminals.
These newer models are extremely functional but can run as high as several hundred
dollars. Good examples are the VT330 and VT340.)</P>
<P>Finally, you can connect to a VAX without such a terminal. Typically, this is
done using PC software that supports VT100 terminal emulation. (Kermit is another
popular and compatible emulation.)
<H2><FONT COLOR="#000077"><B>VMS</B></FONT></H2>
<P>The VMS (Virtual Memory System) operating system is unique, but bears similarities
to several others. Logging in works much as it does on a UNIX system. You are presented
with a login prompt (<TT>Username:</TT>) and a password prompt. If you enter the
correct information, you are dropped to a prompt represented by a dollar (<TT>$</TT>)
sign. You are also given a series of values when you log in, including your username,
your process ID, and so forth.</P>
<P>Some common VMS commands are listed in Table 19.1.
<H4><FONT COLOR="#000077"><B>Table 19.1. Common VMS commands.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Command</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Purpose</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>HELP [args]</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">If issued alone (without arguments), this command will bring up the prompt <TT>Topic?</TT>.
			The <TT>HELP</TT> command is generally followed by whatever command you want to learn
			about.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>COPY [arg1 arg2]</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Will copy an existing file or files to another file or directory.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>DIRECTORY</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Works very much like the DOS command <TT>dir</TT>, giving the contents of a directory
			and the attributes associated with the files therein.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>MAIL</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Invokes the e-mail program interface for VAX. This works (roughly) like standard
			mail in UNIX. When preparing to compose a message, you are prompted for recipient
			and subject.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><TT>LOOK</TT></TD>
		<TD ALIGN="LEFT" VALIGN="TOP">The VAX equivalent to the UNIX command <TT>ps</TT>, <TT>LOOK</TT> shows you your
			current processes.</TD>
	</TR>
</TABLE>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>There is a nice table of command
	translations from VAX to UNIX. The table has been around for a while and basically
	offers UNIX users and others a brief reference. It is located at <A HREF="http://egret.ma.iup.edu/~whmf/vms_to_unix.html"><TT>http://egret.ma.iup.edu/~whmf/vms_to_unix.html</TT></A>.
	You might want to examine that table now, because I will refer to a few of those
	commands throughout this chapter. 
<HR>


</BLOCKQUOTE>

<P>VMS has many of the amenities of other operating systems. The commands may be
just slightly different. For example, the C shell in UNIX has a facility that will
recall commands previously typed at the prompt. This facility is called <TT>history</TT>.
(DOS has a similar command module, usually loaded at boot time, called <TT>DOSkey</TT>.)
In VMS, you can recall commands recently typed by holding down the Ctrl key and the
letter B. There are other key combinations that will stop a process, list all processes,
resume a process, report current user statistics, and edit the current command line.</P>
<P>There are still many VAX servers on the Internet, and VMS is still very much alive.
The newest version is called OpenVMS. OpenVMS is available for both VAX and Alpha
machines. Alphas are extremely fast workstations (now at speeds exceeding 400Mhz)
that can run Windows NT, OpenVMS, or Digital UNIX.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>There is a complete online manual
	on OpenVMS. It is almost 1MB, but offers comprehensive coverage of OpenVMS and its
	capabilities. That document is available at <A 
HREF="http://www.ethz.ch/ETH/ID/KS.html.docs/SW_Distr/OpenVMS_AXP_Distr/9506-OpenVMS_AXP_new_features.html"><TT>http://www.ethz.ch/ETH/ID/KS.html.docs/SW_Distr/OpenVMS_AXP_Distr/9506-OpenVMS_AXP_new_features.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The majority of VAX servers on the Net are older. Many are machines located at
university libraries. These provide users with facilities for searching electronic
card catalogs. In all likelihood, most older VAX machines are at least as secure
as their UNIX workstation counterparts. This is because much is known about the VAX/VMS
system and its security. If there is a hole, it is because the system administrator
missed it.
<H2><FONT COLOR="#000077"><B>Security in VMS</B></FONT></H2>
<P>Security in VMS is well supported. For example, there is a strong model for access
control. (Whether that access control is properly implemented by the system administrator
is another matter.) Access control on VMS is at least as comprehensive as that on
the Novell NetWare platform. Here are some of the values that can be controlled:

<UL>
	<LI><I>Time.</I> You can control both the days of the week and the hours of the day
	at which a user can access a given area of the system. (The default setting allows
	the user access at any time, 24 hours a day, 7 days a week.) The time access feature
	works similarly to a firewall: &quot;That which is not expressly permitted is denied.&quot;<BR>
	<BR>