From:	SMTP%"LEEBP@ISCS.NUS.SG" 23-MAY-1994 21:38:27.71
To:	EVERHART
CC:	
Subj:	VMS machine on Internet and security (Summary/Responses)

X-Newsgroups: comp.os.vms
Subject: VMS machine on Internet and security (Summary/Responses)
Message-ID: <23MAY199414305506@dec7000.iscs.nus.sg>
From: leebp@dec7000.iscs.nus.sg (LEE BOON PENG)
Date: 23 May 1994 14:30 +0800
Reply-To: LEEBP@ISCS.NUS.SG
Distribution: world
Organization: Opus One
NNTP-Posting-Host: dec7000.iscs.nus.sg
News-Software: VAX/VMS VNEWS 1.41    
Lines: 290
To: Info-VAX@CRVAX.SRI.COM
X-Gateway-Source-Info: USENET

Subject: Re: VMS machine on Internet and security

	A week ago, I asked the following and these are the responses I got.
Carl pointed out that my questions were quite vague. I'm sorry I wasn't clear,
and I realized that this issue has to be carefully thought out and carefully
examined, especially with regard to system setup, configuration and the
packages that one is running on the system.

	Anyway, thanks a lot guys!
						Paul

>         My VMS cluster has always been hiding behind a firewall
> with no direct Internet access (ftp, telnet). There is a possibility
> in the near future that one of my VMS machines may need to have direct
> Internet access.
> 
>         I would be grateful if any experienced sysadmin can highlight the
> issues of direct connectivity especially that of security and administration.
> For example, what extra measures can I adopt to secure the VMS machine with
> little inconvenience to my users?
>         How can I prevent mail/Decnet spoofing?
> Are there packages to monitor incoming connections?
>         What security packages does Dec offer and how relevant are they
> e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
> upgrades to VMS 6.0/6.1 help?
>         Is there any sysadmin who experienced break-ins (attempted or
> successful) and probes and how often are such incidents? What steps
> can I adopt to trace probes/break-ins easily? Are there any papers/books/
> archives/articles dealing with these (VMS-specific)?

================================================================================
From: Carl J Lydick <carl@SOL1.GPS.CALTECH.EDU>

=How can I prevent mail (spoofing)

You can't really.

=/Decnet spoofing?

DECnet uses host addresses exclusively for communications.  It does the
translation from address to name locally (that's under DECnet Phase IV;  things
may have changed significantly under DECnet Phase V; since I don't manage any
systems running DECnet Phase V [I'm avoiding that until either:	
	1)  DECnet Phase-V supports host-based routing; or
	2)  We can allocate enough money for a dedicated router]
At any rate, at least under DECnet Phase IV, it's difficult to do DECnet
spoofing.  To do it, you've pretty much:
	1)  Crash the machine you're intending to spoof (or a router between
	    said machine and the machine you want to attack); then
	2)  Restart DECnet on your machine using the address of the machine you
	    want to spoof;
	3)  Finish your spoofing before the real machine (or router) is up
	    again.

=	Is there any sysadmin who experienced break-ins (attempted or
=successful) and probes and how often are such incidents?

Varies a great deal from site to site.

=What steps
=can I adopt to trace probes/break-ins easily? Are there any papers/books/
=archives/articles dealing with these (VMS-specific)?

You can regularly check the security logs maintained by your system.  Under VMS
v5.4-2, there's no way in vanilla VMS to figure out where all sessions
originate; I understand that that problem's been alleviated in more recent
releases.  RTFM!

================================================================================
From: Arne Vajhoej <ARNE@kopc.hhs.dk>

>         My VMS cluster has always been hiding behind a firewall
> with no direct Internet access (ftp, telnet). There is a possibility
> in the near future that one of my VMS machines may need to have direct
> Internet access.
> 
>         I would be grateful if any experienced sysadmin can highlight the
> issues of direct connectivity especially that of security and administration.
> For example, what extra measures can I adopt to secure the VMS machine with
> little inconvenience to my users?

VMS in standard/default setup is much more safe than UNIX in standard/default
setup, so you will need to do much less.

>                                   How can I prevent mail/Decnet spoofing?
> Are there packages to monitor incoming connections?

If you set up your internet gateway to only route TCP/IP packets and
not DECnet, then this problem is solved.

>         What security packages does Dec offer and how relevant are they
> e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
> upgrades to VMS 6.0/6.1 help?

Not much. VMS 6.x has got a security brand, but it is more a question of
going through the test procedure and making some procedures for testing of
later changes.

>         Is there any sysadmin who experienced break-ins (attempted or
> successful) and probes and how often are such incidents? What steps
> can I adopt to trace probes/break-ins easily? Are there any papers/books/
> archives/articles dealing with these (VMS-specific)?

Suggestions:
  - disallow DECnet and LAT packets through the router
  - check all usernames for easy to guess passwords (there are programs to
    do such a thing)
  - enable maximum logging
  - use time to examine those logs (can be partly automatic)
  - make sure that very very few usernames have privs and that they all
    have very very good passwords
  - consider shutting down incoming TELNET and FTP outside office hours
  - consider shutting down incoming TELNET and FTP at all time unless
    someone actually asks for it to be opened for a few hours

Note: incoming TELNET can be disabled even though SMTP continues to work
with a little effort !

================================================================================
From: "Joseph B. Gill" <GILL_J@Eisner.DECUS.Org>

Hi Paul,

You might want to subscribe to "firewalls-request@GreatCircle.COM".  Also,
here's a press release from Digital about a new Internet security service they
are offering.


              COMPREHENSIVE INTERNET SECURITY SERVICES

             ANNOUNCED BY DIGITAL EQUIPMENT CORPORATION

MAYNARD, Mass. -- May 2, 1994 -- Digital Equipment Corporation today 
announced comprehensive Internet Security Services to help make 
private computer networks and databases more secure from intrusion 
from the Internet. 
     Provided by Digital Consulting, a business unit of Digital, 
these Internet Security Services combine expert security consulting 
and software capabilities to deliver a protected and programmable 
"firewall" through a screened intelligent gateway that guards 
private networks, while giving users controlled links and access to 
the Internet and other networks.
     "These comprehensive security services are designed to allow 
our clients to tap the power of the Internet withou
     These services provide reliable connectivity and a high degree 
of security between trusted private networks and the Internet or 
other potentially hostile TCP/IP networks. These services can also 
be used to protect sensitive areas of internal networks.
     Internet Security Services provide secured connections to and 
from the Internet through a number of "application gateways" to 
support popular applications like electronic mail, file transfer 
(FTP and Archie), remote terminal access (Telnet), client/server 
information services (Gopher, or World-Wide Web), and notes 
conferences. These services also support access to the World-Wide 
Web through trusted Mosaic browsers.
     Digital's Internet Security Services include: 

     *  SEAL (Screening External Access Link) - a combination of 
        custom security consulting, Internet security policy 
        development and rules definitions, installation and 
        configuration of customized software, training in all facets 
        of SEAL's operation, and post-delivery telephone support. 

     *  Optional components and consulting which include: additional 
        customized application gateways; configuration of public 
        domain software; cryptographic and authentication 
        capabilities; and computer and network security consulting.


     In unveiling the new security services, McNulty said "the 
critical need for comprehensive security has become an ever-growing 
concern of major businesses around the globe - particularly as 
millions of new users seek data on the Internet and other 
information super-highways.
     "Those businesses and organizations need to feel confident that 
they have the best protection available from the networks and 
systems to which they seek connections.
      "Digital's Internet Security Services, customized to each 
client's needs, are cost-effective, and embody the capabilities 
required to provide the level of confidence and security clients 
seek," McNulty added.
     SEAL's customized software provides the best detection 
available today to unauthorized connections between a user's private 
network and the Internet. 
     Digital's tested Internet Security Services deliver real-world 
benefits like high-level security, reliable connectivity, detection 
of unauthorized network probing, enhanced auditing, and on-line 
support. 
     "Internet security is not new to Digital," McNulty also noted. 
"These services are the result of more than a decade of our research 
and practical use of the Internet. They have been extensively used 
to secure Digital's own Internet connections, and have already been 
delivered to major multi-national corporations and organizations.
     "It is very common for Internet users to have no security 
through a direct connection to the Internet, or some security which 
can be provided by routers," McNulty noted. "But, ultimately, users 
need the high level of security and connectivity provided by a 
'programmable' firewall coupled with a screened intelligent gateway 
which is available today through Digital's SEAL." 
     Internet Security Services are available immediately in the 
United States, Canada, Latin America and Europe, and will be 
available in Asia later this calendar year. These services are part 
of an extensive Digital portfolio of security products and services 
designed to secure clients' business and computing environments.
     Internet Security Services are custom quoted. Prices for SEAL 
services begin at $25,000.

     Digital Equipment Corporation is the world's leader in open 
client/server solutions from personal computing to integrated 
worldwide information systems. Digital's scalable Alpha AXP 
platforms, storage, networking, software and services, together 
with industry-focused solutions from business partners, help 
organizations compete and win in today's global marketplace.
                                ####

Note to Editors:  Digital, the Digital Logo, and Alpha AXP are 
                  trademarks of Digital Equipment Corporation.

                  Mosaic is a trademark of the National Center
                  for Supercomputing Applications.

CORP/94/441

================================================================================
From: PW744412@PUCAL.BITNET

DEC Polycenter Security Integrity Checker (SIC), Braintree Auditor Plus ...
are two software packages that specialize in OpenVMS issues.

================================================================================
From: Steve Lembark <LEMBARK@SYSJJ.UG.EDS.COM>

check the current issue of SysAdmin, there is a book reviewed in it
specifically about internet firewalls.  99.9% of it applies to vms as well as
unix.

also check the guide to system security in the big grey wall.
steve lembark
(@oxy.edu:lembark@workhorse.uucp)

================================================================================
From: CANTERA@CISV.JSC.NASA.GOV
<	I would be grateful if any experienced sysadmin can highlight the
<issues of direct connectivity especially that of security and administration.
<For example, what extra measures can I adopt to secure the VMS machine with 
<little inconvenience to my users? How can I prevent mail/Decnet spoofing?
<Are there packages to monitor incoming connections?

A few simple rules:

  - Minimum password lengths. I suggest 8 characters or less.

  - Force passwords to change at reasonable intervals (30 days system, 90 days
users) should suffice.

  - Get some utility to test your users' passwords.

Also:  Disuser any accounts your vendors, field service etc. may use.  Some of
these companies use the same password for all their accounts (such as
FIELD/SERVICE).

Whose TCP/IP implementation are you running?  You can enable logging of all
access from FTP, TELNET etc.

I sure hope that you are going to filter all non-TCP protocols (DECnet, LAT,
MOP, etc.) from going out of your box.

Spoofing mail? on a VMS box?  You are worried about known problems with
sendmail on Unix.  Just keep an eye on any security MUPs that DEC may put out.
Do keep all your clocks in synch and do educate your users about security
issues (i.e. passing passwords in the clear, etc.)

<	What security packages does Dec offer and how relevant are they
<e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
<upgrades to VMS 6.0/6.1 help?

Keep an eye on accounting and the operator log etc.


<	Is there any sysadmin who experienced break-ins (attempted or
<successful) and probes and how often are such incidents? What steps
<can I adopt to trace probes/break-ins easily? Are there any papers/books/
<archives/articles dealing with these (VMS-specific)?

Go to DECUS and attend some of the security sessions.

=========================== END RESPONSES ======================================
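As an added illustration of the hardening steps Arne and Cantera list above (not code from any respondent), here is a DCL command procedure that applies them on the VMS box itself. It assumes the VMS 5.5/6.x AUTHORIZE and SET AUDIT qualifiers, a privileged account to run it from, and uses placeholder account names and delta times to be matched to local policy.

```dcl
$! HARDEN.COM -- added illustration assembled from the replies above; not
$! code from any respondent. Assumed: VMS 5.5/6.x AUTHORIZE and SET AUDIT
$! qualifiers, run from an account holding SYSPRV. Account names and delta
$! times are placeholders; adjust to local policy.
$ SET NOON
$!
$! 1. Disuser the well-known vendor/field-service accounts (Cantera) and
$!    apply the suggested password rules: 30-day life for the system
$!    account, 90 days for users, 8-character minimum. DEFAULT is only the
$!    template record, so it shapes accounts created afterwards; existing
$!    accounts must be modified by name.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY FIELD   /FLAGS=DISUSER
MODIFY SYSTEST /FLAGS=DISUSER
MODIFY DEFAULT /PWDMINIMUM=8  /PWDLIFETIME=90-00:00:00
MODIFY SYSTEM  /PWDMINIMUM=12 /PWDLIFETIME=30-00:00:00
EXIT
$!
$! 2. Turn up logging (Arne): alarms to the operator console plus records
$!    in the audit journal for break-in attempts, login failures and every
$!    dial-up, network or remote login.
$ SET AUDIT /ALARM /ENABLE=(BREAKIN=ALL, LOGFAILURE=ALL)
$ SET AUDIT /AUDIT /ENABLE=(BREAKIN=ALL, LOGFAILURE=ALL, -
                            LOGIN=(DIALUP, NETWORK, REMOTE))
$ SHOW AUDIT /ALL
$!
$! 3. What to look at when "using time to examine those logs": the live
$!    intrusion database, where current sessions originate from (Carl's
$!    point), and a daily digest of the journal. The journal file name
$!    below is the 6.x default (5.5 used SECURITY_AUDIT.AUDIT$JOURNAL);
$!    SHOW AUDIT /ALL reports the one actually in use.
$ SHOW INTRUSION
$ SHOW USERS /FULL
$ ANALYZE /AUDIT /BRIEF /SINCE=YESTERDAY -
          /EVENT_TYPE=(BREAKIN, LOGFAILURE) -
          SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ EXIT
```

Step 3 is the part worth scheduling as a daily batch job; steps 1 and 2 are one-off changes that SHOW AUDIT /ALL and AUTHORIZE's SHOW can verify afterwards.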