From: SMTP%"LEEBP@ISCS.NUS.SG" 23-MAY-1994 21:38:27.71
To: EVERHART
CC:
Subj: VMS machine on Internet and security (Summary/Responses)
X-Newsgroups: comp.os.vms
Subject: VMS machine on Internet and security (Summary/Responses)
Message-ID: <23MAY199414305506@dec7000.iscs.nus.sg>
From: leebp@dec7000.iscs.nus.sg (LEE BOON PENG)
Date: 23 May 1994 14:30 +0800
Reply-To: LEEBP@ISCS.NUS.SG
Distribution: world
Organization: Opus One
NNTP-Posting-Host: dec7000.iscs.nus.sg
News-Software: VAX/VMS VNEWS 1.41
Lines: 290
To: Info-VAX@CRVAX.SRI.COM
X-Gateway-Source-Info: USENET
Subject: Re: VMS machine on Internet and security
A week ago, I asked the following and these are the responses I got.
Carl pointed out that my questions were quite vague. I'm sorry I wasn't clear
and I realized that this issue has to be carefully thought out and carefully
examined, especially with regarding on system setup, configuration and the
packages that one is running on the system.
Anyway, thanks a lot guys!
Paul
> My VMS cluster has always been hiding behind a firewall
> with no direct Internet access (ftp, telnet). There is a possibility
> in the near future that one of my VMS machines may need to have direct
> Internet access.
>
> I would be grateful if any experienced sysadmin can highlight the
> issues of direct connectivity especially that of security and administration.
> For example, what extra measures can I adopt to secure the VMS machine with
> little inconvenience to my users?
> How can I prevent mail/Decnet spoofing?
> Are there packages to monitor incoming connections?
> What security packages does Dec offer and how relevant are they
> e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
> upgrades to VMS 6.0/6.1 help?
> Is there any sysadmin who experienced break-ins (attempted or
> successful) and probes and how often are such incidents? What steps
> can I adopt to trace probes/break-ins easily? Are there any papers/books/
> archives/articles dealing with these (VMS-specific)?
================================================================================
From: Carl J Lydick <carl@SOL1.GPS.CALTECH.EDU>
=How can I prevent mail (spoofing)
You can't really.
=/Decnet spoofing?
DECnet uses host addresses exclusively for communications. It does the
translation from address to name locally (that's under DECnet Phase IV; things
may have changed significantly under DECnet Phase V; since I don't manage any
systems running DECnet Phase V [I'm avoiding that until either:
1) DECnet Phase-V supports host-based routing; or
2) We can allocate enough money for a dedicated router]
At any rate, at least under DECnet Phase IV, it's difficult to do DECnet
spoofing. To do it, you've pretty much:
1) Crash the machine you're intending to spoof (or a router between
said machine and the machine you want to attack); then
2) Restart DECnet on your machine using the address of the machine you
want to spoof;
3) Finish your spoofing before the real machine (or router) is up
again.
= Is there any sysadmin who experienced break-ins (attempted or
=successful) and probes and how often are such incidents?
Varies a great deal from site to site.
=What steps
=can I adopt to trace probes/break-ins easily? Are there any papers/books/
=archives/articles dealing with these (VMS-specific)?
You can regularly check the security logs maintained by your system. Under VMS
v5.4-2, there's no way in vanilla VMS to figure out where all sessions
originate; I understand that that problem's been alleviated in more recent
releases. RTFM!
================================================================================
From: Arne Vajhoej <ARNE@kopc.hhs.dk>
> My VMS cluster has always been hiding behind a firewall
> with no direct Internet access (ftp, telnet). There is a possibility
> in the near future that one of my VMS machines may need to have direct
> Internet access.
>
> I would be grateful if any experienced sysadmin can highlight the
> issues of direct connectivity especially that of security and administration.
> For example, what extra measures can I adopt to secure the VMS machine with
> little inconvenience to my users?
VMS in standard/default setup is much more safe than UNIX in standard/default
setup, so you will need to do much less.
> How can I prevent mail/Decnet spoofing?
> Are there packages to monitor incoming connections?
If you setup your internet gateway to only route TCP/IP packages and
not DECnet, then this problem is solved.
> What security packages does Dec offer and how relevant are they
> e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
> upgrades to VMS 6.0/6.1 help?
Not much. VMS 6.x has got a security brand, but it is more a question of
going through the test-procedure and make some procedures for testing of
later changes.
> Is there any sysadmin who experienced break-ins (attempted or
> successful) and probes and how often are such incidents? What steps
> can I adopt to trace probes/break-ins easily? Are there any papers/books/
> archives/articles dealing with these (VMS-specific)?
Suggestions:
- disallow DECnet and LAT packets through the router
- check all usernames for easy to guess passwords (there are programs to
do such a thing)
- enable maximum logging
- use time to examine those logs (can be partly automatic)
- make sure that ver vey few usernames has privs and that they all
have very very good passwords
- consider shutting down incoming TELNET and FTP outside office hours
- consider shutting down incoming TELNET and FTP at all time unless
someone actually asks for it to be opened for a few hours
Note: incoming TELNET can be disabled even though SMTP continues to work
with a little effort !
================================================================================
From: "Joseph B. Gill" <GILL_J@Eisner.DECUS.Org>
Hi Paul,
You might want to subscribe to "firewalls-request@GreatCircle.COM". Also,
here's a press release from Digital about a new Internet security service they
are offering.
COMPREHENSIVE INTERNET SECURITY SERVICES
ANNOUNCED BY DIGITAL EQUIPMENT CORPORATION
MAYNARD, Mass. -- May 2, 1994 -- Digital Equipment Corporation today
announced comprehensive Internet Security Services to help make
private computer networks and databases more secure from intrusion
from the Internet.
Provided by Digital Consulting, a business unit of Digital,
these Internet Security Services combine expert security consulting
and software capabilities to deliver a protected and programmable
"firewall" through a screened intelligent gateway that guards
private networks, while giving users controlled links and access to
the Internet and other networks.
"These comprehensive security services are designed to allow
our clients to tap the power of the Internet withou These services provide rel
iable connectivity and a high degree
of security between trusted private networks and the Internet or
other potentially hostile TCP/IP networks. These services can also
be used to protect sensitive areas of internal networks.
Internet Security Services provide secured connections to and
from the Internet through a number of "application gateways" to
support popular applications like electronic mail, file transfer
(FTP and Archie), remote terminal access (Telnet), client/server
information services (Gopher, or World-Wide Web), and notes
conferences. These services also support access to the World-Wide
Web through trusted Mosaic browsers.
Digital's Internet Security Services include:
* SEAL (Screening External Access Link) - a combination of
custom security consulting, Internet security policy
development and rules definitions, installation and
configuration of customized software, training in all facets
of SEAL's operation, and post-delivery telephone support.
* Optional components and consulting which include: additional
customized application gateways; configuration of public
domain software; cryptographic and authentication
capabilities; and computer and network security consulting.
In unveiling the new security services, McNulty said "the
critical need for comprehensive security has become an ever-growing
concern of major businesses around the globe - particularly as
millions of new users seek data on the Internet and other
information super-highways.
"Those businesses and organizations need to feel confident that
they have the best protection available from the networks and
systems to which they seek connections.
"Digital's Internet Security Services, customized to each
client's needs, are cost-effective, and embody the capabilities
required to provide the level of confidence and security clients
seek," McNulty added.
SEAL's customized software provides the best detection
available today to unauthorized connections between a user's private
network and the Internet.
Digital's tested Internet Security Services deliver real-world
benefits like high-level security, reliable connectivity, detection
of unauthorized network probing, enhanced auditing, and on-line
support.
"Internet security is not new to Digital," McNulty also noted.
"These services are the result of more than a decade of our research
and practical use of the Internet. They have been extensively used
to secure Digital's own Internet connections, and have already been
delivered to major multi-national corporations and organizations.
"It is very common for Internet users to have no security
through a direct connection to the Internet, or some security which
can be provided by routers," McNulty noted. "But, ultimately, users
need the high level of security and connectivity provided by a
'programmable' firewall coupled with a screened intelligent gateway
which is available today through Digital's SEAL."
Internet Security Services are available immediately in the
United States, Canada, Latin America and Europe, and will be
available in Asia later this calendar year. These services are part
of an extensive Digital portfolio of security products and services
designed to secure clients' business and computing environments.
Internet Security Services are custom quoted. Prices for SEAL
services begin at $25,000.
Digital Equipment Corporation is the world's leader in open
client/server solutions from personal computing to integrated
worldwide information systems. Digital's scalable Alpha AXP
platforms, storage, networking, software and services, together
with industry-focused solutions from business partners, help
organizations compete and win in today's global marketplace.
####
Note to Editors: Digital, the Digital Logo, and Alpha AXP are
trademarks of Digital Equipment Corporation.
Mosaic is a trademark of the National Center
for Supercomputing Applications.
CORP/94/441
================================================================================
From: PW744412@PUCAL.BITNET
DEC Polycenter Security Integrity Checker (SIC), Braintree Auditor Plus ...
are two software packages that specialize in OpenVMS issues.
================================================================================
From: Steve Lembark <LEMBARK@SYSJJ.UG.EDS.COM>
check the current issue of SysAdmin, there is a book reviewed in it
specifically about internet firewalls. 99.9% of it applies to vms as well as
unix.
also check the guide to system security in the big grey wall.
steve lembark
(@oxy.edu:lembark@workhorse.uucp)
================================================================================
From: CANTERA@CISV.JSC.NASA.GOV
< I would be grateful if any experienced sysadmin can highlight the
<issues of direct connectivity especially that of security and administration.
<For example, what extra measures can I adopt to secure the VMS machine with
<little inconvenience to my users? How can I prevent mail/Decnet spoofing?
<Are there packages to monitor incoming connections?
A few simple rules:
- Minimum password lengths. I suggest 8 chracters or less.
- Force passwords to change at reasonable intervals (30 days system, 90 days
users should suffice.
- Get some utility to test you user's passwords.
Also: Disuser any accounts your verndors, field service etc. may use. Some of
these companies use the same password for all their accounts (such as
FIELD/SERVICE).
Who's TCP/IP implementation are you running. You can enable login of all
access from FTP, TELNET etc.
I sure hope that you are going to filter all non-tcp protocols (DECnet, LAT,
mop, etc) from going out of you box.
Spoofing mail? on a VMS box? You are worried about known problems with
sendmail on Unix. Just keep an eye on any security MUPs that DEC may put out.
Do keep all your clocks in synch and do educate your users about security
issues (i.e. passing passwords in the clear, etc.)
< What security packages does Dec offer and how relevant are they
<e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
<upgrades to VMS 6.0/6.1 help?
Keep an eye on accounting and the operator log etc.
< Is there any sysadmin who experienced break-ins (attempted or
<successful) and probes and how often are such incidents? What steps
<can I adopt to trace probes/break-ins easily? Are there any papers/books/
<archives/articles dealing with these (VMS-specific)?
Go to DECUS and attend some of the security sessions.
=========================== END RESPONSES ======================================