From: SMTP%"LEEBP@ISCS.NUS.SG" 23-MAY-1994 21:38:27.71
To: EVERHART
CC:
Subj: VMS machine on Internet and security (Summary/Responses)

X-Newsgroups: comp.os.vms
Subject: VMS machine on Internet and security (Summary/Responses)
Message-ID: <23MAY199414305506@dec7000.iscs.nus.sg>
From: leebp@dec7000.iscs.nus.sg (LEE BOON PENG)
Date: 23 May 1994 14:30 +0800
Reply-To: LEEBP@ISCS.NUS.SG
Distribution: world
Organization: Opus One
NNTP-Posting-Host: dec7000.iscs.nus.sg
News-Software: VAX/VMS VNEWS 1.41
Lines: 290
To: Info-VAX@CRVAX.SRI.COM
X-Gateway-Source-Info: USENET

Subject: Re: VMS machine on Internet and security

A week ago, I asked the following and these are the responses I got.
Carl pointed out that my questions were quite vague. I'm sorry I wasn't
clear and I realized that this issue has to be carefully thought out and
carefully examined, especially with regard to system setup, configuration
and the packages that one is running on the system.

Anyway, thanks a lot guys!

Paul

> My VMS cluster has always been hiding behind a firewall
> with no direct Internet access (ftp, telnet). There is a possibility
> in the near future that one of my VMS machines may need to have direct
> Internet access.
>
> I would be grateful if any experienced sysadmin can highlight the
> issues of direct connectivity especially that of security and administration.
> For example, what extra measures can I adopt to secure the VMS machine with
> little inconvenience to my users?
> How can I prevent mail/Decnet spoofing?
> Are there packages to monitor incoming connections?
> What security packages does Dec offer and how relevant are they
> e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
> upgrades to VMS 6.0/6.1 help?
> Is there any sysadmin who experienced break-ins (attempted or
> successful) and probes and how often are such incidents? What steps
> can I adopt to trace probes/break-ins easily?
> Are there any papers/books/
> archives/articles dealing with these (VMS-specific)?

================================================================================
From: Carl J Lydick

=How can I prevent mail (spoofing)

You can't really.

=/Decnet spoofing?

DECnet uses host addresses exclusively for communications. It does the
translation from address to name locally (that's under DECnet Phase IV;
things may have changed significantly under DECnet Phase V; since I don't
manage any systems running DECnet Phase V [I'm avoiding that until either:
    1) DECnet Phase-V supports host-based routing; or
    2) We can allocate enough money for a dedicated router]
At any rate, at least under DECnet Phase IV, it's difficult to do DECnet
spoofing. To do it, you've pretty much:
    1) Crash the machine you're intending to spoof (or a router between
       said machine and the machine you want to attack); then
    2) Restart DECnet on your machine using the address of the machine
       you want to spoof;
    3) Finish your spoofing before the real machine (or router) is up
       again.

= Is there any sysadmin who experienced break-ins (attempted or
=successful) and probes and how often are such incidents?

Varies a great deal from site to site.

=What steps
=can I adopt to trace probes/break-ins easily? Are there any papers/books/
=archives/articles dealing with these (VMS-specific)?

You can regularly check the security logs maintained by your system. Under
VMS v5.4-2, there's no way in vanilla VMS to figure out where all sessions
originate; I understand that that problem's been alleviated in more recent
releases. RTFM!

================================================================================
From: Arne Vajhoej

> My VMS cluster has always been hiding behind a firewall
> with no direct Internet access (ftp, telnet). There is a possibility
> in the near future that one of my VMS machines may need to have direct
> Internet access.
>
> I would be grateful if any experienced sysadmin can highlight the
> issues of direct connectivity especially that of security and administration.
> For example, what extra measures can I adopt to secure the VMS machine with
> little inconvenience to my users?

VMS in standard/default setup is much more safe than UNIX in
standard/default setup, so you will need to do much less.

> How can I prevent mail/Decnet spoofing?
> Are there packages to monitor incoming connections?

If you set up your internet gateway to only route TCP/IP packages and not
DECnet, then this problem is solved.

> What security packages does Dec offer and how relevant are they
> e.g. DecInspect etc? I'm currently running VMS 5.5-2 and VMS/AXP 1.5. Would
> upgrades to VMS 6.0/6.1 help?

Not much. VMS 6.x has got a security brand, but it is more a question of
going through the test-procedure and make some procedures for testing of
later changes.

> Is there any sysadmin who experienced break-ins (attempted or
> successful) and probes and how often are such incidents? What steps
> can I adopt to trace probes/break-ins easily? Are there any papers/books/
> archives/articles dealing with these (VMS-specific)?

Suggestions:
  - disallow DECnet and LAT packets through the router
  - check all usernames for easy to guess passwords (there are programs
    to do such a thing)
  - enable maximum logging
  - use time to examine those logs (can be partly automatic)
  - make sure that very very few usernames have privs and that they all
    have very very good passwords
  - consider shutting down incoming TELNET and FTP outside office hours
  - consider shutting down incoming TELNET and FTP at all times unless
    someone actually asks for it to be opened for a few hours

Note: incoming TELNET can be disabled even though SMTP continues to work
with a little effort!

================================================================================
From: "Joseph B. Gill"

Hi Paul,

You might want to subscribe to "firewalls-request@GreatCircle.COM". Also,
here's a press release from Digital about a new Internet security service
they are offering.

COMPREHENSIVE INTERNET SECURITY SERVICES ANNOUNCED BY
DIGITAL EQUIPMENT CORPORATION

MAYNARD, Mass. -- May 2, 1994 -- Digital Equipment Corporation today
announced comprehensive Internet Security Services to help make private
computer networks and databases more secure from intrusion from the
Internet.

Provided by Digital Consulting, a business unit of Digital, these Internet
Security Services combine expert security consulting and software
capabilities to deliver a protected and programmable "firewall" through a
screened intelligent gateway that guards private networks, while giving
users controlled links and access to the Internet and other networks.

"These comprehensive security services are designed to allow our clients
to tap the power of the Internet withou

These services provide reliable connectivity and a high degree of security
between trusted private networks and the Internet or other potentially
hostile TCP/IP networks. These services can also be used to protect
sensitive areas of internal networks.

Internet Security Services provide secured connections to and from the
Internet through a number of "application gateways" to support popular
applications like electronic mail, file transfer (FTP and Archie), remote
terminal access (Telnet), client/server information services (Gopher, or
World-Wide Web), and notes conferences. These services also support access
to the World-Wide Web through trusted Mosaic browsers.

Digital's Internet Security Services include:

* SEAL (Screening External Access Link) - a combination of custom
  security consulting, Internet security policy development and rules
  definitions, installation and configuration of customized software,
  training in all facets of SEAL's operation, and post-delivery telephone
  support.
* Optional components and consulting which include: additional customized
  application gateways; configuration of public domain software;
  cryptographic and authentication capabilities; and computer and network
  security consulting.

In unveiling the new security services, McNulty said "the critical need
for comprehensive security has become an ever-growing concern of major
businesses around the globe - particularly as millions of new users seek
data on the Internet and other information super-highways.

"Those businesses and organizations need to feel confident that they have
the best protection available from the networks and systems to which they
seek connections.

"Digital's Internet Security Services, customized to each client's needs,
are cost-effective, and embody the capabilities required to provide the
level of confidence and security clients seek," McNulty added.

SEAL's customized software provides the best detection available today to
unauthorized connections between a user's private network and the
Internet. Digital's tested Internet Security Services deliver real-world
benefits like high-level security, reliable connectivity, detection of
unauthorized network probing, enhanced auditing, and on-line support.

"Internet security is not new to Digital," McNulty also noted. "These
services are the result of more than a decade of our research and
practical use of the Internet. They have been extensively used to secure
Digital's own Internet connections, and have already been delivered to
major multi-national corporations and organizations.

"It is very common for Internet users to have no security through a direct
connection to the Internet, or some security which can be provided by
routers," McNulty noted. "But, ultimately, users need the high level of
security and connectivity provided by a 'programmable' firewall coupled
with a screened intelligent gateway which is available today through
Digital's SEAL."
Internet Security Services are available immediately in the United States,
Canada, Latin America and Europe, and will be available in Asia later this
calendar year. These services are part of an extensive Digital portfolio
of security products and services designed to secure clients' business and
computing environments.

Internet Security Services are custom quoted. Prices for SEAL services
begin at $25,000.

Digital Equipment Corporation is the world's leader in open client/server
solutions from personal computing to integrated worldwide information
systems. Digital's scalable Alpha AXP platforms, storage, networking,
software and services, together with industry-focused solutions from
business partners, help organizations compete and win in today's global
marketplace.

####

Note to Editors: Digital, the Digital Logo, and Alpha AXP are trademarks
of Digital Equipment Corporation. Mosaic is a trademark of the National
Center for Supercomputing Applications.

CORP/94/441

================================================================================
From: PW744412@PUCAL.BITNET

DEC Polycenter Security Integrity Checker (SIC), Braintree Auditor Plus ...
are two software packages that specialize in OpenVMS issues.

================================================================================
From: Steve Lembark

check the current issue of SysAdmin, there is a book reviewed in it
specifically about internet firewalls. 99.9% of it applies to vms as well
as unix.

also check the guide to system security in the big grey wall.

steve lembark (@oxy.edu:lembark@workhorse.uucp)

================================================================================
From: CANTERA@CISV.JSC.NASA.GOV

< I would be grateful if any experienced sysadmin can highlight the