openvms security update d.c. technical update day leo demers openvms product manager d.c. technical...
TRANSCRIPT
OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update
D.C. Technical Update Day
Leo Demers
OpenVMS Product Manager
D.C. Technical Update Day
Leo Demers
OpenVMS Product Manager
AgendaAgendaAgendaAgenda OpenVMS Government Compliance
– Security ratings– HIPAA, DMSO HLA, DII COE
OpenVMS Security Features– MUPS – Timeline of features (including Kerberos )
Plans and Futures – External authentication (EAK)– CDSA & IPSEC– ebusiness plans (PKI,Access control,IPSEC) – Questions & Answers
Price/Price/PerformancePerformance
ScalabilityScalabilityAvailabilityAvailability
ReliabilityReliability
SecuritySecurity
OpenVMSOpenVMS core values - the foundation of core values - the foundation of a successful e-business deploymenta successful e-business deploymentOpenVMSOpenVMS core values - the foundation of core values - the foundation of a successful e-business deploymenta successful e-business deployment
OpenVMS platform plus robust industry solutions guarantees your continued success
NonStop™
eBusiness solutions set the stage for the future while leveraging today’s investments
Award winning services expertise provides the right mix of services for your changing environment
OpenVMS StrategyOpenVMS Strategy
A note about OpenVMS Security TestingA note about OpenVMS Security TestingA note about OpenVMS Security TestingA note about OpenVMS Security Testing
Independent of a rating, the OpenVMS security testing procedure is as follows
– All new functionality & changes are documented
– Each is reviewed for impact to the security model
– Tests are created to assure security relevant changes behave as documented
– Each release must successfully complete the security test suite before it is released.
ITSEC Security RatingITSEC Security RatingITSEC Security RatingITSEC Security Rating
ITSEC Security Ratings “in progress” on target for a rating completion this year.
ITSEC E3/F-B1 SEVMS (with B3 claims) ITSEC E3/F-C2 VMS http://www.itsec.gov.uk/
– Targets: Alpha & VAX 6.2 7.x
Health Insurance Portability & Health Insurance Portability & Accountability Act of 1996 (HIPAA)Accountability Act of 1996 (HIPAA)
Health Insurance Portability & Health Insurance Portability & Accountability Act of 1996 (HIPAA)Accountability Act of 1996 (HIPAA)
Public Law 104-191
Based on the Kennedy-Kassebaum bill
Designed to:
– assure health insurance portability
– reduce health care fraud and abuse
– guarantee security and privacy of health information
– enforce standards for health information
HIPAA Security RequirementsHIPAA Security Requirements HIPAA Security RequirementsHIPAA Security RequirementsDictate general security safeguardsStandards Covered:
Access ControlAuthorization ControlData Authentication (Integrity)Entity AuthenticationTransactio
n Standards
& Code Sets
Privacy Legislation
Security Standards
Electronic Signature Standards
Administrative
Procedures
Physical Safeguards
Technical Security Services
Technical Security For
Network Communicatio
ns
Unique Health Identifiers
OpenVMS White paper on HIPAA compliance can be found athttp://www.openvms.compaq.com/solutions/healthcare/hipaa.html
What is DII COE?What is DII COE?What is DII COE?What is DII COE?
The Defense Information Infrastructure Common Operating Environment (DII COE) provides a foundation for building open systems. It is a "plug and play" open architecture designed around a client/server model.
http://spider.osfl.disa.mil/cm/cm_page.html
http://www.openvms.compaq.com/solutions/government/coe/index.html
US Military Aircraft teams want the DMSO (Defense Modeling and Simulation Office) to port the High Level Architecture (HLA) Run-Time Infrastructure (RTI) to OpenVMS.
Aircraft Simulation specification used in the design, production and modification of all U.S. military aircraft.
Many current and future Military aircraft use OpenVMS for design, simulation and production.
Solutions today: MAK Technologies VR-Link and the MAK RTI have been ported to OpenVMS/Alpha.
The DMSO will be porting to Alpha this year on Both Tru64 and OpenVMS.
Simulation HLA RTI Compliance
Security MUPs & ChangesSecurity MUPs & ChangesMUPs
OpenVMS Alpha 7.2–DEC-AXPVMS-VMS72_SYS-V0100--4–DEC-AXPVMS-VMS721_SYS-V0100--4
OpenVMS Alpha Security MUPALPSMUP01_070 (Versions 6.1,6.2 & 7.0)
OpenVMS VAX Security MUP VAXSMUP03 (All Versions prior to 6.1)
Security Changes Captive account can not spawn after V6.0.
–Change to Restricted, or use “$Spawn/Trusted” OpenVMS V6.1 MAVC - Alpha Proxy
OpenVMS 7.2 MUP detailsOpenVMS 7.2 MUP detailsOpenVMS 7.2 MUP detailsOpenVMS 7.2 MUP details
Non-Privileged System Crasher… Affects these OpenVMS Alpha releases.
– V7.2-1– V7.2 with UPDATE V1.0– V7.2 with HARDWARE V1.0
Which ECO do you need to apply– V7.2, V7.2-1 SYS ECO kits… or...– V7.2 UPDATE V2.0 ECO kit or higher
Merges UPDATE, HARDWARE, SYS
Q&A on Security MUPS & ChangesQ&A on Security MUPS & Changes..Q: Why Apply ALPSMUP01_070?
“Applications that creates accounts during installation may have those newly created accounts passwords compromised.”
Q: Where do I get it?
Part of OpenVMS V7.0 media distribution. The INTERNET Digital ECO FTP location is:
ftp://ftp.service.digital.com/public/vms/axp/v7.0/ TIMA/DIA/DSNLINK Keyword:ALPSMUP01_070 Digital Order number: AG-QUL0A-BE.
Q: Has VAXSMUP03 been applied to my system?If SYS$COMMON:[SYSUPD]VAXSMUP03_060_IMAGE.DAT exists, Yes it has.
–Q:Where is the Kit for V6.0? On CONDist or FTP(see ftp site)
–Q:What about pre V6? Contact digital support (U.S: 1-800-354-9000) Another system wide solutions to Captive users not being able to spawn is to change lib$spawn to always use
the trusted field by changing system sysgen security_policy to 71. To handle proxy management on an OpenVMS Version 6.1 Mixed Architecture
VAXcluster, manage proxies from the VAX. Alpha doesn’t see the net$proxy file.
OpenVMS Enterprise Security features OpenVMS Enterprise Security features
V7.1: – External Authentication with NT
V7.2– Per thread Security Profiles
– Authenticated COM (in V7.2-1) V7.3:
– LDAP V3
– Cluster wide intrusion detection
– Kerberos KDC & API’s (GSSAPI & KRB$) Ebusiness Security
Common UserAuthentication
Interface
Authentication and Credential Management
(ACM) Authority
OpenVMS ACM
ExtensionSYSUAF..DATLOGINOUT
OpenVMS External Authentication
and Credential Management Model
Native Authentication Agent
NT ACM Extension
Advanced Server
LANManager
External Authentication Agent
System Services OverviewSystem Services Overview
OpenVMS security system services: Proxy - ADD, DELETE, CREATE, VERIFY, DISPLAY Intrusion - SCAN, DELETE, SHOW Persona - CREATE, DELETE, ASSUME
– Fully implemented as of OpenVMS V6.2 Why?
“To enable applications to comply with the OpenVMS Security Policy”
PersonaPersonaPersonaPersona
Open VMS identity: User name UIC Privileges Rightslist Chains Mandatory auditing flag
Adopting a persona makes a process appear to be logged in as that user for access checking and auditing
Security Thread Model before 7.2Security Thread Model before 7.2
• The current model forces user threads to manage the security profile
• To really work the security profile must be switched by the scheduler
• A single profile fails with multiple threads actively using it
GenericSecurity Profile
(ARB,PCB,JIB etc.)
Thread1
Thread2
Thread3
Thread4
SecurityprofileDATA
SecurityprofileDATA
SecurityprofileDATA
SecurityprofileDATA
Profile
Execution
Per-Thread Security Profile ModelPer-Thread Security Profile Model
• New model solves pre-emption problem as the scheduler switches the security profile on a context switch.
• Now the operating system takes care of the switching of profile handles when scheduling.
Security Profile 3
(PSB)
Thread1
Thread2
Thread3
Thread4
Profile
Execution
Security Profile 2
(PSB)
Security Profile 1
(PSB)
Per-Thread Security: CompatibilityPer-Thread Security: Compatibility
PCB/ARB/JIB/PHD maintained while process has a single user-mode persona
System services now persona awareSDA understands persona structures Backward
Compatibility New
GenericSecurity Profile
(ARB,PCB,JIB etc.)
Security Profile 2
(PSB)
Security in OpenVMS V7.2-1Security in OpenVMS V7.2-1Security in OpenVMS V7.2-1Security in OpenVMS V7.2-1
Authenticated COM– Provide necessary NT security infrastructure
(kernel objects, interfaces, and protocols) to support strategic technologies
– OpenVMS 7.2-1 support for: Secure DCOM, RPC using NTLM-authentication (Authenticated RPC), select Win32 security APIs
– OpenVMS Alpha only!
NT Security Infrastructure ViewNT Security Infrastructure ViewNT Security Infrastructure ViewNT Security Infrastructure View
PWRK$LMSRVSAMSAM
AdvancedServer
ACME_SERVER
VMSACME
NTACME
SYS$ACMSystem Service
UAF
SSPI/NTLMSystem
Services
$PERSONASystem Services
RPCWin32 APIs
DCOM
[Cluster IPC to multiple servers]
Reservedinterfaces
in 7.2
Reservedinterfaces
in 7.2
Win32 Low-Level Security
Services
OpenVMS 7.3 Security ProjectsOpenVMS 7.3 Security ProjectsOpenVMS 7.3 Security ProjectsOpenVMS 7.3 Security Projects
LDAP V3 Cluster Wide Intrusion Detection Kerberos V5 Client and KDC
– GSSAPI V2 OpenSSL support for CSWS Future Work
– External Authentication (EAK) Required 7.3– Common Data Security Architecture (CDSA)– IPSEC Support
LDAP V3 in OpenVMS 7.3 LDAP V3 in OpenVMS 7.3 LDAP V3 in OpenVMS 7.3 LDAP V3 in OpenVMS 7.3
OpenVMS 7.3 includes an LDAP V3 API to enable access to LDAP directories anywhere in the enterprise.
LDAP supports multi-threaded 64-bit & 32-bit applications and is COM (Common Object Model) aware.
Certification efforts– Microsoft’s Active Directory
– Novell’s NDS
– Compaq’s X.500 V4.0
– As well as support for Kerberos V5 and Public Key Infrastructure (PKI).
Cluster Wide Intrusion DetectionCluster Wide Intrusion DetectionCluster Wide Intrusion DetectionCluster Wide Intrusion Detection
Prior to 7.3 Intrusion detection and breakin evasion is not applied cluster-wide. Intrusion detection and breakin
evasion data are volatile. CWID Requirements:
– Intrusion and breakin events will be visible across the cluster (both VAX and Alpha)
– Events from all nodes in the cluster will contribute to the detection and evasion mechanisms
– Events must persist across system reboots– Only backwards-compatible changes will be made to the
SYS$INTRUSION interfaces
Why change intrusion detection? Why change intrusion detection? Why change intrusion detection? Why change intrusion detection?
NODEB::
NODEC::NODEA::
LGI_BRK_LIM = 3
Username: REDPassword: wrongone
CWID: What are the Differences?CWID: What are the Differences?CWID: What are the Differences?CWID: What are the Differences?
Prior to 7.3 New in 7.3 . Where are the Records held? Security Server Logical Name
Process memory Table
When are the Records lost? Server Restart 1. Cluster Reboot*
2. Node Reboot
How are Intruder record Intrusions set to Allowed in
reset to allow login again? LGI_BRK_LIM Records retained
* Default setting (Nodes can be removed from CWID if required.)
Intrusion Detection exampleIntrusion Detection exampleIntrusion Detection exampleIntrusion Detection example$$ SHOW INTRIntrusion Type Count Expiration Source--------------- --------------- -------- ---------------- ----------NETWORK INTRUDER 7 11-MAY-2000 17:15:54.96 ALPHA::GREENNETWORK INTRUDER 7 11-MAY-2000 17:15:12.53 ALPHB::RED$
$ SHOW INTR/NODEIntrusion Type Count Expiration Source--------------- --------------- -------- ---------------- ------------NETWORK INTRUDER 7 11-MAY-2000 17:15:54.96 ALPHA::GREEN Node: NODEA Count: 1 Node: NODEC Count: 6NETWORK INTRUDER 7 11-MAY-2000 17:15:12.53 ALPHB::RED Node: NODEA Count: 1 Node: NODEB Count: 3 Node: NODEC Count: 3$
Interface ChangesInterface ChangesInterface ChangesInterface Changes
– DCL (adding /Node qualifier) DELETE INTRUSION SHOW INTRUSION
– System Services $DELETE_INTRUSION $SCAN_INTRUSION $SHOW_INTRUSION
– SYSGEN new bit in Security Policy
Kerberos VMS implementationKerberos VMS implementationKerberos VMS implementationKerberos VMS implementation Ships on 7.3 as a separately installable kit.
Support available back to V7.2 (VAX & ALPHA)(Web kit available when 7.3 ships)
GSSAPI V2 GUI & DCL interface KDC (Key Distribution Center) & API’s (Client)
In OpenVMS 7.3 FT2 Field Test Kerberos support for TCP/IP services for OpenVMS in 5.2
For more information on Kerberos see http://web.mit.edu/kerberos/www/
More Kerberos details at the end of this presentation
SSLSSLSSLSSL
SSL is the acronym for Secure Sockets Layer.
It was invented by Netscape Communications to provide a secure communications channel between web browsers and servers.
As the name implies, it was meant to work with the sockets layer of the TCP/IP protocol stack.
SSL FeaturesSSL FeaturesSSL FeaturesSSL Features It uses a combination of public key technology (eg. RSA,
DH), symmetric key technology (eg. DES, RC4), and message digests (eg. SHA1, MD5) to provide authentication, integrity, and privacy.
Its widespread use has made it a defacto standard for many users as an entry level into the Public Key Infrastructure (PKI). Users now wish to extend its use into such areas as directory services and single sign on functionality.
SSL V3 is a draft internet standard and is the version in most common use. TLS V1 is the IETF version of SSL being worked upon.
OpenSSLOpenSSLOpenSSLOpenSSL
OpenSSL from the Open SSL.Org does support VMS.
OpenVMS Engineering has ported this to VMS for use in Apache and other project in VMS engineering.
We would like to deliver an Public OpenSSL API
But this will need to wait for a future release of OpenVMS.
ACME LoginACME LoginACME LoginACME Login
SYS$ACM will be published in a follow-on kit to 7.3 as an Early Adopters Kit (EAK).
The Early Adopters Kit kit will be for Testing and Field Test exposure. Additional Loginout image How to write an ACME guide. SYS$ACM System services manual
Common UserAuthentication
Interface
Authentication and Credential Management
(ACM) Authority
OpenVMS ACM
ExtensionSYSUAF..DATLOGINOUT
OpenVMS Common User Authentication
and Credential Management Model
Native Authentication Agent
NT ACM Extension
PATHWORKS
LANManager
External Authentication Agent
KerberosACM Extension
X.509 Public-Key ACM Extension
The ability to have alternate external agents supported by the OpenVMS Common User Authentication Model will be in a future release.
SYS$ACM
ACME LOGIN
The CDSA SolutionThe CDSA SolutionThe CDSA SolutionThe CDSA Solution
Common Data Security Architecture (CDSA)
Security Service Modules
CSSM Security API
Common Security Services Manager
Service Provider Interfaces
CDSA defines aCDSA defines afour-layer architecturefour-layer architecturefor cross-platform,for cross-platform,high-level security serviceshigh-level security services
CSSM defines aCSSM defines acommon API & SPIcommon API & SPIfor security servicesfor security servicesand integrity baseand integrity base
Service ProvidersService Providersimplement selectableimplement selectablesecurity servicessecurity services
Layered Security Services
Applications
http://developer.intel.com/ial/security/
CSSM Security API
CSPManager
SPI DLICLITPI
TP ModuleManager
CL ModuleManager
DL ModuleManager
Security ContextsCommonSecurityServicesManager
EMI
ElectiveModule Mgr
EM-API
Integrity Services
New Category
of Service
Applications in C and C++
CDSA FrameworkCDSA FrameworkCDSA FrameworkCDSA Framework
ServiceProviderModules
CryptographicServiceProvider
Smartcard
CertificateLibrary
Trust PolicyLibrary
Data store
Data StorageLibrary
Remote CAs
CDSA AdoptersCDSA AdoptersCDSA AdoptersCDSA Adopters
IPSEC supportIPSEC supportIPSEC supportIPSEC support
IPSEC as part of IPV6– Tru64 UNIX - SSH Contract for IPSEC provider
– VMS to follow same model
– CDSA for Cryptography
OpenVMS Ebusiness Security directionOpenVMS Ebusiness Security directionOpenVMS Ebusiness Security directionOpenVMS Ebusiness Security directionInvestigation focusing on gauging the VMS need for:
– Access Control /Policy Management – SSL HW assist (AXL 300 support)– Application Level cryptography S/Mime?– PKI Client? CA?
System 1System 1
NetworkNetworkNetworkNetwork
TransportTransportTransportTransport
ApplicationApplicationApplicationApplicationApplicationApplicationApplicationApplication
Web serverWeb serverWeb serverWeb server
NetworkNetworkNetworkNetwork
KernelKernelKernelKernel
S/MIMES/MIMES/MIMES/MIME
SSLSSLSSLSSL
IPsecIPsecIPsecIPsec
System 2System 2
ApplicationApplicationApplicationApplication
Web serverWeb serverWeb serverWeb server
NetworkNetworkNetworkNetwork
KernelKernelKernelKernel
Client/ServerClient/ServerApplicationsApplications
Host/InteractiveHost/InteractiveAuthenticationAuthentication
CryptographyCryptographyConsumersConsumers
Future OpenVMS Security/Cryptography Map
COM, Browsers Logon, FTP, Rlogin
Common Data Security Architecture APICSSM
CryptographicServices Provider
• RSA BSAFE
Trust Policy• ENTRUST•VERISIGN
CertificateLibrary
•RSA BCERT• ENTRUST
Data Storage Library
LDAP
PKI, IPSEC
$ACM
KerbACME
NTACME
VMSACME
RPC
SSPI
NTLM
Kerb5Run Time
SSL/TLS SSP
Kerb5SSP
SNEGO
GSSAPI V2
SSL/TLS Run Time
KEY= Public
= Internal
= Example
SASL LDAP
GSSAPI other?
Kerberos for OpenVMSKerberos for OpenVMSKerberos for OpenVMSKerberos for OpenVMS
Kerberos AgendaKerberos AgendaKerberos AgendaKerberos Agenda
What is it? A Cryptographic Authentication protocol
History Benefit How it works OpenVMS Specific details
Kerberos AuthenticationKerberos Authentication What’s in a name? What’s in a name? Kerberos AuthenticationKerberos Authentication What’s in a name? What’s in a name?
Kerberos is from Greek Mythology and is the three headed guard dog to Hades
– Cerberus is the Roman spelling. Kerberos project History
– Developed in 1984 at M.I.T. in Project Athena
– Versions 1-3 M.I.T. Internal Athena use only
– Version 4 (Available to the public) ~1988
– Version 5 (Commercial ready) ~1997
Authorization vs. AuthenticationAuthorization vs. AuthenticationAuthorization vs. AuthenticationAuthorization vs. Authentication A system administrator Authorizes someone to use a
computer by creating them an account.– Example: UAF> CREATE ASTRO
The person proves that they are the authorized user of the account by Authenticating themselves typically with a password.
Example:
Username: ASTRO
PASSWORD: itsadogeatdogworld
So what’s the problem?So what’s the problem?So what’s the problem?So what’s the problem?
Distributed computing forces the user to authenticate themselves to remote machines by having their passwords travel over the network.
– A simple packet sniffing tool on a PC could read the password on it’s way to the destination system
So how can you solve the Remote So how can you solve the Remote Authentication problem?Authentication problem?So how can you solve the Remote So how can you solve the Remote Authentication problem?Authentication problem?
Solutions:– Standards: IPSEC (Part of the IPV6 protocol)– SSH Secure Shell
SSH server for VMShttp://kcgl1.eng.ohio-state.edu/~JONESD/ssh/DOC/ SSH client for VMS http://www.free.lp.se/fish/ Info on SSLEayhttp://www.free.lp.se/openssl/
Kerberos for OpenVMS
How does Kerberos work? How does Kerberos work? How does Kerberos work? How does Kerberos work?
Authentication using cryptographic tickets.
Client
KDC
Key Distribution Center
TGS
Ticket Granting Service
Remote Host
Kerberos ComponentsKerberos ComponentsKerberos ComponentsKerberos Components
Key Components:– KDC (Key Distribution Center)
Grant Principle Account & Service Account Administration of the Kerberos Users Keytab files (Securely distributed to every node)
– TGT (Ticket Granting Ticket)
– TGS (Ticket Granting Service)
– Valid account on the Remote Host
VMS GUI KDC VMS GUI KDC VMS GUI KDC VMS GUI KDC
VMS GUI User FeaturesVMS GUI User FeaturesVMS GUI User FeaturesVMS GUI User Features
Client (HOST1)Login:ODIEPassword:$
A sample Kerberos Authentication WalkthroughKDC (HOST2)
TGS
Remote Server (Host3)
TGT Request 2
KDBODIE: Password1
TGS: Password2
host: Password3
JSMITH@host1 time [SID1]
JSMITH@host1 time [SID1]PWD1 PWD2
KINIT
JSMITH@host1 time [SID1]
JSMITH@host1 time [SID1]
encryptencrypt
4
Password:
JSMITH@host1 time RLOGIN
JSMITH@host1 time [SID1]
1encryptdecrypted
encryptencrypt
3
TGS Request
Encrypted TGT
JSMITH@host1 time RLOGIN
JSMITH@host1 time [SID1]SID1
PWD2
Encrypted SRT
[SID1] Created
$ SET HOST /RLOGIN /AUTHENTICATE HOST3
JSMITH@host1 time RLOGIN
PASSWORD3 [SID2]
[SID2] Created
PWD3
SID1 PWD2
SID1 PWD3
SID2 PWD3
HOST3> communications Authenticated!
decryptedencrypt