T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
1471.1 | | CSC32::BUTTERWORTH | Gun Control is a steady hand. | Wed Jan 22 1997 14:32 | 30 |
| > PCM has a big security problem due to missing port protection
> on the Terminal Server side.
This is a subjective viewpoint. I don't consider it that big of a
problem considering it's been this way for over 9 years (this includes
VCS of course) and this is the first time a customer has ever said they
were going to get rid of the product because of it.
I'm *not* saying that it wouldn't be a nice feature but it's not up
to PCM alone to implement this functionality. Until the terminal
server software implements some form of password protection there is
nothing PCM can do.
> An easy approach seems to restrict remote access to the
> Terminal Server for authorized Clients (IP Addresses) only, this
> needs only modification for the Terminal Server code but not to PCM.
I agree completely. Now if you can just get *all* the terminal server
manufacturers to implement it!
> Can anybody provide more Information if we or CA are working on
> this Problem.
To the best of my knowledge no one is working on this because there has
not been enough demand for it.
Regs,
Dan
|
1471.2 | the problem increased with TCP/IP Telnet | GENIE::TANNER | | Thu Jan 23 1997 11:08 | 24 |
| Hi Dan
are you sure that all the customers using PCM (VCS) are aware of
this problem? It's nowhere mentioned in the doc as a "security hole",
even as a small one only.
The Swiss PTT wants to build a centralized control center for their
systems spread all over Switzerland and connected to their WAN (routing
TCP/IP, DECnet Backbone); therefore they have to use TCP/IP Telnet
connections to the Terminal Servers, and the IP address and the listener
number are more simple to guess than server and port names, and with LAT
the problem was on the local Network only.
I can only repeat the customer point of view, and they told me not to use
PCM for this Project if this problem can't be fixed.
Dave Nelson's entry 3411.3 in the TERMINAL_SERVERS conference mentioned
the use of a remote access password for DNAS Terminal Servers. Can
PCM be modified to use a password for the connect? If we can show
a solution the customer will buy Terminal Servers supported with DNAS.
regards Peter
|
1471.3 | | CSC32::BUTTERWORTH | Gun Control is a steady hand. | Fri Jan 24 1997 12:11 | 42 |
| > Hi Dan
>
> are you sure that all the customers using PCM (VCS) are aware of
> this problem? It's nowhere mentioned in the doc as a "security hole",
> even as a small one only.
Again it's been this way for many years and I've never had *ONE SINGLE
CUSTOMER* complain so loudly that they wouldn't buy the product nor
have I ever heard of one single report of a security breach because
of this issue. In my opinion they are making a mountain out of a
molehill.
> The Swiss PTT wants to build a centralized control center for their
> systems spread all over Switzerland and connected to their WAN (routing
> TCP/IP, DECnet Backbone); therefore they have to use TCP/IP Telnet
> connections to the Terminal Servers, and the IP address and the listener
> number are more simple to guess than server and port names, and with LAT
> the problem was on the local Network only.
> I can only repeat the customer point of view, and they told me not to use
> PCM for this Project if this problem can't be fixed.
> Dave Nelson's entry 3411.3 in the TERMINAL_SERVERS conference mentioned
> the use of a remote access password for DNAS Terminal Servers. Can
> PCM be modified to use a password for the connect? If we can show
> a solution the customer will buy Terminal Servers supported with DNAS.
It's going to take some work to make this work. It's not something
that's just going to happen because one customer demands it right now!
I also have a question: Have you found some other package that utilizes
the password protection on DNAS servers?
Regs,
Dan
|
1471.4 | Take it serious | GENIE::TANNER | | Mon Jan 27 1997 04:48 | 40 |
| Hi Dan
> Again it's been this way for many years and I've never had *ONE SINGLE
> CUSTOMER* complain so loudly that they wouldn't buy the product nor
> have I ever heard of one single report of a security breach because
> of this issue. In my opinion they are making a mountain out of a
> molehill.
I still believe that many PCM (VCS) customers are not aware of
the security impact, but I don't want to wake up a sleeping dog
by discussing this with PCM customers.
We have now at least two customers complaining about this and I'm
sure to see more in the near future.
Product security complaints should always be taken seriously, especially
if they are true AND before DIGITAL is mentioned in TV or Radio
Broadcasts because of Hackers gaining access to Systems consoles.
> It's going to take some work to make this work. It's not something
> that's just going to happen because one customer demands it right now!
since PCM is owned by Computer Associates they should answer all
the questions regarding enhancements made to new versions. I have
forwarded this discussion to CA Steve Englert ([email protected]).
I hope CA will be a bit more sensitive about customer complaints in
the area of security and the potential for misuse of system consoles.
> I also have a question: Have you found some other package that utilizes
> the password protection on DNAS servers?
No I haven't, but why should PCM not provide this security enhancement?
regards Peter
|
1471.5 | | CSC32::BUTTERWORTH | Gun Control is a steady hand. | Mon Jan 27 1997 12:14 | 75 |
| >> Again it's been this way for many years and I've never had *ONE SINGLE
>> CUSTOMER* complain so loudly that they wouldn't buy the product nor
>> have I ever heard of one single report of a security breach because
>> of this issue. In my opinion they are making a mountain out of a
>> molehill.
> I still believe that many PCM (VCS) customers are not aware of
> the security impact, but I don't want to wake up a sleeping dog
> by discussing this with PCM customers.
> We have now at least two customers complaining about this and I'm
> sure to see more in the near future.
> Product security complaints should always be taken seriously, especially
> if they are true AND before DIGITAL is mentioned in TV or Radio
> Broadcasts because of Hackers gaining access to Systems consoles.
You tell me to take it seriously, well I put it to you that you are
taking it a bit too seriously! A hacker would have to know the IP
address but also know the listener numbers that are used by the
terminal servers. Since there are at least 9999 listener numbers it's
going to take some doing to get in.
>> It's going to take some work to make this work. It's not something
>> that's just going to happen because one customer demands it right now!
> since PCM is owned by Computer Associates they should answer all
> the questions regarding enhancements made to new versions. I have
> forwarded this discussion to CA Steve Englert ([email protected]).
> I hope CA will be a bit more sensitive about customer complaints in
> the area of security and the potential for misuse of system consoles.
FYI, Steve Englert is not the person to contact as he is not the
product manager. Since you deem this so important I would contact Chris
Daugherty who is CA's Client Base Owner for all POLYCENTER products.
You may reach him at "[email protected]".
Also, I've never said that this feature shouldn't be included. I simply
said this is going to take some work to do and it's not going to happen
overnight. I can tell you this because I have the endorsement of CA to
perform code maintenance/enhancement on PCM in concert with the other
engineers. As a matter of fact since you posted your original note I did
some research to determine how much work this will take and what the
challenges are. FYI here's what I've come up with:
Constraints:
Feature is limited to DNAS supported terminal servers. The feature
ought to work with either LAT or TELNET.
Implications:
Existing customers with older servers will have to upgrade them should
they desire this feature.
PCM Components that have to be modified:
Configuration editor must implement encrypted password entry and
verification.
Line controller daemons must implement the ability to actually use the
password to "login" to the ports in question.
>> I also have a question: Have you found some other package that utilizes
>> the password protection on DNAS servers?
> No I haven't, but why should PCM not provide this security enhancement?
Again, I never said it shouldn't. I still feel that based on 9 years of
experience with these kinds of products that you are blowing this out
of proportion.
Regs,
Dan
|
1471.6 | its the customer who want it | GENIE::TANNER | | Tue Jan 28 1997 01:35 | 15 |
| Hi Dan
it is actually the customer who wants the port protection, not me.
I agree with you that the risk of misuse of the port is low, but it
exists.
If we (or CA) can enhance PCM to work with password protected remote
ports all the customers who need the additional security will buy DNAS
Terminal servers (additional business for DIGITAL) without any
discussion.
Do you feel that PCM will have this nice security feature in the near
future?
If I can show the customer that CA and DIGITAL are aware of this and
willing to work on a solution he may come back to his decision.
regards Peter
|
1471.7 | H/W solution ?? | TIMABS::OBERLE | | Tue Jan 28 1997 01:44 | 8 |
| since it seems there will be no (fast) S/W solution, maybe this may be
solved by adding additional H/W like an encryption black-box??
So the customer would have the required security plus data-encryption.
Just a wild guess ...
Bernd
|
1471.8 | limited number of telnet listener ports | GENIE::TANNER | | Tue Jan 28 1997 07:50 | 53 |
| re .5 Hi Dan
> You tell me to take it seriously, well I put it to you that you are
> taking it a bit too seriously! A hacker would have to know the IP
> address but also know the listener numbers that are used by the
> terminal servers. Since there are at least 9999 listener numbers it's
> going to take some doing to get in.
As far as I know telnet listeners on the DECserver 300 are
limited to 23, 2001 to 2016 (at least the DS300 seems to have fixed
listener ports from 2001 to 2000+n where n is the number of Ports)
and I haven't found any way to change telnet listener numbers
in the terminal server. Anybody who has access to a terminal server
or the manual may know that.
See the output from Local> help set telnet on a DS300:
DEFINE/SET/CHANGE TELNET LISTENER
Enables a Telnet listener. The listener is associated with one or more physical
terminal server ports.
{DEFINE} TELNET LISTENER tcp-port {CONNECTIONS} {ENABLED }
{SET } {PORTS {ALL }} {DISABLED}
{CHANGE} {port-list}}
{CONSOLE }}
{IDENTIFICATION id-string}
tcp-port identifies the Telnet listener. The accepted range
is 23, 2001 - 2016 decimal.
CONNECTIONS enables or disables the listener to receive
connections. The default is disabled.
PORTS specifies the terminal server physical ports where the
ALL associates the listener with physical ports 1 - 16 and
disassociates it from the console port.
port-list can include any combination of ports 1 - 16. This
will disassociate the listener from the console port.
CONSOLE associates the listener with the console port and
disassociates it with all other ports.
IDENTIFICATION id-string descriptive text associated with the listener for
show displays only.
regards Peter
|
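As an added example, not part of this conference thread: the "authorized clients (IP addresses) only" restriction proposed in .0 and .1, combined with the fixed DS300 listener range quoted in .8, expressed as defender-side detection logic that flags connections to console listener ports from addresses outside an allowlist. The allowlist, the log line format and the sample log are assumptions constructed for the example.

```python
import ipaddress
import re

# DECserver 300 Telnet listener range quoted in .8: port 23 plus 2001-2016
# (2000 + n for n ports on a 16-port DS300).
DS300_LISTENER_PORTS = frozenset({23} | set(range(2001, 2017)))

# Hypothetical allowlist of management-station addresses, the "authorized
# clients (IP addresses)" approach proposed in .0 and .1; constructed here.
AUTHORIZED_CLIENTS = [ipaddress.ip_network("10.1.0.0/24")]

# Constructed sample connection log ("date time src dst dport action"),
# not the output of any real terminal server, router or firewall.
SAMPLE_LOG = """\
1997-01-28 07:50:01 10.1.0.7 10.20.0.5 2003 ACCEPT
1997-01-28 07:50:04 192.0.2.44 10.20.0.5 2001 ACCEPT
1997-01-28 07:50:05 192.0.2.44 10.20.0.5 2002 ACCEPT
1997-01-28 07:51:10 10.1.0.7 10.20.0.5 23 ACCEPT
1997-01-28 07:52:00 198.51.100.9 10.20.0.5 8080 ACCEPT
not a log line
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\S+)$")

def listener_guess_space(ports=DS300_LISTENER_PORTS):
    """Candidate listener numbers an outsider who knows the DS300 range must
    try: 17, not the roughly 9999 assumed in .5."""
    return len(ports)

def is_authorized(src, allowlist=AUTHORIZED_CLIENTS):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)

def find_unauthorized_console_access(log_text, allowlist=AUTHORIZED_CLIENTS):
    """Return (src, dst, port) for every connection to a console listener
    port that did not come from an allowlisted client."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # tolerate malformed lines instead of aborting the scan
        _, src, dst, port, _ = m.groups()
        if int(port) in DS300_LISTENER_PORTS and not is_authorized(src, allowlist):
            hits.append((src, dst, int(port)))
    return hits
```

The same check can be applied on the terminal server's upstream router or firewall as an ACL; here it runs after the fact over logs, which also gives a record of who reached the console ports.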
1471.9 | | CSC32::BUTTERWORTH | Gun Control is a steady hand. | Tue Jan 28 1997 10:54 | 22 |
| I'm well aware of the range of listener numbers. My point was that
whoever was trying to get in would have to know that. Obviously if they
do know that then it's much easier to guess. I have serious doubts
that most hackers would know that. It's too obscure. Sure a disgruntled
former employee of a company could get in and cause some damage because
they know about the management platform and how it works. I have not
yet run into a customer that was using "the public internet" for
managing their systems. This would be a rather unintelligent thing to
do in my opinion. I haven't yet run into a site that didn't have
firewall security to prevent unauthorized access into the intranet
especially where TELNET protocol is concerned. Certainly someone could
get access to modem phone numbers but there are numerous security
measures and packages to prevent unauthorized modem access.
I would like to understand your customer's specific situation better.
If you could tell me about their network and environment it would
help a lot.
Regards,
Dan
|
1471.10 | sent by Mail | GENIE::TANNER | | Wed Jan 29 1997 04:58 | 5 |
| Hi Dan
I will send you the answer by Mail
regards Peter
|