Conference atps::sevms

508.0. "Security/Authentication" by NETRIX::"[email protected]" (Richard Quan) Thu Feb 20 1997 20:08

Does anyone have any ideas an appropriate products/strategies:
Outer Eastern Institute of TAFE has had a major security breach on campus, 
where Police are involved and doing internal investigation. This issue stem 
from the fact that someone has broken into their Digital VAX (admin) and 
accessed sensitive data. It appears from their internal investiagtion that 
someone has sniffed the network and picked up the main admin login and 
password. This information is sent over the Net as ASCII Text, so can easily 
be picked up by anyone having access to the right equipment and with the 
right knowledge.

They are currently reviewing security and would like to look at Security 
Options on the VAX running VMS.
I have suggested Kerberos which encrypts data over the network , so a 
sniffer cannot decode it. Previous discussions indicated that this can be a 
administration headache.

Can you advise what Digital Products we can recommend to the Tafe to enhance 
Security ? They have a Vax supporting Lat and TCP-IP, and DECServers 700 
Terminal Servers. This has become priority one for the TAFE.


Richard Quan
CSF - Tech Support
Melbourne
[Posted by WWW Notes gateway]

DEC ACB at this stage appears to be a possible solution SPD 39.53.02

Richard Quan
[Posted by WWW Notes gateway]

   There's a discussion of this topic going on via e-mail, and it's
   not at all clear what the exact source of the breach was...
   (Other than apparently allowing untrusted users direct access to
   a portion of a trusted system -- the LAN.)

   As I've recommended in e-mail, these systems should have had a
   firewall, and there should be one-time passwords and/or tunnels
   and/or crypto-keys used from the unsecure side of the firewall.