From: MERC::"uunet!CRVAX.SRI.COM!RELAY-INFO-VAX" 29-SEP-1992 06:04:34.87
To: info-vax@kl.sri.com
CC:
Subj: VMS security tools

This is a very lengthy posting. It presents my thoughts on a VMS security assessment tool, a report on my assessment tool review project (following previous postings here and elsewhere) and some personal notes. This is a review of the LJK/Security security assessment tool for VMS. If you don't want to read it - just blow on by. If you think that future blurbs of this ilk should be posted somewhere besides here, please send me mail. No flames, please.

Cross posted to:
  Newsgroups: comp.os.vms, comp.security.misc, alt.security
  DECUServe (DECUS BBS): SECURITY conference (with pointer in 3rd party sw)
  Various other lists

Preface

Recently, Digital News magazine was sold to Cahners and has been incorporated into Digital Review to become Digital News and Review. Some things got lost in that process - including some of the work that many freelance writers had in progress. Since I write for the trades for other than purely financial reasons, I am upset that so much of my work (and that of others) got lost in the high-dollar shuffle of the sale (not to mention the people that got dumped!). I've complained to Pat McGovern (Chairman of IDG - parent of the defunct Digital News), but expect no answer. In deference to this, I've decided to post some of my work - especially the things that I think may be useful to you.

Tool Review Project

I'm pleased to have been accepted as a security columnist for Digital News and Review. I'm even more pleased to report that my editors are not only technically oriented, but willing to consider some of my proposals for specific projects such as an extension of the security tool review project which I began in the March/April issue of ISPNews.
Digital News and Review seems very interested in what their readers want - so I suggest that you can influence how soon this security tool review project gets going by sending mail to them. The top guy is Jack Fegreus - digrev!jack@eddie.mit.edu. My editor over there is Michele Clarke.

On the tool review front, things are mucking along. I'll be glad to be able to work on a comprehensive review of all of the products since (as perhaps you know) Digital News and Review's DRLABs (now dn&r Labs) likes to beat on things and measure things. I'm very much looking forward to a toe-to-toe comparison of the various tools in this space.

The general report is that UIS has apparently finally revived their UIS PATROL security tool. ITI (a group of escapees from DEMAX) sold their tool (EZsecurity) to UIS (which made it into UIS PATROL) last year and then had the bad taste to file bankruptcy - leaving UIS holding the bag. Very embarrassing for a company to be advertising a product that they don't have, ay? At any rate, rather than having one less product to consider, we now have one more to consider. Sigh.

DEC is shipping their Compliance Manager (VMS, ULTRIX and SunOS) and their Intrusion Detector. I've finally tracked down the lineage of their "intrusion detection" technology and will look forward to chatting with you about it. Meanwhile, according to Scott Charney (U.S. Justice Department computer crime guy) in his address to the recent USENIX Security meeting in Baltimore, intrusion detection systems are going to redefine the game. Recently, the intrusion detection working group at SRI studied a tool that found 342 actual intrusions out of 111K sessions on a LAN at a university over three months' time. The astounding fact - only 3 (three) of these were noticed by the systems staff, and those were all fortuitous (i.e.: they stumbled across them!).

On a sad note, my relationship with DEMAX has deteriorated badly.
They've been going around saying that I work for RAXCO and, unbelievably, they continue to refuse to send me demos of their products. (I AM AN INDEPENDENT - I WORK FOR ME!) Pity, I actually have several chances to get all of these tools up and running on systems where there are live break-ins happening - now, THERE is the way to compare tools, ay? At any rate, it looks as if DEMAX is preparing to sell their company. While I certainly don't have a problem with the "exit strategy" of venture capital, I'm not sure whether their dumping the company will be good for the game or not. Stay tuned - I'll be exploring this. Meantime, if you (or someone you know) wants to chat about DEMAX and their products - please send mail. I'm reduced to begging to find out about their company and their products :(

A personal note

Sad to say that my Views on DEC (formerly Views on VAX) newsletter went belly up. It has been replaced by a freebie called The Ray. Send me your paper mail address if you want a copy of it.

Please let me know what you think of what follows.

RayK 8)

-----

Policy, policy - who has the policy?
LJK/SOFTWARE helps implement security policy with LJK/Security

LJK/Security Boldly Goes Where No Tool Has Gone Before

by Ray Kaplan

Security policy compliance - a specialty

LJK/Security is a security assessment tool that is sharply focused on solving the significant and subtle problems of the design, implementation and enforcement of security policy in large VMS-based computing infrastructures. It's sharply enough focused to actually do some good for the beleaguered and often tenuous relationship between the security office (where the Electronic Data Processing (EDP) auditors live) and the system manager's office (usually found buried under a large pile of other things to do). LJK/Software sticks to its job of security policy compliance assessment reporting.
In fact, it is so well focused on this significant problem area that it can actually help you quickly build a security policy for your VMS systems where there isn't currently one. Building the VMS-specific elements of an operable security policy from scratch might take one person-week with LJK/Security, but it can take considerably longer, or not even be doable, with some of the other tools on the market. Consider that a mature, production system that has been managed (or not, as the case may be) with little or no attention to security is generally awash in problems. Some of these problems are usually not even technical in nature. Most security departments are run by EDP auditors and there is usually a distinct difference in technical security knowledge between them and the workaday system/network management. LJK/Security turns out to be very useful to both the audit department and the front line system management. It provides a solid, comfortable common ground where everyone can meet to get on with the task at hand - better securing the VMS system at hand.

The LJK/Security tool itself is carefully crafted in Ada by Cambridge, MA-based DEC Independent Software Vendor LJK/Software, with the occasional, necessary call to a low level assembly language routine to get information from the system that is not readily available from standard VMS system service calls. I suggest that Ada is a good choice for an implementation language because it helps force good software engineering habits. Since you should worry about the impact of bugs in the security tools that you buy, knowing that there is careful software engineering in LJK/Security should be a comfort. At the very least, I argue that its Ada source makes it more supportable by its vendor than the piles of different languages in which some products are written.

OK, let's get to work

I've run LJK/Security on many, many different configurations - big and small.
The test configuration that I chose for this report is a simple one, to permit several quick runs for comparison purposes. As you'll see, the process of running a security policy compliance tool is an iterative one. The test configuration was a 5 node Local Area VAXcluster with two shared 600MB disks which were about 3/4 full and 300 user accounts. Each node had local page and swap files and there were user files on the system disk.

The standard install of the product seems much too easy until you understand that it's designed to be used by computer security auditors (who are not generally known for their intimacy with the operating system specifics necessary to install most products). You'll notice that it refuses to accept a default UIC for the ownership of its files, despite its obvious use of the VMSINSTAL auto-answer facility, which remembers the selections made in previous installs and suggests the value that it reports as having been chosen by a previous installation. Since LJK/Security is intended for use in large networks, I am glad that it understands the reality that few networks have organization-wide standards for UIC numbering - even though we might wish it different. I was not surprised to find that it started its detached main process cleanly and automatically, but I was pleasantly surprised to find that it put its startup procedure where DEC says that they should go - in the LPMAIN section of the SYSMAN startups.

Initially, I was very annoyed that the install put its files into the DEC system directories (as opposed to keeping them in its own, separate disk area). However, talking with the vendor, I had to admit that this might not be a bad idea, after all. I was swayed even though I understand that conventional system management wisdom (and simple sanity) demand that you carefully separate a third party's layered product's files from DEC's disk areas.
Consider that DEC has not yet announced its layered product integration strategy for VMS, that LJK/Security has a REMOVE command to remove it from the system (how many times do you wish your third party products had one of these!), and - most importantly - a recurring theme: LJK/Security is designed to be installed and run by the security office (which generally has no technical understanding of VMS or DECnet). Given these reasons, I could hardly argue with the fact that the install left its 11,000 blocks in the right places on the system disk. If you are not convinced, consider that the system disk is about the only common thing in a VMS configuration that you can count on - especially across the huge collections of machines for which LJK/Security is designed to integrate security policy.

Now, for the first run

Settling in for your first run of the tool, you'll notice that, like the others of its ilk, LJK/Security's job is to assess the state of the security of the system. Like other products it does so by assembling the rules against which a node's security is to be evaluated into a collection called a POLICY. Your first job is to configure a POLICY for the node or nodes that you are interested in assessing. LJK/Security claims to come with a reasonable set of defaults in the form of a DEFAULT POLICY, which I found to be very, very picky. By typing commands at the LJK/Security program you can create a new POLICY of any name you choose based on the DEFAULT POLICY and then modify it as you see fit. Most people, including me, loosen up the default settings considerably to accommodate the target system's inability to live up to the stiff standards of LJK/Security's DEFAULT POLICY. That's fine by me - I'd rather have this than a weak-kneed policy that left the system wide open to compromise.

The rules that make up your POLICY are described in TESTS, in which you describe the details of a target node's security configuration.
For instance, you can tell LJK/Security to report user passwords that can be guessed in 10 or fewer tries. These specifics of each TEST are called LIMITS and they can be adjusted as you see fit. A POLICY's TESTS are grouped into FACILITIES. Each FACILITY is devoted to measuring a particular segment of VMS's security configuration. LJK/Security can assess the security configuration of ACCOUNTING, SECURITY AUDITING, DECnet, DEVICES, the VMS file system, terminals, the User Authorization File (UAF) and VMS SYSGEN parameters. Once you have tailored a POLICY to your needs, you then create a run-time unit called an ASSESSMENT, which produces a RESULTS file where LJK/Security holds its findings for you.

For the initial run, I left everything set as it came in the DEFAULT POLICY. You can selectively enable or disable the FACILITIES in a POLICY as you see fit. Herein lies the first mistake that you can very easily make. LJK/Security will dutifully try to report every single violation of the POLICY's TESTS that it finds. Thus, you have to be careful, since the fact that most systems are run with little attention to security management virtually guarantees that they are awash in reportable security violations. Given how tight the DEFAULT POLICY is, you may have a surprise awaiting you. On the test configuration, I blindly ran my copy of the DEFAULT POLICY only to find that it ate up almost 5 hours of CPU time and produced a RESULTS file of over 36,000 blocks! Either this system is hopeless or I've asked for far too much detail in the initial run. Unfortunately, LJK/Security builds its temporary RESULTS file on the system disk, but I'm glad that it checks the free disk space from time to time during the run of an ASSESSMENT. Thank goodness it will not consume more than 1/3 of the available free space. Despite the huge amount of CPU time and disk space, my initial run with the DEFAULT POLICY terminated less than half way through its TESTS.
It was busily reporting every single file protection problem that it found when it quit due to its temporary RESULTS file exceeding 1/3 of the available free space on the system disk (thank you, masked man). The clear lesson was for me to disable the VMS file system checking (the DISK FACILITY) in my policy for this target node. In LJK/Security parlance, this is known as effecting the DISABLE of a FACILITY in a POLICY. While LJK/Software counsels its customers on the operational sanity of a DISABLE for the DISK FACILITY for the first few runs in its direct interactions with their technical support, the manual only alludes to this important time and resource saving operational detail.

Since LJK/Security will dutifully report every violation of a given POLICY's TESTS, the idea is to build a policy which will allow the ASSESSMENT to report no violations when it is run against systems whose security configuration complies with their POLICYs. This is an iterative exercise wherein one "tunes" the POLICYs to exactly fit their target nodes. Given a part of the security configuration that is out of whack with the desired policy, the worst thing you can do is to ignore it by tuning the policy's LIMIT for this item such that it no longer reports a violation. For instance, you'll quickly want to relax the DEFAULT POLICY's LIMIT that causes LJK/Security to complain about users being allowed 24 hour access if no such hourly access restrictions to your computing resource are applicable. In addition, you recognize the fact that an item needs attention by explicitly making it an EXEMPTION so that it can be noted as such in the POLICY. EXEMPTIONs are for the specification of long term situations that are not to be counted as violations of the current POLICY. Consider the fact that the VMS SYSTEM user should be an EXEMPTION in the report that lists the privileged users on the system. Such subtleties are the stuff of contentment for the EDP audit community.
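To make the POLICY / FACILITY / TEST / LIMIT / EXEMPTION / ASSESSMENT scheme described above concrete, here is a small model of it in Python. This is an added illustration, not LJK/Security's own code or anything from LJK/Software: the node snapshot, user names, file names, process id and all numbers except the ones taken from the text (the 10-guess password LIMIT, the 24-hour access LIMIT, the 1/3-of-free-space cap on the RESULTS file) are constructed. It shows why an untuned DEFAULT POLICY run dies inside the DISK FACILITY, and how a DISABLE, an EXEMPTION for SYSTEM and a relaxed LIMIT turn the same run into a short, complete RESULTS file.

```python
"""Toy model of a policy-compliance assessor in the style the review describes.
Added illustration only; not LJK/Security code. All names, records and numbers
below are constructed except the LIMITs and the 1/3 free-space cap the review cites."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed snapshot of one VMS-like tributary node: four UAF records (privileges,
# permitted access hours per day, and how many tries a hypothetical password checker
# needed) plus a run of world-writable files, as an untended disk tends to carry.
NODE_SNAPSHOT: Dict = {
    "uaf": [
        {"user": "SYSTEM", "privs": ["SETPRV", "CMKRNL"], "hours": 24, "guesses": None},
        {"user": "FIELD",  "privs": ["SETPRV"],           "hours": 24, "guesses": 3},
        {"user": "JSMITH", "privs": [],                   "hours": 24, "guesses": 200},
        {"user": "GUEST",  "privs": [],                   "hours": 24, "guesses": 1},
    ],
    "disk": [{"file": f"DKA0:[DATA]FILE{i:03d}.DAT", "world": "RWED"} for i in range(40)],
}

# Each TEST belongs to a FACILITY and compares the node against one LIMIT;
# check(snapshot, limit) returns the (item, observed value) pairs that violate it.
def privileged_users(snap, limit):
    return [(u["user"], ",".join(u["privs"])) for u in snap["uaf"] if len(u["privs"]) > limit]

def guessable_passwords(snap, limit):
    return [(u["user"], str(u["guesses"])) for u in snap["uaf"]
            if u["guesses"] is not None and u["guesses"] <= limit]

def access_hours(snap, limit):
    return [(u["user"], str(u["hours"])) for u in snap["uaf"] if u["hours"] > limit]

def world_writable(snap, limit):
    return [(f["file"], f["world"]) for f in snap["disk"] if "W" in f["world"]]

@dataclass
class Test:
    facility: str
    name: str
    limit: int
    check: Callable[[Dict, int], List[Tuple[str, str]]]

@dataclass
class Policy:
    name: str
    tests: List[Test]
    disabled: Set[str] = field(default_factory=set)                # DISABLEd FACILITIES
    exemptions: Set[Tuple[str, str]] = field(default_factory=set)  # (test, item) EXEMPTIONs
    audit_log: List[Dict] = field(default_factory=list)            # who changed what, and why

    def _audit(self, pid: str, comment: str, change: str) -> None:
        self.audit_log.append({"pid": pid, "comment": comment, "change": change})

    def set_limit(self, test_name: str, limit: int, pid: str, comment: str) -> None:
        for t in self.tests:
            if t.name == test_name:
                t.limit = limit
        self._audit(pid, comment, f"LIMIT {test_name}={limit}")

    def disable(self, facility: str, pid: str, comment: str) -> None:
        self.disabled.add(facility)
        self._audit(pid, comment, f"DISABLE {facility}")

    def exempt(self, test_name: str, item: str, pid: str, comment: str) -> None:
        self.exemptions.add((test_name, item))
        self._audit(pid, comment, f"EXEMPT {test_name}:{item}")

def default_policy() -> Policy:
    """A deliberately strict shipped baseline, in the spirit of the picky DEFAULT POLICY."""
    return Policy("DEFAULT", [
        Test("UAF", "PRIVILEGED_USERS", 0, privileged_users),       # any privilege at all
        Test("UAF", "GUESSABLE_PASSWORD", 10, guessable_passwords), # guessed in 10 or fewer tries
        Test("UAF", "ACCESS_HOURS", 8, access_hours),               # more than 8 h/day allowed
        Test("DISK", "WORLD_WRITABLE", 0, world_writable),          # any world write access
    ])

def run_assessment(policy: Policy, snap: Dict, free_blocks: int, block_bytes: int = 512):
    """Return (RESULTS lines, completed). Every violation of every enabled TEST is reported,
    and the run stops, incomplete, once the RESULTS would exceed 1/3 of the free space."""
    cap = free_blocks * block_bytes // 3
    results, used = [], 0
    for test in policy.tests:
        if test.facility in policy.disabled:
            continue
        for item, observed in test.check(snap, test.limit):
            if (test.name, item) in policy.exemptions:
                continue
            line = f"{test.facility}/{test.name}: {item} observed={observed} limit={test.limit}"
            used += len(line) + 1
            if used > cap:
                return results, False
            results.append(line)
    return results, True

def tune_for_node(policy: Policy, pid: str = "2020011A") -> Policy:
    """First-pass tuning: silence the DISK FACILITY for now, record the one legitimately
    privileged account as an EXEMPTION, and relax a LIMIT that does not apply at this site.
    pid is a constructed stand-in for the VMS process id of whoever made the change."""
    policy.disable("DISK", pid, "first runs: file checks flood the RESULTS file")
    policy.exempt("PRIVILEGED_USERS", "SYSTEM", pid, "SYSTEM is privileged by design")
    policy.set_limit("ACCESS_HOURS", 24, pid, "no hourly access restriction at this site")
    return policy

if __name__ == "__main__":
    lines, done = run_assessment(default_policy(), NODE_SNAPSHOT, free_blocks=6)
    print(f"DEFAULT: {len(lines)} violations reported, completed={done}")  # stops inside DISK
    lines, done = run_assessment(tune_for_node(default_policy()), NODE_SNAPSHOT, free_blocks=6)
    print(f"TUNED:   {len(lines)} violations reported, completed={done}")
    print(*lines, sep="\n")
```

The point to notice is what tuning does not do: the FIELD account is still reported as privileged and as having a guessable password, because those are real findings. Only the items the site has consciously decided are acceptable (SYSTEM's privileges, 24-hour access) stop appearing, and each such decision is written into the policy's log with a process id and a comment, which is the kind of record an EDP auditor will ask for.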
The trick to this tuning effort is to adjust the POLICY by applying proper LIMITS, DISABLES and EXEMPTIONS. Experience shows that this tuning effort takes about a person-week for a typical VMS system amid the usual background noise level of a typical system management or EDP auditor's normal workload. The finished product is an ASSESSMENT which reports where the target nodes are out of line with the organization's security policy - but only if time has been spent to configure LJK/Security's TESTS to reflect that desired result. Otherwise, the results of an assessment are simply a huge assembly of violation reports. My first-blush tuning effort of simply turning off the DISK FACILITY in my initial policy resulted in a huge and immediate savings of resources. The assessment with the tuned policy which had the DISK FACILITY disabled ran in 17 minutes and produced a RESULTS file of only 759 blocks! Further refinements resulted in minimum run times of as little as 15 minutes and a RESULTS file as small as a few hundred blocks. A huge payback for a minimal investment in telling the tool what I was interested in and what I didn't care about.

LJK/Security offers many unique features

Like other products in the space, an LJK/Security master node assembles the results from all of the nodes being assessed (called tributary nodes in LJK/Security parlance). One key difference between LJK/Security and other products is that tributary nodes can be local VAXcluster nodes, those connected to a common DECnet network OR those that are not even connected to the master node. This is because LJK/Security supports delivery of assessment results from tributary to master node via magnetic tape. Just the thing for those systems that are kept "behind closed doors" or those that are carefully disconnected from any network.

Changes to LJK/Security's POLICYs and ASSESSMENTs are made in a controlled manner in accordance with commonly accepted practices in the EDP auditing community.
As such, they produce an audit log which is stored in the affected POLICY or ASSESSMENT along with the VMS process identification of the process that made the modification and the comments of the person that changed them. Unlike other products that claim to be protecting the transfer of their assessment results from remote nodes to their master nodes with some sort of unspecified "scrambling", LJK/Security offers you the choice to encrypt the results with the VAX Encryption Utility, which is based on the Data Encryption Standard (DES) encryption algorithm. Since DES is not exportable except under tight control, it is important that there is absolutely no question about the exportability of LJK/Security. Despite the fact that LJK/Security offers a callable interface for the product itself, it does not currently offer the ability to call out to the encryption algorithm of your choice.

To the delight of its users, LJK/Security features the interfaces du jour: VMS standard DCL command lines, VMS Screen Management Routine based menus with keypad and control key support, and the first fully functional DECwindows interface that we have seen from any vendor (including DEC) in this family of tools. Adequate help is available everywhere in the standard ways that are appropriate to each interface.

As you might expect from the DEC Independent Software Vendor that LJK/Software is, the ample 8 1/2 x 11, three ring binder format documentation is VAX DOCUMENT-based. The pleasant surprise in the documentation department was the fact that its DECwindows interface comes complete with a BOOKREADER accessible version of the manual. It's all comprehensive, easy to read, well endowed with both copious screen representations and graphics, and it is well indexed, to boot. Although I had some trouble in following the flow of what it tells you to do in some cases, I think that this is exclusively due to the scant 6 pages of material that they supply in the introduction sections.
Since this is such a complicated problem area, I think that there should be significantly more introductory material in the manual.

LJK/Software sports the only electronically-based technical support service among vendors in this family of products. LJK/Software provides a dial-in VAXnotes-based conference where customers can interact with LJK/Software's technical support at their leisure in a way that does not reveal their organization-specific questions to other participating companies. This anonymity is key, since the open, attributable discussion of security-related problems can be a serious security breach in and of itself. In the same vein, LJK/Software would not supply me with a list of current LJK/Security users to talk with, despite the fact that I know that there are currently a number of large users of the product. Despite my irritation at this, I do have to admit that an open discussion of what security assessment tools one uses can be a serious security breach in itself.

Their licensing scheme is a bit unique (see insert). Since they absolutely don't want any unsupported software in the field, LJK/Software only sells LJK/Security on the basis of an annually renewable license which includes technical support for the year. At least I'm glad that they have an inexpensive one-month-at-a-time license available that I can buy as I need it in my work as an independent security consultant.

Since I'm not completely happy with any of the handful of products in this policy assessment arena, it's no surprise that I have some bones to pick with LJK/Security. Currently, LJK/Security provides no summary or history information about how a current assessment's results compare to those from the last time that it was run. I continue to Despite the fact that the product is almost 4 years old, I had some minor problems with what I think is some missing flexibility in the user interface - but then again, I've met very few of them that I liked!
By its own characterization, LJK/Software is a tiny company and it's important to note that it does not pretend to be anything else besides what it is. Despite my difficulties with the product, I find that LJK/Security is a very well designed policy compliance tool with a pace-setting, advanced architecture and features that mandate your exploration. You'll want to do this before you invest in such a tool for your VMS shop. While I am not yet sure that LJK/Software has succeeded in their stated goal of producing the very best policy compliance tool that is available, I am sure that you'll want to take a close look at it.

*******

Technical Summary

- Runs on virtually any VAX configuration
- The same product version runs on and accommodates all VMS versions from V4.2 - V5.5
- First released 1988
- Current version released January, 1992
- Measures how well the security-relevant settings of VMS conform to a set of user-defined rules for: Accounting, Security Auditing, DECnet configuration, Device protection, the VMS file system, Terminal protection, User Authorization File parameters and SYSGEN parameters
- Can communicate policy compliance assessments from remote nodes to a master node via DECnet or magnetic tape in plain ASCII text or encrypted using the VMS VAX Encryption utility
- Requires 11,000 blocks on the VMS system disk by default, can require up to 1/3 of the available free space on the system disk for temporary storage by default, can require several thousand blocks of additional storage for options such as BOOKREADER documentation files, requires several thousand blocks for the storage of policy compliance assessment results.
- Provides three compatible user interfaces: DCL command line, VMS Screen Management facility (SMG), and a fully featured DECwindows interface
- Paper-based VAX DOCUMENT and BOOKREADER formats of documentation are supplied
- Pricing: (no perpetual licenses available - all licenses include technical support - license prices are based on numbers of nodes)

    1 node   --  $2,400/year  --   $200/month
   10 nodes  -- $12,000/year  -- $1,000/month
  100 nodes  -- $60,000/year  -- $5,000/month

  Special discounts available for longer terms and larger numbers of nodes

*******

Executive Summary

- Assesses how well large numbers of VMS systems comply with security policy
- Can measurably assist in the effort to build a VMS platform-specific security policy where none currently exists
- Tracks security policy compliance by making comparisons between security-relevant conditions on the target system and limits that you describe to the software
- Sophisticated architecture specifically designed to accommodate any number of node-specific policies which can be arbitrarily grouped into run-time units
- Consolidates node-specific security policy compliance assessments from very large numbers of VMS nodes
- Provides common ground between EDP audit and system/security management
- Requires the active involvement of organizational security management to relax the stringent default standards with which it is shipped in a node-specific manner according to organizational security policy
- Technical support available via telephone, FAX and dial-in VAXnotes conferencing (with appropriate anonymity)

LJK/Software
One Kendall Square
Suite 2200
Cambridge, MA 02139
(617) 558-3270
FAX (617) 558-3277

*******

More information on VMS security assessment tools:

Security Assessment Tools for VAX/VMS
INFOSecurity Product News
March/April 1992 issue
498 Concord St
Framingham, MA 01701-2357
FAX (508) 872-1153

Greg Blummers (Sverdrup Technology, Inc.)
wrote a comparison between the RAXCO, Braintree, DEMAX and DEC offerings in a posting to comp.os.vms (INFO-VAX) on 3/25/92. If you missed it, I'll send you a copy. Send me mail. kaplan@mis.arizona.edu.

RayK 8)