[Info-vax] OpenVMS Security (was Re: VSI strategy for OpenVMS)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sun Sep 19 14:20:36 EDT 2021
On 2021-09-19 13:42:41 +0000, chris said:
> Back in the days of NT4, there were some very good NSA documents on how
> to secure Windows. Downloadable from their website, but as you say,
> every new generation seems fated to make the same mistakes of the
> past...
Checklists and security guidance docs are still created, updated, and
available from US NIST CSRC and US NSA.
https://ncp.nist.gov/repository
https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/
Y'all will find security guidance for older OpenVMS versions at the
first link, too.
Little guidance is available in the OpenVMS documentation, when
developers are tasked with creating modern, networked apps, and what
is present in the docs and in the APIs is scattershot and incomplete.
Create an app that uses either a purchased commercial or a private
certificate chain, and certificate authentication on both ends, and
with secure connection encryption, with DNS and over IPv6 and, well, go
ahead, I'll wait...
Or create a network-accessible app product that will be targeted,
harden its parser, isolate it using available OpenVMS mechanisms
including its own username and UIC, and including detection and
recovery from a hypothetical future breach of the app. Being a product,
you'll need to do all of this setup in the app and at install-time via
PCSI. Okay, so making this example app a product and having to harden
the app and perform all of the security setup automatically via
PCSI is completely unfair. Ignoring that automation and having vendor
product support do the install is easier, or in the end-user
documentation, but all of that tends to have issues with difficulty and
with reproducibility.
There really aren't any simple ways to do any of this on OpenVMS of
course, and the existing OpenVMS security model and the associated
product-install model is "fun", and all with some bolted-on pieces
including OpenSSL.
--
Pure Personal Opinion | HoffmanLabs LLC