Solutions Newsletter - Winter 2006/2007 - Volume 11 Issue 3
On-Demand OpenVMS Security Webcast
Don't risk unauthorized users gaining access to vital information!
Learn how you can secure your OpenVMS systems and data with the latest technology from Process Software.
What you will learn:
- Protect applications from unauthorized users
- Authentication and encryption options used for securing data
- Product overview of VMS Authentication Module and SSH Solutions
- Best practices for securing your OpenVMS systems
http://www.process.com/webinar.html
VMS Authentication Module (VAM) v2.0 is now available
VMS Authentication Module (VAM) provides an added layer of security for protecting mission critical applications running on OpenVMS. The features include:
- Support for RSA SecurID and LDAP logins. It provides controlled access to both user-written applications and the OpenVMS system overall.
- Enhanced access restrictions - additional access restrictions can be implemented using information in a system User Authorization File (UAF), such as allowing logins only on certain days and times. These can be used in addition to the restrictions defined in the RSA ACE/Server (aka SecurID), and can also be more restrictive than those in the RSA ACE/Server.
- Automatic failover authentication – If VAM authentication fails because the LDAP or RSA server is unreachable, normal VMS authentication can be used as a backup.
- Support for LDAP directories with the V3 protocol, including Microsoft Active Directory and OpenLDAP.
- Encrypted/Unencrypted LDAP transactions - All traffic including username and password between VAM and LDAP server can be encrypted.
- VMS UAF passwords may be synced with the LDAP server password (the default behavior).
- Multiple searches may be specified for any supported LDAP server, and multiple LDAP servers may be searched. The system manager specifies the servers and searches on those servers in the VAM configuration file.
- Fetch specified attributes from an LDAP directory, used as a centralized repository of information on each user, upon successful completion of LDAP authentication. For example, users can log in and get their printer access information. This way, an administrator does not have to keep multiple copies of access privilege information in the OpenVMS system and LDAP.
- SSH single sign-on access to VAM v2.0 using MultiNet, TCPware, or SSH for OpenVMS (see ECO requirements). Note: VAM 2.0 is supported on VAX 7.3, AXP 6.2 and higher, I64 8.2 and higher.
New SSH ECOs
MultiNet 4.4 (SSH-130_A044)
MultiNet 5.0 (SSH-070_A050)
MultiNet 5.1 (SSH-040_A051)
TCPware 5.6-2 (SSH_V562P100)
TCPware 5.7-2 (SSH_V572P030)
SSH for OpenVMS 2.2 (SSHVMS-040_A022)
For more product information, go to http://www.process.com/VMSauth/index.html.
PreciseMail Anti-Spam Gateway v2.4-2 is now available
The new features include:
- URL Reputation Filter - Process Software actively analyzes several million web sites for over 20 indicators that a site is being used by spammers and phishers. Sites are also analyzed for adult content. Each analyzed website is given a reputation score, based on how “bad” it is. PreciseMail Anti-Spam Gateway obtains reputation scores for URLs contained in incoming email messages, and uses the reputation data to help determine if a message is spam.
- Web-based Content Filters - Users and administrators can use the graphical web interface to create their own message filtering rules that can allow, block, tag, or quarantine a message based on any part of the message body or headers.
- Clam Anti-Virus - PreciseMail Anti-Spam Gateway’s web administration interface makes it easy to enable Clam AntiVirus, the leading open-source anti-virus software. Clam AntiVirus is supported on the Linux and UNIX platforms in the standalone SMTP proxy configuration.
- Performance Enhancements - The rules can be compiled to improve the performance for OpenVMS deployments. Also, user quarantine interface performance has been enhanced on all platforms.
- RHSBL (Right-Hand-Side Blackhole List) support – RHSBL servers maintain lists of domain names that do not conform to all of the Internet RFCs. The PMAS PTSMTP proxy server includes support for accessing RHSBL systems to identify incoming email that is being sent by one of these known non-compliant systems.
- Anti-Relay Plugin – Prevents third-party systems from using your system as a mail relay, e.g., to route their email to other third-party systems through your system (requires PreciseMail Anti-Spam Gateway V2.4-1 ECO released October 4, 2006).
- Other Web Enhancements:
  - Administrators can create system-wide allow/block lists using the web interface.
  - Administrators can customize any aspect of the email quarantine notification that is sent to users.
  - A user action report has been added to the administrator’s web interface.
  - Support for allowing users to disable acknowledgement emails from the PreciseMail email interface.
  - Clicking on navigation icons on the allow/block list pages results in a warning popup if you have changed the lists but have not saved.
For more information, go to http://www.process.com/precisemail/antispam.html.
Case Study - Delta Telecom Chooses PreciseMail Anti-Spam Gateway to Eliminate Spam and Provide Greater Subscriber Satisfaction
Background
Delta Telecom, the first mobile telecoms operator in the Russian market, was established in Saint Petersburg in September 1991. They offer high quality voice services, high-speed (up to 2.4 Mbps) Internet access using mobile stations (cell phones), and ISP services covering a large territory including Saint Petersburg, most of the Leningrad, Novgorod and Pskov regions, as well as the Republic of Karelia. Delta Telecom is the largest mobile operator in Russia using an advanced CDMA-2000 network.
The Situation
Ruslan Laishev, Delta Telecom's system administrator, found that spam was flooding their mail servers and consuming their network. "We were processing 150,000 messages per day between our two mail servers, and around 80% of it was spam," said Laishev. He added, "If we didn't address our spam problem soon, Delta Telecom would need to invest in additional equipment to handle the mail load. In addition, our abuse team experienced a surge of complaints about spam from our subscribers. It was my responsibility to work with the abuse team to get this problem under control."
A spam filter was implemented to reduce their junk mail. However, Laishev found that over time the filter was unable to keep up with the large percentage of spam they were receiving. "The technology used in this spam filter was not sophisticated enough to stop the many diverse types of spam message content," said Laishev.
The Solution
As a long-time customer of Process Software, Laishev decided to evaluate PreciseMail Anti-Spam Gateway. He deployed the PreciseMail Anti-Spam Gateway SMTP proxy server, which receives the email from the Internet, filters out spam, and then relays the filtered email to the destination email servers. Filtering email for spam before it is received by the email server reduces the email server's load and improves its performance. Laishev decided to implement all of the filtering technology available in PreciseMail, which includes DNS blacklists, heuristic analysis, reputation filtering, Bayesian analysis, Verify Mail From (VMF), and allow and block lists. "The sophisticated multi-layered filtering technology offered in PreciseMail Anti-Spam Gateway eliminated over 90% of our spam problem out-of-the-box. It took me only 15 minutes to get it up and running, and I saw an immediate improvement in our mail server performance. The mail abuse team also reported that there were less complaints about spam," said Laishev.
The ability to tune and write rules was important to Laishev so that he can respond to special service requests. PreciseMail's web-based administrator interface provides the ability for customers to write spam filtering rules, create allow and block lists, and enable or disable the various spam filtering layers. Laishev said, "I have now used PreciseMail Anti-Spam Gateway for the past few years. The Process Software development team has consistently updated the filters to stay ahead of all the latest spamming tricks."
Overcoming the Challenges of Spyware in Your Enterprise White Paper
What if a competitor gained access, without your knowledge, to one of your company’s secured systems that resides behind a firewall and contains all your trade secrets? Sounds impossible? Not according to law enforcement authorities in Israel, who detained 18 people in connection with a malicious code attack in 2005. The attackers allegedly used spyware to commit industrial espionage against a competitor. This is just one example of how spyware can potentially impact your business. Many businesses are unknowingly susceptible to spyware, including businesses that take all the precautions by deploying firewalls, virus and web filters, and anti-spam technology. This white paper identifies the effects of spyware in an enterprise and the enterprise anti-spyware deployment options. Download it now at http://www.process.com/spycatcher/SpywareChallenges.pdf.
New Spyware ROI Calculator
Calculate the cost of spyware in your organization with the Process Software ROI calculator at http://www.process.com/spycatcher/spy-roi_calc.html.
New Web Resources
VMS Authentication Module v2.0 SPD
VMS Authentication Module v2.0 Manuals
PreciseMail Anti-Spam Gateway Technical Overview
On-Demand Webcast - Overcoming the Challenges on Spyware in an Enterprise
You will learn answers to questions like:
- How can spyware impact your organization?
- What are the sources of spyware?
- What spying techniques are used to collect and distribute confidential information, interrupt users, and circumvent other security products, leaving your enterprise vulnerable in other areas?
- Why are conventional antispyware technologies ineffective at eliminating hyper-mutating and custom-coded spyware?
- What solutions are the most effective?
- Case Brief: Learn how a disgruntled employee used key logging for revenge and was caught.
Roadmap
The MultiNet v5.2 beta test has just started. You can still sign up to participate in the beta test at http://www.process.com/tcpip/mnbeta.asp. The release is scheduled for the end of 1Q07.
The new features include:
- BIND9 server
- IPSEC (with layer 3 VPN tunneling and IKE)
- SSH upgrade
- NTP v4.2
- IPv6 support
- Kernel performance improvements
PMDF v6.3-1 for Integrity only is now shipping. Please contact sales at sales@process.com to obtain a CD.
The PMDF v6.3-2 Linux beta test will begin in February. You can sign up to participate in the beta at http://www.process.com/tcpip/pmdfbeta.asp. We are also investigating adding support for SPF in an ECO. Check our website for updates.
The TCPware v5.8 beta is scheduled to begin in the first half of 2007. New features include:
- BIND9 server
- SSH upgrade
- NTP v4.2
- Logging for number of maximum password attempts
- Compiled from an unaltered cryptographic source certified to comply with Department of Defense PKI
- New SSH-CERTTOOL to create PKCS#10 certificate requests
- Compatible with OpenSSH SCP
- SSH CERTVIEW displays more certificate extensions.
- Restrict operations the user can perform
- Confine users to a specific directory tree
PreciseMail Anti-Spam Gateway Next is planned for the summer of 2007. The features in the next release are in the planning stages. We are investigating adding support for SPF in an ECO prior to the release. Check our website for updates.
Patch Corner (October - December 2006)
MultiNet v5.1
RCDDRIVER-010_A051.zip - Correct an error in memory management on Itanium; Correct an error in formatting the ACCPORNAM information on VMS V8 (Oct 6)
RMTDRIVER-010_A051.zip - Correct an error in memory management on Itanium; Correct an error in formatting the ACCPORNAM information on VMS V8 (Oct. 6)
UCXDRIVER-020_A051.zip - Correct potential system crash on Itanium; Correct a timing window in deassign operations (Oct 6)
UCX_LIBRARY_EMULATION-021_A051.zip - Update GSMATCH and entry points for OpenVMS V8.3 (Oct 12)
KERNEL-UPDATE-134_A051.zip - Performance improvements for telnet
SSH-040_A051.zip - SSH/VAM integration (Dec 13)
TCPware v5.7
DRIVERS_V572P022.zip - Provide a new version of UCX$IPC_SHR for OpenVMS V8.3 and later (Oct 13)
SSH_V572P030.zip - SSH/VAM integration (Dec 13)
SSH for OpenVMS v2.2
SSHVMS-040_A022 - SSH/VAM integration (Dec 13)
PreciseMail Tech Tip - PMAS sites using the OSU web server
Sites using the OSU HTTP web server for the PreciseMail GUI should run PMAS_COM:OSU_SETUP.COM after PreciseMail upgrades. This procedure creates support command procedures needed for the OSU server. Re-running OSU_SETUP.COM after PreciseMail installations ensures that all the necessary OSU support procedures are in place.
FAQs
PreciseMail Anti-Spam Gateway
Q. Is it possible for an administrator to set a specific domain as opt-in rather than setting it up by specific users?
A. Yes, using the administrator's GUI, log in as "$default$@whatever.com", click "Opt-in", and save. That will create a "$default$" user database entry that will get loaded for everyone in that domain that doesn't have a user database record already.
23-AUG-2006 08:49:30.67: Looking up user database info for goaok@bogus.com
23-AUG-2006 08:49:30.68: User database info lookup status for goaok@bogus.com: 1
23-AUG-2006 08:49:30.68: From db: email: $default$@bogus.com, quar_thres = 0.000
23-AUG-2006 08:49:30.68: Address goaok@bogus.com has opted out of PMAS testing
In this example, $default$ was opted out, but you can see that it looks for the $default$ record when there isn't one for the user.
Q. Can I use a full email address for authentication?
A. Yes, but using full email addresses for authentication is not quite standard. It is not part of the POP3 and IMAP4 RFCs, though several newer packages use it to provide support for virtual domains.
When authenticating against POP3 and IMAP4 servers, "/virtual" can be specified after the server host name to indicate that the server provides virtual domain support and that the entire email address should be used for authentication instead of just the username portion of the address.
Here are two examples of the configuration variables in
/pmas/data/pmas_config.dat:
auth_pop3_hosts pop3.example.com/virtual,backup.example.com
auth_pop3_hosts other.example.com/virtual
Q. Is there a way to limit the authentication tests so that, for example bob@pop.example.com is authenticated only against pop.example.com and bobexample@aol.com is authenticated only against imap.aol.com?
A. You can use the fourth parameter in the alias file to specify the authorization method for a particular address. The system checked is determined by the domain name of the authorization alias (the 3rd parameter), so if you specify these lines (or something like them), you should get what you want.
bob@pop.example.com bob@example.com bob@pop.example.com pop3
bobexample@aol.com bobexample@aol.com bobexample@imap.aol.com imap4
MultiNet
Q. What do I do if MultiNet fails to start on an Integrity system?
A. Check the granularity hints memory.
$ SHOW MEM/G
MultiNet V5.1 requires the following amounts of VMS executive memory on Integrity platforms:
Execlet code region 87 pages
Execlet data region 375 pages
To ensure that there is sufficient memory for MultiNet to load, put the following lines in SYS$SYSTEM:MODPARAMS.DAT and run AUTOGEN:
MIN_GH_EXEC_CODE = 4183
MIN_GH_EXEC_DATA = 1399
For MultiNet V5.2, the requirements are:
Execlet code region 83 pages
Execlet data region 472 pages
Q. Is there a way to tell what process owns a connection?
A. You can use the MU SHOW/CONN=PID or MU SHOW/CONN=PROC commands to list the connections and the PID or name of the process that owns them.
MultiNet and TCPware
Q. How can I configure MultiNet's (or TCPware’s) SSH server to ignore requests from addresses which are not in some sort of "approved" list? I can add hosts to the SSH configuration file but it seems that the SSH server doesn't check the client address until *after* it's accepted the client connection. I want it to completely *ignore* such clients.
A. You can use packet filtering to block those. The following set of rules would only allow connections from the 192.42.95.0/24 subnet and the host 198.115.48.1 -
permit tcp 192.42.95.0 255.255.255.0 0 0 eq 22
permit tcp 198.115.48.1 255.255.255.255 0 0 eq 22
drop tcp 0 0 0 0 eq 22
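The allow-list in the answer above can be checked offline before it is loaded. This is an added example, not Process Software code: it parses the three rules and reports the action each sample source address would get, assuming rules are evaluated in order with the first match winning, that every rule carries a "0 0" destination, and that 192.0.2.10 stands in for the SSH server.

```python
import ipaddress

# Rule set from the answer, retyped one rule per line for this example.
RULES = """\
permit tcp 192.42.95.0 255.255.255.0 0 0 eq 22
permit tcp 198.115.48.1 255.255.255.255 0 0 eq 22
drop tcp 0 0 0 0 eq 22
"""

def _net(addr, mask):
    # "0 0" is the shorthand the rules use for any address.
    if addr == "0" and mask == "0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_rules(text):
    """Parse 'action proto src mask dst mask eq port' lines (the subset shown here)."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if len(f) != 8 or f[6] != "eq":
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append({
            "action": f[0], "proto": f[1],
            "src": _net(f[2], f[3]), "dst": _net(f[4], f[5]),
            "dport": int(f[7]),
        })
    return rules

def decide(rules, proto, src, dst, dport):
    """Action of the first matching rule, or None when no rule matches.
    First-match ordering is an assumption of this example."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] == proto and r["dport"] == dport
                and s in r["src"] and d in r["dst"]):
            return r["action"]
    return None

def audit(rules, sources, dst="192.0.2.10", dport=22):
    # dst is a constructed documentation address standing in for the SSH server.
    return {src: decide(rules, "tcp", src, dst, dport) for src in sources}

if __name__ == "__main__":
    # Constructed sample sources: two approved, two not.
    samples = ["192.42.95.17", "198.115.48.1", "198.115.48.2", "10.0.0.5"]
    for src, action in audit(parse_rules(RULES), samples).items():
        print(f"{src:15} -> {action}")
```

A None result means none of the listed rules applies to that packet, so its handling depends on whatever else is in the filter list.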
Q. Is there a way to identify whether a user's current interactive session is connected via SSH protocol v1 rather than v2 so that a message can be displayed?
A. The existence of the MULTINET_SSH_<PID>_DEVICE logical (where <PID> is the PID of the process) in the LNM$SSH_LOGICALS table indicates the connection is via ssh1 rather than ssh2.
Note: for TCPware users, substitute TCPware for MultiNet in the above answer.
Q. Can you change the port the SSH server listens on?
A. Yes, for MultiNet customers, use the following sequence of commands:
$ MULT CONFIG/SERVER
SERVER-CONFIG> SELECT SSH
SERVER-CONFIG> set param
It will now ask about deleting each parameter, just hit <CR> as long as the parameter doesn't mention "port". When it asks for new parameters type:
port <new_port_number>
then a blank line to terminate the dialog. Exit and save the configuration and then restart SSH with -
$ mu netcontrol ssh restart
If you are using SSH for OpenVMS, you can change it by executing the SSH_CONFIGURE.COM again and entering the new port number when prompted.
If you are using TCPware, you have to change it by doing a @TCPWARE:CNFNET SSH and entering the new port number when prompted.
Q. I'm using NTP and would need to know what to do to account for the new timezone rules coming up in 2007.
A. There will be a patch that will address this by February 1, 2007.
Contacting Process Software
E-mail:
info@process.com - General information
sales@process.com - Sales
international@process.com - International Sales information
support@process.com - Technical Support
careers@process.com - Human Resources
webmaster@process.com - Webmaster
Phone/Fax/Address:
U.S.A./Canada - (800)722-7770
International - (508)879-6994
Fax - (508)879-0042
Mail:
959 Concord Street
Framingham, MA 01701-4682
