Here's an unusual idea that wouldn't occur to most people: consider
using an OpenVMS server as the bastion host for this type of access.

Why? A few of the numerous reasons:

        - Alpha and Itanium are not as popularly exploited as x86 is
        - OpenVMS is pretty secure with good defaults out of the box
        - OS is extremely well documented (HTML, PDF, CD/DVD?, paper?)
        - Has its own *VERY* good audit and intrusion detection subsystem
        - Privileges (30+ of them, each one for a specific purpose) are
          easily fine-grained on a per-user/per-group/per-app basis
        - There are *tons* of freeware tools to do all sorts of things
          (system management tools, utilities, apps, you name it...)
          written over the last 32 years so no need to reinvent a lot of
          things from scratch
        - HP provides a 361 page manual on OpenVMS system security alone
        - No Y2038 issue -- HP tested the OS and apps with dates through
          the year 9999. The timestamp is good through 31-JUL-31086, but
          OpenVMS will likely have a Y10K issue. Good for the next
          7,991 years. ;-)
        - Supports ssh

In particular, there's something cool in OpenVMS called captive accounts.

Basically, you create a compiled program to provide some kind of menu
(or whatever you want the user to be able to do). If a user [or
attacker!] figures out how to obtain any shell escape or execute
anything outside of the captive utility, OpenVMS instantly shuts down
the entire login session on the spot and logs this as a security alarm.
Just about impossible to subvert this. If anyone can subvert this, I'll
consider donating my next paycheck. ;-)

It's got a *very* good security subsystem. At DEFCON 9, nobody was
able to compromise the VMS server in the fun Capture The Flag contest:

http://www.bunkerofdoom.com/defcon/defcon9.html

(Written up by a VMS team member. According to the write-up, all other
systems' privileged passwords were compromised except for the VMS server.)

Filesystem ACLs in OpenVMS are rather interesting. They can provide
access to specific users, groups, or even specific 'rights' (application
specific, and handed out with the GRANT utility).

You can even easily set up ACEs (access control entries) on specific
files or directories such as an alarm ACE -- where access to it will
generate a security alarm message (and subsequently processed however
you specified logging be done).

ACEs can be placed on not just files or directories; they can also be put on
devices, on queues (print, batch), on resource domains, system global
sections, on volumes, on capabilities, amongst others.

The learning curve is made easier given the fact DCL (the OpenVMS
'shell') is very orthogonal. HP also very helpfully supplies a
two-volume system management book (available as HTML or PDF) which
assumes no prior knowledge of the OS. The first volume is essentials and
an intro to OpenVMS system administration, and second volume is for
performance tuning and more complex topics.

DCL is just as scriptable as sh is. The only thing I disliked learning
about DCL was the slightly funky quoting rules but one gets over that quickly.

Newer OpenVMS versions support RSA SecurID (via a commercial add-on
option from an extremely experienced third party certified by RSA), LDAP,
DCE, and Kerberos, in addition to local user accounts.

There's also been tons of ported software from UNIX in addition to the
base OS, add-on licensed software, and freeware tools. So even from a
strong UNIX (and OpenVMS) background, I never really felt lost on either
platform with certain tools present.

The main downsides to OpenVMS:

        - HP's new OpenVMS hardware costs a pretty penny, compared to a
          typical Windows or UNIX server

          Cheaper options would include the smaller Alpha boxes such as a DS15,
          though that would have to come used from a third party dealer.

        - It's not easy to find someone 'off the street' who has any
          familiarity with OpenVMS system management, aside from out-of-work
          longtime VMS system managers (I know of a few)

          There are freeware OSS VAX and commercial non-OSS VAX/Alpha emulators.
          HP generously makes the OpenVMS OS license and 104 commercial
          applications' license keys available for free, for hobbyist use.
          CD images for the OS installations can be found for free via
          friends (HP blesses this) or for $30.

          We're talking hundreds of thousands of dollars in license keys
          given out via a webpage. Helps a lot with learning how to install
          and maintain the OS. Thus, you can personally evaluate VMS to
          get a general feel for it without committing any up-front money.

        - The OpenVMS ISV market has been shrinking -- it's pretty clear that
          OpenVMS has passed its commercial heyday, though still solid
          technically


Now, I do realize the odds of someone using OpenVMS for a bastion host
these days are about zero, but thought it'd be fun to play the devil's
advocate for a *very* uncommonly offered suggestion. More fun to root
for the little guy. ;-)

OK, back to my 17 year UNIX hat. ;-)

-Dan

P.S. No, I don't work for any OS or hardware vendors, whether now or in
the past. I work in a completely unrelated field.
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/

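What the captive account and the alarm ACE from Dan's post look like in
practice, as an added example: this is not code from the post, from HP's
documentation or from any OpenVMS product, just two hypothetical DCL
procedures written to illustrate both points together. The account name
HOP, the rights identifier HOP_USERS, the UIC [300,1], the directory
SYS$SYSDEVICE:[HOP] and the contents of HOSTS.LIS are all made up, and
the `SSH` command assumes the TCP/IP Services ssh client is installed.
The AUTHORIZE flags (CAPTIVE, DISCTLY, DEFCLI, LOCKPWD), the SET
SECURITY/ACL syntax and the SET AUDIT commands are the standard ones.

```dcl
$! ---- SYS$MANAGER:BASTION_SETUP.COM (hypothetical; run once, privileged) ----
$ SET NOON
$!
$! 1. A directory the captive user cannot write, holding a constructed list
$!    of the only hosts the menu will ever pass to ssh.  [1,4] is SYSTEM.
$ CREATE/DIRECTORY/OWNER_UIC=[1,4]/PROTECTION=(S:RWED,O:RWED,G,W) SYS$SYSDEVICE:[HOP]
$ CREATE SYS$SYSDEVICE:[HOP]HOSTS.LIS
db01.example.com    10.0.1.10
app01.example.com   10.0.1.20
$!
$! 2. Rights identifier and captive account.  CAPTIVE/DISCTLY/DEFCLI make
$!    LOGINOUT ignore /CLI and /COMMAND overrides and disable Ctrl-Y; LOCKPWD
$!    keeps the password under the manager's control; only the two mailbox
$!    privileges every interactive process needs are left in.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER HOP_USERS
ADD HOP /OWNER="Bastion hop" /UIC=[300,1] /PASSWORD="set-a-real-one-here" -
    /DEVICE=SYS$SYSDEVICE /DIRECTORY=[HOP] -
    /LGICMD=SYS$MANAGER:BASTION_MENU.COM /FLAGS=(CAPTIVE,DISCTLY,DEFCLI,LOCKPWD) -
    /PRIVILEGES=(NOALL,TMPMBX,NETMBX) /DEFPRIVILEGES=(NOALL,TMPMBX,NETMBX) -
    /NOBATCH /NONETWORK
GRANT/IDENTIFIER HOP_USERS HOP
EXIT
$!
$! 3. ACL on the host list: read only for holders of HOP_USERS, plus an alarm
$!    ACE (and a matching audit ACE so the event also lands in the audit log)
$!    for every read/write/delete/control attempt, successful or not.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) -
    /ACL=((ALARM=SECURITY,ACCESS=READ+WRITE+DELETE+CONTROL+SUCCESS+FAILURE), -
          (AUDIT=SECURITY,ACCESS=READ+WRITE+DELETE+CONTROL+SUCCESS+FAILURE), -
          (IDENTIFIER=HOP_USERS,ACCESS=READ)) -
    SYS$SYSDEVICE:[HOP]HOSTS.LIS
$! ACL-triggered alarms/audits are delivered only while the ACL class is enabled.
$ SET AUDIT/ALARM/ENABLE=ACL
$ SET AUDIT/AUDIT/ENABLE=ACL
$ SHOW SECURITY SYS$SYSDEVICE:[HOP]HOSTS.LIS
$ EXIT

$! ---- SYS$MANAGER:BASTION_MENU.COM (hypothetical) ----
$! LGICMD for the captive account.  With CAPTIVE+DISCTLY set, LOGINOUT already
$! refuses Ctrl-Y and /COMMAND or /CLI overrides and raises a security alarm;
$! this procedure only has to avoid handing user input to the DCL interpreter.
$ DEASSIGN SYS$INPUT            ! never take commands from a redirected input file
$ SET NOVERIFY
$ SET NOCONTROL=Y
$ ON CONTROL_Y THEN GOTO DONE
$ ON WARNING THEN GOTO DONE
$ HOSTS = "SYS$SYSDEVICE:[HOP]HOSTS.LIS"
$MENU:
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "  1  List hosts you may connect to"
$ WRITE SYS$OUTPUT "  2  ssh to one of them"
$ WRITE SYS$OUTPUT "  3  Log out"
$! READ rather than INQUIRE: INQUIRE performs symbol substitution on the reply,
$! so a user who types 'F$...' lexical functions would get them evaluated.
$ READ/END_OF_FILE=DONE/ERROR=DONE/PROMPT="Choice: " SYS$COMMAND CHOICE
$ IF CHOICE .EQS. "1" THEN GOTO LIST
$ IF CHOICE .EQS. "2" THEN GOTO CONNECT
$ IF CHOICE .EQS. "3" THEN GOTO DONE
$ WRITE SYS$OUTPUT "Unknown choice"
$ GOTO MENU
$LIST:
$ TYPE 'HOSTS'                  ! readable only through the HOP_USERS identifier ACE
$ GOTO MENU
$CONNECT:
$ READ/END_OF_FILE=DONE/ERROR=DONE/PROMPT="Host: " SYS$COMMAND TARGET
$ TARGET = F$EDIT(TARGET,"TRIM,UPCASE")
$! Whitelist: ssh gets the entry from HOSTS.LIS, never the user's own bytes,
$! so "-o ProxyCommand=..." style arguments never reach the client.
$ HOST = ""
$ OPEN/READ/ERROR=MENU HLIST 'HOSTS'
$HLOOP:
$ READ/END_OF_FILE=HDONE HLIST LINE
$ NAME = F$ELEMENT(0," ",F$EDIT(LINE,"COMPRESS,TRIM"))
$ IF F$EDIT(NAME,"UPCASE") .EQS. TARGET THEN HOST = NAME
$ GOTO HLOOP
$HDONE:
$ CLOSE HLIST
$ IF HOST .EQS. "" THEN WRITE SYS$OUTPUT "Not an allowed host"
$ IF HOST .EQS. "" THEN GOTO MENU
$ SSH 'HOST'                    ! assumes the TCP/IP Services ssh client is installed
$ GOTO MENU
$DONE:
$ LOGOUT/BRIEF
```

Two things worth checking once this is in place: log in as HOP over ssh and
try Ctrl-Y, Ctrl-Z at the prompt, and a host name such as
"-oProxyCommand=x"; the first two should end the session, the third should
be refused by the whitelist, and REPLY/ENABLE=SECURITY on an operator
terminal (or ANALYZE/AUDIT on the audit journal) should show the ACL alarm
for each read of HOSTS.LIS.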