topic Re: TCPIP port security (IP blacklist) in Operating System - OpenVMS

TCPIP port security (IP blacklist)

Dolezel Vaclav — Tue, 21 Jul 2009 12:29:43 GMT

Hello.

Is there a way to defined (somewhere in TCPIP configuration) some IP address, which will not have access to specific port on OpenVMS? So far I didn't find anything. Thanks in advance.

Re: TCPIP port security (IP blacklist)

Ananth S — Tue, 21 Jul 2009 12:42:39 GMT

does tcpip > set communication /reject=() meet your requirements ?

Re: TCPIP port security (IP blacklist)

Steven Schweda — Tue, 21 Jul 2009 12:45:42 GMT

> [...] to specific port [...]

TCPIP HELP SET SERVICE /REJECT

As usual, output from "TCPIP SHOW VERSION"
might be helpful.

Re: TCPIP port security (IP blacklist)

Dolezel Vaclav — Tue, 21 Jul 2009 13:04:29 GMT

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ AlphaServer DS20E 833 MHz running OpenVMS V7.3-2

Re: TCPIP port security (IP blacklist)

marsh_1 — Tue, 21 Jul 2009 13:17:41 GMT

hi,

stevens post still stands :-

tcpip> set service /reject=host=

tcpip> disab serv

tcpip > enab serv

fwiw

Re: TCPIP port security (IP blacklist)

Steven Schweda — Tue, 21 Jul 2009 13:25:14 GMT

And "ECO 7" is available, too (but I doubt
that it would make any difference on this
question).

Re: TCPIP port security (IP blacklist)

Hoff — Tue, 21 Jul 2009 13:37:32 GMT

Blocking IP subnet ranges?

No available TCP/IP Services software release for OpenVMS provides that capability.

OpenVMS V8.4 might change that, according to the last roadmap I checked; there was a firewall planned for that release. (Though the UI and the capabilities of that software firewall have not AFAIK been disclosed yet.)

In general, I prefer to use an external firewall with OpenVMS when connecting to an untrusted network.

Depending on the network traffic load involved with this OpenVMS box, these firewall boxes can be quite inexpensive and very effective.

And even a low-end firewall can easily block the problem CIDR ranges.

(The next "wrinkle" here tends to be the lack of a syslogd on OpenVMS, but that can be addressed in various ways. OpenVMS can be integrated with a syslog-based network, but it requires adding syslog client or syslogd daemon software to OpenVMS.)

Re: TCPIP port security (IP blacklist)

Steven Schweda — Tue, 21 Jul 2009 13:48:27 GMT

> Blocking IP subnet ranges?
>
> No available TCP/IP Services software
> release for OpenVMS provides that
> capability.

Hmmm. That's exactly how I would have
described

TCPIP SET SERVICE /REJECT = NETWORKS = [...]

For each network, you can optionally specify
the network mask. The default net mask equals
network's class number. For example, for
network 11.200.0.0., the default mask is
255.0.0.0.

Dosn't that qualify as some kind of IP subnet
range?

Of course,
Maximum is 16.
can be rather limiting.

Re: TCPIP port security (IP blacklist)

Hoff — Tue, 21 Jul 2009 14:34:19 GMT

OpenVMS does not offer an IP firewall.

Work for a while with ipfw or ipchains or a comparable-recent host-based firewall, or work with an external commercial mid-grade server firewall or a dual-NIC x86 open-source firewall (eg: m0n0wall or smoothwall), and call me back.

With most any of those solutions, hundreds or thousands of CIDR-based port-range blocks are trivial. Far more important (as you get into this stuff) are the adaptive firewall blocks; whether based on Spamhaus Zen DNSBL or otherwise. Static CIDR blocks aren't a practical solution with IPv4, much less with IPv6.

I do hope that the host-based firewall from the V8.4 roadmap is at least as capable as the ipchains firewall. That is, that the new firewall will have capabilities commensurate with the typical value of a target box running OpenVMS.

Re: TCPIP port security (IP blacklist)

Richard J Maher — Wed, 22 Jul 2009 10:59:28 GMT

Hi Steve,

> OpenVMS does not offer an IP firewall.

Really?

This is what I have/had from one of the guys that wrote it: -

> BTW, delivery of IPSEC also provides
> host-based firewall capability, which
> is another important feature that would
> also be delayed if IPSEC is further
> delayed.

Are you now seperating (for the customer delivery expectations) IPsec and VMS firewall capabilities?

> I do hope that the host-based firewall
> from the V8.4 roadmap is at least as
> capable as the ipchains firewall.

Which V8.4 roadmap are you talking about???

IPsec and VMS firewall functionality were (after several prominant years) erased from the 8.4 (after the 8.3 :-( ) roadmap at the mere stroke of the pen. What say you now?

Cheers Richard Maher

Re: TCPIP port security (IP blacklist)

Hoff — Wed, 22 Jul 2009 11:26:56 GMT

Thanks for the update. I hadn't noticed that the firewall feature was dropped from the V8.4 roadmap. Ah, well.

I'd not been waiting for V8.4 here regardless, and am presently running external firewall boxes for the OpenVMS servers both for the direct control and for various other capabilities that a firewall can provide.

Re: TCPIP port security (IP blacklist)

cdan — Thu, 30 Jul 2009 17:49:07 GMT

Waiting for the update, if the need for blocking a specific port is really important, you can do it the "dirty way": implement in sylogin a procedure to lookup the BG device of the incoming connections, harvest the local or remote tcpip port from output of tcpip sho dev and logout the "hacker".
Or I can do it for you for 5 czech beers :)

Re: TCPIP port security (IP blacklist)

Warren_Kahle — Wed, 02 Nov 2011 15:03:11 GMT

System Detective, which I develop at PointSecure, has the capability, among many others, of deleting processes with a specific string in the port field of their terminal. The source of a session connection is frequently listed in the port field. Security events are recorded, notifications may be made, reports may be generated, etc. You can see information about System Detective at www.PointSecure.com.