If Your System Will Be Connected to the Internet

Because OpenVMS can run full-featured TCP/IP products, you can connect it to the Internet. You may host one or more domains, including Web sites and FTP sites, or use your OpenVMS system as an e-mail server for your personal computers.

However, if you are planning to connect your OpenVMS system to the Internet, you should take several things into consideration before making the connection. You must realize that your OpenVMS system will, like any computer on the Internet, come under attack from malicious users around the world. Because OpenVMS can act as a full network server, it will be of particular interest to certain kinds of attackers.

This section is not intended to frighten the reader, but to point out that malicious users wishing to make illicit use of your resources will probe your systems. Before flipping the switch, you should take the appropriate precautions.

Educate yourself about TCP/IP in general and the activities of malicious network users in particular. Read books, explore Web sites, and join mailing lists or newsgroups related to Internet security. Read the documentation set for your TCP/IP product. The more you know, the better prepared you will be to handle any situation that arises.

The author would suggest doing the following before establishing connectivity. Some of the terminology will be foreign to those not familiar with TCP/IP. If necessary, use the resources suggested above to become familiar with the terminology used in these suggestions:

Disable any services you will not need. These may include Telnet, FTP and the "r" services, such as rlogin. The more unnecessary services you have running, the more opportunities you give malicious users.

For those services you plan to use, consider moving them to different network ports from the defaults. This will prevent at least some probes from finding an active service on your machine.

Consider replacing FTP with SCP and Telnet with SSH. FTP and Telnet send unencrypted data, whereas SCP and SSH provide similar services using encrypted communication. Unencrypted data stand a small, but real, chance of being intercepted by malicious users.

If you will be using your OpenVMS system as an e-mail server, ensure that your SMTP server is not configured as an open relay. An open relay is a system that will forward mail messages from any source, not just from internal users. Senders of unsolicited e-mail ("spam") will attempt to use your system to send their unwanted messages. If they are successful, some of the messages will be traced back to you. Some of the recipients and their e-mail managers will send you unkind messages, and your ISP may threaten to take action against you.

Do not maintain more user accounts than you need. Do not allow accounts to log in from remote locations unless necessary.

Now for the good news: As an OpenVMS network manager, you will spend much less time applying security patches than administrators of other operating systems. This is because OpenVMS is less vulnerable to "buffer overflow" attacks, a particularly popular kind. You will still need to pay attention to security alerts, particularly from the maker of your TCP/IP product.

The list of suggestions presented above is far from complete, but following these recommendations will prevent some of the common mistakes made by inexperienced network managers. Continue to monitor your system for anything out of the ordinary and continue to educate yourself about the latest threats.
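
The open-relay suggestion above can be verified from the outside. The Python script below is an added example, not part of the book: it offers a mail server you administer an envelope whose sender and recipient are both foreign to it and reports whether the recipient is accepted. The addresses, the `check_relay` function and its verdict strings are assumptions of this example; run it from a host outside your own network, because a server may legitimately relay for internal users.

```python
"""Open-relay self-check for a mail server you administer (added example)."""
import smtplib
import sys

# Constructed addresses in reserved example domains. Neither is local to the
# server under test, so accepting this pair means relaying for outsiders.
OUTSIDE_SENDER = "probe@example.org"
OUTSIDE_RECIPIENT = "nobody@example.net"


def check_relay(host, port=25, helo_name="relaycheck.example.com", timeout=10):
    """Offer an outside-to-outside envelope; return (verdict, code, detail).

    The session ends with QUIT right after RCPT TO. DATA is never issued,
    so no message is transmitted even if the server would relay it.
    """
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name,
                          timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, text = smtp.mail(OUTSIDE_SENDER)
            if code != 250:
                return ("sender-refused", code, text.decode(errors="replace"))
            code, text = smtp.rcpt(OUTSIDE_RECIPIENT)
    except (smtplib.SMTPException, OSError) as exc:
        # Connection refused, timeout, bad greeting or rejected HELO/EHLO.
        return ("error", None, str(exc))

    detail = text.decode(errors="replace")
    if code in (250, 251):        # recipient accepted: server would forward it
        return ("OPEN-RELAY", code, detail)
    if 400 <= code < 500:         # temporary failure, e.g. greylisting: retry
        return ("inconclusive", code, detail)
    return ("relay-denied", code, detail)   # 5xx: the answer you want


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(check_relay(sys.argv[1], port))
    else:
        print("usage: relay_check.py MAIL_HOST [PORT]")
```

A `relay-denied` verdict with a 5xx code is the expected result for a correctly configured server. An `OPEN-RELAY` verdict means the SMTP configuration should be corrected before the system is left connected.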



Getting Started with OpenVMS: A Guide for New Users (HP Technologies)
ISBN: 1555582796
EAN: 2147483647
Year: 2005
Pages: 215
