RE: HP TCP/IP for OpenVMS IPsec EAK - VMS


  1. RE: HP TCP/IP for OpenVMS IPsec EAK

    Not being that conversant in TCP/IP issues, so I will ask:

    Does this mean that we will have SSL based FTP access (ftps) on VMS in
    the [near] future? (And maybe a better, more robust SSH based FTP
    (sftp)?

    TIA

    Mike Farrell

    -----Original Message-----
    From: Rich Jordan [mailto:jordan@ccs4vms.com]
    Sent: Thursday, August 30, 2007 2:49 PM
    To: Info-VAX@Mvb.Saic.Com
    Subject: Re: HP TCP/IP for OpenVMS IPsec EAK

    On Aug 30, 10:36 am, Sue wrote:
    > Dear Newsgroup,
    >
    > Great news the TCP/IP team just sent mail that the IPsec Early
    > Adopters Kit (EAK) is now available for download (Alpha and
    > Integrity). Details are below
    >
    > Warm Regards,
    > Sue
    > ------------------------------------------------------
    >
    > http://h71000.www7.hp.com/openvms/pr...sec/index.html
    >
    > Announcing the HP TCP/IP Services for OpenVMS IPsec T5.7 Early
    > Adopters Kit (EAK) available
    >
    > IPsec functionality has been incorporated into and will be distributed
    > as part of the HP TCP/IP Services for OpenVMS V5.7 release for
    > Integrity and Alpha systems. The EAK is being delivered as a complete
    > HP TCP/IP Services for OpenVMS T5.7 kit that includes an early version
    > of the IPsec functionality. Below is a brief overview.
    >
    > HP TCP/IP Services for OpenVMS IPsec
    >
    > OpenVMS IPsec provides an infrastructure to allow secure
    > communications (authentication, integrity, confidentiality) over
    > IP-based networks between systems and devices that implement the
    > IPsec protocol suite. OpenVMS IPsec offers protection against replay
    > attacks, packet tampering, and spoofing -- and it keeps others from
    > viewing critical data such as passwords and financial information
    > sent over the Internet.
    >
    > Features and Benefits
    >
    > Some of the benefits of OpenVMS IPsec are:
    >
    > - Adheres to all relevant IPsec standards, including IKE (Internet
    >   Key Exchange) for automated key generation.
    >
    > - Allows secure tunnels between business partners to be set up and
    >   torn down quickly and easily
    >
    > - Easily adopted and transparent to existing applications.
    >   Protects the customer's investment.
    >
    > - Demonstrated multi-vendor interoperability (future)
    >
    > - Thwarts attacks by encrypting data transmitted between two
    >   authenticated servers
    >
    > - Host-based authentication:
    >     - preshared keys
    >     - Digital certificates (future)
    >
    > - Full stateful packet inspection firewall
    >
    > - Command line interface (CLI) for policy configuration:
    >     - ipsec_config configuration utility based on the HP-UX
    >       IPSec ipsec_config utility
    >     - profile file to provide default parameter values that can be
    >       modified by the user
    >     - flexible rule-based security attribute and access control
    >       policy configurations -- allows combinations of IP addresses,
    >       prefix lengths, ports, and protocols in specifying security
    >       attributes configuration and packet filtering
    >     - dynamic configuration and batch mode for bulk configuration
    >
    > - Focused on end-system IPsec. OpenVMS IPsec can communicate with
    >   other end-systems (transport mode) or VPN gateways (tunnel mode).
    >
    > ===========



    Thank you, Sue. We've been looking for this to happen (I wish I had
    time to start looking at it now).


  2. Re: HP TCP/IP for OpenVMS IPsec EAK

    Farrell, Michael wrote:
    > Not being that conversant in TCP/IP issues, so I will ask:
    >
    > Does this mean that we will have SSL based FTP access (ftps) on VMS in
    > the [near] future? (And maybe a better, more robust SSH based FTP
    > (sftp)?
    >


    No or even better: IPsec will avoid having all those individual S*
    programs and protocols. IPsec authenticates and encrypts at the IP
    level, and all applications like rsh, telnet, ftp can use it transparently.
    I wish it had existed before all those individual S* utilities
    were introduced.

    But it probably will be a looong time until all installations I
    communicate with introduce IPsec ...

    --

    Joseph Huber - http://www.huber-joseph.de

  3. RE: HP TCP/IP for OpenVMS IPsec EAK

    Sure...contact Process Software...

    At 06:05 AM 8/31/2007, Farrell, Michael wrote:
    >Not being that conversant in TCP/IP issues, so I will ask:
    >
    >Does this mean that we will have SSL based FTP access (ftps) on VMS in
    >the [near] future? (And maybe a better, more robust SSH based FTP
    >(sftp)?
    >
    >TIA
    >
    >Mike Farrell


    ------
    +-------------------------------+----------------------------------------+
    | Dan O'Reilly | "There are 10 types of people in this |
    | Principal Engineer | world: those who understand binary |
    | Process Software | and those who don't." |
    | http://www.process.com | |
    +-------------------------------+----------------------------------------+



  4. Re: HP TCP/IP for OpenVMS IPsec EAK

    In article , Joseph Huber writes:
    > Farrell, Michael wrote:
    >> Not being that conversant in TCP/IP issues, so I will ask:
    >>
    >> Does this mean that we will have SSL based FTP access (ftps) on VMS in
    >> the [near] future? (And maybe a better, more robust SSH based FTP
    >> (sftp)?
    >>

    >
    > No or even better: IPsec will avoid having all those individual S*
    > programs and protocols. IPsec authenticates and encrypts at the IP
    > level, and all applications like rsh, telnet, ftp can use it transparently.
    > I wish it had existed before all those individual S* utilities
    > were introduced.


    Not better. Not worse. Different. It's usually done at the router or
    firewall level rather than at the end nodes. The application doesn't
    know that anything special is going on. You could, for instance, use
    unencrypted telnet or unencrypted ftp. Routers in the middle take
    care of encrypting the resulting traffic before it is passed onto the
    insecure network.

    With IPSEC you tend to statically configure an encrypted link connecting
    a set of networks at one end and a set of networks at the other. Traffic
    coming in from the near side that matches the "interesting traffic" access
    list is encrypted and encapsulated and addressed to the far side's
    crypto endpoint. The far side endpoint then de-encapsulates, decrypts
    and delivers. And vice versa -- traffic on the far side that matches
    the inverse "interesting traffic" list is encrypted, encapsulated and
    addressed to the near side endpoint.

    The "interesting traffic" lists must be inverses. They are used to
    build individual network to network security agreements (SA's) for
    each network pair. Each encrypted packet sent across the link must have
    a matching SA at both ends.

    [So if I had 192.168.0 and 192.168.2 on my side and you had 10.1.0 and
    10.1.2 on your side, that's four SA's:

    192.168.0 <=> 10.1.0
    192.168.2 <=> 10.1.0
    192.168.0 <=> 10.1.2
    192.168.2 <=> 10.1.2]

    The configuration procedures for IPSEC links vary from vendor to vendor
    and from platform to platform. There are a fair number of settings
    that must match to get the things running. It can be finicky work.

    Some implementations may be able to streamline the configuration
    process in a homogenous environment, saving the network administrator
    the scut work of figuring out an appropriate topology and configuring
    every single encrypted link in the resulting mesh. One common
    case where this streamlining takes place is with VPN client network
    access. [The client and the concentrator can bring up an IPSEC connection
    without requiring each possible client connection from each possible
    hotel room on the Internet to be statically configured in advance]

    From what I read, the initial VMS offering is fairly simplistic and
    requires manual static preconfiguration with agreed-upon "shared secrets"
    at both ends of each encrypted link.
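
The network-pair bookkeeping described in post 4, as an added example that is not part of the original thread: it expands each end's local and remote networks into per-pair selectors and reports any pair that has no mirror-image entry on the peer. The /24 prefix lengths and all function names are assumptions made for the illustration.

```python
from ipaddress import ip_network
from itertools import product

def selectors(local_nets, remote_nets):
    """Every (source, destination) network pair one endpoint encrypts."""
    return {(ip_network(s), ip_network(d))
            for s, d in product(local_nets, remote_nets)}

def mirror(sel):
    """The same pairs as seen from the other end of the link."""
    return {(d, s) for s, d in sel}

def unmatched(mine, peer):
    """Pairs in `mine` that have no mirror-image entry in `peer`."""
    return sorted(f"{s} -> {d}" for s, d in mine - mirror(peer))

# Constructed sample: the post's networks, assumed to be /24s.
NEAR_NETS = ["192.168.0.0/24", "192.168.2.0/24"]
FAR_NETS = ["10.1.0.0/24", "10.1.2.0/24"]

near = selectors(NEAR_NETS, FAR_NETS)
far_ok = selectors(FAR_NETS, NEAR_NETS)
# Constructed misconfiguration: the far end forgot 192.168.2.0/24.
far_bad = selectors(FAR_NETS, ["192.168.0.0/24"])

if __name__ == "__main__":
    print(len(near), "network pairs on the near side")
    print("good peer, near-only pairs:", unmatched(near, far_ok))
    print("bad peer, near-only pairs: ", unmatched(near, far_bad))
    print("bad peer, far-only pairs:  ", unmatched(far_bad, near))
```

With the constructed misconfiguration, traffic from 192.168.2.0/24 matches the near end's list but has no counterpart on the far end, which is the mismatch the post says must not exist.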

  5. Re: HP TCP/IP for OpenVMS IPsec EAK

    In article , briggs@encompasserve.org writes:
    > In article , Joseph Huber writes:
    >> Farrell, Michael wrote:
    >>> Not being that conversant in TCP/IP issues, so I will ask:
    >>>
    >>> Does this mean that we will have SSL based FTP access (ftps) on VMS in
    >>> the [near] future? (And maybe a better, more robust SSH based FTP
    >>> (sftp)?
    >>>

    >>
    >> No or even better: IPsec will avoid having all those individual S*
    >> programs and protocols. IPsec authenticates and encrypts at the IP
    >> level, and all applications like rsh, telnet, ftp can use it transparently.
    >> I wish it had existed before all those individual S* utilities
    >> were introduced.

    >
    > Not better. Not worse. Different. It's usually done at the router or
    > firewall level rather than at the end nodes. The application doesn't
    > know that anything special is going on. You could, for instance, use
    > unencrypted telnet or unencrypted ftp. Routers in the middle take
    > care of encrypting the resulting traffic before it is passed onto the
    > insecure network.


    Doing that at an intermediate node, in particular a node at the ISP,
    was proposed some years ago by some large ISPs...

    ....with the backing of the US National Security Agency.

    Those interested in privacy from all fought hard to establish that
    "end to end" encryption was the desired target.

    Now if you don't trust your own system manager you might see a problem
    in system-level encryption and want it at the application level, but
    ultimately the system manager has access.
