Tandem Security SIG Minutes


November 15, 1996 - ROYAL BANK OF CANADA

MEETING PLACE: 315 Front St. West Auditorium A,
Toronto, Ontario, Canada
DATE: 11/15/96
PARTICIPANTS: See end.

These minutes have been put together as a joint effort by John Fong of Royal Bank & John Leeson of SNS. We do not guarantee accuracy. (But we tried). Concerns, complaints, suggestions & corrections can be sent to either John. See end of minutes.

Notes re: minutes

-- A couple of updates to the minutes have been made since the meeting. See "** Update" marks.

-- These minutes are being sent to all attendees, and anyone else who would like a copy. Send requests to either "author". They are also being posted in the ITUG Security Hyper Forum & distributed to anyone attending the ITUG Security SIG at Santa Clara in October.

-- A list of attendees, with phone, fax & email addresses are being distributed to those attending the Toronto meeting.

Attendees:

Clement Lee, Royal Bank of Canada
John Fong, Royal Bank of Canada
Bill Simpson, Computer Security Products
Rick Teeuwsen, Computer Security Products
Tom Chung, Bank of Nova Scotia
Cindy Carefoote, Bank of Nova Scotia
Richard Mazi, Bell Canada
Paul Van Hee, Bell Canada
Anne Osso, Bell Sygma
Grant Lowe, Royal Bank of Canada
Richard Cheng, Toronto Stock Exchange
Colin Walkington, Toronto Stock Exchange
John Wildfong, ACCI
John Leeson, SNS Shared Network Services
Mark Wilson, SNS Shared Network Services
Caroline Woo, Bank of Nova Scotia
Cathie Searle, Tandem
Jack McAuley, Tandem
Ray McTier, Computer Associates

Absent:

Kien Truong, Canadian Imperial Bank of Commerce
Kevin Bloska, Canadian Imperial Bank of Commerce


1.0 INTRODUCTION/ Bill Simpson, Computer Security Products

- Significant changes in Security world (Tandem & non-Tandem) e.g., Internet

- Can see security as enabling rather than restricting e.g., something which can provide users more access to information they need

OPENING REMARKS : Management View of Tandem Security /Clement Lee (on behalf of Nazir Khan), Royal Bank of Canada

- Emphasized importance of clients joining in a united front to "pressure" vendors for product enhancements / fixes.

- Royal Bank's years of "failure" dealing with Tandem to get changes made.

- Benchmarking practices.

- Importance of information sharing. E.g., avoid everyone repeating the same problems.

Computer Security Products "Roadmap" / Bill Simpson:

Protect:

The Future:

Discussion:

How to cleanup old userids through the "wizard".

- e.g., how to change or give file ownership.

Protect interfaces to Safeguard.

Is FUP needed (e.g., FUP GIVE, etc)

Who should have ownership of objects?

- Single administrator?
- Various (e.g., application) User ID's (e.g., for User Accounting.)

Is there a utility to change passwords on all systems for a user?

- New Protect allows Security Administrator to do this.
- Will not allow a standard user to do this for his/her own passwords.

Note: see end for Summary of CSP's presentation.

1.1 Tandem Security Direction / Jack McAuley, Tandem Computers

- More complex, LAN, Internet, etc.
- New products needed.
- Can't develop "the best possible product" for many different areas on multiple platforms of the network.
- CA Unicenter...
- Safeguard: now a "mature" product.

Discussion

- Q: Possibility of offering "Command logging?"
- A: Probably not. Some 3rd party software offers this.

CA Unicenter / Ray McTier, Computer Associates

- Policy-based system. (e.g. Safeguard: ACL-based system).
- Better defaults
- Universal calendar (across many functions)
- SQL objects
- "Set & forget" philosophy. E.g., Security attributes are not set on the file, but "above" the file level. Thus if an old version of the file is restored it will not restore old security attributes.
- Safeguard ACL is purged when file is purged.
- Rules are defined, compiled & kept in memory.
- Can restrict SUPER.SUPER from accessing certain "objects".
- Safeguard is NOT required.
- Comes with Safeguard SEEP - has hooks into Guardian & uses SEEPs to communicate.
- Can (should?) eliminate Safeguard with CA325
- Not C2-certified
- If CA Security is down, only SUPER.SUPER or SUPER.CAMGR allowed
-Question: What if those userids are normally frozen?
-Conclusion: you're toast(!?)
- Tandem and CA to arrange for product presentation at Markham site to demo the CA product.
- Resp. Jack McAuley /Ray McTier

2.0 Open Discussion:

2.1 Network security (TCP/IP, X25),broad enough topic, "nominated" as an agenda item for the next meeting. Tandem communications analyst to attend.

Resp. Jack McAuley

2.2 Paul Van Hee asked a question :

If a volume is a added to Safeguard with an ACL, are any of the Guardian rules for disk files on that volume ever consulted?

Response from Bill Simpson, CSP:

Adding a Safeguard protection record for a volume, setting an ACL and setting CHECK-VOLUME=ON has the effect of causing Safeguard to disregard the Guardian security settings on a disk file.
However, there is one case where a volume record can be used, and the Guardian security settings are still consulted. This is for the CREATE authority.

Three Safeguard global options control Safeguard's intervention in disk file CREATE requests. These are CHECK-DISKFILE, CHECK-SUBVOLUME, CHECK-VOLUME. If these options are set to ON, then the ACL for the object - volume, subvolume or DISKFILE, controls creation. CREATE authorities are however, enforced even when the CHECK global is OFF. This behaviour supports continued enforcement of Guardian authorities while CREATE to be the only authority enforced by Safeguard.

For example, many shops disallow the creation of files on $SYSTEM except to trusted users. Setting the CHECK-VOLUME global to OFF allows the configuration of a VOLUME protection record WITHOUT affecting the use of the Guardian RWEP settings on existing files. Depends also on "direction" of evaluation of rules.

2.3 Password quality program "SEEP"?

Can we get this password program (even though not an official product)?
Does SEEP exist or not , now that CA Unicenter is out?

Resp. Jack McAuley

2.4 Authenticate-fail-freeze "on", 255,255 is undeniable...

should not be frozen according to Tandem documentation...

255,255 went into frozen state.

Suggested workaround by Clement Lee, RBC.... create common userid such as \*.SEC.ADM, who would own the 255.255 userid on all systems, allow for REMOTEPASSWORDs for SEC.ADM to thaw all remote 255.255 userids.

Alternative suggestions by John Leeson, SNS...

Keep aliases) associated with SUPER.SUPER, SUPER.SUPER may be frozen, but the alias can logon. PROGID backdoor.

2.5 Individual userids concepts:

Accountability via alias (D30) or PROGID of programs.

Aliases don't work with RMPCCOM.

Additional communication:

2.6 Internet newsgroups alt.comp.tandem-users

Soon to change.

** Update: 1/13/97 above newsgroup now has been succeeded by comp.sys.tandem.

Both this and the ITUG hyper forums are highly recommended as source of information exchange.

2.7 Netbatch deficiencies:

Group option for sharing access to files is not supported with Netbatch.

A TPR has been raised for this flaw,

Resp. Jack McAuley to investigate, get more info from John Wildfong, ACCI

Netbatch Plus & D30.02 compatibility issues:

Requires 0,0 userid to be created and frozen?

Follow-up with RBC and ACI to gather more facts to eliminate 0,0

--> Update: findings 01/09/96 ...the attributes "audit-user-action-fail" and "audit-user-action-pass" being set to "NONE" allows the deletion of the NULL.NULL userid to be performed without affecting the password validation function in NBP.

3.0 Next Meeting: Feb/97 Friday afternoon??

CIBC has graciously volunteered to host.

Suggested presenters:

- XYPRO (Lisa Partridge 805 583-2874)

- Representative from auditing firm

Resp. Bill Simpson, Mark Wilson.

- Network communications analyst from Tandem

Resp. Jack McAuley.

-----------------------------------------------------------------------------------------------------------

Highlights from CSP's presentation by Bill Simpson:

(Note: the following summary was provided by Bill).

Introduction., I referred to meetings of other Security SIGS that I had attended in Australia and in the UK and talked of their success in bringing together individuals interested in Tandem security - managers, auditors, administrators and others - to share their knowledge and experience. In particular, I stressed the importance of exchanging technical Information.

CSP - a roadmap. Computer Security Products is well known to everyone at the meeting. Many are user of our Safeguard management tool PROTECT, audit report writer AUDITVIEW and the TSA (Tandem Security Analyzer.)

CSP is working to bring all of these products together under one common interface. In particular, CSP is working with its customers to upgrade these tools to have "Wizards" to carry out special, pre-defined tasks.

These Wizards are specified by the user and then implemented by CSP for that user's special use. A Wizard, which follow the general look and feel of Windows 95 wizards, prompts the user for the necessary information to carry out a special task, and then implements it on the Tandem.

An example is deleting a user from Safeguard, which might include removing the user from all ACLs.
Some interest was expressed in extending the scope of a wizard to include certain FUP security commands, which are otherwise time-consuming and troublesome.

CSP's newest product is SDTC, which is a Tandem client for the Security Dynamics SecureID authentication token. SDTC is implemented as a Pathway Server, or may be incorporated into TACL and Safeguard logon dialogues as a D30 SEEP.

CSP expressed its confidence in the future of Safeguard, following announcements at the 1996 ITUG that Tandem had affirmed its commitment to support Safeguard for the foreseeable future.

Authors:

John Leeson, SNS Shared Network Services, Inc.
Phone: 905 238-3719
Fax: 905 602-7362
Email: john_leeson@sns.ca

John Fong, Royal Bank of Canada
Phone: 416 348-2485
Fax: 416 348-5460
Email: carbcf95@ibmmail.com