The Question is:
We want to make our VAX cluster available on the Internet. We have a VAX
4000-200 and a VAX 4000-400 running Decnet, no TCP-IP. We are thinking of
using another machine as the "front end" to the Internet. It can be either a
VaxStation 4000VLC or a MicroVax 3100 Model 10, or we can buy whatever system
is necessary. The front end would take care of receiving the TCP-IP from the
Internet and passing it to the cluster as Decnet. Any suggestions or ideas
greatly appreciated!
The Answer is:
Route-through from IP to DECnet is the least of your considerations.

Making your OpenVMS Cluster available on the Internet may well mean
you are (unintentionally) providing more access than you had intended.

Get a (reputable) firewall router. Keep its filters current.

Get to the current OpenVMS version.

Get to the current OpenVMS ECOs.

Get to the current TCP/IP Services version, and ECO.

Disable SMTP route-through or configure the provided filter on any
system exposed to the internet.

Acquire SSL or SSH or other encrypting transport.

Consider one-time passwords for remote logins -- you will definitely
want to look at encryption, and particularly look at the information
(sensitive documents, passwords, etc.) that might be in cleartext.

You will want to enable and periodically review auditing.

You will want to harden your environment -- consider the use of CD-R
based system disks or other non-writable media -- and you will most
definitely want to archive anything you care about at regular intervals.

Segment your network into a trusted and an untrusted zone, and
potentially a "hot" zone in between these. While you will obviously
not want to trust any systems outside your firewall, you will also
want to avoid trusting systems behind your firewall -- if these are

Educate your users on appropriate security and particularly appropriate

Read and follow the directions in the OpenVMS Guide to System Security,
and specifically the appendix on configuring for NCSC Class C2 security.