The Question is:
Restricting remote host access in DECnet-Plus
Two OpenVMS Alpha systems "FLASH" and "LICKER" are
in communication across the Internet using DECnet-Plus.
We would like to set up a mechanism on one of those
systems (LICKER) which ensures that it will only accept
connections from the other system (FLASH), i.e. if a
machine other than FLASH attempts to connect to
LICKER, the connection attempt will fail.
I was hoping the DECnet-Plus documentation might
describe where a list of acceptable hosts could be
specified, but I didn't see this.
In DECnet-IV we could have achieved the desired result
using these NCP commands on LICKER:
NCP> SET EXEC DEFAULT ACCESS OUTGOING
NCP> SET NODE FLASH ACCESS BOTH
My understanding of the above is that it would ensure
that *only* FLASH would be able to initiate a connection
to LICKER; any other node attempting to do so would be
rejected. I can't find similar behaviour for DECnet-Plus.
The Answer is:
Use an IP firewall, and filter the traffic on the firewall.
DECnet-Plus over the Internet is assumed to be using the IP
transport, thus an IP firewall is the most obvious and easiest
While an attempt to secure the host could be made (and any such
attempt is also beneficial), the IP firewall itself provides
better security and reduces the likelihood that host users or
host software changes could inadvertently or even deliberately
expose the host itself.
The OpenVMS Wizard views securing a dedicated IP firewall as
easier than securing a general-purpose host, regardless of the
host software, vendor, applications, and system and network
and security management abilities.
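A worked version of the firewall approach the Wizard recommends, as an added example that is not part of the original answer. It assumes a Linux nftables box in front of LICKER, that FLASH is 192.0.2.10 and LICKER is 192.0.2.20 (both made-up addresses), and that DECnet-Plus over TCP/IP uses TCP port 102 (RFC 1006) and TCP port 399 (RFC 1859); verify the transport and ports your DECnet-Plus configuration actually uses before loading it. The ruleset admits new DECnet-over-IP connections to LICKER only when they come from FLASH, lets LICKER initiate connections to FLASH (the equivalent of the DECnet-IV "ACCESS OUTGOING" default), and logs and drops everything else. A small shell function models the same policy so the decision for a given packet can be checked before touching a real firewall.

```shell
#!/bin/sh
# Added example, not the OpenVMS Wizard's own text. Assumed values (not on the
# page): FLASH 192.0.2.10, LICKER 192.0.2.20, DECnet-Plus over TCP/IP on
# TCP/102 (RFC 1006) and TCP/399 (RFC 1859), nftables on the firewall.

FLASH_IP="192.0.2.10"
LICKER_IP="192.0.2.20"
DECNET_PORTS="102, 399"

# Print an nftables ruleset for the forward path in front of LICKER:
#  - replies to already-accepted connections pass
#  - FLASH may open DECnet-over-IP connections to LICKER
#  - LICKER may open DECnet-over-IP connections to FLASH
#  - every other new connection to LICKER's DECnet ports is logged and dropped
#  - the chain's default policy drops anything else that is forwarded
decnet_ruleset() {
    cat <<EOF
table inet decnet_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr $FLASH_IP ip daddr $LICKER_IP tcp dport { $DECNET_PORTS } ct state new accept
        ip saddr $LICKER_IP ip daddr $FLASH_IP tcp dport { $DECNET_PORTS } ct state new accept
        ip daddr $LICKER_IP tcp dport { $DECNET_PORTS } log prefix "decnet-denied: " drop
    }
}
EOF
}

# Model of the same policy for one new TCP connection attempt.
# Usage: decnet_decision SRC_IP DST_IP DST_PORT  -> prints "accept" or "drop"
decnet_decision() {
    src="$1"; dst="$2"; dport="$3"
    case "$dport" in
        102|399) ;;                 # a DECnet-over-IP port: fall through to the peer check
        *) echo "drop"; return 0 ;; # not DECnet traffic: caught by the default policy
    esac
    if [ "$src" = "$FLASH_IP" ] && [ "$dst" = "$LICKER_IP" ]; then
        echo "accept"               # inbound from FLASH
    elif [ "$src" = "$LICKER_IP" ] && [ "$dst" = "$FLASH_IP" ]; then
        echo "accept"               # LICKER initiating to FLASH
    else
        echo "drop"                 # any other host, any direction
    fi
}

# On the real firewall, load the ruleset with:  decnet_ruleset | nft -f -
```

Because the forward chain's policy is drop, a firewall that also carries unrelated traffic needs its own accept rules for that traffic, or the DECnet rules should be placed in a chain that only sees packets addressed to LICKER. The `log prefix` line is what turns a stray connection attempt from a third host into an event you can alert on, which the host-side NCP approach never gave you.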