Don't Change That Channel
Article Date: 3/95
A recent news headline reported an apparent break-in at a (non-Stratus) secure computer site by a hacker who made his way through a "firewall" machine intended to keep unauthorized remote users out. Someone once said that the only secure computer is one kept in a locked room along with its terminals. That, however, could make it rather inconvenient to use. In real life, our Stratus modules have terminals in exposed areas and probably have some modems for remote access. This recent attack should remind us to check security on our terminal lines. Some of the configuration attributes on communications channels have a direct impact on security.
The devices.table file is used to control the attributes of terminal-type devices. The attributes can be changed in real time by using the update_channel_info command. There are several attributes that have security implications, so let's take a look at them.
The login_slave attribute tells VOS whether to put a pre-login process on the line to "listen" for a user attempting to log in. If a particular terminal is supposed to run only under the control of an application program, make sure the line is not configured as a login line (that is, it is a slave to an application). If someone walks up to the keyboard and tries to log in, they will not get any response from VOS.
The privileged attribute tells VOS whether to allow a privileged user to execute privileged commands from this device. Even if the user is privileged, they can't perform privileged operations on this terminal unless this attribute is on. Keeping it off allows you to control where privileged operations are done (such as in the computer room, in the Administrator's office, etc.).
The dialup attribute tells VOS whether to expect a dial-in modem on the channel and to log off the process immediately if the line is disconnected.
The force_listen attribute tells VOS whether it should continue to "listen" on a terminal line after data carrier detect (DCD) and data set ready (DSR) have been lost. For instance, if your telephone carrier loses your call while you are logged in, VOS will log off the process unless force_listen is on. If force_listen is on, VOS will instead continue to listen for activity on the line. The next user who dials in on that line is reconnected to the process that was already there, without going through a login for a new process! Never set the force_listen attribute on a dialup line.
Once you have configured your terminal attributes correctly through your devices.table, you know you will be safe after a module startup. However, don't forget to monitor your channel settings from time to time to make sure that no one has changed them from their boot values with update_channel_info!
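The periodic check described above can be scripted. The following is an added example, not Stratus code: it compares a boot-time listing of the four attributes with a current listing and applies the article's rules. The one-line-per-device text format, the 0/1 values, the device names and the privileged_ok list are all assumptions constructed for illustration; they are not the devices.table layout or the output of any VOS command.

```python
# Added example: audit terminal-line attributes against the rules in this article.
# Input format (device name, then attr=0/1 pairs) and all sample data are constructed.
ATTRS = ("login_slave", "privileged", "dialup", "force_listen")

BOOT = """\
term_console  login_slave=1 privileged=1 dialup=0 force_listen=0
term_lobby    login_slave=0 privileged=0 dialup=0 force_listen=0
modem_1       login_slave=1 privileged=0 dialup=1 force_listen=0
"""

CURRENT = """\
term_console  login_slave=1 privileged=1 dialup=0 force_listen=0
term_lobby    login_slave=1 privileged=0 dialup=0 force_listen=0
modem_1       login_slave=1 privileged=1 dialup=1 force_listen=1
"""

def parse(text):
    """Return {device: {attr: bool}}; attributes not listed default to off."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *pairs = line.split()
        settings = dict.fromkeys(ATTRS, False)
        for pair in pairs:
            key, _, value = pair.partition("=")
            if key not in ATTRS or value not in ("0", "1"):
                raise ValueError(f"{name}: bad setting {pair!r}")
            settings[key] = value == "1"
        devices[name] = settings
    return devices

def audit(boot_text, current_text, privileged_ok=("term_console",)):
    # privileged_ok: lines where privileged operations are allowed (assumed policy)
    boot, current = parse(boot_text), parse(current_text)
    findings = []
    for name, cur in sorted(current.items()):
        if cur["dialup"] and cur["force_listen"]:
            findings.append((name, "force_listen set on a dialup line"))
        if cur["privileged"] and name not in privileged_ok:
            findings.append((name, "privileged set outside approved locations"))
        if name not in boot:
            findings.append((name, "device absent from boot configuration"))
            continue
        findings += [(name, f"{a} changed from boot value")
                     for a in ATTRS if cur[a] != boot[name][a]]
    return findings

if __name__ == "__main__":
    for device, problem in audit(BOOT, CURRENT):
        print(f"{device}: {problem}")
```
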