More and more security and network administrators are prohibiting the use of telnet. Unfortunately, the Stratus RSN requires that the Stratus module run a telnet server. That, however, does not mean that you cannot meet the spirit, if not the letter, of the telnet restriction.
The spirit is to restrict the use of telnet because all information including confidential information like passwords is sent as clear text and may be intercepted by someone with a protocol analyzer. The Stratus RSN runs over the maintenance network which is wholly contained within the Stratus cabinet. If someone without proper authorization is able to connect a protocol analyzer into that network you have far bigger problems than the use of telnet. The issue then is how to restrict the use of telnet to just the maintenance network.
There are three ways:
1) Use the built-in features of telnetd, listening only on the RSN input port (which is not a login port) and only on the maintenance network.
2) Use TCP Wrappers to prevent any host but the RSN terminal server from making and keeping a telnet connection.
3) Use IPsec to prevent any host but the RSN terminal server from even making a connection.
Using the built-in features of telnetd:
The RSN software uses port 85, not the standard telnet port of 23. If no one but the RSN is using telnet, you do not need to listen on any port but 85. You can stop telnetd from listening on the standard port with the command
telnet_admin delete -service telnet
This will also remove the telnet service from the >system>stcp>services file. That will prevent the telnet client command from working in its default mode. You will still be able to run the telnet client, but you will need to provide a port number along with the host name you want to connect to. If someone tries to telnet to port 85 they will get a TCP connection, but they will not get a login banner. The connection just hangs, effectively ignoring what they type. After a few minutes it will be closed. Starting in release 17.0 you can configure telnetd to listen only on the maintenance network interface. You can do that with the command
telnet_admin modify -service rsn_incoming -device_prefix in_rsn_m2 -no_login -privileged -services_port 85 -local_ip 10.20.1.1
You will need to substitute your own device prefix and IP address. For this to work you must make sure that IP forwarding is turned off. The command for that is
IP_forwarding off
The telnet_admin command modifies the >system>stcp>telnetservice file, so you only have to run the above commands once to permanently configure telnetd. Documentation on the telnet_admin command and the telnetservice file can be found in the OpenVOS STREAMS TCP/IP Administrator’s Guide R419 at http://stratadoc.stratus.com/.
Using TCP Wrappers:
TCP Wrappers is a filter that telnetd will check after the TCP connection is made but before sending or accepting any data over the connection. If the connection is not allowed by the filter it will be closed. A user will see a connection complete message followed almost immediately by a connection closed by foreign host message (assuming the telnet client shows these kinds of messages).
Adding the line
>system>stcp>command_library>telnetd.pm : 10.10.1.200
in the >system>stcp>hosts.allow file and the line
>system>stcp>command_library>telnetd.pm : ALL
in the >system>stcp>hosts.deny file, and starting the telnetd server with the arguments -tcpwrapper_check -no_numeric, will allow only users logged into the 10.10.1.200 host access to telnet. I am assuming here that the RSN terminal server has an IP address of 10.10.1.200.
This method has the added benefit that you can review the >system>stcp>logs>tcpddeny file to see who has been trying to make telnet connections. Entries will look like
09-04-29 13:15:05 mst telnetd: refused connect from 172.30.77.50
The disadvantage of this method is that at the TCP level a connection is established so auditors that review just connection information will ding you for having an open telnet port.
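As an added illustration of how the hosts.allow / hosts.deny pair above behaves, and of what you can do with the refused-connection log, here is a small Python simulation (example code, not part of the original post and not Stratus's own implementation). It applies the standard TCP Wrappers order (a hosts.allow match grants, a hosts.deny match refuses, no match grants) to a few constructed client addresses, and then counts refused attempts per source from constructed tcpddeny lines in the format shown above. The daemon key, file contents and log lines are taken from the post; the extra client addresses are made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Daemon key used in hosts.allow / hosts.deny, as in the post.
TELNETD = ">system>stcp>command_library>telnetd.pm"

# Constructed file contents mirroring the post's two lines.
HOSTS_ALLOW = f"{TELNETD} : 10.10.1.200\n"
HOSTS_DENY = f"{TELNETD} : ALL\n"

# Constructed sample of >system>stcp>logs>tcpddeny entries (format from the post).
SAMPLE_TCPDDENY = """\
09-04-29 13:15:05 mst telnetd: refused connect from 172.30.77.50
09-04-29 13:15:09 mst telnetd: refused connect from 172.30.77.50
09-04-29 14:02:41 mst telnetd: refused connect from 10.10.5.7
"""

LOG_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\w+) "
    r"telnetd: refused connect from (\S+)$"
)


def parse_access_file(text):
    """Parse 'daemon : client[, client ...]' lines into {daemon: [clients]}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        rules.setdefault(daemon.strip(), []).extend(
            c.strip() for c in clients.split(",") if c.strip()
        )
    return rules


def client_matches(pattern, client_ip):
    """Match a client address against 'ALL', a CIDR block, or a single address."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def wrapper_allows(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP Wrappers decision order: hosts.allow first, then hosts.deny, else allow."""
    allow = parse_access_file(allow_text).get(daemon, [])
    deny = parse_access_file(deny_text).get(daemon, [])
    if any(client_matches(p, client_ip) for p in allow):
        return True
    if any(client_matches(p, client_ip) for p in deny):
        return False
    return True   # neither file matched: TCP Wrappers grants access


def refused_by_source(log_text):
    """Count 'refused connect' entries per source address in a tcpddeny log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            counts[m.group(4)] += 1
    return dict(counts)


if __name__ == "__main__":
    for client in ("10.10.1.200", "172.30.77.50"):
        print(client, "allowed" if wrapper_allows(TELNETD, client) else "refused")
    print(refused_by_source(SAMPLE_TCPDDENY))
```

The important property to notice is that the hosts.deny line with ALL is what makes the filter a whitelist: without it, the default when neither file matches is to grant access, so a hosts.allow entry on its own restricts nothing.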
Documentation on TCP Wrappers and the hosts.allow, hosts.deny and tcpddeny files can be found in the OpenVOS STREAMS TCP/IP Administrator’s Guide R419 at http://stratadoc.stratus.com/.
Using IPsec:
I have blogged about IPsec before (http://community.stratus.com/blog/openvos/host-based-firewall-vos). You can set up a security policy to allow only 10.10.1.200 access to port 85 with the following statements
{saddr 10.10.1.200 ulp tcp dport 85 dir in} bypass {}
{saddr 0.0.0.0/0 ulp tcp dport 85 dir in} drop {}
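To make the effect of the two statements concrete, here is an added Python evaluator for policy lines in the form shown above (example code written for this post, not the VOS IPsec engine). It assumes, for the purpose of the simulation, that statements are tried in order, that the first matching selector decides, and that traffic matched by no statement passes. With those assumptions it shows why the specific bypass for 10.10.1.200 has to come before the 0.0.0.0/0 drop, and that the policy leaves other ports untouched. The sample packets are constructed.

```python
import ipaddress
import re

# The two statements from the post, as a constructed policy text.
POLICY = """
{saddr 10.10.1.200 ulp tcp dport 85 dir in} bypass {}
{saddr 0.0.0.0/0 ulp tcp dport 85 dir in} drop {}
"""

# {selector tokens} action {}
STMT_RE = re.compile(r"^\{([^}]*)\}\s*(\w+)\s*\{[^}]*\}$")


def parse_policy(text):
    """Turn policy statements into a list of (selector dict, action) pairs, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STMT_RE.match(line)
        if not m:
            raise ValueError(f"unparsable statement: {line}")
        toks = m.group(1).split()
        selector = dict(zip(toks[::2], toks[1::2]))   # key value key value ...
        rules.append((selector, m.group(2)))
    return rules


def selector_matches(selector, pkt):
    """Every key present in the selector must match the packet."""
    if "saddr" in selector:
        net = ipaddress.ip_network(selector["saddr"], strict=False)
        if ipaddress.ip_address(pkt["saddr"]) not in net:
            return False
    if "ulp" in selector and selector["ulp"] != pkt["ulp"]:
        return False
    if "dport" in selector and int(selector["dport"]) != pkt["dport"]:
        return False
    if "dir" in selector and selector["dir"] != pkt["dir"]:
        return False
    return True


def policy_action(rules, pkt, default="bypass"):
    """First matching statement wins; unmatched traffic gets the default (assumption)."""
    for selector, action in rules:
        if selector_matches(selector, pkt):
            return action
    return default


def make_pkt(saddr, dport, ulp="tcp", direction="in"):
    return {"saddr": saddr, "ulp": ulp, "dport": dport, "dir": direction}


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print("RSN host -> 85:", policy_action(rules, make_pkt("10.10.1.200", 85)))
    print("other host -> 85:", policy_action(rules, make_pkt("172.30.77.50", 85)))
    # Reversing the statements makes the catch-all drop shadow the bypass.
    print("RSN host, reversed order:", policy_action(rules[::-1], make_pkt("10.10.1.200", 85)))
```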
The biggest advantage to IPsec is that once the policies are in place, connections to the port from other hosts are simply dropped – the auditors will be pleased. The disadvantage is that IPsec is a product that must be purchased separately and may not be available on your system.
Documentation for IPsec can be found in the Software Release Bulletin: IPsec for VOS R602 at http://stratadoc.stratus.com/.