Software Product Description

Safety V1.2

Comprehensive Data Safety for your VMS systems.

from General Cybernetic Engineering

Executive Summary:

There are many perils your data faces, and loss of data can cost time, money, and jobs. Intruders, disgruntled insiders, or hidden flaws in installed software can destroy records. What is more, mistaken losses occur constantly.

Safety protects your system and your critical data in three ways:

1. A comprehensive security system adds extra checks for access to VMS files so that access by intruders or by people in non-job-required ways can be regulated or prevented. This allows your business-critical data to finally be protected against misuse, tampering, or abuse. Access from programs doing background dirty work (viruses, Trojans, worms, and the like, or even programs with security holes which can be exploited remotely (like Java browsers)) can also be blocked without damaging normal use. This active protection works three ways: by checking the integrity of your files against tampering, by preventing untrusted images from gaining privilege, and by regulating what other parts of the system an image may access.

2. A deletion protection system provides a way to undelete files which were deleted by mistake and to optionally copy deleted files to backup facilities before removal. Unlike all other VMS "undelete" programs on the market, this facility does not rely on finding the disk storage that contained the file and reclaiming it before it is overwritten. Rather, it changes the semantics of the file system delete to use a "wastebasket" system and captures the file intact. Thus, this system works reliably. No others do. This facility is also useful where you have a requirement to keep all files of a certain set of types, since the backup function can be used to capture such files while permitting otherwise normal system function. The shelving or linking functions are also available for moving copies offline if this is desired. The Safety protection features are fully integrated with the DPS subsystem, so that deletion protection does not involve destroying file security.

3. When space runs out, hasty decisions about what to keep online often must be made, and the risk of accidentally losing something important is high. Safety protects you from running out of space. Space can be monitored and older items in the wastebasket deleted if it is becoming low, without manual intervention. In addition, Safety is able to "shelve" files so that they are stored anywhere else desired on your system, and they are brought back automatically when accessed. Thus no manual arrangements need be made for reloading them. Safety can also keep the files on secondary storage, keeping a "soft link" to the files at their original site so they will be accessed on the secondary storage instead. Also, Safety can store files compressed, or can store them on secondary storage so that read access is done on the secondary storage, but write access causes the file to be copied back to its original site. Standard VMS utilities are used for all file movement, and moved files are also directly accessible in their swapped sites with standard VMS utilities. The VMS file system remains completely valid at all times. This is not a full-blown HSM system, and files so shelved or moved should be moved back after manual action if you choose to enable these functions, but it can defer the time when such system cleanup needs to be done so that critical system operation schedules are not impacted.

Safety gives you a full complement of tools for dealing with space issues automatically according to your site policy. These facilities are safe and easily understood. A comprehensive utility is provided by which you set your site policy to select which files are and are not eligible for automatic shelving. Also you are provided with screen-oriented utilities for selecting files to shelve at any time. Access to the shelved files of course causes unshelving if the normal shelving-by-copy mode is used. Also, a simple set of rules permits locating shelved or softlink target files at any time, even without Safety running. Safety at no time invalidates your file structures for normal VMS access...not even for an instant.

In addition Safety contains functions to speed file access and inhibit disk fragmentation.

The major subsystems of Safety will now be described.

The Security Function System:

Summary:

Managing access to data critical to your business using ACL facilities in native VMS can be cumbersome and still is vulnerable to intruders or people acting in excess of their authority.

Want to be sure your critical records can't be accessed save at authorized places, times, and with the programs that are supposed to access them (instead of, say, COPY.EXE)?

Want to have protection against privileged users bypassing access controls?

Want to be able to password protect individual files?

Want to be able to invisibly hide selected files from unauthorized intruders?

Have you read that attacks on machines can happen because a Java browser points at a web site that damages the system (as has been reported in the press)? Want to be able to protect your systems?

The Safety security subsystem builds in facilities permitting all of these, and is not vulnerable to intruders who disable the AUDIT facility, as all other commercial packages which purport to monitor access are.

Description: When your business depends on critical files, or when you are obliged by law or contract to maintain confidentiality of data on your system, in most cases the options provided by VMS for securing this data can be cumbersome and far too coarse-grained.

The problem is that certain kinds of access to data are often needed by people in a shop, but other access should be prevented and audited. Moreover, the wide system access that can come as a result of having system privileges often does not mean that it should be used to browse or disclose data stored on the system. A system manager will in general not, for example, have any valid reason to browse the customer contact file, the payroll database, or a contract negotiation file, save in a few cases where these files need to be repaired or reloaded from backups. Likewise, a payroll clerk may need read and write access to the payroll file, but not in general with the COPY utility, nor from a modem, nor in most cases at 4AM.
Finally, a person who must have privileges to design a driver and test it should ordinarily not have the run of the file system as well.

Given examples like these, it is easy to see that simple authorization of user access to files is inadequate. While it is possible to build systems that grant identifiers to attempt some extra control, these can be circumvented by privilege, and create very long ACLs which become impossible to administer over a long period as users come and go.

What is needed is a mechanism that is secure, cannot be circumvented by turning on privileges, and which provides a simple-to-administer, fine-grained control that lets you specify who can get at your critical files, with what images, when, from where, and with what privileges. It is also desirable to be able to control what privileges the images ever see, and to be able to check critical command files or images for tampering before use, so that they cannot be used as back doors to your system. It should be possible to demand extra authentication for particular files as well, and to prevent a malicious user from even seeing a particularly critical file, unless he can be permitted access.

The Safety security subsystem is a VMS add-in security package which provides abilities to control security problems due to intruders, to damage or loss by system "insiders" (users exceeding their authority), and to covert code (worms and viruses). It provides a much easier management interface to handle security permissions than bare VMS and provides facilities permitting control over even privileged file accesses, for cases where there are privileged users whose access should be limited. Unlike systems which only intercept the AUDIT output, EACF can and does protect against ANY file accesses, and can protect files against deletion by unauthorized people or programs in real time as well as against access.

The Safety security subsystem offers the following capabilities:

* Files can be password protected individually. If a file open or delete is attempted for such a file and no password has been entered, the open or delete fails.

* Access can be controlled by time of day. Added protections can be in place only some of the time, access can be denied some times of day, write accesses can be denied at certain times, or various other modalities of access can be allowed.

* You can control who may access a file, where they may be (or may not be), with what images they may or may not access the file, and with what privileges the file may be accessed. Thus, for instance, it is trivial to allow a clerk access to the payroll file with the payroll programs, but not with COPY or BACKUP, not on dialup lines, and not if they have unexpected privileges. The privilege checks can be helpful where there are consultants working on a system who should be denied access to sensitive corporate information but who need privileges to develop programs, or in similar circumstances. You specify what privileges are permitted for opening the file, and a process with excess privileges is prevented from access. Vital business data access should not always be implied by someone having privilege. With this system you can be sure your proprietary plans or data stay in house, and are available only to those with business reasons to need them, not to everyone needing system privileges for unrelated reasons. Unlike packages using the VMS Audit facility's output (which can be silently turned off by public domain code), Safety cannot be circumvented by well known means. Its controls are designed to leave evidence of what was done with them as well.

* You can hide files from unauthorized access. If someone not authorized to access a file tries to open it, they can be set to open instead some other file anywhere on the system. Meanwhile, Safety generates alarms and can execute site-specific commands to react to the illegal access before it can happen. This can be helpful in gathering evidence of what a saboteur is up to without exposing real sensitive files to danger. Normal access goes through transparently.

* You can arrange that opening a file grants identifiers to the process that opens it and that closing it revokes these identifiers. Set an interpretive file to do this and set it to be openable only by the interpreter and you have a protected subsystem capability that works for 4GLs which are interpretive. (Safety identifier granting, privilege modification, and base priority alteration are protected by a cryptographic authenticator preventing forging or duplication.)

* You can actively prevent covert code (viruses and worms) from running in two ways. First, Safety can attach a cryptographic checksum to a file such that the file will not open if it has been tampered with. Second, Safety can attach a privilege mask to a file which will replace all privilege masks for the process that opens it. By setting such a mask to minimal privileges, you can ensure that an untrusted image will never see a very privileged environment, and thus will be unable to perform privilege-based intrusions into your system even if run from a privileged user's account.

* You can control base priority by image. Thus, a particularly CPU-intensive image can be made to run at lower than normal base priority even if it is run interactively.

* You can run a site-chosen script to further refine selection criteria. (Some facilities for doing additional checking while an image runs exist also.)

* You can have "suspect" images set a "low-integrity-image" mode in which all file opens are checked with a site script which can report or veto access. This can be used to track or regulate what a Java applet can do, in case someone happens to browse a web site which exploits a Java hole to browse your system or damage it.

Safety allows you to exempt certain images (e.g., disk defragmenters) from access checks, and it is possible to put a process into a temporary override mode also (leaving a record this was done) where this is needed. Safety facilities are controllable per disk, and impose generally negligible overhead. Safety will work with any VMS file structure using the normal driver interfaces.
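The capabilities listed above (per-file passwords, time-of-day windows, permitted images and locations, a privilege ceiling on the opener, hidden files that redirect an unauthorized open to a decoy, an integrity authenticator that stops a tampered file from opening, and a privilege mask imposed on the process that opens an untrusted image) all reduce to one check made at file open. The Python model below is an added example written for this page, not Safety's own code: the Profile fields, the privilege bit names, the HMAC standing in for the "cryptographic checksum", and the sample files, users and decoy name are all constructed.

```python
"""Model of a Safety-style per-file security profile evaluated at file open.
Added illustration for this page, not the product's code; every name and
sample value here is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed privilege bits; the real VMS privilege set is larger and different.
NETMBX, TMPMBX, SYSPRV, READALL, CMKRNL = 1, 2, 4, 8, 16
ALL_PRIVS = NETMBX | TMPMBX | SYSPRV | READALL | CMKRNL
SITE_KEY = b"constructed site key"  # keys the authenticator (the text's "cryptographic checksum")


def seal(contents: bytes) -> bytes:
    """Authenticator attached to a file; recomputed at open so a tampered file never opens."""
    return hmac.new(SITE_KEY, contents, hashlib.sha256).digest()


def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Profile:
    images: Optional[frozenset] = None  # images allowed to open the file; None: any image
    hours: range = range(0, 24)         # hours of day during which access is permitted
    allow_dialup: bool = True
    max_privs: int = ALL_PRIVS          # opener may hold no privilege outside this mask
    password: Optional[bytes] = None    # hash of a per-file password; None: not required
    decoy: Optional[str] = None         # file opened instead when access is unauthorized
    mac: Optional[bytes] = None         # integrity authenticator; None: file not sealed
    image_privs: Optional[int] = None   # mask that replaces the process's privileges on open


@dataclass
class Process:
    user: str
    image: str
    privs: int
    dialup: bool
    hour: int
    passwords: set = field(default_factory=set)  # per-file passwords already entered


@dataclass
class Decision:
    action: str   # "allow", "deny" or "redirect"
    target: str   # file actually opened (the decoy on redirect)
    reason: str
    privs: int    # privilege mask the process runs with afterwards
    alarm: bool = False


def check_open(path: str, proc: Process, profiles: dict, files: dict) -> Decision:
    """Safety's extra check; the normal VMS protections still apply and are not modelled."""
    prof = profiles.get(path)
    if prof is None:
        return Decision("allow", path, "no profile", proc.privs)
    # A sealed file that fails its authenticator never opens, whoever asks.
    if prof.mac is not None and not hmac.compare_digest(prof.mac, seal(files[path])):
        return Decision("deny", path, "integrity check failed", proc.privs, alarm=True)
    if prof.password is not None and not any(
            hmac.compare_digest(password_hash(p), prof.password) for p in proc.passwords):
        return Decision("deny", path, "file password not entered", proc.privs)
    reason = None
    if proc.hour not in prof.hours:
        reason = "outside permitted hours"
    elif proc.dialup and not prof.allow_dialup:
        reason = "dialup access not permitted"
    elif prof.images is not None and proc.image not in prof.images:
        reason = f"image {proc.image} not permitted"
    elif proc.privs & ~prof.max_privs:
        reason = "process holds excess privileges"
    if reason is not None:
        if prof.decoy is not None:
            # Hidden file: the unauthorized opener gets the decoy and an alarm is raised.
            return Decision("redirect", prof.decoy, reason, proc.privs, alarm=True)
        return Decision("deny", path, reason, proc.privs)
    # Authorized: an attached privilege mask replaces the process's own on open.
    privs = prof.image_privs if prof.image_privs is not None else proc.privs
    return Decision("allow", path, "authorized", privs)


# Constructed sample data.
PAYROLL = b"0001 SMITH 4200.00\n0002 JONES 3900.00\n"
FILES = {"PAYROLL.DAT": PAYROLL, "CONTRACT.TXT": b"terms...", "BROWSER.EXE": b"image"}
PROFILES = {
    "PAYROLL.DAT": Profile(images=frozenset({"PAYROLL.EXE"}), hours=range(8, 18),
                           allow_dialup=False, max_privs=NETMBX | TMPMBX,
                           mac=seal(PAYROLL), decoy="DECOY_PAYROLL.DAT"),
    "CONTRACT.TXT": Profile(password=password_hash("constructed-pass")),
    # Untrusted image: whoever runs it, the process sees only a minimal privilege mask.
    "BROWSER.EXE": Profile(image_privs=NETMBX | TMPMBX),
}
CLERK = Process("CLERK", "PAYROLL.EXE", NETMBX | TMPMBX, dialup=False, hour=10)
MANAGER = Process("SYSMGR", "PAYROLL.EXE", ALL_PRIVS, dialup=False, hour=10)

if __name__ == "__main__":
    for who in (CLERK, MANAGER):
        d = check_open("PAYROLL.DAT", who, PROFILES, FILES)
        print(who.user, d.action, d.target, d.reason)
```

The order of the checks matters: integrity is tested before anything else so a tampered file is refused even to a fully authorized opener, and the privilege ceiling is a separate test from the image check, which is what lets a clerk in through PAYROLL.EXE while a system manager holding SYSPRV is sent to the decoy with an alarm.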
Also, Safety marking information resides sufficiently in kernel space that it cannot be removed from lower access modes, yet it uses a limited amount of memory regardless of volume size.

Best of all, the Safety protection is provided within the file system and does not depend on the audit facility. Thus it prevents file access or loss before it happens, and does not have to react to it afterwards. Safety allows all of its security provisions to be managed together in a simple screen-oriented display in which files, or groups of files, can be tagged with the desired security profiles or edited as desired. Safety protections are in addition to normal VMS file protections, which are left completely intact. Therefore, no existing security is broken or even altered. Safety simply adds additional checking which finally provides a usable machine encoding of "need to know" for the files where it matters.

The Safety Deletion Protection Subsystem.

Description: The Safety Deletion Protection System is designed to provide protection against accidental deletion of file types chosen by the site, and to allow files to be routed by the system to backup media before they are finally removed from the system. This is accomplished by an add-in to the VMS file system so that security holes are not introduced by the system's action.

The user interface is an UNDELETE command which permits one or more files to be restored to their original locations provided it is issued within the site-chosen time window after the undesired deletion took place. In addition, an EXPUNGE command is provided which allows files to be deleted at once, irretrievably, where space for such is required. Provision for automatic safe-storing of files prior to final deletion is present also in Safety DPS.

Safety DPS is implemented as a VMS file system add-in which functions by intercepting the DELETE operation and allowing the file to be deleted to be copied or renamed to a "wastebasket" holding area pending final action, and to be disposed of by a disposal agent. The supplied agent will allow a site script to save the files if this is desired, and then finally deletes any files which have been deleted more than some number N seconds ago. If the UNDELETE command is given, the file(s) undeleted are replaced in their original sites. The supplied system can also be configured to rename files to a wastebasket area or to copy them directly, for undeletion by systems people only. (These options are faster than the site command file option.)

Safety DPS can be configured to omit certain file types from deletion protection (for example, *.LIS* or *.MAP* could be omitted), to include only certain files in the protected sets, or both. This can reduce the overhead of saving files which are likely to be easily recreated, or tailor the system for such actions as saving all mail files (by selecting *.MAI for inclusion).

In addition, Safety DPS monitors free space on disks, and when a file create or extend would cause space exhaustion, Safety DPS runs a site script. By setting this script to perform final deletions, Safety DPS can be run in a purely automatic mode in which deleted files are saved as long as possible, but never less than some minimum period (e.g., 5 or 10 minutes).

Safety DPS files can be stored in any location accessible to VMS. If they are renamed, they must reside on the same disk they came from. Otherwise they can be stored in any desired place.

Safety DPS is installed and configured using a screen-oriented configuration utility to set it up, and basically runs unattended once installed.

The Safety Storage Migration Subsystem

Description:

Safety has the ability to move files to secondary storage and automatically retrieve them when they are accessed. This backing can be similar to what HSM systems call "shelving", though it can be done in multiple levels, or it can be done in a way which permits files moved to secondary storage to be accessed there as though the files remained online. This resembles what are called "soft links" in Unix systems, in that file opens are transparently redirected to a file stored somewhere else reachable on the system, and the channel reset to the original device on close. A "readonly link" mode acts like a soft link for readonly access, and like an unshelve operation where a file is opened read/write, should this be desired. Full control over this shelving and unshelving is provided.

This provides a great deal of flexibility in reclaiming space when the Safety space monitoring function detects that space is needed. Not only can previously deleted files be finally moved to backup destinations and deleted, but the system can migrate seldom-accessed files to nearline storage transparently. The site policy can drive this, or utilities provided can be used instead.

Where it is chosen to run Safety in a lights-out fashion (with Safety reacting to low disk situations by emptying older deleted files from the wastebasket and/or file migration to backing store), the policy chosen for controlling such settings is handled by a full-screen, easily used tool which sets the policy.
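The deletion-protection subsystem and the lights-out low-space reaction described above come down to a wastebasket with a time-windowed UNDELETE, an EXPUNGE, a disposal agent that finalizes entries older than N seconds (after an optional safe-store hook), type-based inclusion and exclusion, and a space-driven finalizer that removes the oldest deleted files first but never one held for less than the minimum period. The Python below is an added example for this page, not Safety DPS code; the fnmatch pattern syntax, the holding-area naming, the Volume model and the sample file names and sizes are constructed.

```python
"""Model of a Safety DPS-style wastebasket. Added illustration for this page,
not the product's code; pattern syntax, volume model and sample data are
constructed. Times are passed in explicitly so runs are deterministic."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional


@dataclass
class Entry:
    original: str     # where the file came from; UNDELETE puts it back there
    size: int
    deleted_at: float


@dataclass
class Volume:
    capacity: int
    files: Dict[str, int] = field(default_factory=dict)  # name -> size in blocks

    def used(self) -> int:
        return sum(self.files.values())


class Wastebasket:
    def __init__(self, vol: Volume, exclude=(), include=None, undelete_window=3600,
                 min_hold=600, site_save: Optional[Callable[[str, int], None]] = None):
        self.vol = vol
        self.exclude = tuple(exclude)  # e.g. ("*.LIS*", "*.MAP*"): never protected
        self.include = include         # e.g. ("*.MAI",): only these protected; None: all
        self.window = undelete_window  # seconds during which UNDELETE still works
        self.min_hold = min_hold       # never finalized sooner than this, even when space is low
        self.site_save = site_save     # hook routing a file to backup media before removal
        self.basket: Dict[str, Entry] = {}
        self.log: List[str] = []

    def protected(self, name: str) -> bool:
        if any(fnmatch(name, p) for p in self.exclude):
            return False
        return self.include is None or any(fnmatch(name, p) for p in self.include)

    def delete(self, name: str, now: float) -> bool:
        """Intercepted DELETE: a protected file is renamed into the holding area intact."""
        size = self.vol.files.pop(name)
        if not self.protected(name):
            self.log.append(f"{name}: removed at once (not a protected type)")
            return False
        self.basket[name] = Entry(name, size, now)
        self.vol.files["[WASTEBASKET]" + name] = size  # still occupies space until finalized
        return True

    def undelete(self, name: str, now: float) -> bool:
        """Restore to the original site, only within the site-chosen window."""
        e = self.basket.get(name)
        if e is None or now - e.deleted_at > self.window:
            return False
        del self.basket[name]
        del self.vol.files["[WASTEBASKET]" + name]
        self.vol.files[e.original] = e.size
        return True

    def _finalize(self, name: str, why: str) -> None:
        e = self.basket.pop(name)
        if self.site_save is not None:
            self.site_save(e.original, e.size)  # safe-store before the space is freed
        del self.vol.files["[WASTEBASKET]" + name]
        self.log.append(f"{name}: finally removed ({why})")

    def expunge(self, name: str) -> None:
        """Irretrievable removal on request, bypassing the hold."""
        self._finalize(name, "expunge")

    def disposal_agent(self, now: float, max_age: float) -> List[str]:
        """Periodic pass: finalize everything deleted more than max_age seconds ago."""
        old = [n for n, e in self.basket.items() if now - e.deleted_at > max_age]
        for n in old:
            self._finalize(n, f"held more than {max_age}s")
        return old

    def create(self, name: str, size: int, now: float) -> bool:
        """File create/extend; if it would exhaust space, the low-space policy runs first."""
        if self.vol.used() + size > self.vol.capacity:
            self.low_space(size, now)
        if self.vol.used() + size > self.vol.capacity:
            return False  # still full: the create fails rather than removing a fresh deletion
        self.vol.files[name] = size
        return True

    def low_space(self, needed: int, now: float) -> None:
        """Site policy: empty the oldest deleted files first, never one held less than min_hold."""
        for n, e in sorted(self.basket.items(), key=lambda kv: kv[1].deleted_at):
            if self.vol.used() + needed <= self.vol.capacity or now - e.deleted_at < self.min_hold:
                break
            self._finalize(n, "space needed")
```

Note that a file in the holding area still counts against the volume until it is finalized, which is exactly why the low-space path has to exist; the break on `min_hold` is what keeps a burst of creates from turning a fresh mistaken deletion into a permanent one.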
Should still greater flexibility be needed, the scripts used for a number of operations are supplied together with a full description of the command line interface of the underlying software. This facilitates linking Safety file management functions with other packages should such be desired. It should be noted that storage migration handled by Safety is not a full HSM system, and while it allows transparent migration, this should not be used for large numbers of files without some manual intervention and cleanup; an interface for doing this is provided. What Safety provides is designed to make it possible to operate continuously without having space emergencies; you can operate knowing that storage is efficiently used, and cleanup operations can be run when convenient for you, not when a device size boundary makes it necessary.

Safety can be run in a mode where there is essentially no overhead at all imposed (just a few instructions added along some paths and no disk access) for any files except those which need softlinks or possible unshelving. A full-screen setup script allows one to select the Safety run modes. Even the most overhead-expensive mode of Safety adds only a small CPU overhead and no extra I/O. In addition, Safety can be turned off or back on at any convenient point should this be desired. (This must be done using special tools provided for use by those specially authorized to do so.)

Support:

Safety runs on VAX VMS 5.5 or greater or AXP VMS 6.1 or greater. The same facilities exist across all systems. HSM must be installed on each cluster node of a VMScluster where it is to be used but imposes no restrictions on types of disk it works for. Safety will work with any file structure used by VMS, so long as a disk class device is used to hold it. It is specifically NOT limited to use with ODS-2 disks.

Safety is available for 45 day trial use licenses or can be licensed permanently. Safety is required on every node of a cluster using it, or its benefits will not be available on nodes not having the software running. Apart from this, there are no problems with having Safety available on only part of a VMS cluster.

Safety is brought to you by

General Cybernetic Engineering
18 Colburn Lane
Hollis, NH 03049
603 465 9517 voice
603 465 9518 fax

For orders, contact the above address or Sales@GCE.COM.
For technical information contact Info@GCE.Com
For support contact Support@GCE.Com