
DECrouter 200 Security Features

In the document (Page 53-56)

Introducing the DECrouter 200 Management Tools

3.5 DECrouter 200 Security Features

The DECrouter 200 product has two types of security features for you to use as management tools: passwords and the dial-back feature.

3.5.1 Passwords

For security, you can enter these passwords in the router's permanent database:

• Privileged password for the router

• Nonprivileged password for the router

• DECnet service password for the router

• Transmit passwords for nodes

• Receive passwords for nodes

With the exception of the service password, you can also set and change these passwords in the router's operational database.

3.5.1.1 Privileged and Nonprivileged Passwords - The router's privileged and nonprivileged passwords protect the router's operational database from unauthorized access by NCP users.

If you define both of these passwords, all NCP commands that affect the router require a password. If you set just the privileged password, all NCP SET, CLEAR, ZERO, and LOOP commands accessing the router require the privileged password. In this case, anyone can display the information in the router's operational database.

If you set only the nonprivileged password, all NCP SHOW commands executing at the router require an exact match with this password. However, in this case, anyone can modify the database!

NOTE

It does not make sense to protect the router's database from users who may try to view it if you simultaneously allow them to change it. Digital suggests that, if you want to restrict access to the router's operational database, define:

• Both passwords for complete protection

• The privileged password for protection against changes and deletions

In addition, you must specify one of these passwords when you run the Remote Monitor.
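The following added example (not code from the DECrouter 200 manual or from Digital) models the access rules above as a small authorization function: SET, CLEAR, ZERO, and LOOP are gated by the privileged password, SHOW by the nonprivileged password, and an undefined password means no check. It also flags the configurations the NOTE warns about. The manual does not say whether the privileged password also satisfies a SHOW, so this model requires an exact match with the nonprivileged password for SHOW; the names `RouterPasswords`, `authorize`, and `audit_configuration` are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# NCP verbs that modify the operational database: gated by the privileged password.
MODIFYING_COMMANDS = {"SET", "CLEAR", "ZERO", "LOOP"}
# NCP verbs that only display the database: gated by the nonprivileged password.
READ_COMMANDS = {"SHOW"}


@dataclass
class RouterPasswords:
    """Hypothetical model of the two NCP passwords; None means 'not defined'."""
    privileged: Optional[str] = None
    nonprivileged: Optional[str] = None


def authorize(cfg: RouterPasswords, command: str, supplied: Optional[str]) -> bool:
    """Return True if an NCP user who supplied `supplied` may execute `command`.

    Assumption (consistent with the manual): the check is an exact string match,
    and a command whose gating password is undefined needs no password at all.
    """
    verb = command.split()[0].upper()
    if verb in MODIFYING_COMMANDS:
        required = cfg.privileged
    elif verb in READ_COMMANDS:
        required = cfg.nonprivileged
    else:
        raise ValueError(f"unknown NCP verb: {verb}")
    if required is None:
        return True  # no password defined for this class of command: no check
    return supplied == required


def audit_configuration(cfg: RouterPasswords) -> List[str]:
    """Report the weak configurations the manual's NOTE describes."""
    findings = []
    if cfg.privileged is None and cfg.nonprivileged is None:
        findings.append("no passwords defined: anyone can display and modify the database")
    elif cfg.privileged is None:
        findings.append("only nonprivileged password set: SHOW is protected but anyone can modify")
    elif cfg.nonprivileged is None:
        findings.append("only privileged password set: changes are protected but anyone can display")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration: only the nonprivileged password is defined.
    cfg = RouterPasswords(nonprivileged="LOOK")
    print(authorize(cfg, "SHOW NODE ROBIN", "LOOK"))   # True: correct password
    print(authorize(cfg, "SET NODE ROBIN", None))      # True: nothing guards changes!
    for finding in audit_configuration(cfg):
        print("WARNING:", finding)
```

The audit function is the part a practitioner would actually keep: it turns the manual's prose warning into a check that can be run against a router's recorded configuration.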

3-6 DECrouter 200 Management Guide, Vol. I

3.5.1.2 DECnet Service Password - The DECnet service password prevents unauthorized access to the router by remote maintenance requests, for example, issuing the NCP LOAD and TRIGGER commands. If you define a DECnet service password in the router's permanent database, anyone, including you, at another node who tries to access the router by issuing a LOAD or TRIGGER command usually must include this password.

Remote maintenance activities are usually performed by the DECnet NCP utility. A load host's DECnet database contains several facts about the router, including the DECnet service password. When you or the DECrouter 200 software installer first creates the router entry in the DECnet database, the value for the DECnet service password is 0.

The router's default DECnet service password is 0. A value of 0 means that the router does not check the DECnet service password when it receives remote maintenance requests. Changing this password to anything other than 0, however, instructs the router to check that the DECnet service password in its database and the DECnet service password stored in the load host's DECnet database are identical before the router accepts any remote maintenance activity.

To illustrate, the following example initiates a down-line load from a VAX/VMS load host to a router with the DECnet node name ROBIN and whose service password is FF44:

NCP>LOAD NODE ROBIN SERVICE PASSWORD FF44

The router does the password check. If the DECnet service password on the command line is absent or if it differs from the password defined in the router's database, the router rejects the request. If the passwords are identical, the router accepts the request.

When you type a command such as the one above to specify that the DECnet service passwords in both databases are equal, you are overriding the load host's existing DECnet service password value of 0 to make the two values match.

Even if you define a DECnet service password in the router's database for security reasons, as Digital recommends, there is still a way that someone could avoid the password specification with LOAD and TRIGGER commands. Specifying the password is not required if you defined the DECnet service password in the load host's DECnet database to the same value as the DECnet service password in the router's database.

In this case, they also match when the router does a password check.

Therefore, to maintain adequate security for the router, Digital strongly advises:

• In the router's database, change the default value of 0 for the DECnet service password. Define a new DECnet service password.

• Do not store the new DECnet service password in the load host's DECnet database.
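As an added example (not code from the manual or from Digital), the following model captures the service password check in 3.5.1.2: a router value of 0 disables the check, otherwise the value the load host presents must match exactly, and a value presented on the NCP command line overrides the one stored in the load host's DECnet database. The audit function encodes Digital's two recommendations above. The assumption that a stored load-host value of 0 counts as "no password" and the names `router_accepts`, `password_presented`, and `audit_service_password` are hypothetical.

```python
from typing import List, Optional

NO_CHECK = "0"  # the router's default service password; 0 disables the check


def router_accepts(router_service_password: str, presented: Optional[str]) -> bool:
    """Does the router accept a remote maintenance request (LOAD or TRIGGER)?"""
    if router_service_password == NO_CHECK:
        return True            # default 0: the router performs no check at all
    if presented is None:
        return False           # password absent from the request: rejected
    return presented == router_service_password


def password_presented(load_host_db_password: str,
                       command_line_password: Optional[str]) -> Optional[str]:
    """What the load host sends with a LOAD/TRIGGER request.

    Assumption: an explicit SERVICE PASSWORD on the NCP command line overrides
    the value stored in the load host's database, and a stored 0 is 'none'.
    """
    if command_line_password is not None:
        return command_line_password
    return None if load_host_db_password == NO_CHECK else load_host_db_password


def remote_load(router_service_password: str, load_host_db_password: str,
                command_line_password: Optional[str] = None) -> bool:
    """End-to-end outcome of 'NCP>LOAD NODE ... [SERVICE PASSWORD ...]'."""
    presented = password_presented(load_host_db_password, command_line_password)
    return router_accepts(router_service_password, presented)


def audit_service_password(router_service_password: str,
                           load_host_db_password: str) -> List[str]:
    """Flag the two conditions Digital advises against."""
    findings = []
    if router_service_password == NO_CHECK:
        findings.append("router service password is 0: LOAD/TRIGGER requests are not checked")
    elif load_host_db_password == router_service_password:
        findings.append("service password stored in the load host database: "
                        "LOAD/TRIGGER succeed without the operator supplying it")
    return findings


if __name__ == "__main__":
    # Constructed sample: router ROBIN uses FF44 (the manual's example value),
    # the load host still holds the default 0, and the operator types the password.
    print(remote_load("FF44", "0", "FF44"))   # True: passwords match
    print(remote_load("FF44", "0"))           # False: password absent
    print(remote_load("FF44", "FF44"))        # True: stored copy bypasses typing it
    print(audit_service_password("FF44", "FF44"))
```

Running the third call is the point of the example: once the load host database holds FF44, the operator no longer has to know the password, which is exactly why Digital says not to store it there.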


3.5.1.3 Transmit and Receive Passwords for Nodes - The receive password controls access from an adjacent node connected by an asynchronous circuit and works as a security feature with the access verification feature.

The VERIFICATION parameter determines whether the router checks the receive password for the adjacent node that is requesting access. If you enable access verification, the node must send a matching transmit password to the router before communications proceed. If the node does not supply the identical password, the router rejects the connection request.

If an adjacent node connected by an asynchronous circuit has set up a receive password, the router must supply a transmit password to gain access to that node. Your router must send the transmit password you specified for this node to match the node's receive password before communications proceed.

If a node has not set up a receive password, you do not have to specify a transmit password for this node.

3.5.2 DECrouter 200 Dial-Back Feature

This is perhaps the router's most important security feature. You can define a dial-back phone number (DTEADDRESS) for a node in the router's database and you can configure lines on the router to be dial-back lines.

Whenever a node sends a connection request to the router over a dial-back line, the router immediately breaks the connection and then phones that node. The router calls the number specified in the database as that node's DTEADDRESS. If the number is correct, that node is reached and the router initializes the connection. On the other hand, if the number is not correct, the router never allows that node to connect, thus eliminating unauthorized access by possible intruders.

Nodes on dial-back lines must be connected to the router by one of the modems supporting the dial-back feature: the Digital DF03, DF112, and DF224 modems, the Codex 2233 and 2260 modems, and the Hayes Smartmodem 2400 modems for non-PTT software kits. If you have a PTT software kit, only PTT V.25 bis modems support the dial-back feature.
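The following added simulation (not code from the manual or from Digital) walks through the dial-back sequence of 3.5.2: the router drops the incoming call, looks up the requesting node's DTEADDRESS in its database, dials that number, and only initializes a connection if the registered number actually reaches that node. The telephone network is replaced by a constructed directory mapping numbers to the node that answers there, which is what lets the example show that a request from a node whose registered number does not answer as that node never results in a session. The names `DialBackLine` and `handle_connection_request` are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DialBackLine:
    """One router line configured as a dial-back line (hypothetical model)."""
    # Router database: node name -> dial-back number (DTEADDRESS).
    dte_addresses: Dict[str, str]
    # Stub of the telephone network: number -> node that answers at that number.
    directory: Dict[str, str]
    log: List[str] = field(default_factory=list)


def handle_connection_request(line: DialBackLine, claimed_node: str) -> Optional[str]:
    """Process an incoming connection request on a dial-back line.

    Returns the node name the router is connected to after dial-back, or None
    if the router never establishes a connection.
    """
    # Step 1: the incoming connection is always broken immediately.
    line.log.append(f"request from '{claimed_node}': connection dropped")

    # Step 2: the router only calls numbers from its own database, never the caller.
    number = line.dte_addresses.get(claimed_node)
    if number is None:
        line.log.append(f"no DTEADDRESS for '{claimed_node}': not called back")
        return None

    # Step 3: dial the registered number and see who answers.
    line.log.append(f"dialing {number}")
    answering = line.directory.get(number)
    if answering != claimed_node:
        line.log.append(f"{number} did not reach '{claimed_node}': no connection")
        return None

    line.log.append(f"reached '{claimed_node}' at {number}: connection initialized")
    return claimed_node


def run_scenario() -> Dict[str, Optional[str]]:
    """Constructed scenario: ROBIN is registered and reachable, WREN's number is dead,
    and LARK has no DTEADDRESS at all."""
    line = DialBackLine(
        dte_addresses={"ROBIN": "5551234", "WREN": "5559999"},   # constructed sample values
        directory={"5551234": "ROBIN"},                           # only ROBIN's line answers
    )
    results = {node: handle_connection_request(line, node) for node in ("ROBIN", "WREN", "LARK")}
    for entry in line.log:
        print(entry)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The property worth noticing is that the caller never chooses the number: whatever a requester claims, the router only ever dials the DTEADDRESS in its own database, so a correct database entry is what actually enforces the feature.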

