Forcing the Use of Encrypted Connections
Encryption is the generally accepted way to protect an organization’s confidential information whether in transit or at rest. State and federal laws and regulations recognize that information that is encrypted is properly protected and safe to store and transport. To exchange confidential data between a central computer system and a remote computer system used by a person to access the central computer in a secure way, an encrypted connection is appropriate. Data that is not confidential need not be protected and may or may not be encrypted. Sometimes even public information is best protected in order to maintain the integrity of that information. Sometimes it is appropriate to force those who exchange confidential information with a central computer to use encrypted protocols while allowing unencrypted protocols to be used by those who handle only public information. OpenVMS systems may contain both information requiring encrypted protocols and information not requiring encrypted protocols.
System Detective may be configured to force some users to use encrypted protocols while allowing the use of unencrypted protocols by other users. A System Detective rule may be configured to compare the appropriate user’s terminal name with the device type for an unencrypted interactive connection and delete the user process when the rule is violated by a match. A second rule may be configured in such a way as to trigger on the image associated with an unencrypted file transfer and delete the agent process which would have transferred the file unencrypted. Thus, the unencrypted transfer of confidential data is prohibited.
For example, if the OpenVMS system was using HP TCPIP Services for OpenVMS, a rule could be constructed to look for the characteristic “TNA” in the TELNET terminal name and delete the process when it is found. The second rule would trigger on the FTP child image and do the same. The combination of these two rules would disallow the use of the unencrypted TELNET and FTP services for the specified users and meet the objective of preventing the use of those unencrypted protocols for those users.