On Sat, 4 Aug 2007 18:29:21 +0900, Timothy Sipples <[EMAIL PROTECTED]> wrote:
>A policy of "we don't enable TCP/IP on our mainframe for security reasons"
>inevitably results in...less security. :-(

Hear hear! Yet many shops refuse to use what they are paying for. There are plenty of solutions to allow TCP/IP access to the mainframe. I love the policy that stops me from using a tn3270e client at home to get on a system that I have to logon to.

This even dates back to when Windows 98 was used in an office environment and while you had to logon to the PC, anybody could logon with a brand new userid and set their own password and see everything on the PC. People were not allowed to use TCP/IP FTP to get data from their mainframe so they used Windows cut and paste. Stopping FTP did not stop the transfer of data.

Real security mitigates whether TCP/IP or SNA is your only path to data. Truly secure data is never recorded in any fashion. Not very useful but very secure. Once it is recorded in any form you have risks and you take measures.

Just having an IP network connection makes you vulnerable to attacks to everything on your network. Not just the mainframe. Think about that. They get into some little server or someone's desktop and start siphoning off your data and you have no indication of it. Why can those boxes be on the network? A truly secure machine has no network connection of any type, no monitor, and no peripherals. Used to be the latch on a floppy drive was welded shut to prevent someone from putting a floppy disk in and copying files off or having a virus get on.

I am not the external IP security expert, but can steer you to look at reasonable ways to filter denial of service at the edge of your network ISP connection. I heard of a PIX box as a way to have an outside IP address map to an internal address. Use alternate ports for common services to add a little extra effort on a hacker's part to find. Hard core hackers are going to find them. Any information you have to configure or tell someone to configure is already compromised.

Back to never record any data and it is secure. By the way, saying it aloud means someone else's brain can record it and repeat. If you want your data secret, do not write it, say it, type it, and even thinking it exposes it to someone with telepathic powers. Or find your exposures and the solution that minimizes the risk. As hard as you try to protect it there is some schnook willing to work harder to get at it.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html