Carmen Vitullo wrote:
>I'll also add, in spite of being flamed, SNA networks
>were pretty secure....

I'm going to push back on this one a bit, and not in a flaming way I hope.

"Classic" SNA can encrypt connections using DES or TDES, assuming your past
self/selves implemented it (not a given, certainly). That was advanced
stuff for its day and even a little beyond, but the world was/is racing
ahead, properly so. Fortunately, with Enterprise Extender, you can take
advantage of current encryption standards and exploit Crypto Express, too.
(Please do that.)

Several years ago I met a bank's CIO and senior IT leaders. Their view at
the time (and prior) was that SNA was secure, and that newfangled TCP/IP
stuff wasn't. (The Internet was/is scary, after all.) So they adopted a
security policy that "thou shall never implement TCP/IP on the mainframe."
And they didn't; they obeyed their policy faithfully. Of course, business
still needed to get done. Therefore, the bank installed and ran about
20-odd Microsoft Windows servers with Microsoft SNA Server -- remember
that? The SNA Servers did two things: (1) they handled all SNA to/from
TCP/IP traffic, and (2) they handled all authorizations. Yes, that's right,
the bank had effectively disabled RACF entirely because they created 20-odd
RACF IDs for each one of the SNA Servers, and then the SNA Servers
(Windows) had carte blanche to do anything they wanted to do with their
system of record, with core banking data, card data, etc. They delegated
all mainframe authorization decisions to Microsoft Windows.

Together we sketched a picture of all this on a whiteboard so I could
understand what they had done. After we drew the picture, I asked this
simple question: "Is this secure?" After a very little bit of side
discussion, very quickly, they did two things: (1) they changed their
"security" policy, and (2) they went immediately to work to change
everything I just described.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
--------------------------------------------------------------------------------------------------------

E-Mail: sipp...@sg.ibm.com
