But, should you have to have an external security manager for a system where the majority of users are disconnected guest operating systems? Most of today's z/VM systems have a bare minimum of real human users. CP is the security manager for us, and it's sufficient to control the wild ramblings of, oh, say, the four people who need access. The dollars are needed for other things with a much higher priority before we'd ever get an ESM to control our more wild moments.
And, plugging a cable into a switch generally does get you connectivity, because someone put that switch there for the express purpose of providing that connectivity in the first place. If I walk into an office on campus, and there's an Ethernet jack on the wall, I have the reasonable expectation that I should be able to plug my laptop into it and have a connection to the network. The same thing holds true if I see a wireless antenna on the ceiling here. I shouldn't have to call the Network Operations Center and give them my name and password and the jack number to get them to let me in; if that were the case, we'd have a lot of ticked off doctors running around here. (Much the same as I get ticked off every time I have to go grant a virtual machine into the virtual switch.) We even have jacks and wireless in the patient waiting areas so that they can get internet access, and they don't need to be granted in either. The vSwitch grant is not in any way mimicking a real life scenario. It doesn't compare to the real world in any way. Networking gets set up, and once it's set up, you plug things into it and they simply work, as long as you know the IP range and netmask, or your computer does a reasonable job of DHCPing you an address. You don't have to be granted into it.

--
Robert P. Nix          Mayo Foundation          .~.
RO-OC-1-18             200 First Street SW      /V\
507-284-0844           Rochester, MN 55905     /( )\
-----                                          ^^-^^
"In theory, theory and practice are the same, but in practice, theory and practice are different."

On 12/8/10 12:38 PM, "Alan Altmark" <alan_altm...@us.ibm.com> wrote:

> On Wednesday, 12/08/2010 at 08:31 EST, RPN01 <nix.rob...@mayo.edu> wrote:
>
>> Is there anyone out there that actually gains security from CP users not
>> being granted onto their vSwitches? How many people would like to be
>> able to
>> define a vSwitch as "open to the public" or not requiring a grant to be
>> accessed?
>
> In the same way plugging an ethernet cable into a switch is not sufficient
> to gain connectivity, so defining a virtual wire is not sufficient to gain
> connectivity to a virtual network. This is just the way networking is
> done. Virtualizing the wires doesn't change anything.
>
> Assuming you have RACF and generic profiles active, you can allow access
> to all VSWITCHes while denying access to all user-created Guest LANs.
> RDEFINE ** CL(VMLAN) UACC(NONE)
> RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE)
>
> Without an ESM, Class G Guest LANs can be disabled by putting VMLAN
> TRANSIENT 0 in SYSTEM CONFIG.
>
> I've been saying for several years, "You need an ESM." More and more
> z/VM security management will be focused on ESMs, not native CP. If your
> fave ESM doesn't simplify things for you, gripe to the vendor.
>
> Alan Altmark
> z/VM and Linux on System z Consultant
> IBM System Lab Services and Training
> ibm.com/systems/services/labservices
> office: 607.429.3323
> alan_altm...@us.ibm.com
> IBM Endicott
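Added example, not part of the thread: a fuller version of the RACF VMLAN profile set Alan sketches, issued with RAC from CMS, that makes system VSWITCHes "open to the public" by default while still fencing off one sensitive VSWITCH, followed by the native CP equivalent for a system without an ESM. VSW1, VSW2, LNX001 and LNX002 are assumed names.

```racf
* Activate the VMLAN class with generic profile checking
RAC SETROPTS CLASSACT(VMLAN) GENERIC(VMLAN)

* Default deny: user-created Guest LANs (userid.lanname) are unreachable
* unless a more specific profile says otherwise
RAC RDEFINE VMLAN ** UACC(NONE)

* System-owned VSWITCHes live under SYSTEM.*; open them to every guest,
* which is the "no grant needed" behaviour asked for in the thread
RAC RDEFINE VMLAN SYSTEM.** UACC(UPDATE)

* Exception: VSW2 carries traffic only two guests should see. The most
* specific matching profile wins, so this overrides SYSTEM.** for VSW2.
RAC RDEFINE VMLAN SYSTEM.VSW2 UACC(NONE)
RAC PERMIT SYSTEM.VSW2 CLASS(VMLAN) ID(LNX001 LNX002) ACCESS(UPDATE)

* Refresh the in-storage profiles if VMLAN is RACLISTed on your system
RAC SETROPTS RACLIST(VMLAN) REFRESH

* Check the effective access list before relying on the change
RAC RLIST VMLAN SYSTEM.VSW2 AUTHUSER

* Without an ESM, CP keeps a per-VSWITCH access list instead (the grant
* step the thread is debating); VMLAN TRANSIENT 0 in SYSTEM CONFIG, as
* noted above, stops Class G users creating their own Guest LANs
CP SET VSWITCH VSW2 GRANT LNX001
CP SET VSWITCH VSW2 GRANT LNX002
CP QUERY VSWITCH VSW2 ACCESSLIST
```

The open SYSTEM.** profile gives the plug-in-and-work behaviour Robert describes; the discrete SYSTEM.VSW2 profile is the one place an explicit access list is still enforced, and RLIST/QUERY ACCESSLIST are the checks that show who can actually couple.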