On Wednesday, 12/08/2010 at 03:11 EST, RPN01 <nix.rob...@mayo.edu> wrote:

> But, should you have to have an external security manager for a system where
> the majority of users are disconnected guest operating systems?

Yes.

> Most of
> today's z/VM systems have a bare minimum of real human users. CP is the
> security manager for us, and it's sufficient to control the wild ramblings
> of, oh, say, the four people who need access.

Those four people know all the passwords. There is no accountability and no plausible deniability. You have de facto password sharing, something I have yet to see countenanced by any IT organization.

> The dollars are needed for
> other things with a much higher priority before we'd ever get an ESM to
> control our more wild moments.

That's certainly a fair decision to make. Understand that the ESM is not there to protect the system from rogue sysprogs. It is there to enforce policy and to demonstrate that you *have* a policy and the evidence to demonstrate its enforcement.

> And, plugging a cable into a switch generally does get you connectivity,
> because someone put that switch there for the express purpose of providing
> that connectivity in the first place. If I walk into an office on campus,
> and there's an Ethernet jack on the wall, I have the reasonable expectation
> that I should be able to plug my laptop into it and have a connection to the
> network.

You have a policy in place that "unused" ports are enabled. Whether the port was opened on demand or in advance of use doesn't really matter. It isn't by *your* choice that you are allowed to plug into the network.

> The same thing holds true if I see a wireless antenna on the
> ceiling here. I shouldn't have to call the Network Operations Center and
> give them my name and password and the jack number to get them to let me in;

No, but you may require a certificate. But even if you don't, there was still a policy in place to open the ports.

> If that were the case, we'd have a lot of ticked off doctors running around
> here. (Much the same as I get ticked off every time I have to go grant a
> virtual machine into the virtual switch.) We even have jacks and wireless in
> the patient waiting areas so that they can get internet access, and they
> don't need to be granted in either.
>
> The vSwitch grant is not in any way mimicking a real life scenario. It
> doesn't compare to the real world in any way. Networking gets set up, and
> once it's set up, you plug things into it and they simply work, as long as
> you know the IP range and netmask, or your computer does a reasonable job of
> DHCPing you an address. You don't have to be granted into it.

You are making my point for me, demonstrating that it is NOT sufficient to just plug into a wall port. Someone has cabled/authorized/opened those ports. They have set up the DHCP servers or given you a considered IP address. Those public ports very likely have different access rights than those in offices and exam rooms.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott