On Wednesday, 03/30/2011 at 12:03 EDT, Ron Foster at Baldor-IS <rfos...@baldor.com> wrote:
> Our company has recently been acquired by another company. We are at
> the point of having to get our two networks to talk to each other.
> Before we can do that, we have to comply with certain security rules.
> One of them being that the mainframe cannot be exposed to the internet.

Terminology. Most non-mainframers (and not a few mainframers!) believe "mainframe" = "z/OS". It's just ignorance, not stupidity. I don't know of anyone who would put MVS on a direct connection to the outside world, but it's not because it's a "mainframe", it's because it's in a security zone that doesn't permit such a connection.

> We have a couple of zLinux web servers that are running in a couple of
> z/VM guests that are connected to our DMZ. The new folks say this is a
> show stopper as far as hooking up the two networks.
>
> The questions I have are:
>
> Is this a common restriction? That is, you have to have your DMZ based
> web servers running on some other platform so that your mainframe is not
> exposed to the internet.

I'll say that it's not UNcommon, given the history of "mainframe" at some companies. And it's usually more along the lines of "but we already have a DMZ infrastructure that we've certified and have made manageable. We're happy." Hey, if The Powers That Be are happy, I'm happy. Far be it from ME to create an undulation, or one of a series of undulations, on the calm, placid sea of TPTB's existence.

> Or, the new folks just don't understand the built-in security provided
> by the z10 and z/VM 6.1.

You undoubtedly went through this once before when you decided to put the DMZ on z. You have some education to do, or you can discuss with your IBM rep the various ways to get the new folks educated. If you don't nip this in the bud, however, the FUD will spread and affect other multi-zone uses of a single CEC.

> I know that we will end up conforming to the rules that the new folks
> have, but I was just wondering if the new folks really know what they
> are talking about.

Sure, they know what they're talking about. They just don't know what *you're* talking about! Moving the DMZ outboard isn't the end of the world, but it needs to be for considered reasons, not an uninformed panic reaction.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott