Re: Enable TCP/IP function in mainframe

2007-08-04 Thread Timothy Sipples
A policy of "we don't enable TCP/IP on our mainframe for security reasons"
inevitably results in...less security. :-(

Yes, if you put all your corporate information in a vault and send it to
the deepest trench in the bottom of a major ocean, your information will be
secure.  It will also be inaccessible.  Duly authorized and authenticated
individuals still need access to (and even must update) corporate
information.  So how are they going to do that if you insist on disabling
TCP/IP on your mainframe?  Through gateway servers, of course.  And how are
the security mechanisms set up in such cases?  Most often, inevitably, with
super-permissive whole-server IDs and passwords.  And you've now taken the
world's most sophisticated and robust security system, the z/OS Security
Server, and effectively disabled it, pushing authentication and even
authorization to, say, Microsoft Windows?!?!?!?!  Not to mention all this
corporate information flowing in the clear, through PC memory and internal
(sometimes external) networks.

Check this narrative in comparison with your own organization's current
installation.  About a month ago I visited a bank, and this is exactly the
pattern that developed in their current architecture.  The bad architecture
also happened to be far more expensive to implement and to operate.

The solution is pretty simple in concept at least.  First, get rid of the
blanket policy, now.  If there's an end user or application that has a
TCP/IP link to somewhere and ultimately accesses mainframe-hosted
transactions or data, then it's hard to imagine why you wouldn't have
TCP/IP enabled on your mainframe.  In 2007 this probably describes
everybody.  (Or do you have hardwired real terminal tubes?  Or encrypted
SNA-type connections to terminal emulators that human beings use directly?
If you've got only those access paths, you might be a special exception.)
Second, as with any other TCP/IP connection, secure it using encryption and
the other security facilities available, depending on your requirements.
(You can use unique client certificates, for example.  And virtual
firewalls.  And choose non-Internet-routable addresses if appropriate.)
Third, take a good, hard look at authorization and authentication and where
it's happening.  In many cases you'll be horrified at what's actually going
on, whereupon you can take remediation steps.  Again, the mainframe has all
the cool, hip stuff -- like an in-built LDAP server in z/OS, to pick an
example -- so you've got lots of security implementation choices.  Fourth,
establish good security review procedures, audit procedures, and monitoring
mechanisms.  This is a lot easier and more potent when you can focus on
centralized computing infrastructure.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Enable TCP/IP function in mainframe

2007-08-04 Thread Kenneth E Tomiak
On Sat, 4 Aug 2007 18:29:21 +0900, Timothy Sipples 
[EMAIL PROTECTED] wrote:

> A policy of "we don't enable TCP/IP on our mainframe for security reasons"
> inevitably results in...less security. :-(


Hear hear! Yet many shops refuse to use what they are paying for.

There are plenty of solutions to allow TCP/IP access to the mainframe. I love 
the policy that stops me from using a tn3270e client at home to get on a 
system that I have to log on to. This even dates back to when Windows 98 
was used in an office environment and while you had to log on to the PC, 
anybody could log on with a brand new userid and set their own password and 
see everything on the PC. People were not allowed to use TCP/IP FTP to get 
data from their mainframe so they used Windows cut and paste. Stopping FTP 
did not stop the transfer of data. Real security mitigates whether TCP/IP or 
SNA is your only path to data.  Truly secure data is never recorded in any 
fashion. Not very useful but very secure. Once it is recorded in any form you 
have risks and you take measures.

Just having an IP network connection makes you vulnerable to attacks to 
everything on your network. Not just the mainframe. Think about that. They 
get into some little server or someone's desktop and start siphoning off your 
data and you have no indication of it. Why can those boxes be on the 
network? A truly secure machine has no network connection of any type, no 
monitor, and no peripherals. Used to be the latch on a floppy drive was welded 
shut to prevent someone from putting a floppy disk in and copying files off or 
having a virus get on.

I am not the external IP security expert, but can steer you to look at reasonable 
ways to filter denial of service at the edge of your network ISP connection. I 
heard of a PIX box as a way to have an outside IP address map to an internal 
address. Use alternate ports for common services to add a little extra effort 
on a hacker's part to find. Hard-core hackers are going to find them. Any 
information you have to configure or tell someone to configure is already 
compromised. Back to never record any data and it is secure. By the way, 
saying it aloud means someone else's brain can record it and repeat. If you 
want your data secret, do not write it, say it, type it, and even thinking it 
exposes it to someone with telepathic powers.

Or find your exposures and the solution that minimizes the risk. As hard as you 
try to protect it there is some schnook willing to work harder to get at it.


Re: Enable TCP/IP function in mainframe

2007-08-03 Thread Schwarz, Barry A
It depends on what the network connects to.  Our mainframe is on a
network with a few dozen work stations but the network never leaves our
office.  Other mainframes are connected to the internet.  The issues are
very different between the two.

-Original Message-
From: Lanny Niu [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 03, 2007 3:16 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Enable TCP/IP function in mainframe

Hi guys,

   If I want to enable the TCP/IP function in our z/OS (z800) environment,

 what matters (risks) should I be concerned about?


Re: Enable TCP/IP function in mainframe

2007-08-03 Thread Matthew Stitt
I would worry most about the security people at your company.  <g>

For some reason managers seem to feel the mainframe is a more vulnerable
machine for outside access than the other systems in the same room.

On Fri, 3 Aug 2007 11:37:07 -0700, Schwarz, Barry A
[EMAIL PROTECTED] wrote:

> It depends on what the network connects to.  Our mainframe is on a
> network with a few dozen work stations but the network never leaves our
> office.  Other mainframes are connected to the internet.  The issues are
> very different between the two.
>
> -Original Message-
> From: Lanny Niu [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 03, 2007 3:16 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Enable TCP/IP function in mainframe
>
> Hi guys,
>
>    If I want to enable the TCP/IP function in our z/OS (z800) environment,
>
>  what matters (risks) should I be concerned about?


Re: Enable TCP/IP function in mainframe

2007-08-03 Thread McKown, John
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Stitt
> Sent: Friday, August 03, 2007 1:43 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Enable TCP/IP function in mainframe
>
>
> I would worry most about the security people at your company.  <g>
>
> For some reason managers seem to feel the mainframe is a more vulnerable
> machine for outside access than the other systems in the same room.
>

Well, you know all those CERT alerts targeting z/OS just scare the
willies out of management. I mean, it's not as if it is a reliable
Windows server, ya know. (sarcasm in case somebody didn't realize it).

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology


Re: Enable TCP/IP function in mainframe

2007-08-03 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of McKown, John
>
> > -Original Message-
> > From: IBM Mainframe Discussion List On Behalf Of Matthew Stitt
> >
> > I would worry most about the security people at your company.  <g>
> >
> > For some reason managers seem to feel the mainframe is a more
> > vulnerable machine for outside access than the other systems in the
> > same room.
>
> Well, you know all those CERT alerts targeting z/OS just
> scare the willies out of management. I mean, it's not as if it
> is a reliable Windows server, ya know. (sarcasm in case
> somebody didn't realize it).

But z/OS probably wouldn't be a reliable Windows server, anyway.  I'd
bet Windows would still crash even if it was running on z/OS.  Probably
more often, since z/OS is a little more protective of its underlying
environment than the normal Wintel environment is of itself.

-jc-
