Re: Strange Auditor Questions

2005-06-14 Thread John S. Giltner, Jr.
I have to agree with Hal's post.  When we first started to use Host 
OnDemand one of the PC guys traced the traffic and was amazed that IBM 
by default would encrypt TN3270 traffic.  I was amazed because I did not 
know that HOD supported encryption at that time, we are talking V1.


Well, fast forward a couple of years and I am tracing the same HOD traffic 
and it's not encrypted.  I asked the PC guy why he thought it was 
encrypted and he said when he looked at it, it was not in clear text.  I 
showed him the trace and he said, see, look, it's garbage so it must be 
encrypted.  I said, no, it's EBCDIC; using Ethereal I clicked on the EBCDIC 
button and magically it was clear text.  He had been using the MS network 
trace tool and had never seen EBCDIC before.


I have also had somebody show me how they were using SSH to encrypt 
X Windows: ssh to the remote box and then start KDE, without redirecting to 
the ssh session.  He thought that X Windows would know to use the ssh 
session that he issued the command from.  That is, until I showed him 
that it was using port 6000 on his box and not the ssh session.




Terry Linsley wrote:

The organization we service is suffering through an audit at the moment.
One of the things the auditors looked at was the secure file transfer process I
had setup for that organization (OpenSSH based).  They explained it
sufficiently, but the auditor had one last requirement.  She wanted proof that
the data was actually being encrypted. 
 It is my understanding that OpenSSH encrypts the file in transit and does
not leave an encrypted copy of the data file lying around anywhere.  So, I
cannot show them a copy of the encrypted file.  I ran a transfer using the
most verbose debug level and it does not say anything like now encrypting
file.
 So, to satisfy the auditor (and my own curiosity), does anyone know how
to prove that OpenSSH is really encrypting the file?  Of course one could hang
a sniffer on the network and sniff the datastream, but I did not want to go
that far.  Thanks.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Strange Auditor Questions

2005-06-13 Thread Hal Merritt
Not so strange. Other posters suggested asking what is 'proof', and that
is excellent advice. Do that. 

I once heard of a situation where the data was thought to be encrypted
but turned out to be open. I have seen trace messages that suggested
encryption but turned out to be misleading. 

For your own curiosity, see info APAR II12014 on how to do a packet
trace. You can format and print the trace with IPCS (see below). If the
data is compressed then the trace may not prove anything. 

//IPCS     EXEC PGM=IKJEFT01
//IPCSDDIR DD   DSN=My.DDIR,DISP=OLD
//IPCSPRNT DD   DSN=My.WORK.TXT,DISP=(OLD,KEEP,KEEP)
//SYSTSPRT DD   SYSOUT=*
//SYSTSIN  DD   *
IPCS NOPARM
SETDEF NOCONFIRM PRINT NOTERM
SETDEF DSN('SYS2.CTRACE1') LIST NOCONFIRM
PROFILE NOPAGESIZE LINESIZE(80)
CTRACE COMP(SYSTCPDA) SHORT OPTIONS((FORMAT,DUMP))
SETDEF CONFIRM NOPRINT TERM
END

HTH.   





-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Terry Linsley
Sent: Thursday, June 09, 2005 12:24 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Strange Auditor Questions

The organization we service is suffering through an audit at the moment.
One of the things the auditors looked at was the secure file transfer
process I
had setup for that organization (OpenSSH based).  They explained it
sufficiently, but the auditor had one last requirement.  She wanted
proof that
the data was actually being encrypted. 



Re: Strange Auditor Questions

2005-06-10 Thread Perryman, Brian
You could get IP/Trace from TDSLink (www.tdslink.com). It's free, and installs 
in about 20 minutes. It's not a sniffer.

It will show you all the IP packets in a series of 'dump' type formats using 
your favourite web browser. Use it 'before and after' you flick your encryption 
switch, and  it's dead obvious.

Brian

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]
Behalf Of Terry Linsley
Sent: 09 June 2005 18:24
To: IBM-MAIN@BAMA.UA.EDU
Subject: Strange Auditor Questions


The organization we service is suffering through an audit at the moment.
One of the things the auditors looked at was the secure file transfer process I
had setup for that organization (OpenSSH based).  They explained it
sufficiently, but the auditor had one last requirement.  She wanted proof that
the data was actually being encrypted. 
 It is my understanding that OpenSSH encrypts the file in transit and does
not leave an encrypted copy of the data file lying around anywhere.  So, I
cannot show them a copy of the encrypted file.  I ran a transfer using the
most verbose debug level and it does not say anything like now encrypting
file.
 So, to satisfy the auditor (and my own curiosity), does anyone know how
to prove that OpenSSH is really encrypting the file?  Of course one could hang
a sniffer on the network and sniff the datastream, but I did not want to go
that far.  Thanks.


Re: Strange Auditor Questions

2005-06-10 Thread McKown, John
 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Clark
 Sent: Thursday, June 09, 2005 7:11 PM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: Strange Auditor Questions
 
 
 Terry, 
 

snip

 
 Put the requirement back onto the auditor. After all this is 
 IBM's product not yours.  
 
 Kevin Clark

Just one, minor, point. The code is not IBM's code. It is OpenSSH code
which was ported by IBM or under contract to IBM. IIRC, they disavow any
responsibility.


--
John McKown
Senior Systems Programmer
UICI Insurance Center
Information Technology



Re: Strange Auditor Questions

2005-06-09 Thread Tom Schmidt
On Thu, 9 Jun 2005 12:23:33 -0500, Terry Linsley wrote:

The organization we service is suffering through an audit at the moment.
One of the things the auditors looked at was the secure file transfer
process I had setup for that organization (OpenSSH based).  They explained
it sufficiently, but the auditor had one last requirement.  She wanted
proof that the data was actually being encrypted. 

If you want to make this potentially long story short you really ought to
ask the auditor directly (perhaps in writing) exactly what proof she will
accept.

Provide it.

She should be satisfied, you will do what is actually required and all will
otherwise be right with the world.

In my experience trying to do anything else is an exercise in pain.

--
Tom Schmidt
Madison, WI
(All auditor questions are strange at first glance.  Only a few become less
strange over time.  - Schmidt's Law)



Re: Strange Auditor Questions

2005-06-09 Thread Ulrich Boche

Terry Linsley wrote:


The organization we service is suffering through an audit at the moment.
One of the things the auditors looked at was the secure file transfer process I
had setup for that organization (OpenSSH based).  They explained it
sufficiently, but the auditor had one last requirement.  She wanted proof that
the data was actually being encrypted. 
 It is my understanding that OpenSSH encrypts the file in transit and does
not leave an encrypted copy of the data file lying around anywhere.  So, I
cannot show them a copy of the encrypted file.  I ran a transfer using the
most verbose debug level and it does not say anything like now encrypting
file.
 So, to satisfy the auditor (and my own curiosity), does anyone know how
to prove that OpenSSH is really encrypting the file?  Of course one could hang
a sniffer on the network and sniff the datastream, but I did not want to go
that far.  Thanks.



If you really need to provide proof that the packets in transit are 
encrypted, the probably easiest thing to do is to install Ethereal on a 
PC, start an SFTP file transfer between the PC and the z/OS system (you 
could use PUTTY on a Windows system for that purpose) and capture the 
packets with Ethereal. You don't even have to capture in promiscuous 
mode for this purpose. Ethereal will format the TCP packets nicely so 
you can see the negotiation and the encrypted data and provide the 
needed proof.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner

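Worked example, added here and not code from this thread, from IBM or from OpenSSH. It covers three points the replies raise: John Giltner's TN3270 "garbage" that was really EBCDIC, Ulrich Boche's Ethereal capture of an SFTP transfer, and Hal Merritt's warning that compressed data proves nothing. It assumes you have already pulled the TCP payload bytes out of the capture (for example with Ethereal's "Follow TCP Stream" raw export, or from the data portion of an IPCS-formatted packet trace). All sample data is constructed: the "ciphertext" is a SHA-256 counter stream standing in for real SSH traffic, and the EBCDIC code pages are Python's cp037 and cp500 (IBM-1047, the usual z/OS Unix code page, is not in the Python standard library but shares its letters and digits with cp037).

```python
"""Payload checks over bytes extracted from a packet capture.

Added example, not code from the IBM-MAIN thread. Sample data is constructed;
the 'sftp data' segment is a SHA-256 counter stream standing in for ciphertext.
"""
import hashlib
import math
import random
import zlib
from collections import Counter

ASCII_CONTROLS = {0x09, 0x0A, 0x0D}   # TAB, LF, CR
TEXT_CONTROLS = "\t\n\r\x85"          # same plus NEL, which cp037 byte 0x15 decodes to


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the observed byte distribution; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ascii_printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F or b in ASCII_CONTROLS for b in data) / len(data)


def ebcdic_printable_ratio(data: bytes, codepage: str = "cp037") -> float:
    """Decode as EBCDIC before judging. Every byte is defined in cp037, so the
    decode never fails; the question is whether the result is printable text."""
    if not data:
        return 0.0
    text = data.decode(codepage)
    return sum(ch.isprintable() or ch in TEXT_CONTROLS for ch in text) / len(text)


def classify(data: bytes, text_threshold: float = 0.95, entropy_threshold: float = 7.0) -> str:
    """Return 'ascii', 'ebcdic', 'high-entropy' or 'binary'.

    ASCII is tested first: ASCII letters decode under cp037 to printable but
    meaningless accented characters, whereas EBCDIC letters are all >= 0x80 and
    fail the ASCII test. 'high-entropy' means encrypted OR compressed. The
    entropy threshold assumes a few hundred bytes or more; a short sample
    cannot reach 7 bits/byte even when it is perfectly random.
    """
    if ascii_printable_ratio(data) >= text_threshold:
        return "ascii"
    if ebcdic_printable_ratio(data) >= text_threshold:
        return "ebcdic"
    if shannon_entropy(data) >= entropy_threshold:
        return "high-entropy"
    return "binary"


def contains_marker(capture: bytes, marker: str) -> bool:
    """Auditor-friendly test: transfer a file holding a marker string you chose
    and confirm it never appears on the wire in any plausible code page.
    cp500 stands in for IBM-1047, which the Python stdlib lacks."""
    return any(marker.encode(cp) in capture for cp in ("ascii", "cp037", "cp500"))


def pseudo_random_bytes(n: int, seed: bytes = b"constructed stand-in, not a key") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 counter stream."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def sample_segments() -> dict:
    """Constructed payloads standing in for what a capture of each case shows."""
    rng = random.Random(2005)
    vocabulary = ("the auditor asked for proof that the secure file transfer "
                  "process is really encrypting the data in transit and not merely "
                  "leaving it in an unfamiliar code page that looks like garbage "
                  "but is clear text once decoded with the right table").split()
    plaintext = " ".join(rng.choice(vocabulary) for _ in range(3000)).encode("ascii")
    return {
        # SSH identification string: exchanged before key exchange, cleartext by design.
        "ssh banner": b"SSH-2.0-OpenSSH_3.8.1p1\r\n",
        # Unencrypted TN3270 data: looks like garbage in an ASCII-only viewer.
        "tn3270 logon": "LOGON APPLID(TSO)\n".encode("cp037"),
        # Traffic after NEWKEYS: nothing readable in any code page.
        "sftp data": pseudo_random_bytes(2048),
        # Hal's caveat: compressed cleartext is high-entropy too.
        "zlib only": zlib.compress(plaintext, 9),
    }


def report(segments: dict) -> dict:
    """Classification per segment, e.g. {'ssh banner': 'ascii', ...}."""
    return {name: classify(data) for name, data in segments.items()}


if __name__ == "__main__":
    for name, verdict in report(sample_segments()).items():
        print(f"{name:13s} -> {verdict}")
    wire = sample_segments()["sftp data"]
    print("marker on the wire:", contains_marker(wire, "AUDIT-MARKER-2005"))
```

The classifier alone cannot tell SSH ciphertext from zlib output (OpenSSH's Compression option compresses before it encrypts, so both look the same on the wire), which is why contains_marker is the evidence to hand the auditor: the transferred file contains a string you chose, the capture does not contain it in ASCII or EBCDIC, and the cleartext SSH banner and KEXINIT at the start of the same capture show which cipher was negotiated before everything went unreadable.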


Re: Strange Auditor Questions

2005-06-09 Thread Terry Linsley
Thanks for the suggestion!  Sounds very promising and has the added benefit
of totally befuddling the auditor. ;-)

I shall download and give it a whirl.


On Thu, 9 Jun 2005 20:16:06 +0200, Ulrich Boche [EMAIL PROTECTED] wrote:

If you really need to provide proof that the packets in transit are
encrypted, the probably easiest thing to do is to install Ethereal on a
PC, start an SFTP file transfer between the PC and the z/OS system (you
could use PUTTY on a Windows system for that purpose) and capture the
packets with Ethereal. You don't even have to capture in promiscuous
mode for this purpose. Ethereal will format the TCP packets nicely so
you can see the negotiation and the encrypted data and provide the
needed proof.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Strange Auditor Questions

2005-06-09 Thread Kevin Clark
Terry, 

Creating your own test would be much like asking the FOX to count the Chickens. 
This is a serious auditing issue that should be solved by the auditor.  They 
should supply test data and you should supply the resulting file.  You could 
supplement the file with a trace (network, TCP trace, byte count, translation, 
etc.). 

Put the requirement back onto the auditor. After all this is IBM's product not 
yours.  

Kevin Clark




-- Original message -- 

 The organization we service is suffering through an audit at the moment. 
 One of the things the auditors looked at was the secure file transfer process 
 I 
 had setup for that organization (OpenSSH based). They explained it 
 sufficiently, but the auditor had one last requirement. She wanted proof that 
 the data was actually being encrypted.  
 It is my understanding that OpenSSH encrypts the file in transit and does 
 not leave an encrypted copy of the data file lying around anywhere. So, I 
 cannot show them a copy of the encrypted file. I ran a transfer using the 
 most verbose debug level and it does not say anything like now encrypting 
 file. 
 So, to satisfy the auditor (and my own curiosity), does anyone know how 
 to prove that OpenSSH is really encrypting the file? Of course one could hang 
 a sniffer on the network and sniff the datastream, but I did not want to go 
 that far. Thanks. 
 
 [xposting to IBMTCP-L and MVS-OE lists] 
 