Firewall Wizards mailing list archives
Re: Mainframes on the Net?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 13 Nov 2002 16:10:02 -0500 (EST)
A number of years ago I worked at a shop that ran mostly CRAYS, with a few Sun systems working as the consoles into the CRAYS and an SGI Origin2000 system <now up to at least two Origin2000 systems> and a few IBM frames rounding out the corners. One of the large CRAYS was semi-military related. Of course the site was unhindered with firewalling, except the FW-1 NT/SecurID boxen that were meant to protect the military system <though since the FW-1 NT system crashed daily, there was a backdoor tunnel running ssh to this system if one 'needed' to avoid the FW-1 blockage>. One of my responsibilities was to monitor the logs of these systems for issues and deal with them, even though I was not the CISO for the company. I quite quickly made an issue of the fact that these systems were not protected by a perimeter of any design, nor was there any strict 'hardening' of the systems. In fact the Sun consoles were quite soft, and would most likely be the focus point for an attack: get the console and you had the core... There had been compromises prior to my working here, none we were aware of while I worked there, though the door keys were rattled daily/nightly. Some of those compromises had exploited weaknesses in UNICOS/mk, not a common OS for sure. The exposure of such systems makes them available for the blackhats to test upon though. Of course I was advised by the powers that be that even the compromise of an internal system was not going to be much of an issue, as all the super servers ran on an FDDI ring, and there was no sniffer available that could sniff traffic off a wire running at such speeds. Even the 100Mbit to the desktops was considered awfully difficult to manage with a sniffer. I was kind of shocked by the attitude, especially considering these were highly intelligent co-workers, some grand levels of skill being present at this small, yet big-client-rich site.
Of course a short time after I moved on to greener pastures the thinking had changed, perhaps due to a major intrusion, perhaps due to more pressure from the military clients that were then applying such. These days all these mission critical systems are firewalled off from public access, and we've not poked about to try and discover if there are tunnels around such blockages once again.

Thanks,

Ron DuFresne

On Wed, 13 Nov 2002, Don Kendrick wrote:
OK... maybe a little off topic, but this is the group that would know :) There is quite a push from our IBM friends to use the S/390 box for a web server using WebSphere or Apache running under Linux (either as a VM or in its own LPAR). Needless to say, I considered this to be a joke... putting the crown jewels on the net? Where's the multi-tiered architecture? Where's the "defense in depth?" Sure the S/390 has "never been hacked" (their words), but who has ever put it in a position to be hacked? They tell me that I don't understand LPARs. They're separate machines. You can still do your multi-tiered. It's just all on the same box. My fear: they are separate because of software, written by humans. If that is breached, it's game, set and match. If they were separate boxes, they would have to communicate via some interface that I can monitor. This isn't true all on one box. Anyone have any experience with this fight? Am I out of line?

Don

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!