Firewall Wizards mailing list archives
Re: Mainframes on the Net?
From: Paul Robertson <proberts () patriot net>
Date: Wed, 13 Nov 2002 12:18:57 -0500 (EST)
On Wed, 13 Nov 2002, Don Kendrick wrote:
OK...maybe a little off topic but this is the group that would know :) There is quite a push from our IBM friends to use the S/390 box for a web server using Websphere or Apache running under Linux (either as a VM or in its own LPAR). Needless to say, I considered this to be a joke....putting the crown jewels on the net? Where's the multi-tiered architecture? Where's the "defense in depth?" Sure the S/390 has "never been hacked" (their words) but who has ever put it in a position to be hacked? They tell me that I don't understand LPARs. They're separate machines. You can still do your multi-tiered. It's just all on the same box. My fear, they are separate because of software, written by humans. If that is breached, it's game, set and match. If they were separate boxes, they would have to communicate via some interface that I can monitor. This isn't true all on one box. Anyone have any experience with this fight? Am I out of line?
Caveat: It's been a fair number of years since I was a mainframe systems programmer, and even longer since I was a mainframe assembly language developer. They don't even make the boxes blue anymore. I do have around 10 years of mainframe experience (not exclusively mainframes, but mainframes for all of that, from s/360s, to 43xx and 93xx models. I've been a systems programmer and assembly/PL/1 developer on VM/CMS, MVS/TSO/e and MVS/CICS from the base 360 up through XA and ESA.) The virtualization scheme in VM is my favorite ever. It made one heck of a development environment. LPARs are probably better evolved, but I wasn't as comfortable developing in that environment (mostly people ran MVS there, back when, and I much preferred VM.)

While you *might* be able to break out of the virtual environment, it sure won't be a trivial task. I started out on IBM mainframes, and spent a fair amount of time on VM and MVS- I can't recall a single time I saw a virtual machine or even an address space cause a supervisor or hosting OS issue that executed code, even when the SVC code was our own. (SVCs are Supervisor Calls, like syscalls.)

The only real major issue I've ever seen is that TSO/E's Virtual Telecommunications Access Method (VTAM) had some order-of-execution issues with OS terminal services macros (SVC 93 and SVC 94) where calling them from a Terminal Monitor Program (which AIR wasn't a user-space installable kind of thing anyway) would change order of execution despite execution order in the TMP depending on some parameters and what got called first (it was a fullscreen/linemode switching issue that I spent about two months proving to IBM existed- because they wouldn't touch that code and couldn't believe you could diagnose it to that level without the source. Rather than fixing it, they chose to document around it.)
The CPU, OS, and machine architecture are evolved for this- this isn't trying to play games with an x86- VMware is cool, but it's a hack because the architecture doesn't support virtualization well. The virtualization is complete enough that I've never been able to write a program that could tell what level it was running at. In fact, I'd be interested in what anyone would use to do that. We used to put "troublesome" users in 3rd level virtual machines (that is a VM running under a VM running under a VM which was either running VM/CMS or MVS- depending on their normal environment) just to make their performance suck until they woke up and smelled the coffee. Never had one figure it out.

You can monitor inter-machine communication of virtual machines, and I'd suppose LPARs at the host OS level. The guest OS' don't get real hardware, everything is virtual to them, and that's the real power there. VM was originally designed by IBM to develop their other OS' in, so that they didn't need a new mainframe for each development group. Guests think they're on real hardware, and there's nothing that's not abstracted through a virtual device layer.

Absent some silly subsystem stuff (and that would require an evaluation and reading lots of those big red books,) I'd trust VM as a base OS before I'd trust a firewall running on almost anything. The documentation level used to be astounding, I'd really recommend looking at the "Red Books" appropriate to whichever environments and subsystems worry you. LPARs should be better than that- I've just never dealt with them, so my personal level of comfort is with VM as the only host OS and running lots of guests. I think you *can* set things up poorly, but you really have to try. I'm sure there are ways to get through things, but I'd probably only really worry about a serious audit if I were a significant target of choice, then I'd probably go ask either Bill Murray or Bob Abbott who'd be a good auditor for that environment.
VM's been out for what- ~30 years? Unless they've been doing weird things lately, most of the work has probably been in addressing extensions, and POSIXey stuff, not in how the virtualization is handled. IMO, the only real argument you have here is "trusted insider goes bad, or hoses a configuration there's only one layer of control." The counter to that is probably either regular strong audits, or a different architecture. If there's significant data on the machines that won't ever hit the Web interface, then you've got a classic separation argument that may or may not fly. Outside of principle, I wouldn't be all that concerned about running such an environment, though I'd want to spend a good deal of time digging at things, poking, prodding and maybe even writing some code. Though it's kind of the cat guarding the hen house, you could also get IBM to come in and have someone technical interactively address your questions until either you're happy or they're beaten into submission...

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment
                             TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
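On the "what level am I running at" question above, one answer for the Linux-on-S/390 case the thread discusses: the s390x Linux kernel publishes what the Store System Information (STSI) instruction returns in /proc/sysinfo, including an "LPAR Name" block for the partition level and one "VMnn" block per hypervisor level beneath it. The parser below is an added example, not code from the thread or from IBM; the sysinfo text is constructed to mimic that file's layout, and the data only reflects what each hypervisor chooses to report, which is exactly the trust question the thread is about.

```python
import re

# Constructed sample resembling /proc/sysinfo on Linux for s390x: a Linux
# guest under z/VM, which itself runs in an LPAR. Real files carry many
# more keys; only the ones used below matter here.
SAMPLE_SYSINFO = """\
Manufacturer:         IBM
Type:                 2064
Model:                1C7              ZSERIES
LPAR Number:          4
LPAR Characteristics: Shared
LPAR Name:            WEBLPAR
LPAR CPUs Total:      8
VM00 Name:            LINUX01
VM00 Control Program: z/VM    4.3.0
VM00 Adjustment:      1000
VM00 CPUs Total:      2
"""

def parse_sysinfo(text):
    """Return a list of virtualization layers, outermost first.

    Each entry is a dict with 'level' ('LPAR' or 'VM'), 'name', and for VM
    layers the 'control_program' string the hypervisor reported for itself.
    """
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            kv[key.strip()] = value.strip()

    layers = []
    if "LPAR Name" in kv:
        layers.append({"level": "LPAR", "name": kv["LPAR Name"]})

    # VM levels are numbered VM00, VM01, ...; each one is another
    # hypervisor between the LPAR and this guest.
    vm_ids = sorted({int(m.group(1)) for k in kv
                     if (m := re.match(r"VM(\d\d) Name$", k))})
    for i in vm_ids:
        layers.append({"level": "VM", "name": kv[f"VM{i:02d} Name"],
                       "control_program": kv.get(f"VM{i:02d} Control Program", "")})
    return layers

def nesting_depth(text):
    """Number of hypervisor levels (LPAR plus VM levels) above this guest."""
    return len(parse_sysinfo(text))
```

A depth of 0 means the kernel saw no LPAR or VM blocks at all, i.e. the host presented itself as bare hardware (or hid the blocks), which is a reason to cross-check with the hypervisor's own configuration rather than trusting the guest's view.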
Current thread:
- Mainframes on the Net? Don Kendrick (Nov 13)
- Re: Mainframes on the Net? Paul Robertson (Nov 13)
- Re: Mainframes on the Net? Barney Wolff (Nov 13)
- segmentation of DMZs Shimon Silberschlag (Nov 14)
- Re: segmentation of DMZs Paul D. Robertson (Nov 14)
- Re: segmentation of DMZs Carson Gaspar (Nov 14)
- Re: segmentation of DMZs Mikael Olsson (Nov 16)
- Re: segmentation of DMZs Carson Gaspar (Nov 17)
- Re: segmentation of DMZs Miles Sabin (Nov 15)
- RE: segmentation of DMZs Ofir Arkin (Nov 18)
- Re: Mainframes on the Net? Paul Robertson (Nov 13)
- Re: Mainframes on the Net? Lorens Kockum (Nov 14)