Firewall Wizards mailing list archives
Re: Dangers from SNA?
From: kevans () peco-energy com
Date: Wed, 14 Jul 1999 16:02:58 -0400
The last update listed below was good. I think the point to be made is that SNA has a number of higher-level (higher network level) structures that influence security. You need to talk to the person that does VTAM and NCP definitions in your SNA world to get that level of detail. In an SNA world you can be as dynamic or as static as you want about letting people come in. The proof of that is the thousands of companies and 100,000 users on the IBM Information Network that have simply not had the problems you see in the Internet. Please don't take that as a "religious" statement. I just don't think you can pick a reasonable solution without discussing the details of the definitions at the termination points of those SNA "SESSIONS". Bottom line is you need to talk at higher network layers to discuss SNA issues.

Juergen,

If your bypass is purely layer two (i.e. token-ring/ethernet and no IP) then you will be secure from an IP point of view because IP runs on layer three, and you can't play tricks on a protocol that isn't there. However, you still have the vulnerability with SNA traffic. There are ways you can spoof MAC addresses, so you want to evaluate that. Unfortunately I don't know too much about SNA security. You also need some way of ensuring that no one enables layer three on the network devices.

If you use DLSw you can treat it like IP through the firewall; however, the firewall is only going to be looking at the IP session characteristics, and not the SNA characteristics or contents. You also need to ensure that the firewall does not cause too much time lag, or else you will end up having dropped sessions all the time if the keepalives can't get through.

You also want to ask about how the SNA is being sent over the WAN. He may already be using DLSw, as the only alternative I know is a split-bridge. Whatever way it is being passed, the devices are quite probably IP addressable, and so you need to remove all traces of IP before the layer three element is removed.
Hope this helps,

Joe
Telecomms Specialist
Opinions mine own, etc.......
AT&T Global Network Services
Firewalls, IP & Opennet Services
Security Analysis - Network Design Team

Juergen.Nieveler () gecits-eu com on 07/13/99 08:50:01 AM
Please respond to Juergen.Nieveler () gecits-eu com
To: firewall-wizards () nfr net
cc: (bcc: Joe Dauncey/UK/IBM)
Subject: Dangers from SNA?

(See attached file: ATT15241.txt)