Firewall Wizards mailing list archives

Re: Dangers from SNA?


From: kevans () peco-energy com
Date: Wed, 14 Jul 1999 16:02:58 -0400



The last update listed below was good. I think the point to be made is that
SNA has a number of higher level (higher network level) structures that
influence security. You need to talk to the person that does VTAM and NCP
definitions in your SNA world to get that level of detail. In an SNA world you
can be as dynamic or as static as you want about letting people come in. The
proof of that is the thousands of companies and 100,000 users on the IBM
Information Network that have simply not had the problems you see on the Internet.

Please don't take that as a "religious" statement. I just don't think you can
pick a reasonable solution without discussing the details of the definitions at
the termination points of those SNA "SESSIONS".

Bottom line is you need to talk at higher network layers to discuss SNA issues.

Juergen,

If your bypass is purely layer two (i.e. token-ring/ethernet and no IP) then
you will be secure from an IP point of view because IP runs on layer three,
and you can't play tricks on a protocol that isn't there. However, you
still have the vulnerability with SNA traffic. There are ways you can spoof
MAC addresses, so you want to evaluate that. Unfortunately I don't know too
much about SNA security. You also need some way of ensuring that no one
enables layer three on the network devices.

If you use DLSw you can treat it like IP through the firewall, however, the
firewall is only going to be looking at the IP session characteristics, and
not the SNA characteristics or contents. You also need to ensure that the
firewall does not cause too much timelag, or else you will end up having
dropped sessions all the time if the keepalives can't get through.

You also want to ask about how the SNA is being sent over the WAN. He may
already be using DLSw, as the only alternative I know is a split-bridge.
Whatever way it is being passed, the devices are quite probably IP
addressable, and so you need to remove all traces of IP before the layer
three element is removed.

Hope this helps,

Joe

Telecomms Specialist (Opinions my own, etc.)
AT&T Global Network Services
Firewalls, IP & Opennet Services
Security Analysis - Network Design Team


Juergen.Nieveler () gecits-eu com on 07/13/99 08:50:01 AM

Please respond to Juergen.Nieveler () gecits-eu com

To:   firewall-wizards () nfr net
cc:    (bcc: Joe Dauncey/UK/IBM)
Subject:  Dangers from SNA?


(See attached file: ATT15241.txt)
