Firewall Wizards mailing list archives

RE: Mainframes on the Net?


From: "Desai, Ashish" <Ashish.Desai () fmr com>
Date: Thu, 14 Nov 2002 13:24:31 -0500

A couple of years ago I attended
Computer Associates' annual conference.
These guys write one of the pluggable security monitors
for the mainframe; the product is called "Top Secret". IBM's
version is called "RACF".
Found out that when running "unix" (prior to the days of Linux)
on the mainframe, the "unix" instance was allowed to access
files that are stored on the MVS side.
IBM implemented this using new "syscalls". CA's security
monitor did NOT know how to handle these new "syscalls", so
it allowed blanket access to the files. I don't know if IBM's
security monitor did the right thing.

I don't know if CA fixed this problem.

Anyway, the point I am making is that a different OS instance
may be given permission to access the filesystem. Make sure
that the correct access is defined in the security monitor
so that the Internet-facing system does not have access to the
core filesystem where the customer data is stored.

Ashish
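As an added illustration (not part of Ashish's post, and not IBM or CA documentation), here is the kind of RACF data set profile definition the last paragraph calls for, written as TSO commands with CLIST-style comments. The data set name PROD.CUSTDATA.**, the back-end group BATCHPRD, the user ID WEBSRV that the Internet-facing tier connects as, and the owner SECADM are all assumed names for the example; Top Secret has its own command syntax.

```tso
/* Assumed names: PROD.CUSTDATA.** = customer data, BATCHPRD = back-end  */
/* batch group, WEBSRV = user ID of the Internet-facing tier, SECADM =    */
/* profile owner. Replace with your own before use.                       */

/* 1. Fail closed: with PROTECTALL(FAILURES) a data set with no covering  */
/*    profile is inaccessible, so an access path nobody anticipated       */
/*    cannot fall through to "no profile, no check".                      */
SETROPTS GENERIC(DATASET) PROTECTALL(FAILURES)

/* 2. Cover the customer data with a generic profile whose universal      */
/*    access is NONE, and log every access at READ and above.             */
ADDSD 'PROD.CUSTDATA.**' UACC(NONE) OWNER(SECADM) AUDIT(ALL(READ))

/* 3. Grant only the back-end tier.                                       */
PERMIT 'PROD.CUSTDATA.**' ID(BATCHPRD) ACCESS(UPDATE)

/* 4. Deny the Internet-facing ID explicitly. A user's own entry on the   */
/*    access list is checked before its groups and before UACC, so an     */
/*    explicit NONE here cannot be undone by a later group PERMIT.        */
PERMIT 'PROD.CUSTDATA.**' ID(WEBSRV) ACCESS(NONE)

/* 5. Activate the changed generic profiles and verify the access list.   */
SETROPTS GENERIC(DATASET) REFRESH
LISTDSD DATASET('PROD.CUSTDATA.**') ALL AUTHUSER
```

The verification step matters more than the grants: LISTDSD with AUTHUSER prints the resolved access list, which is where a stray group PERMIT or a UACC above NONE shows up. PROTECTALL(FAILURES) is the default-deny setting; it is what turns "the monitor did not recognise this access path" into a failed access rather than the blanket access described in the anecdote.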

-----Original Message-----
From: Don Kendrick [mailto:don () netspys com] 
Sent: Wednesday, November 13, 2002 8:44 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Mainframes on the Net?


OK...maybe a little off topic but this is the group that would know :)

There is quite a push from our IBM friends to use the S/390 box for a 
web server using Websphere or Apache running under Linux (either as a 
VM or in its own LPAR).

Needless to say, I considered this to be a joke....putting the crown 
jewels on the net? Where's the multi-tiered architecture? Where's the 
"defense in depth?" Sure the S/390 has "never been hacked" (their 
words) but who has ever put it in a position to be hacked?

They tell me that I don't understand LPARs. They're separate machines. 
You can still do your multi-tiered. It's just all on the same box.  My 
fear: they are separate because of software, written by humans. If that 
is breached, it's game, set and match.

If they were separate boxes, they would have to communicate via some 
interface that I can monitor. This isn't true all on one box.

Anyone have any experience with this fight? Am I out of line?

Don

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
