Firewall Wizards mailing list archives
RE: Mainframes on the Net?
From: "Desai, Ashish" <Ashish.Desai () fmr com>
Date: Thu, 14 Nov 2002 13:24:31 -0500
A couple of years ago I attended Computer Associates' annual conference. These guys write one of the pluggable security monitors for the mainframe; the product is called "TopSecret". IBM's version is called "RACF".

I found out that when running "unix" (prior to the days of Linux) on the mainframe, the "unix" instance was allowed to access files that are stored on the MVS side. IBM implemented this using new "syscalls". CA's security monitor did NOT know how to handle these new "syscalls", so it allowed blanket access to the files. I don't know if IBM's security monitor did the right thing. I don't know if CA fixed this problem.

Anyway, the point I am making is that a different OS instance may be given permission to access the filesystem. Make sure that the correct access is defined in the security monitor so that the Internet-facing system does not have access to the core filesystem where the customer data is stored.

Ashish
-----Original Message-----
From: Don Kendrick [mailto:don () netspys com]
Sent: Wednesday, November 13, 2002 8:44 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Mainframes on the Net?

OK... maybe a little off topic, but this is the group that would know :)

There is quite a push from our IBM friends to use the S/390 box for a web server using Websphere or Apache running under Linux (either as a VM or in its own LPAR). Needless to say, I considered this to be a joke... putting the crown jewels on the net? Where's the multi-tiered architecture? Where's the "defense in depth"? Sure, the S/390 has "never been hacked" (their words), but who has ever put it in a position to be hacked?

They tell me that I don't understand LPARs. They're separate machines. You can still do your multi-tiered. It's just all on the same box.

My fear: they are separate because of software, written by humans. If that is breached, it's game, set and match. If they were separate boxes, they would have to communicate via some interface that I can monitor. This isn't true all on one box.

Anyone have any experience with this fight? Am I out of line?

Don
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
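Ashish's closing advice, that the access the Internet-facing system gets to the customer data must be defined explicitly in the security monitor, as an added RACF example for the archive. This is not from the thread and not CA Top Secret syntax (TSS uses different commands); the high-level qualifier PROD.CUST, the owner SECADM, the back-end ID CUSTBAT and the web server ID WEBSRV are assumed names, and the comments are for the reader rather than part of the TSO input.

```tso
/* Added example; PROD.CUST, SECADM, CUSTBAT and WEBSRV are assumed names. */

/* Fail closed: a data set with no covering profile is denied, not allowed. */
/* This is the opposite of the "unknown request gets blanket access" behaviour */
/* described in the post. Generic profiles must be active for the '**' below. */
SETROPTS PROTECTALL(FAILURES) GENERIC(DATASET)

/* One generic profile over the customer data sets, no universal access, */
/* and an audit record for every successful or failed access at READ or above. */
ADDSD 'PROD.CUST.**' UACC(NONE) OWNER(SECADM) AUDIT(ALL(READ))

/* Only the back-end batch/transaction ID may read and update the data. */
PERMIT 'PROD.CUST.**' ID(CUSTBAT) ACCESS(UPDATE)

/* An explicit NONE entry for the web server's ID. Without it, membership in */
/* some group that is later permitted would grant WEBSRV access indirectly. */
PERMIT 'PROD.CUST.**' ID(WEBSRV) ACCESS(NONE)

/* Load the new generic profile into storage, then check the result: the */
/* access list shown should contain CUSTBAT (UPDATE) and WEBSRV (NONE) only. */
SETROPTS GENERIC(DATASET) REFRESH
LISTDSD DATASET('PROD.CUST.**') AUTHUSER
```

The point of PROTECTALL(FAILURES) and the explicit ACCESS(NONE) entry is that both are deny-by-default settings: a request that the monitor does not recognise, or an ID that was never considered when the profile was written, is refused rather than let through. On current z/OS a z/OS UNIX process that opens an MVS data set is authorized through the same data set profile, so the LISTDSD output is the place to confirm that the web tier's ID really has no path to the data; whether that held for the CA monitor in the era the post describes is exactly what Ashish says he does not know.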