Firewall Wizards mailing list archives
RE: Mainframes on the Net?
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 14 Nov 2002 21:02:04 -0500 (EST)
On Thu, 14 Nov 2002, Desai, Ashish wrote:
> IBM implemented this using new "syscalls". CA's security monitor did NOT know how to handle these new "syscalls" so it allowed blanket access to the files. I don't know if IBM's security monitor did the right thing.
It's not clear to me from some quick Web searches whether Unix System Services goes through RACF via some user-ID equivalence mechanism, or whether the main vector is direct with its own ID/ACL scheme. That's why I'd go Linux on VM: in that case you should be able to confirm that the VM can only access the virtual devices you assign to it.
> I don't know if CA fixed this problem.
This is where some time with the Redbooks and then a call with IBM would produce some interesting results. The MVS-runs-*nix stuff is obviously bolted on somewhat strangely, and knowing at what level the subsystem has access to devices would tailor how and where things get arranged. Thanks for posting this; it certainly makes validation much more important than if the native security interfaces were used.
> Anyway, the point I am making is that different OS instances may be given permission to access the filesystem. Make sure that the correct access is defined in the security monitor so that the Internet-facing system does not have access to the core filesystem where the customer data is stored.
Here's the only interesting audit document I could find: http://www.auditnet.org/docs/USS.pdf

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards