Firewall Wizards mailing list archives
RE: Mainframes on the Net?
From: ark () eltex ru
Date: Fri, 15 Nov 2002 14:10:14 +0300
nuqneH,

IIRC there were numerous ways to run Unices on IBM/3x0 and numerous Unices that ran there. Some were IBM-originated and some third-party ones. I've seen some of those long before POSIX stuff appeared in OpenMVS, IIRC it was the late 80's. Don't know if those that existed in the Soviet Union were localized copies of something or written from scratch.

(nostalgic: I wonder how much an old P/390 or Russian ES-12xx costs these days?)

"Desai, Ashish" <Ashish.Desai () fmr com> said :

A couple of years ago I had attended Computer Associates' annual conference. These guys write one of the pluggable security monitors for the mainframe; the product is called "TopSecret", IBM's version is called "RACF".

Found out that running "unix" (prior to the days of Linux) on the mainframe, the "unix" instance was allowed to access files that are stored on the MVS side. IBM implemented this using new "syscalls". CA's security monitor did NOT know how to handle these new "syscalls" so it allowed blanket access to the files. I don't know if IBM's security monitor did the right thing. I don't know if CA fixed this problem.

Anyway, the point I am making is that a different OS instance may be given permission to access the filesystem. Make sure that the correct access is defined in the security monitor so that the Internet-facing system does not have access to the core filesystem where the customer data is stored.

Ashish

-----Original Message-----
From: Don Kendrick [mailto:don () netspys com]
Sent: Wednesday, November 13, 2002 8:44 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Mainframes on the Net?

OK...maybe a little off topic but this is the group that would know :)

There is quite a push from our IBM friends to use the S/390 box for a web server using Websphere or Apache running under Linux (either as a VM or in its own LPAR).

Needless to say, I considered this to be a joke....putting the crown jewels on the net? Where's the multi-tiered architecture? Where's the "defense in depth?" Sure the S/390 has "never been hacked" (their words) but who has ever put it in a position to be hacked?

They tell me that I don't understand LPARs. They're separate machines. You can still do your multi-tiered. It's just all on the same box.

My fear: they are separate because of software, written by humans. If that is breached, it's game, set and match. If they were separate boxes, they would have to communicate via some interface that I can monitor. This isn't true all on one box.

Anyone have any experience with this fight? Am I out of line?

Don

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards