> I'd like some info on mainframe security:
> What vulnerabilities (classes) exist on a classical mainframe?
The biggest one is impersonation. Authentication is often weak, in that it
relies on information passed in plaintext (reusable passwords sent in the
clear). Anyone able to put a sniffer in front of the Front End Processor
can probably grab the password for any account on the system.
I'd have to agree, like most systems the users let you down by choosing weak
passwords, but like any other system you can put a password policy in place
which does not allow you to pick a very weak password.
> What new vulnerabilities do I introduce when running Unix services or
> TCP/IP (IBM OPEN MVS?)?
The same vulnerabilities for UNIX exist under OMVS for the same products.
The one advantage you have is that each process is run under a separate
address space and MVS does not allow communication across the address space
unless you explicitly permit it. But yes if you have a sniffer you can
still get the password, although you could implement passtokens or Kerberos
in which case it won't be a problem.
> Is there any advantage to running a FW on a mainframe?
You get a prize for the world's most expensive firewall. ;-)
You may get second prize :-) I know of a few sites who have spent 1 million+
on redundant firewalls etc when they had an underutilised CMOS mainframe
which could have easily taken the load and it definitely cost less than
1,000,000. The advantage is you can utilise existing equipment. Once again
for anyone to break out of controlled address space they would have to be
pretty damn clever. If you were going to do it you should put it on a
separate LPAR. However, on the other side of the coin, do you really want
to place your mainframe, which no doubt contains reasonably vital information
directly onto the internet? While you may be convinced at some stage, I
doubt management will see it the same way.
Mark
PS only my opinion which does not necessarily reflect the Bank.