Hi Jantje

We're running a zOS DMZ with a WAS for about 3 years now. It is in a dedicated LPAR within one of our CECs. Since the application running in the DMZ is read-only, the setup and the protection of the production environment was quite simple. No worries about saving the data or transporting updates into production.

We dedicated a string of DASD and an OSA-Adapter to the LPAR. All the other LPARs were protected against the DMZ by removing the DMZ-LPAR from the "Device Candidate list" of all other shared resources. There is no TCPIP-connection between the DMZ and the other LPARs. The data that we put into the DMZ is copied through a "transport DASD" from our production into the DMZ (by varying a DMZ-NONSMS-DASD online in our production system). So, the worst thing that can happen is that the DMZ itself gets destroyed and/or hacked. Since this application is not a critical one, we can take that risk.

TSO/ISPF access is through OSA/ICC-connections only. We installed a couple of freeware tools (AUTO, MXI, etc.) on the DMZ to be able to do a minimum of automation and save the log and SMF data of the LPAR (also by using the "transport-DASD"). This nearly physical separation of the DMZ let us sleep quite happily.

*But* the downside of this setup is facing us now: we will have to move away from the "read-only-dogma" into a full function DMZ that allows updates even in the production systems. Currently, we are discussing several scenarios how to get there. They start somewhere with a http-server on Linux between a bunch of firewalls accessing data on a production system and end within a fully fashioned zOS-DMZPLEX with its own DASD, tape robots etc. The key problem we are faced with is the company's security policy that no event from "outside" may generate an immediate action in a production system.
Hth

Cheers
Tom

Thomas Ramseier
Bundesamt für Informatik und Telekommunikation BIT
Betriebszentrum / Bereitstellung / Host
Information Systems Architect
Monbijoustrasse 74
CH-3003 Bern
Tel. +41 (0)31 323 01 00
Fax +41 (0)31 325 90 30
[EMAIL PROTECTED]
www.bit.admin.ch
Der Eisbrecher: the BIT customer magazine
www.bit.admin.ch/eisbrecher

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Jan MOEYERSONS
Sent: Wednesday, 10 August 2005 15:04
To: [email protected]
Subject: Mainframe in the DMZ -- organization of operations

Dear Listers,

We are considering what the security impact of putting a WAS on mainframe in the DMZ would be. I was wondering: did any of you already do that? What impact does this have on the operational organization? Do you have special procedures for application and system maintenance? Do you have a separate CEC or is a separate LPAR safe enough? What about updates to the system configuration? IODF? Sharing OSA adapters? Sharing DASD?

Any suggestions are welcome.

Cheers,

Jantje.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
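Tom's reply describes the DMZ isolation as a set of invariants: the DMZ LPAR is absent from the device candidate list of every resource it does not own, it has no TCP/IP path to any other LPAR, and the only shared device is a "transport DASD" that production varies online just for a copy. The following is an added example, not code from the list, from BIT or from IBM: a small Python audit that checks those three invariants against an inventory. The `Lpar`/`Device` model, the LPAR and device names, and the assumption that the transport DASD must not come online automatically at IPL in a production LPAR are all constructed for illustration; a real check would be fed from the IODF/IOCDS and the TCP/IP profiles rather than from literals.

```python
"""Hypothetical DMZ-LPAR isolation audit (constructed example, not a BIT or IBM tool)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lpar:
    name: str
    zone: str                  # "DMZ" or "PROD"
    tcpip_peers: frozenset     # other LPARs this one has an IP path to


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                  # "DASD" or "OSA"
    candidates: frozenset      # LPARs on the device candidate list
    online_at_ipl: frozenset   # LPARs that bring the device online automatically


def audit(lpars, devices, dmz, transport_dasd):
    """Return a list of findings; an empty list means the isolation holds."""
    zone = {l.name: l.zone for l in lpars}
    findings = []

    # 1. Device sharing: only the transport DASD may list the DMZ together with others.
    for d in devices:
        if dmz not in d.candidates:
            continue
        others = d.candidates - {dmz}
        if d.name == transport_dasd:
            # Assumption: production varies it online on demand, so it must not be
            # online at IPL in any non-DMZ LPAR (otherwise it is a permanent shared path).
            prod_online = {l for l in d.online_at_ipl if zone.get(l) != "DMZ"}
            if prod_online:
                findings.append(
                    f"transport DASD {d.name} comes online at IPL in "
                    f"{sorted(prod_online)}; vary it online only for a copy")
        elif others:
            findings.append(
                f"{d.kind} {d.name} is shared between {dmz} and {sorted(others)}")

    # 2. No TCP/IP path between the DMZ zone and any other zone (each pair reported once).
    cross_zone_pairs = set()
    for l in lpars:
        for peer in l.tcpip_peers:
            if zone.get(peer) != l.zone:
                cross_zone_pairs.add(frozenset({l.name, peer}))
    for pair in sorted(cross_zone_pairs, key=sorted):
        findings.append(f"TCP/IP path crosses the DMZ boundary: {sorted(pair)}")

    return findings


# Constructed inventory matching the described setup: dedicated DASD string and OSA
# for the DMZ, one transport DASD that is online at IPL only in the DMZ.
LPARS_GOOD = (
    Lpar("PROD1", "PROD", frozenset({"PROD2"})),
    Lpar("PROD2", "PROD", frozenset({"PROD1"})),
    Lpar("DMZ1", "DMZ", frozenset()),
)
DEVICES_GOOD = (
    Device("DASD-PROD", "DASD", frozenset({"PROD1", "PROD2"}), frozenset({"PROD1", "PROD2"})),
    Device("DASD-DMZ", "DASD", frozenset({"DMZ1"}), frozenset({"DMZ1"})),
    Device("OSA-DMZ", "OSA", frozenset({"DMZ1"}), frozenset({"DMZ1"})),
    Device("DASD-XFER", "DASD", frozenset({"DMZ1", "PROD1"}), frozenset({"DMZ1"})),
)

# Constructed drift: a shared OSA, the transport DASD online at IPL in PROD1,
# and an IP route from the DMZ into production.
LPARS_BAD = (
    Lpar("PROD1", "PROD", frozenset({"PROD2"})),
    Lpar("PROD2", "PROD", frozenset({"PROD1"})),
    Lpar("DMZ1", "DMZ", frozenset({"PROD1"})),
)
DEVICES_BAD = DEVICES_GOOD[:3] + (
    Device("DASD-XFER", "DASD", frozenset({"DMZ1", "PROD1"}), frozenset({"DMZ1", "PROD1"})),
    Device("OSA-SHARED", "OSA", frozenset({"PROD1", "DMZ1"}), frozenset({"PROD1", "DMZ1"})),
)


if __name__ == "__main__":
    for label, lp, dv in (("good", LPARS_GOOD, DEVICES_GOOD), ("bad", LPARS_BAD, DEVICES_BAD)):
        result = audit(lp, dv, "DMZ1", "DASD-XFER")
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The audit is deliberately zone-based rather than name-based, so adding a second DMZ LPAR (for the DMZPLEX scenario Tom mentions) only requires tagging it `"DMZ"`; devices and IP paths shared among DMZ members are then permitted while anything reaching a `"PROD"` LPAR is still reported.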

