From personal experience here: Our z/OS network person campaigned for "no outbound connections" (other than whitelisted) because he knows that the majority of the corporate information resides on the z/OS system. So he felt this was a good security thing. But then we allow anybody to do an ftp client connection from their desktop to z/OS and that kills the reason. My orientation is like the RACF group says: Secure the data using RACF rules. Don't depend on a secure channel to protect the data (except in flight - but we don't encrypt on the internal LAN).

John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)

> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Gibney, Dave
> Sent: Tuesday, April 12, 2011 5:38 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Fear the Internet, was Cool Things You Can Do in z/OS
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> > Behalf Of Dick Bond
> > Sent: Tuesday, April 12, 2011 3:19 PM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: Re: Cool Things You Can Do in z/OS
> >
> > That's a couple of big "ifs" - that's why we can't use it. Our
> > workstation IP addresses, even if fixed (like mine - most are not),
> > cannot be accessed from z/OS. I would think most real-world shops are
> > that way - if not, well, they may need to hire some networking
> > personnel to setup proper security.
> >
>
> I am curious, why do some of the powers that be fear connecting their
> mainframe to the network. With proper vpn, there should be no reason to
> block z/OS from reaching out to users work stations. I wouldn't even
> insist on vpn if WSA would do SSL or SSH tunneling. And presumably much
> of this traffic would be on an intranet, not the wild and wooly
> Internet.
> There is no fear of virii, well maybe an application in java, but
> certainly not the system. Properly secured, a user can get anywhere they
> don't belong no matter what port or door they come in on.
>
> I'd truly hate the (IMO unneeded) extra steps to do Shopzseries or CA
> MSM without direct connection to IBM and CA's sites.
>
> Is there a real reason, not PHB paranoia that I'm missing?
>
> Dave Gibney
> Information Technology Services
> Washington State University
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html