Some might argue that a LAN cannot be considered 'secure' if there is a Windows box anywhere in the path :-)
As near as I can tell, PCI does not currently require encryption on internal LANs. However, I've read about internal networks being penetrated and compromised, so I wonder if the encryption requirement is not far off. I do seem to recall such a rule that was proposed then quickly withdrawn a year or two ago. Point is that it might be prudent to anticipate the requirement sooner than later.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of McKown, John
Sent: Wednesday, April 13, 2011 7:40 AM
To: [email protected]
Subject: Re: Fear the Internet, was Cool Things You Can Do in z/OS

>From personal experience here: Our z/OS network person campaigned for "no
>outbound connections" (other than whitelisted) because he knows that the
>majority of the corporate information resides on the z/OS system. So he felt
>this was a good security thing. But then we allow anybody to do an ftp client
>connection from their desktop to z/OS and that kills the reason. My
>orientation is like the RACF group says: Secure the data using RACF rules.
>Don't depend on a secure channel to protect the data (except in flight - but
>we don't encrypt on the internal LAN).

John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * [email protected] * www.HealthMarkets.com

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Gibney, Dave
> Sent: Tuesday, April 12, 2011 5:38 PM
> To: [email protected]
> Subject: Fear the Internet, was Cool Things You Can Do in z/OS
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Dick Bond
> > Sent: Tuesday, April 12, 2011 3:19 PM
> > To: [email protected]
> > Subject: Re: Cool Things You Can Do in z/OS
> >
> > That's a couple of big "ifs" - that's why we can't use it. Our workstation IP
> > addresses, even if fixed (like mine - most are not), cannot be accessed from
> > z/OS. I would think most real-world shops are that way - if not, well, they
> > may need to hire some networking personnel to setup proper security.
> >
>
> I am curious, why do some of the powers that be fear connecting
> their mainframe to the network. With proper vpn, there should be no
> reason to block z/OS from reaching out to users' work stations. I
> wouldn't even insist on vpn if WSA would do SSL or SSH tunneling. And
> presumably much of this traffic would be on an intranet, not the wild
> and wooly Internet.
> There is no fear of virii, well maybe an application in java, but
> certainly not the system. Properly secured, a user can get anywhere
> they don't belong no matter what port or door they come in on.
>
> I'd truly hate the (IMO unneeded) extra steps to do Shopzseries or
> CA MSM without direct connection to IBM and CA's sites.
>
> Is there a real reason, not PHB paranoia that I'm missing?
>
> Dave Gibney
> Information Technology Services
> Washington State University
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

