>Interesting article on the SearchDataCenter site today...
>
>http://tinyurl.com/juuee
>
>Could SNA be cracked? (Note the proper word use here. Hackers do not do
>bad. Crackers do bad.)
>
>Later,
>Ray
>

I consider SNA to be very insecure unless one takes steps to protect things. Using Telnet, SSL is a must for all 3270 sessions. This would help. There are other steps which people generally do not do. There is a free VTAM SME (Sys Mgmt Exit) from North-Ridge software which shows you all the traffic coming in and out of your network which you will not have any clue of where it is originating. The idea that one has an IBM 3745 with a NULL network isolates one away from other networks is not true. The output of this, implement on the fly exit, was an eye-opener. At that time being connected to AT&T's network to get to IBM, and also Social Security, Blue Crosses, etc, opened us up to exposures.

I looked around for a solution to this and finally installed a SNA-Firewall which gets control for all traffic coming into the network and has the ability to capture the BIND request. Anything short of seeing everything in the BIND is not good enough. By looking at the BIND request, one can also see bad performance settings for those who are authorized to get into the network. It is amazing how many of the old defaults are used, work, and are causing performance issues.
Think about it, z/OS or even the old “free” MVS has VTAM and can be run on a Laptop. I know of 10+ different ways to get into a SNA network and most are because of not doing things in SNA to secure things. I know of LU6.2 sessions coming from UNIX, Windows, etc. which can connect to you to exploit weaknesses. Microsoft SNA Server is available and able to be used by anyone who might want to try to get into a SNA network. Then there is the “man-in-the-middle” scenario for another. There is one way, just discovered, which despite all vanilla things which come in VTAM will not stop them; I just installed an Integrity patch onto the SNA Firewall to prevent it (IBM has been notified of the situation). The patch from the vendor says that through VTAM one can compromise VTAM traffic and also TCP/IP traffic in your mainframe. As with RACF integrity patches, the exposure is not explained. It appears the CISCO assistance is going to help in their small area but does not solve the problem overall.

What is really scary is now companies are using EE (Enterprise Extender), which was intended to be used inside of corporate SNA “Intranet”, to connect to a form of an SNA Internet connection. This from a VTAM perspective makes one company’s SNA network join another company’s SNA network and opens them both up for requests to flow through both trying to find things. Few people admit or recognize the exposures which exist using a SNA network. Most of the SNA expertise is long gone and the networks are just kept up with little understanding of what could be done to secure things.

Jim

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

