I trimmed your excellent response and failed to note where. Sorry.

IMHO, security issues are most commonly audit driven. Audit-driven solutions are easily identified by a glaring lack of technical knowledge.

That said, IMHO, the sacrificial server has some pros. It could be a useful shield in a password DoS attack. Its mission is to contain the damage by going out of service. It can also add value as an outer shield to a DDoS attack. The MF can handle the load much more so than the network infrastructure. Having an outer server fail would sacrifice that connectivity to protect the overall network. Seems reasonable.

Keep in mind that a fusible link in a circuit is designed to fail. And unintended failures are both expected and acceptable. Something PCs do well :-)

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Timothy Sipples
Sent: Tuesday, January 30, 2007 2:55 AM
To: [email protected]
Subject: Re: TN3270 server offload options

I agree with all the endorsements of just letting the mainframe itself (VIPA, OSA, CS z/OS) handle TN3270(E). I can't think of too many (any?)(*) reasons for offloading that function these days.

(*) About the only reason I can think of is if you're extending TN3270 to the public Internet (or other "untrusted" network) and want a gateway that's *physically* separate. Security policies are funny things. Very often they have little or nothing to do with technical realities. But somebody might have a policy that says "must be physically separate box" just...because. :-) (There's actually a pretty strong argument that adding boxes can undermine security. More potential attack vectors, basically.)

Knowing just a little about WPS, this is my hunch about the genesis of your question. If my hunch is right, I wonder whether you could use two z/OS mainframes "cross connected" to satisfy the letter of the policy. Yes, perhaps silly, but so it goes. :-)

There are also firewall-type functions in z/OS (e.g. IPSec), or available for Linux on z, if that's the issue.
- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]

