Many people have remarked that they take electronic delivery for important tax reasons. I'm wondering about the rest of you.
With respect to firewalls, it seems very odd to me that your employers would be buying expensive firewalls and then using them to replace (much cheaper) air gaps. The single firewall (or proxy) rule we're talking about here to facilitate direct electronic delivery consists of these parameters (in outline):

1. Outbound (mainframe-initiated only);
2. From one non-production LPAR (or z/VM z/OS guest);
3. From one IP address;
4. If desired, over one dedicated, physical connection (OSA port, cable, switch port);
5. Outbound to one IP address using a single, well-known port (443);
6. Using a TLS-encrypted connection;
7. Negotiated with an unexpired IBM server certificate signed by a well-known certificate authority;
8. With logging and (if desired) alerting when/if these outbound connections occur;
9. With outbound connections allowed to be initiated only within particular, very narrow time windows as equivalently set in mainframe scheduling (if desired);
10. With a total outbound data size transmission limit within that time window (if desired).

This is what firewalls (and proxies) are designed for. That's *all* they're designed for: to provide fine-grained connection rules and block other connections. If nobody is willing to add such a highly locked down, restricted firewall rule, even upon careful security audit and review, then why have a firewall? Why not just yank the cables and air gap? Why trust the firewall to block if you don't trust the firewall to block?

....And if you can't trust *this* path, can you trust a side trip through a (potentially malware-infested) PC? Or a tape that isn't always in your (or the vendor's) physical custody en route to you? (It's at least more realistic to package DVDs in tamper-proof ways.)

....Or are these questions too naive, and this is just a reflection of simple, no-particular-reason inertia (again)? (Somebody has to ask the naive questions once in a while.)
--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
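The ten rule parameters in the post above describe an egress policy, and the easiest way to see how narrow it is (and what the logging in parameter 8 would record) is to evaluate some connection attempts against it. The following Python is an added illustration, not code from the post, from IBM-MAIN, or from IBM; the LPAR address, the delivery endpoint address, the two o'clock maintenance window, the byte budget and every connection record are constructed placeholders. Real enforcement lives in the firewall or proxy; this model only shows the decision logic a reviewer would audit.

```python
"""Egress policy model for the single mainframe-to-vendor delivery rule.

Added example. Every address, time window, byte budget and connection
record below is constructed for illustration and is not taken from the post.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional


@dataclass(frozen=True)
class EgressRule:
    """The one permitted outbound flow, per the post's parameters 1-10."""
    src_ip: str                          # parameter 3: the single LPAR address
    dst_ip: str                          # parameter 5: the single vendor endpoint
    dst_port: int = 443                  # parameter 5: well-known TLS port
    window_start: time = time(2, 0)      # parameter 9: narrow scheduled window (UTC)
    window_end: time = time(3, 0)        #   (assumed not to cross midnight)
    byte_budget: int = 50 * 1024 * 1024  # parameter 10: cap per window


@dataclass(frozen=True)
class Connection:
    """One observed connection attempt (constructed record)."""
    direction: str                       # "out" (mainframe-initiated) or "in"
    src_ip: str
    dst_ip: str
    dst_port: int
    started: datetime                    # timezone-aware UTC
    bytes_out: int
    tls: bool                            # parameter 6
    cert_not_after: Optional[datetime]   # parameter 7: server cert expiry
    cert_issuer_trusted: bool            # parameter 7: well-known CA


def check(rule: EgressRule, conn: Connection, used_in_window: int) -> list[str]:
    """Return the parameters the attempt violates; an empty list means allow."""
    v = []
    if conn.direction != "out":
        v.append("not mainframe-initiated")
    if conn.src_ip != rule.src_ip:
        v.append(f"source {conn.src_ip} is not the permitted LPAR address")
    if (conn.dst_ip, conn.dst_port) != (rule.dst_ip, rule.dst_port):
        v.append(f"destination {conn.dst_ip}:{conn.dst_port} is not the permitted endpoint")
    if not (rule.window_start <= conn.started.time() < rule.window_end):
        v.append("outside the scheduled window")
    if not conn.tls:
        v.append("not TLS")
    else:
        if conn.cert_not_after is None or conn.cert_not_after <= conn.started:
            v.append("server certificate expired or absent")
        if not conn.cert_issuer_trusted:
            v.append("server certificate not from a well-known CA")
    if used_in_window + conn.bytes_out > rule.byte_budget:
        v.append("exceeds the per-window byte budget")
    return v


def apply_policy(rule: EgressRule, conns: list[Connection]) -> list[dict]:
    """Evaluate attempts in time order, charging only allowed traffic to the budget.

    Every attempt produces a log entry (parameter 8), allowed or not.
    """
    used: dict = {}  # window key (date) -> bytes already allowed
    results = []
    for c in sorted(conns, key=lambda c: c.started):
        key = c.started.date()
        reasons = check(rule, c, used.get(key, 0))
        verdict = "ALLOW" if not reasons else "DENY"
        if verdict == "ALLOW":
            used[key] = used.get(key, 0) + c.bytes_out
        results.append({
            "verdict": verdict,
            "reasons": reasons,
            "log": f"{c.started.isoformat()} {verdict} {c.direction} "
                   f"{c.src_ip}->{c.dst_ip}:{c.dst_port} bytes={c.bytes_out} "
                   + ("; ".join(reasons) if reasons else "permitted delivery flow"),
        })
    return results


# Constructed rule and sample attempts (addresses are documentation ranges).
RULE = EgressRule(src_ip="10.0.0.5", dst_ip="203.0.113.10")
_UTC = timezone.utc
_OK_CERT = datetime(2025, 1, 1, tzinfo=_UTC)
SAMPLE = [
    Connection("out", "10.0.0.5", "203.0.113.10", 443, datetime(2024, 5, 1, 2, 15, tzinfo=_UTC), 10 * 1024 * 1024, True, _OK_CERT, True),
    Connection("in", "203.0.113.10", "10.0.0.5", 443, datetime(2024, 5, 1, 2, 20, tzinfo=_UTC), 0, True, _OK_CERT, True),
    Connection("out", "10.0.0.5", "203.0.113.10", 80, datetime(2024, 5, 1, 2, 25, tzinfo=_UTC), 1024, False, None, False),
    Connection("out", "10.0.0.5", "203.0.113.10", 443, datetime(2024, 5, 1, 2, 40, tzinfo=_UTC), 45 * 1024 * 1024, True, _OK_CERT, True),
    Connection("out", "10.0.0.5", "203.0.113.10", 443, datetime(2024, 5, 1, 2, 50, tzinfo=_UTC), 1024, True, datetime(2024, 1, 1, tzinfo=_UTC), True),
    Connection("out", "10.0.0.5", "203.0.113.10", 443, datetime(2024, 5, 1, 14, 0, tzinfo=_UTC), 1024, True, _OK_CERT, True),
]

if __name__ == "__main__":
    for r in apply_policy(RULE, SAMPLE):
        print(r["log"])
```

Only the first attempt passes; the 45 MiB transfer is refused because the 10 MiB already delivered in that window leaves too little budget, and the denied attempts are logged with every parameter they broke rather than just the first, which is what an auditor of the rule would want to see.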
