Alan Altmark wrote:
On Friday, 04/17/2009 at 08:54 EDT, Harold Grovesteen <[email protected]> wrote:
Harder, Pieter wrote:
That would be my desire as well, but IBM says it is what it is for
security reasons.
I agree with them. Paranoia maybe, but better safe than sorry.
More likely EALS certification related.
No, it has nothing to do with certification. In the evaluated
configuration, RACF is present and is protecting all Guest LANs and
VSWITCHes. When an ESM is active, even unrestricted Guest LANs are under
ESM control. If you want everyone to freely access a virtual network, you
must explicitly say so. [Note: The z/VM EAL 4+ Common Criteria
certification only applies to the evaluated configuration. No claims are
made for other configurations.]
Does that configuration assume an ESM? I'm new to security being thrown
into it by PCI at my organization.
My background in both security and networking has shaped my support for
explicit authorization. In my world view:
- [SET] VMLAN TRANSIENT 0 would be the default, preventing class G users
from using DEFINE LAN. If you want class G users to define LANs, then I
recommend explicitly saying so in SYSTEM CONFIG (VMLAN statement) - just
in case the default for transient Guest LANs changes from "unlimited" to
zero.
- A DEFINE LAN would actually result in a disconnected VSWITCH under the
covers so that VLAN rules are enforced.
If you do not use an ESM, then I recommend VMLAN TRANSIENT 0. If you do
have an ESM, then I recommend a rule (e.g. RACF generic profile "**") that
defines the default access as "denied."
Alan Altmark
z/VM Development
IBM Endicott
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390