On Thu, Jan 22, 2015 at 1:08 AM, Cameron Seay <[email protected]> wrote:
> I am teaching several mainframe classes this term and a question came up:
> does FICON proper provide firewall services or is that handled by RACF and
> the external firewall of the network where the mainframe lives?

FICON is a type of peripheral interconnection, like SATA, SCSI, or the like. At least the FICON that I am aware of on a z machine. It has nothing to do with security, users, firewalls, etc.

RACF is an ESM (External Security Manager) for z/OS, z/VM, z/VSE. I don't think that there is a version for Linux on z (the topic assumed on this forum, tho other things come here sometimes). On z/OS (don't know z/VM), RACF does _not_ perform firewall type services. It only controls logons (userid + password) and access to resources, such as files (and, on z/OS, other "resources"). You can think of RACF as being __conceptually__ similar to a combination of PAM and SELinux on Linux. On z/OS, IP firewall services are a part of the TCPIP stack, which is separate from the RACF security system.

The basic firewall ability for Linux on z, like all other Linux variants, is the iptables facility. I imagine that most shops also use an external firewall router "in front of" the LAN on which the z/Linux system resides. I cannot imagine doing it otherwise. But maybe that's just a failure of my "imaging software".

I will likely come across as a bit harsh, but it is not my intention to be hurtful in this. But given your questions, I am not sure that you should be teaching a course which talks about "mainframes", if by "mainframe" you mean the IBM z machines. I don't know the scope of your class, but the following publications from IBM might be helpful.

http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg248050.html?Open
IBM zEnterprise System Technical Introduction

http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg248137.html?Open
Setting up Linux on System z for production

A good starting place for information is http://www-03.ibm.com/systems/z/hardware/index.html . But, to be very honest, the amount of information available can be overwhelming. Perhaps people here, or on IBM-MAIN (if you can stand the "noise" from a bunch of us old, surly curmudgeons) could be of some help.

What do you want to get across in your class on mainframes? Do you want to compare the z hardware versus, say, Intel's x86? Or do you want to compare the software, such as z/OS versus Linux or VMware versus z/VM (or the "built in" z machine's hypervisor, called PR/SM)? For an example, the Intel x86 hardware can run OSes such as Windows, Linux, Mac OS/X, and *BSDs. The z hardware generally runs one or more of Linux, z/VM (a hypervisor - think VMware), z/OS, z/VSE, or z/TPF.

--
While a transcendent vocabulary is laudable, one must be eternally careful so that the calculated objective of communication does not become ensconced in obscurity. In other words, eschew obfuscation.

111,111,111 x 111,111,111 = 12,345,678,987,654,321

Maranatha! <><
John McKown
