Re: VTAM security issue

2009-08-12 Thread Chris Mason
Jim I will spare all who have been reading all the history of this on IBMMAIN about my strong recommendation for those running SNA networks to strongly consider the need for a SNA Firewall. Which means you haven't spared us at all! I recognise a trick to which I succumb myself when the

Re: VTAM security issue

2009-08-12 Thread Chris Mason
] On Behalf Of Chris Mason Sent: Tuesday, August 11, 2009 11:12 AM To: IBM-MAIN@bama.ua.edu Subject: Re: VTAM security issue Hal As a matter of courtesy I very rarely discuss off list conversations. Does this mean Jim Marshall passed on the information you requested in private? Since you were asking

Re: VTAM security issue

2009-08-11 Thread Maarten Slegtenhorst
Gibney, Dave Sent: Sunday, 9 August 2009 23:46 To: IBM-MAIN@BAMA.UA.EDU Subject: Re: VTAM security issue Isn't the A Architecture? And the S Synchronous :) Now I'm confused. What does the initialism SNA stand

Re: VTAM security issue

2009-08-11 Thread Hal Merritt
of both sides. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Chris Mason Sent: Sunday, August 09, 2009 10:08 AM To: IBM-MAIN@bama.ua.edu Subject: Re: VTAM security issue JM Right now I understand there are 20+ ways which VTAM/SNA

Re: VTAM security issue

2009-08-11 Thread Chris Mason
for resources, but neither does IP. The Domain Name space used by IP hosts is not provided by, or dependent on IP. re: http://www.garlic.com/~lynn/2009l.html#3 VTAM security issue it was the communication division ... not the networking division. vtam/ncp (pu5/pu4) formed part of a communication

Re: VTAM security issue

2009-08-11 Thread Chris Mason
: VTAM security issue JM Right now I understand there are 20+ ways which VTAM/SNA systems have been compromised. HM Please give us some details on the compromised VTAM/SNA systems. Hal Merritt - and perhaps many others including myself - are still waiting for Jim Marshall's reply. ..snip

SNA addressing (was Re: VTAM security issue)

2009-08-11 Thread Chris Mason
I'm not addressing this specifically to Pat since he knows it all perfectly. SNA addressing relies on two components - and it uses names not numbers. Within an enterprise, a naming authority is assigned which allocates - these days - just 8-character LU names.[1] The enterprise in turn is

Re: VTAM security issue

2009-08-11 Thread Hal Merritt
well out of my league here. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Chris Mason Sent: Tuesday, August 11, 2009 11:12 AM To: IBM-MAIN@bama.ua.edu Subject: Re: VTAM security issue Hal As a matter of courtesy I very rarely

Re: VTAM security issue

2009-08-10 Thread Anne Lynn Wheeler
for resources, but neither does IP. The Domain Name space used by IP hosts is not provided by, or dependent on IP. re: http://www.garlic.com/~lynn/2009l.html#3 VTAM security issue it was the communication division ... not the networking division. vtam/ncp (pu5/pu4) formed part of a communication

Re: VTAM security issue

2009-08-10 Thread Jim Marshall
I believe Jim Marshall is just trying to dismiss a fact inconvenient for the product he is promoting? FUD! See previous comments from the Chris Mason I will spare all who have been reading all the history of this on IBMMAIN about my strong recommendation for those running SNA networks to

Re: VTAM security issue

2009-08-10 Thread Anne Lynn Wheeler
re: http://www.garlic.com/~lynn/2009l.html#3 VTAM security issue http://www.garlic.com/~lynn/2009l.html#7 VTAM security issue the communication division did provide the basis for rapid uptake of personal computers via terminal (communication) emulation. A customer could get an ibm/pc

SNA: conflicting opinions (was Re: VTAM Security issue)

2009-08-10 Thread Chris Mason
Lynn (I guess[1]) I see this is no longer discussing VTAM security but is hinged to one of my lead-in comments regarding a universal network. There are some policemen in this list who require subject drift properly to be documented - or they will complain - even if the complaint is unjustified

Re: VTAM security issue

2009-08-09 Thread Chris Mason
on the compromised VTAM/SNA systems. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Jim Marshall Sent: Wednesday, January 21, 2009 2:25 PM To: IBM-MAIN@bama.ua.edu Subject: Re: VTAM security issue On Mon, 19 Jan 2009 07:41:17 -0600, Chris Mason

Re: VTAM security issue

2009-08-09 Thread Anne Lynn Wheeler
chrisma...@belgacom.net (Chris Mason) writes: There is no universal SNA network - as some in IBM imagined could be created in the early '80s - and so the access to these supposedly vulnerable VTAM systems is going to be via the universal IP network.[1] Thus one of the protocols whereby the IP

Re: VTAM security issue

2009-08-09 Thread Paul Gilmartin
On Sun, 9 Aug 2009 11:57:15 -0400, Anne Lynn Wheeler wrote: possibly SNA organization viewed it as competition (even tho SNA had nothing to do with networking). Now I'm confused. What does the initialism SNA stand for? Or, while this list is focused on initialism pedantry, is it possible that

Re: VTAM security issue

2009-08-09 Thread Patrick O'Keefe
On Sun, 9 Aug 2009 16:03:33 -0500, Paul Gilmartin paulgboul...@aim.com wrote: On Sun, 9 Aug 2009 11:57:15 -0400, Anne Lynn Wheeler wrote: possibly SNA organization viewed it as competition (even tho SNA had nothing to do with networking). Now I'm confused. What does the initialism SNA stand

Re: VTAM security issue

2009-08-09 Thread Gibney, Dave
Isn't the A Architecture? And the S Synchronous :) -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Patrick O'Keefe Sent: Sunday, August 09, 2009 2:43 PM To: IBM-MAIN@bama.ua.edu Subject: Re: VTAM security issue On Sun, 9 Aug

Re: VTAM security issue

2009-08-09 Thread Edward Jaffe
Paul Gilmartin wrote: Now I'm confused. What does the initialism SNA stand for? It's the Airport code for John Wayne Airport in Orange County. -- Edward E Jaffe Phoenix Software International, Inc 5200 W Century Blvd, Suite 800 Los Angeles, CA 90045 310-338-0400 x318

Re: VTAM security issue

2009-01-21 Thread Jim Marshall
On Mon, 19 Jan 2009 07:41:17 -0600, Chris Mason chrisma...@belgacom.net wrote: Jim FUD! There's quite a lot needs straightening out here! - etc, etc, etc. I appreciate the response from my learned colleague and he is correct about SNA Security being available. For one it is hardly

Re: VTAM security issue

2009-01-21 Thread Hal Merritt
Please give us some details on the compromised VTAM/SNA systems. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Jim Marshall Sent: Wednesday, January 21, 2009 2:25 PM To: IBM-MAIN@bama.ua.edu Subject: Re: VTAM security issue On Mon

Re: VTAM security issue

2009-01-19 Thread Chris Mason
Jim FUD! There's quite a lot that needs straightening out here! 1. It is very much in general inappropriate to associate security only with VTAM. It is very likely to be more appropriate to use the term SNA security. 2. If we are talking about long ago, with respect to security at the

Re: VTAM security issue

2009-01-17 Thread Jim Marshall
CICS of organization A is connected (LU6.2 Connection) to CICS of organization B. No problem with that. I looked into the CDRM and found some other application of organization B defined in VTAMLST of organization A. Tried LOGON APPLID(xxx) and got the GMTRAN of org. B (if it is the default, I can

Re: VTAM security issue

2009-01-14 Thread Chris Mason
Itschak Let's see if I have got your problem straight. You have two VTAM nodes, VTAMA and VTAMB. There is a CICS application running in each node, CICSA and CICSB. You want to allow CICSA to have sessions with CICSB and you want to prevent all other possible sessions between VTAMA and VTAMB, say

Re: VTAM security issue

2009-01-14 Thread Chris Mason
Tony I also want to block the ability to enter the logon applid command (maybe by userid, even if the solution will require entering userid and password). How to achieve that? I doubt you can do that with USS, but I may be wrong. Interesting! This would appear to depend on how the LU was defined

Re: VTAM security issue

2009-01-14 Thread Walt Farrell
In response to a Wed, 14 Jan 2009 08:00:36 +0200 message from Itschak Mugzach imugz...@gmail.com: You seem to be mixing terminology, and possibly causing confusion, Itschak. (Though I think Chris understands what you've said and has provided some good pointers.) You start out by saying Now,

Re: VTAM security issue

2009-01-14 Thread Itschak Mugzach
Walt, I might have used wrong wording, but when I said LOGON to CICS (or any other VTAM application on the partner site), I meant it. The only limit I have when pentesting is the partner company to agree for the signon. I have seen few sites using no GMTRAN at all, so you sign on to CICS with no password and

Re: VTAM security issue

2009-01-14 Thread Chase, John
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Itschak Mugzach Walt, I might have used wrong wording, but when I said LOGON to CICS (or any other VTAM application on the partner site), I meant it. The only limit I have when pentesting is the partner company to agree for

Re: VTAM security issue

2009-01-14 Thread Rick Fochtman
Please have a look at this scenario: CICS of organization A is connected (LU6.2 Connection) to CICS of organization B. No problem with that. I looked into the CDRM and found some other application of organization B defined in VTAMLST of organization A. Tried LOGON APPLID(xxx) and got the GMTRAN

Re: VTAM security issue

2009-01-14 Thread Chris Mason
Itschak I see you are there and able to respond. Since we haven't heard a "Thanks Chris, that exactly meets my requirements", I must assume that my purely VTAM solution using CDRM statement operands and CDRSC statements where necessary didn't somehow answer your needs. I'd rather like to know why
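
The predefinition approach Chris refers to above, written out as an added illustration for this thread index; it is not part of the original thread and not Chris Mason's own definitions. It assumes subarea networking with VTAMA as the host CDRM of organization A and VTAMB as the external CDRM of organization B, uses the node and application names from Chris's restatement of the problem (VTAMA, VTAMB, CICSA, CICSB), and invents the subarea and element numbers and the major node labels. The idea is to turn off dynamic cross-domain resource definition so that VTAMA will only resolve names in VTAMB's domain that organization A has chosen to predefine:

```text
*  VTAMLST of organization A (illustration only, names and numbers assumed)
*  CDRM major node: no dynamic CDRSC definition on the host side, and
*  CDRSC definitions required for anything owned by VTAMB
VTAMACDM VBUILD TYPE=CDRM
VTAMA    CDRM  SUBAREA=1,ELEMENT=1,CDRDYN=NO,ISTATUS=ACTIVE
VTAMB    CDRM  SUBAREA=2,ELEMENT=1,CDRSC=REQ,ISTATUS=ACTIVE
*
*  CDRSC major node: CICSB is the only VTAMB-owned name VTAMA knows about,
*  so LOGON APPLID(xxx) for any other application in B fails at VTAMA
*  because the name cannot be resolved
CICSBCDR VBUILD TYPE=CDRSC
CICSB    CDRSC CDRM=VTAMB,ISTATUS=ACTIVE
```

After activating both major nodes, D NET,ID=CICSB,E should show the predefined CDRSC, while D NET,ID= for any other application name in organization B should report it as unknown to VTAMA. Two caveats a reviewer would want noted: this is a name-level control on organization A's side only, so organization B has to do the same in its own VTAMLST for the restriction to be symmetric, and a terminal in A can still request a session with CICSB itself, since that name is predefined; keeping an end user out of CICSB is then a matter of CICS's own sign-on controls, not of VTAM.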

Re: VTAM security issue

2009-01-14 Thread Itschak Mugzach
John, Do you want me to surprise you? As your new president said: yes, we can. Sec=YES has nothing to do with the signon procedure of CICS and how users get identified. As you know, each terminal runs the dfltuser (from SIT) if no user signed on. It is well documented in the manuals. This is

Re: VTAM security issue

2009-01-14 Thread Itschak Mugzach
Hi Chris, Your answers are just exactly what I was looking for. I RTFMed a little as well and have my ideas. For example, I looked into the USS TAB code and found that I can force some input rules, like blocking LOG APPLID. I didn't respond as I am still learning your answer. BTW, I want to

Re: VTAM security issue

2009-01-14 Thread Chase, John
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Itschak Mugzach John, Do you want me to surprise you? You're welcome to try, but be prepared for disappointment. As your new president said: yes, we can. Sec=YES has nothing to do with the signon procedure of

Re: VTAM security issue

2009-01-14 Thread Chris Mason
Itschak I looked into the USS TAB code and found that I can force some input rules, like blocking LOG APPLID. Actually you can't! Recall I said it was a bit like ISTINCLM and the MODETAB operand. You always have the mode table entries in ISTINCLM even if you code a MODETAB operand.

VTAM security issue

2009-01-13 Thread Itschak Mugzach
Please have a look at this scenario: CICS of organization A is connected (LU6.2 Connection) to CICS of organization B. No problem with that. I looked into the CDRM and found some other application of organization B defined in VTAMLST of organization A. Tried LOGON APPLID(xxx) and got the GMTRAN of

Re: VTAM security issue

2009-01-13 Thread Chris Mason
Itschak I'm afraid you'll need to clarify rather a lot here! A CICS application in session with another CICS application is one thing. A session initiated by means of Unformatted System Services (USS) is quite another. Your CICS-CICS session is LU type 6.2. Any session initiated with the aid

Re: VTAM security issue

2009-01-13 Thread Tony Harminc
2009/1/13 Itschak Mugzach imugz...@gmail.com Please have a look at this scenario: CICS of organization A is connected (LU6.2 Connection) to CICS of organization B. No problem with that. I looked into the CDRM and found some other application of organization B defined in VTAMLST of

Re: VTAM security issue

2009-01-13 Thread Itschak Mugzach
Chris, I know all this, but I think that at the end of your answer you started to understand. Org. A and org. B are partners that securely share CICS resources via a CICS connection. When defining the connection, you can limit who can use which trx (by identifying the user or by assigning a user