
RE: [FW1] OT-Host access



Ihsan--
 
1.  There is a Unix-based secure telnet project.  Personally, I use ssh, as does most of the rest of the world, which is not to say stelnet (??) is bad.  If you can build ssh2 for your environment, I would recommend it on a dedicated DMZ host with plug-gw running.
 
2.  If you decide (via corporate or organizational security policy) to offer in-bound SSL access to hosts, once again, place them in your DMZ and restrict access (front and back sides) through your firewall designs.
 
3.  I know nothing about physically adding an interface to a mainframe...I consider it pretty cool that I at least got to see and use the IBM 390 machines at my former University :)
 
4.  Translating publicly-accessible addresses into internal addresses will be done via NAT, and split DNS will take care of name resolution.
 
5.  Affecting performance is a broad description.  If you stick a Nokia IP650 with FW-1 in place of a Cisco 2500 with ACLs you will see a performance increase.  A SPARCStation 20 with FW-1 in place of a Cisco 7204 VXR with ACLs will see a reduction in performance.  More information about your topology would yield a more descriptive answer.
 
6.  A TCP stack is essential to modern network communication.  Aside from the recent issues with TCP sequence number prediction as an exploit, there isn't much to concern yourself with...the IP protocol suite was not designed with security in mind; it was merely functional and fairly efficient.  If you're in a RACF environment (excellent host-based authentication and authorization but no encryption capabilities) you're just as well off as an external Unix host with wide-open telnet if someone is able to sniff your line.
 
Chris
-----Original Message-----
From: Ihsan Cakmakli [mailto:[email protected]]
Sent: Tuesday, May 01, 2001 3:48 PM
To: [email protected]
Subject: [FW1] OT-Host access

Hi,
 
I am looking for ways of giving secure access to the host environment from the Internet. My question:
 
There are some products on the market which give secure telnet access(!) from the Internet. These products can talk directly to the Host/Mvs TCP/IP stack or SNA servers (which means Internet -> DmzSNAserver -> Host (via SNA)).
 
**Would you give Internet access to your host environment from Internet via SSL opening some ports? (In this configuration, your host environment has a legal IP address.)
There are other issues,
    * like adding another interface to the mainframe for DMZ configurations(?),
    * translating the internal host address to a legal address
    * putting another firewall in front of the mainframe. (Well, mainframe backbone connections are complex, including multiple connections and types: token ring, ATM, etc. So, my other question is: How can you put a firewall in front of the mainframe without affecting performance and changing your networking environment?)
    * Well, as we know, there can be exploits and security problems with TCP/IP stacks. Are there any with mainframe TCP/IP stacks? (IBM, Tcpconnect etc.) If yes, what is the effect of this exploit? (Like a Unix root or sendmail exploit, can you gain access to the machine?)
 
Thanks.
 
Ihsan Cakmakli
YKT


 