Ihsan--
1. There is a Unix-based secure telnet project. Personally, I use ssh as well as most of the rest of the world, which is not to say stelnet (??) is bad. If you can build ssh2 for your environment, I would recommend it on a dedicated DMZ host with plug-gw running.

2. If you decide (via corporate or organizational security policy) to offer in-bound SSL access to hosts, once again, place them in your DMZ and restrict access (front and back sides) through your firewall designs.

3. I know nothing about physically adding an interface to a mainframe...I consider it pretty cool that I at least got to see and use the IBM 390 machines at my former University :)

4. Translating publicly-accessible addresses into internal addresses will be done via NAT, and split DNS will take care of name resolution.

5. "Affecting performance" is a broad description. If you stick a Nokia IP650 with FW-1 in place of a Cisco 2500 with ACLs you will see a performance increase. A SPARCStation 20 with FW-1 in place of a Cisco 7204 VXR with ACLs will see a reduction in performance. More information about your topology would yield a more descriptive answer.

6. A TCP stack is essential to modern network communication. Aside from the recent issues with TCP sequence number prediction as an exploit, there isn't much to concern yourself with...the IP protocol suite was not designed with security in mind; it was merely functional and fairly efficient. If you're in a RACF environment (excellent host-based authentication and authorization but no encryption capabilities) you're just as well off as an external Unix host with wide-open telnet if someone is able to sniff your line.
Chris
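An added example, not part of either message in this thread: points 1 and 2 above describe a two-sided DMZ design (Internet reaches only an ssh/SSL relay in the DMZ; the relay alone opens the cleartext telnet/tn3270 port toward the host, and the firewall restricts both sides). The script below encodes that policy and audits a firewall connection log against it, reporting every flow that bypasses the relay or uses a cleartext service on the Internet-facing side. The address ranges, the relay address, the port sets and the log lines are all constructed sample data; the policy details are an assumption for illustration, not something stated in the thread.

```python
"""Audit a firewall connection log against a two-sided DMZ design.

Policy encoded here (constructed for illustration):
  * Internet -> DMZ relay is allowed only on encrypted services (ssh 22, SSL 443).
  * Internet -> host network directly is never allowed.
  * Only the DMZ relay host may open the host-side port (telnet/tn3270 23),
    so cleartext telnet exists only on the back side, behind the firewall.
  * Everything else on those inbound paths is reported as a finding.
All addresses and log lines below are constructed sample data.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed address plan (RFC 5737 documentation ranges, not real networks).
DMZ_NET = ip_network("192.0.2.0/24")
HOST_NET = ip_network("10.10.0.0/16")
DMZ_RELAY = ip_address("192.0.2.10")   # assumed ssh2 / plug-gw host in the DMZ

FRONT_ALLOWED = {22, 443}   # Internet -> DMZ: encrypted services only
BACK_ALLOWED = {23}         # DMZ relay -> host: the telnet/tn3270 port

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def zone(ip):
    """Classify an address as 'dmz', 'host' or 'internet' (anything else)."""
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in HOST_NET:
        return "host"
    return "internet"


def check_flow(src, dst, dport):
    """Return ('allow'|'deny', reason) for one TCP flow under the DMZ policy."""
    s, d = zone(src), zone(dst)
    if s == "internet":
        if d == "host":
            return "deny", "Internet reaches the host network directly (bypasses DMZ)"
        if d == "dmz" and dport in FRONT_ALLOWED:
            return "allow", "Internet to DMZ on an encrypted service"
        return "deny", "Internet to DMZ on a port outside %s" % sorted(FRONT_ALLOWED)
    if s == "dmz" and d == "host":
        if ip_address(src) == DMZ_RELAY and dport in BACK_ALLOWED:
            return "allow", "DMZ relay to host on the back-side port"
        return "deny", "only the DMZ relay may open the host-side port"
    # Flows leaving the DMZ toward the Internet, or originating in the host
    # network, are not inbound paths and are outside this check.
    return "allow", "not an inbound path covered by this policy"


def audit(log_lines):
    """Parse firewall log lines and return (line, reason) for every denied flow."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue   # unparseable line: skip rather than guess
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        verdict, reason = check_flow(src, dst, dport)
        if verdict == "deny":
            findings.append((line, reason))
    return findings


# Constructed sample log: accepted flows and several policy violations.
SAMPLE_LOG = [
    "t=1 src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp",   # ok: ssh to the relay
    "t=2 src=203.0.113.5 dst=10.10.1.1 dport=23 proto=tcp",    # Internet straight to host
    "t=3 src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp",   # cleartext telnet on the front side
    "t=4 src=192.0.2.10 dst=10.10.1.1 dport=23 proto=tcp",     # ok: relay to host
    "t=5 src=192.0.2.20 dst=10.10.1.1 dport=23 proto=tcp",     # non-relay DMZ host to host
    "t=6 src=10.10.5.5 dst=192.0.2.10 dport=22 proto=tcp",     # ok: originates inside
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print("FINDING:", reason, "|", line)
```

Run against the sample log, the audit flags lines t=2, t=3 and t=5: the first is the direct-to-host path the DMZ is meant to remove, the second is cleartext telnet offered to the Internet (the sniffing exposure point 6 warns about), and the third is a DMZ host other than the relay reaching the mainframe, which is what "restrict access on the back side" is meant to catch.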
Hi,

I am looking for ways of giving secure access to a host environment from the Internet. My question:

There are some products on the market which give secure telnet access(!) from the Internet. These products can talk directly to the Host/MVS TCP/IP stack or to SNA servers (which means Internet -> DmzSNAserver -> Host (via SNA)).

* Would you give Internet access to your host environment via SSL, opening some ports? (In this configuration, your host environment has a legal IP address.)

There are other issues,
* like adding another interface to the mainframe for DMZ configurations (?),
* translating the internal host address to a legal address,
* putting another firewall in front of the mainframe. (Well, mainframe backbone connections are complex, including multiple connections and types - token ring, ATM etc. So, my other question is: How can you put a firewall in front of a mainframe without affecting performance and changing your networking environment?)
* Well, as we know there can be exploits and security problems with TCP/IP stacks. Are there any with mainframe TCP/IP stacks? (IBM, Tcpconnect etc.) If yes, what is the effect of this exploit? (Like a Unix root or sendmail exploit, can you gain access to the machine?)

Thanks.
Ihsan Cakmakli
YKT