Results 1 to 7 of 7

Thread: OS/390 - Mainframe query

  1. #1
    Senior Member
    Join Date
    Jan 2005
    Posts
    100

    OS/390 - Mainframe query

    Hello all -

    Have people run into a lot, if any questions on security about Mainframes and OS/390? Our organization has them, but when I question anyone on the security of those devices I am met the response of RACF. Being naturally suspicious, I am wondering if anyone works with security still for mainframes? I question it because while mainframe technology is out "there", it doesn't pop up much on the radar for security and I don't think it's discussed here.

    Thoughts?

    TIA
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I worked with System 370, I'm guessing we are talking basically the same OS - it's been a few years..... They were never directly connected to the outside..... As I remember the rights and permissions of the connected terminal were pretty robust mainly because the cost of the mainframe were so high. I spent many hours talking to System Analysts etc. convincing them that my company's product was simple, wouldn't touch anything but the JES spool and redirect the output appropriately and would be totally managed at the lowest possible rights of anyone to the JES spool.

    I don't know about OS/System 390 but I can't believe that it is any less secure or any more directly connected......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    KuiXing-2005,

    You might want to check here...

    IBM announces new security technology on the mainframe with z/OS 1.5

    http://www-1.ibm.com/servers/eserver/zseries/zos/
    IBM: z/OS operating system

    Or here...

    This product is a port of our existing Security Toolkit for Java to the IBM ® OS/390 ® mainframe environment.

    http://www.entrust.com/authority/java/faqs_os390.htm
    Entrust Authority Security Toolkit for Java: OS/390 Edition Frequently Asked Questions

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I have done some security assessments against zOS using RACF, as long as RACF has been implemented properly its damn good. What specific questions do you have? just the general security overall?
    Quis custodiet ipsos custodes

  5. #5
    Junior Member
    Join Date
    Jun 2002
    Posts
    23

    Fun, Fun, Fun.

    I've worked with OS/390 in the banking industry as it is the backend to alot of the ATM/EFTPOS applications that don't get seen.

    The bank I worked for had RACF implemented beautifully, the system was tight as a drum so to speak.

    The permissions were set from our HQ and operators from all around the country with the lowest access level were able to get in and monitor all the relevant process's with ease.

    We never had a breach in the 3 years that I worked on it, so although this isn't definitive I think its a good start.

    Hope this adds a little to the discussion.

    Cheers,
    DOHC

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130

    Re: OS/390 - Mainframe query

    Have people run into a lot, if any questions on security about Mainframes and OS/390? Our organization has them, but when I question anyone on the security of those devices I am met the response of RACF. Being naturally suspicious, I am wondering if anyone works with security still for mainframes? I question it because while mainframe technology is out "there", it doesn't pop up much on the radar for security and I don't think it's discussed here.

    Thoughts?

    TIA [/B]
    There is a lot of MF security admin out there. I am one, for example
    why we didnt see news and/or discussion about mainframe security?

    because:

    a) Most of MF security admins are SO especialist that cant use anything else but Mainframes.
    so You wont to see those guys around here often
    b) MF security use to be discussed on closed forums. Just among MF guys. You cant see MF discussions about networking or databases either. Its a priviledge forum


    MF security is a Myth. Mainframes are secure just as another platform, depending on basically of Admins Skills and Care. And a Mainframe can be unsecure just as my Dad' Windows 98 installation. In fact, A LOT of mainframe installations (i use to work as a consultant/auditor on that) ARE weak.
    Why the mainframes spread this sensation of "security"? because instead of "distributed platforms" where (a lot of) security admins has near no training and just jump on market as
    "windows security admin", after a MS course. On Mainframe area, it takes YEARS to be recognized as a "senior guy" and more YEARS to be a "security guy". And a lot, lot, lot of trainning.
    Mainframes (im taking just about IBM) O.S.es doesnt have a security software built-in, as other O.S. IBM built it as an "open interface", to allow anyone build their own security subsystem. Nowadays, there is three tools on market:
    RACF (IBM)
    ACF2 (CA)
    TOP-SECRET (CA)
    MF OS is also very well developed and its very rare to find a "security flaw" on them. Yeap, IBM took more than 30 years to do that. Also is very rare (i saw very few times in 25 years working with them) to crash. z/OS (successor of MVS) has more than 70% of its code of recovery routines . On some subsystems you can see 10,15 nested levels of recovery code on a single failure.

    Altough you cant see us, we can see you.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    I have done some security assessments against zOS using RACF, as long as RACF has been implemented properly its damn good. What specific questions do you have? just the general security overall?
    Just security in general - as I stay on over time, more people will learn I'm an IT Auditor - so I may have a plethora of questions over time - some may be like this - a solid technology that maybe not too many people have experience with - or the one-off technologies. For this discussion, I am curious about general security overall - simply to help broaden my mainframe experience - which at this point is nill and I want to make sure I ask at least somewhat intelligible questions when I interview our auditees.

    a) Most of MF security admins are SO especialist that cant use anything else but Mainframes. b) MF security use to be discussed on closed forums. Just among MF guys. You cant see MF discussions about networking or databases either. Its a priviledge forum
    That's ok - I don't want to be privileged - it complicates things for me. I will just ask my questions and see if any MF experts wish to chime in - like you! No - seriously - I haven't run into many MF people - so finding a couple out here is great!

    Thanks for all the great information so far - it's helping me out!
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •