At 04:03 AM 3/7/97 +0000, you wrote:
> Would anyone care to comment on possible risks of mainframes/sna networks in
> an internet/intranet environment? I'm exploring the issue for a friend. The
> site in question will soon have connections to the internet with a mixture of
> SNA and tn3270 access. The tn3270 sessions are what concern me the most
> of the transport media..should they also be concerned about the SNA
> network? I've never heard of an exploit via SNA. Where would I find
> security mechanisms for such a site? All the mainframe folks I know are
> RACF types.
Most RACF Security staff would NOT want to allow TN3270 from the INTERNET
onto their Mainframe CICS/IMS/DB2 platforms via TCP/IP and VTAM. This
environment MUST be handled the same way you would handle a Server on your
INTRANET that could be accessed from the INTERNET. DMZ, FIREWALL and end to
end encryption are REQUIRED.
Simple RACF passwords are minor protection without encryption. Passive data
hijacking of unencrypted Telnet screen data can expose as much data as a
break-in would in a very short period of time. Pure SNA is a little more
secure because most of the time it travels over dedicated lines or is
piggybacked with TCP/IP on an INTRANET not INTERNET and because the tools to
capture it are a lot harder to find.
> They may have money in the budget next year for a security audit.
> Approximately how much would an audit cost? Are there vendors who
> target the main-frame market? Sample RFPs for an audit would be great. Any
> stories are also welcome here...downtime for big iron is expensive.
> I'd like them to be aware of the tradeoffs. Thanks.
>Tim White Open Systems Administrative Services
>net P.O. Box 11306
>(803)-561-6464 Columbia, SC 29211
Most all of the big accounting firms can audit Mainframe systems. There are
a lot of independents who could also do the audit. Cost is based on the
size of the shop, number of users and the detail required (banks cost more
due to FED requirements, etc.). The big accounting firms would love to give
you a couple of sample RFPs for an audit. War stories like an entire TCP/IP
network including all of the Mainframe financials (TN3270) connected to the
INTERNET without a firewall I'll save for off-line.
 Ken_Stephens @
com (313) 876-5081 
 Senior Capacity Planner/Data Security Officer 
 Michigan Employment Security Agency (MESA) 
 Millennium Consulting 
 Your Security Policy is only as strong as your 
 organization's commitment to it.