Doesn't the current OS/400 support IP natively? We use IP to communicate
between our AS400s and our mainframe - eliminating the need for
encapsulation and allowing the firewall greater control over the traffic.
Bill
>
>Hello,
>
>I'd like to get your opinions of the security in place compared to the
>security of the redesign. Also, opinions on security in SNA/IBM
>environments, and risks.
>
>Security in the host today is accomplished through RACF, which defines user
>accounts, and specifies which resources the users can access.
>
>----------------
>
>My client has remote sites with various degrees of trust. Some remotes are
>part of the company, but not strictly controlled by IS as what they can or
>think they can do with their network.
>
>These sites are considered pretty secure, although not completely trusted.
>IS wants to have more control on what access they have to the corporate
>campus LAN.
>
>We have a firewall in place, which permits IS-sanctioned IP applications to
>pass through.
>
>However, one of the requirements is SNA, with an AS400 located at the
>remote site connecting to an FEP with access to a mainframe located at the
>corporate site.
>
>The SNA is encapsulated into TCP and forwarded from the remote router to a
>corporate router, which de-encapsulates the TCP and forwards SNA onto the
>token ring.
>
>The firewall is currently set up to pass the DLSW TCP port number through,
>as long as the source and destination IP address are correct.
>
>The routers are set up to route IP. IPX, Appletalk, Vines, Decnet are not
>allowed to be bridged. Netbios is not passed through the DLSW tunnel either.
>
>We currently have the following:
>
>
>                AS400
>                  |
>           (sna, token ring)
>                  |
>     router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
>                  |
>          FRAME RELAY NETWORK
>                  |
>                  |
>            router, IP only
>                  |
>               --LAN--
>                  |
>     firewall (permits dlsw tcp port 2065)
>                  |
>                  |
>          CAMPUS Token ring
>                  |
>     DLSW Peer2 Router (No bridging on interface to Campus Ring)
>                  |
>                 ring
>                  |
>            IBM FEP, 3745
>                  |
>            IBM MAINFRAME
>
>Note that DLSW Peer2 router is inside the firewall. The interface that
>connects to the corporate campus Token ring does not have bridging enabled,
>so the SNA packets, when de-encapsulated, do not get forwarded back onto
>that ring. They only get forwarded on to the FEP connected ring. There is
>no telnet access from outside the firewall to internal campus resources,
>without authentication at the firewall itself.
>
>There are other FEPs and FEP ring interfaces that connect directly to the
>campus token ring, which also connect to the MAINFRAME, for host access by
>people located on the campus network.
>
>There are some security risks, including denial of service attacks through
>excessive bridging packets, access to the FEP by anyone on a remote ring,...
>
>-----
>
>We are considering a redesign. I'd like to get your opinions of the
>security in place compared to the security of the redesign. Also, opinions
>on security in SNA/IBM environments, and risks.
>
>                AS400
>                  |
>           (sna, token ring)
>                  |
>     router dlsw peer (encapsulates sna into tcp, forwards tcp session to peer2)
>                  |
>          FRAME RELAY NETWORK
>                  |
>                  |
>              router, IP
>              dlsw peer
>                  |   \
>               --LAN-- \
>                  |     ring
>              firewall    \
>                  |       FEP
>                  |
>         CAMPUS Token ring
>
>As you can see, the dlsw will no longer be tunneled through the firewall.
>The connection to the FEP would be outside the firewall. Nothing else is
>on the fep ring.
>
>The dlsw peer router would have to be set up with specific addresses of
>remote routers that could establish dlsw connections to it. The only added
>threat is that the router which is configured with the peer is also outside
>the firewall.
>Someone could potentially bring another router up, telnet to and break into
>the dlsw peer router, configure themselves, and have access to the fep.
>
>Thanks,
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>** Sami Mousa, FORE ATM(WAN) Certified **
>** International Network Services Office: (908)603-8541 x320 **
>** Network Systems Engineer e-mail: sami_mousa@ins.com **
>** 120 Wood Ave South Pager: (888)896-4064 **
>** Suite #615 Fax: (908)548-5630 **
>** Iselin, New Jersey 08830 www.ins.com **
>=============================================================================
> "My statements in this message are personal opinions \
> which may have no basis whatsoever in fact."
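The filtering policy the post describes (the DLSw TCP port 2065 passed only between the configured source and destination addresses, NetBIOS not carried over the tunnel, no telnet to internal resources from outside without authentication) as an added Python model, not code from either e-mail. The peer and management-host addresses, the port list and the log lines are constructed for illustration; the post names only port 2065.

```python
"""Model of the DLSw tunnel filtering policy discussed in the thread.

Added example, not part of the original e-mail exchange. It evaluates a
small stateless filter of the kind the post describes and runs it over a
few constructed connection-log lines.
"""
import ipaddress
from dataclasses import dataclass

DLSW_PORT = 2065  # DLSw TCP port named in the post

# Constructed addresses (assumptions, not from the post): the remote DLSw
# peer, the corporate DLSw peer router, and the single campus host that is
# allowed to telnet to the peer router.
REMOTE_PEER = ipaddress.ip_address("10.1.1.1")
CORP_PEER = ipaddress.ip_address("10.2.2.2")
MGMT_HOST = ipaddress.ip_address("10.2.0.10")

NETBIOS_PORTS = (137, 138, 139)  # NetBIOS, which the post says is not passed
TELNET_PORT = 23


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def firewall_decision(f: Flow) -> str:
    """Apply the policy from the post in order:
    1. DLSw (TCP/2065) is permitted only between the two configured peers,
       which is what restricts the tunnel to known remote routers.
    2. Telnet to the peer router is permitted only from the management host,
       closing the 'telnet to the peer router and reconfigure it' path.
    3. NetBIOS is never passed.
    4. Everything else is denied by default."""
    if f.proto == "tcp" and f.dport == DLSW_PORT:
        if {f.src, f.dst} == {REMOTE_PEER, CORP_PEER}:
            return "permit"
        return "deny: dlsw from unconfigured peer"
    if f.proto == "tcp" and f.dport == TELNET_PORT and f.dst == CORP_PEER:
        if f.src == MGMT_HOST:
            return "permit"
        return "deny: telnet to peer router from outside"
    if f.dport in NETBIOS_PORTS:
        return "deny: netbios"
    return "deny: default"


def evaluate(lines):
    """Return (line, decision) pairs for a list of log lines."""
    return [(line, firewall_decision(parse_flow(line))) for line in lines]


def denied_count(lines) -> int:
    """Number of flows the policy would drop; useful as a quick audit figure."""
    return sum(1 for _, d in evaluate(lines) if d != "permit")


# Constructed sample log: the legitimate DLSw session, a DLSw attempt from an
# unknown router, telnet to the peer router from outside and from the
# management host, and NetBIOS riding the peer addresses.
SAMPLE_LOG = [
    "10.1.1.1 10.2.2.2 tcp 2065",
    "10.9.9.9 10.2.2.2 tcp 2065",
    "10.9.9.9 10.2.2.2 tcp 23",
    "10.2.0.10 10.2.2.2 tcp 23",
    "10.1.1.1 10.2.2.2 tcp 139",
]

if __name__ == "__main__":
    for line, decision in evaluate(SAMPLE_LOG):
        print(f"{line:30} -> {decision}")
    print("denied:", denied_count(SAMPLE_LOG))
```

The peer check uses an unordered pair so the rule matches whichever side opens the TCP session; a real router or firewall would express the same thing as two directional rules, and the redesign in the post moves rule 1 onto the peer router itself, since the tunnel no longer crosses the firewall.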