Re: [fw-wiz] Mainframes on the Net?

From: R. DuFresne (dufresne@sysinfo.com)
Date: 11/13/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: Don Kendrick <don@netspys.com>
Date: Wed Nov 13 19:51:18 2002


A number of years ago I worked at a shop that ran mostly CRAYS, with a few
sun systems working as the consoles into the CRAYS and an SGI Origin2000
system <now up to at least two Origin2000 systems> and a few IBM frames
rounding out the corners. One of the large CRAYS was semi-military
related. Of course the site was unhindered with firewalling, except the
FW-1 NT/secureID boxen that were meant to protect the military system
<though since the fw-1 NT system crashed daily, there was a backdoor tunnel
running ssh to this system if one 'needed' to avoid the fw-1 blockage>.
One of my responsibilities was to monitor the logs of these systems for
issues and deal with them, even though I was not the CISO for the company.
I quite quickly made an issue of the fact that these systems were not
protected by a perimeter of any design, nor was there any strict
'hardening' of the systems. In fact the sun consoles were quite soft, and
would most likely be the focus point for an attack, get the console and
you had the core...

There had been compromises prior to my working here, none we were aware
of while I worked there, though the door keys were rattled daily/nightly.
Some of those compromises had exploited weaknesses in unicos/mk, not a
common OS for sure. The exposure of such systems makes them available for
the blackhats to test upon though.

Of course I was advised by the powers that be that even the compromise of
an internal system was not going to be much of an issue, as all the super
servers ran on an FDDI ring, and there was no sniffer available that could
sniff traffic off a wire running at such speeds. Even the 100Mbit to the
desktops was considered awfully difficult to manage with a sniffer. I was
kind of shocked by the attitude, especially considering these were highly
intelligent co-workers, some grand levels of skill being present at this
small, yet big client rich site. Of course a short time after I moved
on to greener pastures the thinking had changed, perhaps to a major
intrusion, perhaps to more pressure from the military clients that were
then applying such. These days all these mission critical systems are
firewalled off from public access, and we've not poked about to try and
discover if there are tunnels around such blockages once again.

Thanks,

Ron DuFresne

On Wed, 13 Nov 2002, Don Kendrick wrote:

> OK...maybe a little off topic but this is the group that would know :)
>
> There is quite a push from our IBM friends to use the S/390 box for a
> web server using Websphere or Apache running under Linux (either as a
> VM or in its own LPAR).
>
> Needless to say, I considered this to be a joke....putting the crown
> jewels on the net? Where's the multi-tiered architecture? Where's the
> "defense in depth?" Sure the S/390 has "never been hacked" (their
> words) but who has ever put it in a position to be hacked?
>
> They tell me that I don't understand LPARs. They're separate machines.
> You can still do your multi-tiered. It's just all on the same box. My
> fear, they are separate because of software, written by humans. If that
> is breached, it's game, set and match.
>
> If they were separate boxes, they would have to communicate via some
> interface that I can monitor. This isn't true all on one box.
>
> Anyone have any experience with this fight? Am I out of line?
>
> Don
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!