>Frankly, if we've got unauthorized folks sniffing our LAN, we've got
>far bigger problems than my AS/400 signon.

Probably true, but anyone can download snort.  And if you have wireless
in your facility, it's a lot more complicated.

>Can't a LAN sniffer capture network logon passwords as well?

It depends on the authentication scheme.  Some schemes let the client
encrypt the password and then the client and server compare the
encrypted values.  Or they use some form of encryption to send the pwd
to the server.

>"If it is a security violation, why would IBM supply it?"

If the PC is considered to be in a secure location, then allowing signon
bypass can still be considered tolerable / secure.  

Alternately, it may be there to support other applications that do not
require system-level authentication (app-level may be instituted
instead).  You may have users accessing systems where it is desired to
not have OS/400 usrprfs for every user.  Maybe a public kiosk situation
like a library card catalog system, for example.  Once on the system,
the INLPGM runs an app that either does its own authentication or
allows public access to unsecured applications.

John A. Jones
Americas Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
John.Jones@xxxxxxxxxxxxxxxxxxxxxxx

-----Original Message-----
From: Dan Bale [mailto:dbale@xxxxxxxxxxxxx] 
Sent: Friday, July 30, 2004 10:16 AM
To: Midrange Systems Technical Discussion
Subject: RE: Client Access bypass signon (Dan Bale)

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx / Jones, John (US)
> Sent: Friday, July 30, 2004 11:00 AM
>
> Anyone who sniffs the LAN can pick up the contents of the batch file.

Frankly, if we've got unauthorized folks sniffing our LAN, we've got far
bigger problems than my AS/400 signon.  Can't a LAN sniffer capture
network logon passwords as well?

I guess it bears reiterating the question that Steve asks, "If it is a
security violation, why would IBM supply it?"

I will discuss this with our sec admin.

Thanks,
db

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.




