Joe -
The original point of this thread was that the sophistication level of hacks
has risen dramatically, and no machine can be considered hack-proof.
The Buffer Overruns is still a Win problem, but not the only problem.
The point I was making by saying "assume a legit iSeries profile can be had"
is so that we think about inner defenses. We need to stop thinking that
"iSeries security is the greatest..." and deal with the details of making a
great implementation. You & I already do that in many ways - we don't give
*ALLOBJ, *SPLCTL, *SAVSYS, *IOSYSCFG, etc to every user.
For decades (yes, decades..) Rochester has clearly said that the security
is great when a site takes the many "extra" steps in configuration, authority management, and monitoring to ensure this high level of security. It's in every IBM Security Manual, Carol Woodbury and Pat Botz's book, new Common Criteria redbook, the IBM Tips & Technique books, all the way back to the C2 redbook (and others). Setting your machine to level 50 is only one of many, many steps needed. Our collective problem is that many iSeries shops stop at a few system value settings and feel "secure". Most of my own customers have made a business decision to only allocate limited time to security. Because every user connects to me thru non-OS400 devices, I need several lines of defense,
both at the door (authentication), and inside.
And Joe, - the reality of the corporate world of networks is our playing field. You may have an extremely efficient iSeries centric network in your development shop, but that is a tiny minority to the real world we live (and secure) in. I don't have a single customer
that does not have some Windows, Linux, or Unix server.
jim franz

----- Original Message ----- From: "Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>
To: "'PC Technical Discussion for iSeries Users'" <pctech@xxxxxxxxxxxx>
Sent: Thursday, December 29, 2005 1:53 AM
Subject: RE: [PCTECH] Here is a real reality check for every PC user...


First: no, I don't have to compare a Windows server to an iSeries server,
because I don't see a valid reason to run a Windows server in an iSeries
shop, except maybe as a file server.  Instead, there are dozens or even
hundreds of those little virus-infested XP desktops littered throughout the
office.

(And by the way, as far as I know the Sony rootkit spyware worked on Windows
servers as well as desktops, but I'm not certain of that.)

Second, if you "assume" that a legit profile can be had, then all bets are
off on any machine. As long as the legit profile has enough rights, you can
do anything.

(Of course, if you set up single sign-on and then put your SSO server on a
Windows machine, you are in effect giving away all your passwords, since we
know the Windows machine can be busted, but that's why putting SSO on a
Windows box is goofy.)

No, the right thing is to start with the assumption that all you have is
standard access to the machine through public network access.  If you have
an unsecured wireless network, you've got a different set of problems than
if you have a firewalled system that only allows port 80 HTTP access to a
DMZ machine.  But even in the latter case, if the DMZ machine is a Windows
machine, any number of buffer overrun exploits have been found that can, in Microsoft's words, allow a malicious user to take control of your computer.
There never has been a single reported buffer overrun exploit on the
iSeries, whereas Microsoft sends out patches nearly daily fixing theirs.

Let's repeat that, just in case I wasn't clear: THERE HAS NEVER BEEN A
BUFFER OVERRUN EXPLOIT ON THE iSERIES.  I don't understand how a Windows
advocate can keep a straight face and say how Windows is comparable to the
iSeries in security.  It's simply not true.

Finally, as to a keyboard logger: if you have that sort of thing on your
network, you've lost control of your system and your IT manager needs to be
fired.  In addition, anybody using that sort of software must be arrested
and brought to trial.  To allow felonies as the standard assumption, well
heck, all I have to do is kidnap the IT manager and torture the password out
of him, maybe make him watch Springer episodes 24/7.

Joe


From: Jim Franz

Joe - but the iSeries is a "server" and you need to match server to server
to be fair.
A well configured Windows server is way beyond XP Pro desktop.
It is a given, proven over & over that MS desktop applications have had &
continue
to have problems. But now you have to picture that "more vulnerable"
desktop
communicating with the iSeries (Client Access or thru IE/html or
whatever).
A keyboard logger on the pc can log your iSeries
profile & password....Now picture yourself not with your "development
server", but
a large corporate iSeries....
I think you have to start with the assumption that a legit profile can be
had. Now
what doors do you need to close?
jim franz


--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.