Is it Time for a Mainframe Security Model?



The circumstances surrounding the Microsoft IIS vulnerability patched this week help to highlight the differences between Windows 2000 and big iron mainframes, which to this day are considered a reference standard in most areas of enterprise computing.

The vulnerability, which requires the presence not only of IIS itself but also of an optional meta search facility before it can be used effectively, perhaps should not affect the majority of Windows NT 4.0 or Windows 2000 devices. However, eEye Digital Security, the Internet security company said to have first identified the vulnerability, estimated that as many as 50% of existing Windows NT 4.0 or Windows 2000 installations may be affected.

How so? The answer is simple: IIS and the optional meta search facility (known as Index Server 2.0 in the Windows NT 4.0 space, and called simply "Indexing Service" in Windows 2000 parlance) are enabled by default in the configuration or installation of either operating system. To be precise, IIS 4.0 and Index Server 2.0 ship, enabled out of the box, with the Windows NT 4.0 Option Pack, and IIS 5.0 and Indexing Service are installed by default with Windows 2000 Server / Advanced Server.

Administrators can, in fact, choose whether they want to install either service, but based on the grim prognosis from eEye, and the view from other quarters, this option is rarely exercised.

Therefore, industry watchers say, many IT organizations may have unwittingly deployed Windows NT 4.0 or Windows 2000 systems with Web and meta-search services installed, and are at serious risk as a result.

"I doubt, the number is far higher than the 50 percent, I do not know from where the number of eEye be, in fact," avers Russ Cooper, editor of the Windows NT mailing list NT Bugtraq. "To test whether or not this matter is there is a difficult process, but there are also some of the default installation."

Needless to say, most services and functions are not enabled by default in the mainframe environment. According to Ted MacNeil, a consultant with IBM Global Services strategic outsourcing services, under the Andean Bank in Toronto, the mainframe security model is in many ways diametrically opposed to that of Windows NT/2000 and most other "open" systems.

"I believe that the mainframe model is superior to the midrange, personal computer, network and open systems environments, and only because it follows the standard: what is not expressly permitted is prohibited," he comments. "Other platforms, from what I have seen, follow the standard: all that is not expressly prohibited is permitted. This leaves users responsible for their own protection, often without the necessary skills, but with little or no help from the supplier, which leaves a large loophole."

In the mainframe environment, then, administrators must carefully, and laboriously, configure and customize most system services.

In the same way, suggests Jimujiou Han, of a cross-platform IT consulting company in Levittown, New York, which provides software development expertise for mainframe and other platforms, some mainframe operating environments make it difficult for administrators to install even the services and features that they actually want.

"This is so difficult in the mainframe, especially in the [right] OS/390 or secondary vocational schools, what to do, you have the power to do so, so that, trying to do what you can not This difficult to do started to take off, even in the absence security."

Conversely, Windows NT/2000, and even many UNIX and Linux operating systems, ship with oodles of system services and other potentially dangerous features enabled straight out of the box.

"With Windows 2000 and Windows NT 4.0, the default is a very Order system, which requires managers to ensure that the system," explained Roger Seielstad, senior network administrator for advice and infrastructure management specialist Peregrine Systems, Inc. "It's significant that is, the default installation Sun Solaris and Red Hat Linux functions number Similarly, many of the services and potentially dangerous start default."

Microsoft could go a very long way toward making its new generation of Windows platforms (Windows XP Professional Edition and Windows 2002 Server / Advanced Server) more secure simply by limiting the services and functions that the operating systems install by default. But according to NT Bugtraq's Cooper, doing so would to a certain degree alienate the groups that drove the adoption of Windows NT 4.0 and Windows 2000 in the first place.

"What kind of name, the Department of the four guys want to do some printing and file sharing?" he asked rhetorically. "The truth of the matter is that no one, it [often] have sufficient resources so that they can start with the complete safety devices."

The vulnerability announced yesterday, as well as the continued preponderance of Denial of Service (DoS) attacks and of attack programs that literally allow an attacker to take complete control of mission-critical information systems, makes clear the extent to which Windows NT/2000 lags behind big iron in other important respects as well.

"How many mainframe programmers do you know who can really achieve decline entire mainframe system?" challenges Sanier Misra, the management main on the world's security practices for Unisys Systems. "And open systems is that they are new, and [that] the information on how to compromise, more accessible today."

Conversely, DoS and other attacks are almost impossible to carry out successfully against mainframe systems, big iron advocates point out.

In fact, IBM's zSeries mainframes feature a technology, known as LPAR, that allows administrators to define logical partitions for different workloads (testing, production and Web services, for example) in the mainframe environment. The result is that the data and applications of one partition are isolated and secured from those of another, even if they are located on the same system. zSeries mainframes also make use of a feature called "Plan implementation of the national" that can prevent programs or services from accessing or executing predetermined instructions.

The closest approximation to this functionality in the Windows 2000 space comes courtesy of Unisys' ES7000 servers, advanced systems with the ability to partition workloads, in addition to enhanced security features.

In the final analysis, most observers agree that, if change is to occur, it will be driven by end-users and software providers.

"I think there will be change in behaviour [users], then it will also combine to shift to software and documentation," NT Bugtraq's Cooper comments. "As people's priorities change functions, security, development, and will change the focus their own software, and methods of their software works to security more functional and more easy to manage."

Peregrine Systems' Seielstad agreed. "Microsoft is still focused on the development of characteristics, in strengthening the user experience, more than quality. These features one of the reasons why they have become leading software vendors, the market," he said. "More and more will require better quality than flashy features."

- Stephen Swoyer

