Replies like this are why I seldom post to IBM-Main anymore. The fact
that it comes from someone who I respect and consider a friend hurts all
the more. Bottom line is that I work for a living, and I often don't
have time to respond in gory detail to everything posted. My primary
objective here was to stress that the z/OS architecture is inherently
hardened against viruses. The fact that I did not go into explicit
protections for APF-authorized programs appears to have been my fatal
flaw, according to Mr. Cole. Regardless of what comes back, this will
be my last post on the subject. My comments below.
Regards,
Tom Conley
On 3/27/2012 1:06 PM, David Cole wrote:
At 3/27/2012 11:19 AM, Pinnacle wrote:
There is a mainframe product that protects against malicious
software. It's called SAF, and it interfaces with ESM's like RACF, or
ACF2, or TopSecret.
"SAF" is not a product. It stands for "System Access Facility" and it
is nothing more than an interface within z/OS into which a security
system (such as ACF2, TopSecret and any ryo security system) can plug
into to receive and respond to security calls. It really has nothing
to do with anti-virus protection.
SAF is not a product, you're right. Please forgive my use of the term
"product", I should have said "feature". I do take issue with your last
sentence. SAF and an ESM have everything to do with anti-virus
protection, provided they are configured to correctly protect
APF-authorized resources.
It [z/OS] is the only operating system out there with built-in
anti-virus protection. On top of that, the hardware itself actively
protects against damage through storage keys, protected memory, etc.
You have to explain to the auditors that anti-virus software is not
needed on z/OS, because it's intrinsic to the operating system and
the hardware.
I think you seriously misunderstand what a virus is...
Yes, z/OS has exceptional security (and integrity and reliability)
features for protecting against non-authorized programs. But I must
emphasize... -->NON<--authorized programs!
When it comes to AUTHORIZED programs, z/OS's integrity (which is what
you are talking about with "storage keys" and such) is very good, but
of course not bulletproof. Worse though, when it comes to SECURITY,
there are some real problems! Because with the proper knowledge, it is
TRIVIALLY EASY FOR AN AUTHORIZED PROGRAM TO SUBVERT SECURITY COMPLETELY!
This is what mainframers constantly forget regarding security. For
authorized programs there is no security. All that is necessary for a
malicious program to do is to Trojan-horse its way (with the AC(1)
attribute) into an authorized library, and you're done for!
I've never forgotten this. That's why my APF-authorized libraries are
severely limited in scope, and audited for any and all updates.
As far as I know there is no serious anti-virus program for
mainframes. I believe strongly that there needs to be one, but I don't
know of one. And at this stage of the mainframe culture, I would be
seriously suspicious of the efficacy of any program that claimed to be
anti-virus. I don't think that a serious mainframe anti-virus program
can exist unless and until IBM itself makes a commitment to support an
effort to make the mainframe anti-virus proof.
www.zassure.com is the closest thing I've seen to an MVS anti-virus
program. After seeing a demo, I would have bought it, or recommended it
to a client. Check it out, you will be surprised, if not shocked.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
