T 4.10 Complexity of access possibilities to networked IT systems

In contrast to stand-alone systems, on which the login process is primarily responsible for access control and which can therefore only be compromised through the use of weak passwords or no passwords at all, networked computers run a large number of complex processes that allow a wide variety of different types of access. For example, the sendmail daemon in Unix allows networked computers to send and receive text (e-mails); the FTP daemon allows users to log in to a computer, even though its login capabilities are limited, and in some cases does not even protect such logins with a password (anonymous FTP); and the telnet daemon allows a complete login.

Server systems like Windows NT or Novell Netware avoid transmitting passwords in plain text for security reasons. This protection mechanism is bypassed, though, when services such as FTP or Telnet are used, because these services transmit passwords in plain text again.
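To make the exposure described above visible, the following added example (not part of the IT-Grundschutz text) walks through an FTP control-channel command sequence and reports whether a password was sent before the channel was protected by AUTH TLS, and whether the login was anonymous. It assumes the command sequence is available as the server saw it (e.g. from a server-side command log), so commands sent after TLS negotiation are still readable here even though they are encrypted on the wire; the sample sessions are constructed.

```python
"""Flag FTP logins that expose a password in clear text on the network."""
from dataclasses import dataclass, field


@dataclass
class FtpAuthFinding:
    cleartext_password: bool = False        # PASS sent before TLS was active
    anonymous_login: bool = False           # USER anonymous / ftp
    users: list = field(default_factory=list)  # usernames seen; passwords are never stored


def analyse_ftp_session(lines):
    """lines: list of (direction, text); direction is "C" (client) or "S" (server)."""
    finding = FtpAuthFinding()
    tls_requested = False
    tls_active = False
    for direction, text in lines:
        if direction == "S":
            # A 234 reply to AUTH TLS/SSL means the control channel is encrypted from here on.
            if tls_requested and text.startswith("234"):
                tls_active = True
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_requested = True
        elif verb == "USER":
            finding.users.append(arg)
            if arg.lower() in ("anonymous", "ftp"):
                finding.anonymous_login = True
        elif verb == "PASS" and not tls_active and not finding.anonymous_login:
            # Anonymous FTP sends an e-mail address as PASS by convention, not a secret.
            finding.cleartext_password = True
    return finding


# Constructed sample sessions (hypothetical hosts and users).
PLAIN_SESSION = [("S", "220 ftp.example.test ready"), ("C", "USER alice"),
                 ("S", "331 Password required"), ("C", "PASS hunter2"),
                 ("S", "230 Login successful")]
ANON_SESSION = [("S", "220 ftp.example.test ready"), ("C", "USER anonymous"),
                ("S", "331 Send e-mail as password"), ("C", "PASS guest@example.test"),
                ("S", "230 Login successful")]
TLS_SESSION = [("S", "220 ftp.example.test ready"), ("C", "AUTH TLS"),
               ("S", "234 Proceed with negotiation"), ("C", "USER bob"),
               ("S", "331 Password required"), ("C", "PASS s3cret"),
               ("S", "230 Login successful")]

if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("anon", ANON_SESSION), ("tls", TLS_SESSION)):
        print(name, analyse_ftp_session(session))
```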

Apart from the fact that all of these processes can open security gaps through incorrect or faulty configuration, the probability that they contain security-relevant programming errors is naturally significantly higher because of their complexity.

There are a number of different ways to connect a z/OS system to internal and public networks. Access is possible via SNA and TCP/IP, e.g. FTP, TELNET, or using a browser. Many of the network functions known from Unix installations can be used under the Unix System Services of z/OS. This wide variety of connection capabilities makes specifying a secure network configuration for the z/OS system very complex.

Example: