Is it Time for a Mainframe Security Model?
- By Scott Bekker
- June 20, 2001
The circumstances which attended the IIS vulnerability
that Microsoft Corp.
patched this week served to highlight the vast differences that still exist between Windows 2000 and the Big Iron mainframe, which to this day is viewed as a reference standard in most segments of enterprise computing.
The vulnerability - which requires the presence of not only IIS
itself, but also of an optional meta-search facility if it's to be
effectively exploited - probably shouldn't have affected most Windows NT 4.0 or Windows 2000 installations. Yet eEye Digital Security, the Internet security firm that
first identified the vulnerability, estimates that as many as 50 percent of existing Windows NT 4.0 or Windows 2000 installations could be affected.
What gives? The answer is simple: Both IIS and the optional meta-search facility in question - dubbed Index Server 2.0 in the Windows NT 4.0 space, and called simply the "Indexing Service" in Windows 2000-speak - are enabled by default during the configuration or installation of either operating system. To be precise, IIS 4.0 and Index Server 2.0
ship with, and are enabled out-of-the-box by, the Windows NT 4.0 Option
Pack, while IIS 5.0 and the Indexing Service are installed by default
with Windows 2000 Server/Advanced Server.
Administrators can choose whether or not they want to install either
service, actually, but based on dire prognoses from eEye and from other
quarters, it would appear that such an option is rarely exercised.
Consequently, industry watchers say that many IT organizations may
unintentionally have deployed Windows NT 4.0 or Windows 2000 systems
with Web and meta-search services installed - and are now seriously at
risk as a result.
"I would suspect that the number is much higher than 50 percent, and I'm not sure where eEye got that number, actually," avers Russ Cooper,
editor of the Windows NT Bugtraq Mailing List. "To test for whether or not this thing
is out there is a difficult process, but it's also something that's
installed by default."
Needless to say, most services and features are not enabled by default in mainframe environments. According to Ted MacNeil, a consultant with IBM Global Services' strategic outsourcing services who is attached to Scotia Bank in Toronto, the mainframe security model is in many respects diametrically opposed to that of Windows NT/2000 and to most other "open" systems.
"I believe the mainframe model is better than the mid-range, PC, LAN and Open Systems environments, simply because it follows the standard: 'All that is not expressly permitted is forbidden,'" he comments. "The other platforms, from what I have seen, follow the standard: 'All that is not expressly forbidden is permitted.' This makes users responsible to protect themselves, often without the necessary skills, and little, or no, help from the vendors. This leaves a lot of holes."
In mainframe environments, then, administrators must painstakingly - and laboriously - configure and customize most system services.
In the same way, suggests Jim Keohane, president of Multi-Platforms Inc., an IT consultancy in Levittown, N.Y., which provides
software development expertise for mainframe and for other platforms,
some mainframe operating environments make it difficult for
administrators to install the services and features that they actually
"It is so difficult on a mainframe, especially [on an] MVS or OS/390, to do even what you have the authority to do, so that trying to do what
you are not allowed to do starts off being difficult even without
Conversely, Windows NT/2000 - and even many Unix and Linux operating
systems - ship with oodles of system services and other potentially
dangerous features enabled straight out-of-the-box.
"With Windows 2000 and Windows NT 4.0, the default is a very enabled
system, which requires the administrator to secure the system," explains
Roger Seielstad, a senior network administrator with consulting and
infrastructure management specialist Peregrine Systems Inc. "It's notable
that the default installs of Sun Solaris and Red Hat Linux function much
the same way, with many potentially dangerous services starting by
Microsoft could go a long way towards making its next-generation Windows
platforms - Windows XP Professional and Windows 2002 Server/Advanced
Server - more secure simply by restricting the services and
functionality that the operating system installs by default. But
according to NT Bugtraq's Cooper, such would to a certain extent
alienate the very groups that have spurred Windows NT 4.0 and Windows
2000 adoption in the first place.
"What's the name of the IT guy in the department of four people who
wants to do some printing and file sharing?" He asks, rhetorically. "The
truth is that there isn't one, and that [often] there aren't sufficient
resources so that they can start with this totally secure installation."
The announcement of yesterday's vulnerability - and the continuing
preponderance of denial-of-service (DoS) attacks and of exploits that
literally let attackers take complete control over mission-critical
information systems -clearly demonstrate the extent to which Windows
NT/2000 lag behind Big Iron in other significant respects, as well.
"How many mainframe programmers do you know who can actually bring down
the whole mainframe system?" Challenges Sunil Misra, managing principal
of the worldwide security practice for Unisys Corp.. "The problem with open
systems is that they are new, and [that] the information on how to
compromise them is more easily available today."
Conversely, DoS and other attacks are nearly impossible to successfully
perpetrate on mainframe systems, Big Iron advocates like to point out.
Indeed, IBM's zSeries mainframes boast a technology - dubbed LPAR - that
lets administrators define logical partitions for different workloads
(test, production and Web serving, for example) in a mainframe
environment. This has the effect of securely isolating data and
applications from one another - even if they're hosted on the same
system. And zSeries mainframes also leverage a feature called - "program
execution states" - which can prevent programs or services from
accessing or executing pre-determined system commands.
The nearest approximation of such functionality is provided in the
Windows 2000 space courtesy of Unisys and its ES7000 servers, which
boast advanced system and workload partitioning capabilities, in
addition to enhanced security features.
In the final analysis, most observers agree that if change is to occur,
it'll be driven by end users and by software vendors alike.
"I think that there will be a behavioral change [among users], and that
it'll also come in combination with changes to software and
documentation," NT Bugtraq's Cooper comments. "As peoples priorities
shift from functionality to security, developers will change the focus
of their software and the way that their software works to make security
more functional and more easily managed."
Peregrine Systems' Seielstad agrees. "Microsoft still focuses their
development on features, in terms of enhancing the user experience, over
quality. These features are one of the reasons they have become the
dominant software vendor in their markets," he observes. "Increasingly,
corporations will demand better quality over flashy features." -- Stephen Swoyer