That Insecure Feeling
The mighty mainframe may be in for a surprise. As the role of legacy systems in e-business increases, hackers may learn to crack new territory.
Rigorous security and high cost of ownership have kept mainframes safe from hackers. But as they become key players in e-business, mainframes could be at risk.
As virus after virus and security exploit after security exploit have rocked the open systems space, administrators in mainframe environments have heaved sighs of relief. After all, no one has ever successfully created, let alone distributed, a mainframe virus, have they? Why should things change?
"There has never been a virus for any mainframe, and one of the reasons that there have been so few exploits for mainframes is that most potential attackers just don’t have any experience with these types of systems," comments Sunil Misra, managing principal of the worldwide security practice for Unisys Corp. in Blue Bell, Pa.
But Misra and other security experts caution that things could change very soon. Jim Keohane, president of Multi-Platforms Inc., a Levittown, N.Y. IT consultancy that provides software development expertise for mainframe and other environments, claims that mainframes have earned a stellar reputation for security as much by accident as by design. In this respect, Keohane argues, mainframe administrators must be as cautious as their counterparts in the open systems space whenever they deploy existing mainframe systems as part of new e-business implementations.
"Mainframes are notoriously secure, but part of that [security] was unintended," he claims. "By that I mean it is so difficult on a mainframe, especially [on an] MVS or OS/390 machine, to do even what you have the authority to do. Trying to do what you aren’t allowed to do starts off being difficult even without security."
The bigger problem, Keohane continues, is that as mainframes continue to evolve, they’re becoming less monolithic and centralized and more like their brethren in the open systems space, a market segment populated with upstarts like Sun Microsystems and Hewlett-Packard and whippersnappers like Microsoft.
"As mainframes become more Unix-like, they’ll have the same susceptibilities Unix currently has. Ditto for Windows support on mainframes," Keohane concludes. "As mainframes adapt more of the development paradigm of the rest of the world (C, Java, scripting, etc.), they’ll become more convenient playgrounds for the cracker crowd."
What, Me Worry?
IBM has a reputation for service and support in all market segments, but especially in mainframe computing. According to Ted MacNeil, a consultant with IBM Global Services’ strategic outsourcing services who is attached to Scotia Bank in Toronto, Ont., it’s a reputation the company has earned. "Since 1974, IBM has had a statement of integrity that guarantees the security of the system and [which says that] they will fix any holes, immediately, working [seven days a week, 24 hours a day] until the issue is resolved," he points out.
As administrators of Windows and Unix systems have discovered, however, all bets are off with respect to patching vulnerabilities in their own environments. In early June, for example, Microsoft confirmed the existence of a dangerous new security hole in its Exchange 5.5 and Exchange 2000 messaging and mail platforms. In short order, Microsoft issued three—yes, that’s three—patches to correct it.
Why the embarrassment of patches? Because versions 1.0 and 2.0 of the security update that Microsoft originally issued to fix the problem actually caused Exchange jobs running on the company’s flagship Windows NT and Windows 2000 operating systems to crash. And this wasn’t even Microsoft’s first go-around with flawed security patches. Besides botching at least two "service pack" updates, which are similar to the mainframe world’s permanent temporary fixes, the software giant has let several security issues, including a vulnerability in Windows NT 4.0’s "local security authority," linger for months before effectively patching each.
And that brings up another thing that simply doesn’t happen in the mainframe space, argues Linda Distel, director of eServer security and software with IBM: "We have a team of people that reviews system code to make sure that we don’t introduce integrity problems in new code."
Although Microsoft gets a fair share of negative publicity when it comes to frequent security shortcomings in its software, the reality is that in the desktop, server and midrange space, new security vulnerabilities of all kinds are discovered on an almost daily basis for almost all platforms. Mainframe environments have been largely immune from such problems, however.
According to the CERT Coordination Center, security vulnerabilities were discovered at a clip of about three a day in 2000. Indeed, except for a two-year stretch from 1997 to 1999, when the number of certified vulnerabilities actually fell, security vulnerabilities have been on the rise, and are now more than doubling in year-over-year comparisons. This year, we’re on pace to smash 2000’s record: CERT recorded 633 vulnerabilities in the first quarter alone.
But Microsoft products aren’t the sole target in all or even most security incidents. In February, for example, a worm attack called "sadmind/IIS" exploited vulnerabilities in Microsoft’s Internet Information Services Web platform and in a tool (called "sadmind") that ships with the Solstice systems and network management environment from Sun Microsystems. In April of last year, Linux kingpin RedHat Software, then in the midst of touting its Linux version as a secure platform for e-business, was forced to patch an embarrassing vulnerability that, if exploited, could have given attackers complete control over a compromised system. Sun and Red Hat aren’t alone in this. Check the annals of Bugtraq, CERT and others and you’ll find dozens of similar vulnerabilities that affect a variety of different platforms.
But search for "S/390" or "390" or even "mainframe" among the hundreds of security advisories that CERT has issued since 1988, and you’ll turn up nothing. For the most part, mainframe environments have remained relatively insulated from security vulnerabilities, even as they’re being retrofitted for e-business. According to IBM’s MacNeil, the inherent security of mainframe environments, compared with rivals that run on less centralized platforms, can probably be attributed to a fundamental difference in design philosophy.
"I believe the mainframe model is better than the midrange, PC, LAN and open systems environments, simply because it follows the standard, ‘All that is not expressly permitted is forbidden,’" he comments. "The other platforms, from what I have seen, follow the standard, ‘All that is not expressly forbidden is permitted.’ This makes users responsible for protecting themselves, often without the necessary skills and little or no help from the vendors. This leaves a lot of holes."
Unisys’ Misra suggests that other factors are at work, as well. "I think it’s probably not fair to say that the technology itself is inherently more secure, primarily because the number of people who understand it enough to cause damage is much lower," he comments. "Second, the hacking subculture and the issues related to putting systems and networks on the Internet are relatively new, so the problem with open systems is that they are new, and the information on how to compromise them is more easily available today."
Which brings up an interesting point, contends Multi-Platforms’ Keohane. What if access to mainframe hardware and software, traditionally restricted by high prices, were suddenly within the grasp of hackers? "The entry price for a cracker to get a home ‘mainframe’ is now down to a few bucks a day," Koehane argues, pointing to mainframe emulation software available from Fundamental Software Inc. and T3 Technologies as examples of solutions that crash through the high-cost-of-entry barrier to mainframe computing.
But why would a hacking subculture suddenly take an interest in S/390 or zSeries mainframes? "Think of the challenge!" Keohane responds. "There are now deals to legitimately get a laptop mainframe [emulator], loaded with OS/390 software, for $10-15 a day. If a cracker wants to work with free S/390 emulators and can get his hands on an OS/390 image plus the needed emulator software, he can be in business with only a $600 Linux box."
If and when vulnerabilities are actually discovered in mainframe environments, they can usually be traced back to the addition of new-fangled application software. An example is IBM’s WebSphere Web application server, for which IBM issued an advisory and two software patches in March. Even so, the number of such vulnerabilities that actually affect mainframe environments is negligible.
A potential problem area in any e-business deployment is the balancing act IT organizations must perform when they attempt to safely isolate mission-critical data and applications behind firewalls or on internal networks, while the same data or applications are required to conduct e-business. The problem is exacerbated in mainframe environments, which are assumed to be more secure than open systems and which, according to many estimates, still house 50 to 75 percent of enterprises’ mission-critical data. In fact, bringing mainframe systems into the e-business fold by connecting them to the Internet can expose them, and the majority of an enterprise’s mission-critical data, to attack.
"Java, HTML and CGI scripts do run on the Web servers that run in the mainframe environment," IBM’s MacNeil cautions, noting that all three facilities are common avenues of attack on any platform. "Once you expose data to the outside world, I don’t believe that the mainframe is any worse than any other system environment, but I believe that if you make a mistake you can accidentally open it up just as easily."
According to Distel, IBM has worked extensively with customers to address just this problem. "We have customers today that are putting their Web servers on zSeries, connecting to their backend zOS systems on the same system, separated by LPARs," she says.
LPAR technology in zSeries mainframes lets administrators define logical partitions for different workloads—test, production and Web serving, for example—and it can effectively and securely isolate mission-critical data and applications from each other, even if they’re stored on the same system. According to Distel, zSeries mainframes running zOS also let mainframe administrators define separate address spaces and data spaces—that, is data spaces that contain only data and cannot actually run programs. zOS running on zSeries has a facility, dubbed "program execution states," that can segment program execution into two different classes, and won’t let programs in one class access or execute some system commands.
Help is also available, or soon will be, from third parties. For example, Multi-Platforms’ Keohane says he’s now working with one of his clients, LockStar Inc., an e-business application security vendor, to develop a secure infrastructure for e-business with a focus on mainframe environments.
"They are wedding older RACF [Resource Access Control Facility] or ACF2 or Top Secret user ID/password security to newer PKI [public key infrastructure] certificates to allow for a graceful adoption," he explains, noting that in his experience mission-critical data and services can be integrated effectively into the e-business fold. "You can safely deploy critical apps and data behind a phalanx of intermediary Web servers and firewalls, yet still provide for secure data transit twixt Web app and mainframe via their secure pipeline facility."
In the final analysis, mainframe administrators and programmers are an ornery lot, and many resist opening up their highly secure mainframe environments to the wild profusion of Internet attackers, despite the availability of robust security solutions. "We are not using any e-business or Web anything on our mainframe," says a mainframe administrator with an advocacy group for older citizens. "We use TCP/IP internally only. And if [we weren’t] required to implement TCP/IP in latter versions of OS/390, we wouldn't have implemented that either."
Significantly, the vicissitudes of e-business could also fly in the face of some of the mainframe world’s most time-honored best practices. Lee Warriner, a mainframe systems programmer with Hartford Financial Services Group, outlines a development philosophy that is in many ways at odds with the breakneck pace of e-business, but which has been a mainstay of reliable and secure mainframe computing for decades. "I want the operating system libraries and data protected from update by anyone and for system changes [and] updates to go through a controlled testing and installation process by the responsible area," he concludes.
Roger Seielstad, a senior network administrator with Atlanta consulting and infrastructure management specialist Peregrine Systems, suggests that security be recast as a "team effort" that combines the best work and practices of vendors and IT organizations alike. "Each member of the team has to add his resources to the team, and the combination should be able to provide a reasonably secure system," he says. "From the vendor’s perspective, code quality is key. Vendors need to provide audited code with few bugs to their customers."
Steve Swoyer is a freelance journalist based in State College, Pa. He can be reached via e-mail at firstname.lastname@example.org.