|
midrange.com
Does anyone have an example of an exit program for ODBC. I am not a
programmer so I wouldn't want to try to write one. We have an audit
requirement to secure ODBC by the end of October on our production
partitions.
John Bresina Jr
Sr Server Engineer - Midrange Team
Allianz Life of North America
5701 Golden Hills Drive
Minneapolis, Mn 55416
763 582 6761
rob@xxxxxxxxx
Sent by:
midrange-l-bounce To
s@xxxxxxxxxxxx Midrange Systems Technical
Discussion
<midrange-l@xxxxxxxxxxxx>
09/15/2006 02:26 cc
PM
Subject
Re: ODBC Security
Please respond to
Midrange Systems
Technical
Discussion
<midrange-l@midra
nge.com>
Rather a recent discussion on the security list. Searching the recent
archives might give some good insight.
Defense in depth is always the best strategy.
First, and strongest wall, should always be object authority. Now, some
people secure everyone out of an object. And then the only way to access
a file was via programs that adopted authority. Knew a fellow who did
this for a company that made body parts for humans. Like artificial
knees. If you do this then the only way they can use ODBC is if you copy
the data to a different file that is opened for read.
Leaving all your files for read might not be a good idea. For example if
your programs secure who can read certain fields. For example if your
employee file has salary information in there with name and address and
certain people can look up address but only certain other people can look
up salary and that is all program restricted. Now accessing that file via
odbc blasts by that. Workaround, break the file apart which some vendors
do. Or use column level security. Nice theory but I've not seen people
use this in practice yet. Has anyone? Supported by DB2.
Oh and as far as the "download file", our users quickly figured out that
they could query most any file they wanted to and overwrite the download
file and download that.
Next wall may be exit points. Let's say your application vendor is from
the stone age. And he requires the files to be *ALL for all users
accessing the files. Now, you can use an exit point to restrict who can
download what data from what file. For example I can secure Sally from
downloading from the logical that has both name and salary information in
it, but let Susie get both.
Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
fbocch2595@xxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
09/15/2006 01:59 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To
midrange-l@xxxxxxxxxxxx
cc
Subject
ODBC Security
I wanted to get some info on the risks to giving AS400 users authority to
use ODBC.
If object authority is *use ODBC s/b ok for AS400 users to use...right?
If they have *change to AS400 objects then ODBC is not good because they
can upload data or change it via file transfer or ODBC...right?
Using an exit pgm will restrict all users except ONLY those alllowed by
the exit...which makes it the best way to secure ODBC...is that right?
Thanks for any info
Frank
________________________________________________________________________
Check out the new AOL. Most comprehensive set of free safety and security
tools, free access to millions of high-quality videos from across the web,
free AOL Mail and more.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
-----------------------------------------
CONFIDENTIALITY NOTICE: The information in this message, and any
files transmitted with it, is confidential, may be legally
privileged, and intended only for the use of the individual(s)
named above. Be aware that the use of any confidential or personal
information may be restricted by state and federal privacy laws.
If you are not the intended recipient, do not further disseminate
this message. If this message was received in error, please notify
the sender and delete it.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
