Re: ODBC Security -- MIDRANGE-L

Rob,

Let's add SafeNet/400 to the list, from Kisco too.

Rich Loeber
Kisco Information Systems
http://www.kisco.com
  ------------------------------------------------------------------------

QSCANFSCTL wrote:

Rob, can you add Bytware to the list?

http://www.bytware.com/products/standguard_30.html

Mike Grant
Bytware, Inc.
775-851-2900

http://www.bytware.com

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Friday, September 15, 2006 12:47 PM
To: Midrange Systems Technical Discussion
Subject: Re: ODBC Security

I've written one for FTP but not ODBC.  If you prompt the SPENDMONEY
command you'll see:
http://faq.midrange.com/data/cache/198.html

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

John_Bresina@xxxxxxxxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
09/15/2006 03:37 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
Re: ODBC Security

Does anyone have an example of an exit program for ODBC.  I am not a
programmer so I wouldn't want to try to write one.  We have an audit
requirement to secure ODBC by the end of October on our production
partitions.

John Bresina Jr
Sr Server Engineer - Midrange Team
Allianz Life of North America
5701 Golden Hills Drive
Minneapolis, Mn 55416
763 582 6761

             rob@xxxxxxxxx
             Sent by:
             midrange-l-bounce
          To

             s@xxxxxxxxxxxx            Midrange Systems Technical
                                       Discussion
                                       <midrange-l@xxxxxxxxxxxx>
             09/15/2006 02:26
          cc

             PM

     Subject

                                       Re: ODBC Security
             Please respond to
             Midrange Systems
                 Technical
                Discussion
             <midrange-l@midra
                 nge.com>

Rather a recent discussion on the security list.  Searching the recent
archives might give some good insight.

Defense in depth is always the best strategy.

First, and strongest wall, should always be object authority.
 Now, some
people secure everyone out of an object.  And then the only
way to access
a file was via programs that adopted authority.  Knew a fellow who did
this for a company that made body parts for humans.  Like artificial
knees.  If you do this then the only way they can use ODBC is
if you copy
the data to a different file that is opened for read.
Leaving all your files for read might not be a good idea.
For example if
your programs secure who can read certain fields.  For example if your
employee file has salary information in there with name and
address and
certain people can look up address but only certain other
people can look
up salary and that is all program restricted.  Now accessing
that file via
odbc blasts by that.  Workaround, break the file apart which
some vendors
do.  Or use column level security.  Nice theory but I've not
seen people
use this in practice yet.  Has anyone?  Supported by DB2.
Oh and as far as the "download file", our users quickly
figured out that
they could query most any file they wanted to and overwrite
the download
file and download that.

Next wall may be exit points.  Let's say your application
vendor is from
the stone age.  And he requires the files to be *ALL for all users
accessing the files.  Now, you can use an exit point to
restrict who can
download what data from what file.  For example I can secure
Sally from
downloading from the logical that has both name and salary
information in
it, but let Susie get both.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

fbocch2595@xxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
09/15/2006 01:59 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
midrange-l@xxxxxxxxxxxx
cc

Subject
ODBC Security

I wanted to get some info on the risks to giving AS400 users
authority to
use ODBC.

If object authority is *use ODBC s/b ok for AS400 users to
use...right?

If they have *change to AS400 objects then ODBC is not good
because they
can upload data or change it via file transfer or ODBC...right?

Using an exit pgm will restrict all users except ONLY those
alllowed by
the exit...which makes it the best way to secure ODBC...is that right?

Thanks for any info

Frank
______________________________________________________________
__________
Check out the new AOL.  Most comprehensive set of free safety
and security
tools, free access to millions of high-quality videos from
across the web,
free AOL Mail and more.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

-----------------------------------------
CONFIDENTIALITY NOTICE:  The information in this message, and any
files transmitted with it, is confidential, may be legally
privileged, and intended only for the use of the individual(s)
named above.  Be aware that the use of any confidential or personal
information may be restricted by state and federal privacy laws.
If you are not the intended recipient, do not further disseminate
this message.  If this message was received in error, please notify
the sender and delete it.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


CONFIDENTIALITY NOTICE:  This e-mail message and any attachment to this 
e-mail message contain information that may be privileged and confidential.  
This e-mail and any attachments are intended solely for the use of the 
individual or entity named above (the recipient) and may not be forwarded to 
or shared with any third party.  If you are not the intended recipient and 
have received this e-mail in error, please notify us by return e-mail or by 
telephone at 775-851-2900 and delete this message.  This notice is 
automatically appended to each e-mail message leaving Bytware, Inc.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.