RE: ODBC Security -- MIDRANGE-L

Rob, can you add Bytware to the list? 

http://www.bytware.com/products/standguard_30.html

Mike Grant
Bytware, Inc.
775-851-2900 

http://www.bytware.com

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx 
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Friday, September 15, 2006 12:47 PM
To: Midrange Systems Technical Discussion
Subject: Re: ODBC Security

I've written one for FTP but not ODBC.  If you prompt the SPENDMONEY 
command you'll see:
http://faq.midrange.com/data/cache/198.html

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

John_Bresina@xxxxxxxxxxxxxxx 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
09/15/2006 03:37 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
Re: ODBC Security

Does anyone have an example of an exit program for ODBC.  I am not a
programmer so I wouldn't want to try to write one.  We have an audit
requirement to secure ODBC by the end of October on our production
partitions.

John Bresina Jr
Sr Server Engineer - Midrange Team
Allianz Life of North America
5701 Golden Hills Drive
Minneapolis, Mn 55416
763 582 6761

             rob@xxxxxxxxx 
             Sent by: 
             midrange-l-bounce                                
          To 

             s@xxxxxxxxxxxx            Midrange Systems Technical 
                                       Discussion 
                                       <midrange-l@xxxxxxxxxxxx> 
             09/15/2006 02:26                                 
          cc 

             PM 

     Subject 

                                       Re: ODBC Security 
             Please respond to 
             Midrange Systems 
                 Technical 
                Discussion 
             <midrange-l@midra 
                 nge.com> 

Rather a recent discussion on the security list.  Searching the recent
archives might give some good insight.

Defense in depth is always the best strategy.

First, and strongest wall, should always be object authority. 
 Now, some
people secure everyone out of an object.  And then the only 
way to access
a file was via programs that adopted authority.  Knew a fellow who did
this for a company that made body parts for humans.  Like artificial
knees.  If you do this then the only way they can use ODBC is 
if you copy
the data to a different file that is opened for read.
Leaving all your files for read might not be a good idea.  
For example if
your programs secure who can read certain fields.  For example if your
employee file has salary information in there with name and 
address and
certain people can look up address but only certain other 
people can look
up salary and that is all program restricted.  Now accessing 
that file via
odbc blasts by that.  Workaround, break the file apart which 
some vendors
do.  Or use column level security.  Nice theory but I've not 
seen people
use this in practice yet.  Has anyone?  Supported by DB2.
Oh and as far as the "download file", our users quickly 
figured out that
they could query most any file they wanted to and overwrite 
the download
file and download that.

Next wall may be exit points.  Let's say your application 
vendor is from
the stone age.  And he requires the files to be *ALL for all users
accessing the files.  Now, you can use an exit point to 
restrict who can
download what data from what file.  For example I can secure 
Sally from
downloading from the logical that has both name and salary 
information in
it, but let Susie get both.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

fbocch2595@xxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
09/15/2006 01:59 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To
midrange-l@xxxxxxxxxxxx
cc

Subject
ODBC Security

I wanted to get some info on the risks to giving AS400 users 
authority to
use ODBC.

If object authority is *use ODBC s/b ok for AS400 users to 
use...right?

If they have *change to AS400 objects then ODBC is not good 
because they
can upload data or change it via file transfer or ODBC...right?

Using an exit pgm will restrict all users except ONLY those 
alllowed by
the exit...which makes it the best way to secure ODBC...is that right?

Thanks for any info

Frank
______________________________________________________________
__________
Check out the new AOL.  Most comprehensive set of free safety 
and security
tools, free access to millions of high-quality videos from 
across the web,
free AOL Mail and more.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion 
(MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

-----------------------------------------
CONFIDENTIALITY NOTICE:  The information in this message, and any
files transmitted with it, is confidential, may be legally
privileged, and intended only for the use of the individual(s)
named above.  Be aware that the use of any confidential or personal
information may be restricted by state and federal privacy laws.
If you are not the intended recipient, do not further disseminate
this message.  If this message was received in error, please notify
the sender and delete it.

-- 
This is the Midrange Systems Technical Discussion 
(MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

-- 
This is the Midrange Systems Technical Discussion 
(MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


CONFIDENTIALITY NOTICE:  This e-mail message and any attachment to this e-mail 
message contain information that may be privileged and confidential.  This 
e-mail and any attachments are intended solely for the use of the individual or 
entity named above (the recipient) and may not be forwarded to or shared with 
any third party.  If you are not the intended recipient and have received this 
e-mail in error, please notify us by return e-mail or by telephone at 
775-851-2900 and delete this message.  This notice is automatically appended to 
each e-mail message leaving Bytware, Inc.