(no subject)

Chak Lung Dominic Li

(no subject)
Dear All,

I am one of the DB2 DBA members in a bank. Our team plans to implement
DB2 DRDA (DB2 V5) using TCP/IP support for the access of DB2 data in
OS/390 thru ODBC and DB2 Connect (Personal Edition V 7).

Regarding the security of this setup, we would like to have your input
for the following:

1. TCP/IP

- Is there any known security exposure when comparing with SNA?

2. DB2 Connect

- For signon at DB2 Connect, is there any encryption/decryption of
user/password when passing through network?
- For repeated attempts of incorrect passwords at DB2 Connect signon,
will the DB2 user be revoked? How can we achieve this purpose?

Please let me have your input soon and your assistance would be highly
appreciated.

Thanks and regards,
A Cheng



Gerry McHugh

Re: (no subject)
(in response to Chak Lung Dominic Li)
See below

-----Original Message-----
From: Li, Chak Lung Dominic
Sent: Thursday, January 11, 2001 6:35 AM
Subject: (no subject)


Dear All,

I am one of the DB2 DBA members in a bank. Our team plans to implement
DB2 DRDA (DB2 V5) using TCP/IP support for the access of DB2 data in
OS/390 thru ODBC and DB2 Connect (Personal Edition V 7).

Regarding the security of this setup, we would like to have your input
for the following:

1. TCP/IP

- Is there any known security exposure when comparing with SNA?

SNA is more secure than TCP/IP, because SNA also uses the Communications
Database (CDB), which is part of the DB2 catalog, for security. TCP/IP does
not use the CDB for incoming requests, and only uses it superficially for
outgoing requests. However, TCP/IP is faster if you're on OS/390 V2.6 or
higher. Also, SNA is a real pain in the a__ to set up. Even my IBM
instructors at the DB2 Connect class recommend you use TCP/IP.


2. DB2 Connect

- For signon at DB2 Connect, is there any encryption/decryption of
user/password when passing through network?

Specify DCS_ENCRYPT when creating the database alias at the client and DB2
Connect workstation.


- For repeated attempts of incorrect passwords at DB2 Connect signon,
will the DB2 user be revoked? How can we achieve this purpose?

Don't know this for a fact, but I would assume that RACF will revoke based
on the settings specified by the RACF admins.

Please let me have your assistance soon and your assistance would be highly
appreciated.

Thanks and regards,
A Cheng
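
The DCS_ENCRYPT setting mentioned in the reply above, written out as a DB2 command line processor script for a workstation running DB2 Connect. This is an added example, not part of either post; the node name, host name, port, database name and location name are constructed placeholders.

```sql
-- Added example: DB2 CLP script, run with: db2 -tvf catalog_host.clp
-- Constructed placeholders (replace with site values):
--   HOSTNODE         local name for the TCP/IP node entry
--   mvs.example.com  host name of the OS/390 system
--   446              DRDA listener port configured for DB2 on the host
--   HOSTDB           local database name and alias
--   DB2LOC           DB2 for OS/390 location name

-- TCP/IP node entry pointing at the host's DRDA listener.
CATALOG TCPIP NODE HOSTNODE REMOTE mvs.example.com SERVER 446;

-- DCS directory entry: maps the local database name to the host location.
CATALOG DCS DATABASE HOSTDB AS DB2LOC;

-- Weak form, shown for contrast only: AUTHENTICATION DCS has the host
-- validate the user ID and password but does not ask for the password
-- to be encrypted on the wire.
-- CATALOG DATABASE HOSTDB AS HOSTDB AT NODE HOSTNODE AUTHENTICATION DCS;

-- Form recommended in the reply: same host-side validation, with the
-- password encrypted before it is sent.
-- If HOSTDB is already cataloged with another authentication type, run
-- UNCATALOG DATABASE HOSTDB first, then this command.
CATALOG DATABASE HOSTDB AS HOSTDB AT NODE HOSTNODE AUTHENTICATION DCS_ENCRYPT;

-- Refresh the directory cache, then list the entries to confirm the
-- authentication type recorded for HOSTDB.
TERMINATE;
LIST DATABASE DIRECTORY;
```

Where a separate client connects through a DB2 Connect gateway, the reply's advice is to specify the same authentication type when cataloging the alias on both machines.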