Most mainframes formerly used a hardware device called a Network Control Processor (NCP) to connect terminals to the mainframe. At one time, most terminals were hard-wired into the NCP and used the SNA protocol to communicate with it.
With time, hard-wired terminals were replaced with desktop computers running Windows, and connected in a LAN. This LAN used TCP/IP, not SNA. In a typical configuration, each department in a company might have its desktop computers connected in a departmental LAN, with all the LANs hard-wired to the NCP.
As TCP/IP usage started to expand, IBM replaced NCPs with a different type of hardware called an Open Systems Adapter (OSA). The OSA uses TCP/IP. LANs are now connected to the OSA using TCP/IP.
Some people assumed this meant SNA is no longer used. They fail to realize that the connections of terminals to the mainframes through OSAs still use SNA. The SNA is packaged inside the TCP/IP packets sent between the LANs and OSAs.
Another factor that caused people to assume the end of SNA was IBM’s introduction of new functionality called Enterprise Extender (EE), which uses Unformatted Datagram Protocol/ Internet Protocol (UDP/IP), which is somewhat similar to TCP/IP. UDP/IP actually passes SNA packets across the network by enveloping them in a UDP/IP wrapper. This means SNA is still being used; it’s just hidden in UDP/IP packets.
All the security mechanisms for TCP/IP and UDP/IP (such as firewalls and encryption) provide no protection against SNA attacks on your network. The SNA packets containing the attack messages aren’t affected by TCP/IP packet filtering. If the SNA message is encrypted on one end, then decrypted on the other, it’s just as dangerous as it originally was.
Both SNA and TCP/IP are likely to be part of your mainframe networks for years to come. Whether you’re familiar with security for SNA or TCP, the following descriptions will help you understand both sides.
How SNA Works
SNA is IBM’s original telecommunication architecture for mainframes and other platforms. While use of TCP/IP is growing and many people claim SNA is “going away,” it will be a major part of our networking for the foreseeable future.
SNA is a means to connect—to support communication between two endpoints. The end-points may be terminals, programs, or hardware devices such as an Automated Teller Machine (ATM). Each end-point is defined as a Logical Unit (LU). Each LU has an LU name. Each terminal and other hardware device is assigned an LU name. Each program that talks over the network (such as CICS or TSO) is assigned an APPLID name; that is, an LU name denoting a program. An LU is considered an entry point to a network, whether it’s a terminal or an APPLID.