z/os Communications Server Network Security Overview

Similar documents
z/os Communications Server Network Security Overview SHARE Session 9250

How to Secure Mainframe FTP

z/os Network Security Roadmap

z/os Communications Server Security Using Policy Agent

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

z/os Firewall Technology Overview

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

CS z/os Network Security Configuration Assistant GUI

Chapter 9 Firewalls and Intrusion Prevention Systems

Top 10 Tips for z/os Network Performance Monitoring with OMEGAMON. Ernie Gilman IBM. August 10, 2011: 1:30 PM-2:30 PM.

Top 10 Tips for z/os Network Performance Monitoring with OMEGAMON Session 11899

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Safe and Secure Transfers with z/os FTP

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Introduction to Mainframe (z/os) Network Management

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Top 10 Tips for z/os Network Performance Monitoring with OMEGAMON Ernie Gilman

Lecture 10: Communications Security

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Case Study for Layer 3 Authentication and Encryption

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Network Security Fundamentals

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Implementing and Managing Security for Network Communications

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Chapter 4 Virtual Private Networking

Security Technology: Firewalls and VPNs

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Securing IP Networks with Implementation of IPv6

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Firewalls, Tunnels, and Network Intrusion Detection

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

BlackRidge Technology Transport Access Control: Overview

CS 4803 Computer and Network Security

Computer Networks. Secure Systems

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Configuring Security Features of Session Recording

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Laboratory Exercises V: IP Security Protocol (IPSec)

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Security Engineering Part III Network Security. Security Protocols (II): IPsec

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Introduction of Intrusion Detection Systems

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

21.4 Network Address Translation (NAT) NAT concept

TN3270 Security Enhancements

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Network Access Security. Lesson 10

Internet Protocol Security (IPSec)

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Security vulnerabilities in the Internet and possible solutions

z/os V1R11 Communications Server System management and monitoring Network management interface enhancements

BorderWare Firewall Server 7.1. Release Notes

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Cornerstones of Security

OS/390 Firewall Technology Overview

Firewalls (IPTABLES)

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 8 Security Pt 2

Firewalls. Ahmad Almulhem March 10, 2012

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

OS/390 Firewall Technology Overview

Firewalls. Chapter 3

Chapter 8 Virtual Private Networking

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

The BANDIT Products in Virtual Private Networks

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Lecture 17 - Network Security

8. Firewall Design & Implementation

Using IPSec in Windows 2000 and XP, Part 2

NETWORK SECURITY (W/LAB) Course Syllabus

DMZ Network Visibility with Wireshark June 15, 2010

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

How To Protect A Web Application From Attack From A Trusted Environment

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

About Firewall Protection

McAfee Firewall Enterprise 8.2.1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

March

Network Defense Tools

74% 96 Action Items. Compliance

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

ICSA Labs Network Protection Devices Test Specification Version 1.3

SonicWALL PCI 1.1 Implementation Guide

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

End-to-end encryption options on z/os

Transcription:

System z Security for today and tomorrow z/os Communications Server Security Overview Lin Overby z/os Communications Server Strategy, Architecture and Design 14 December 2012

Session abstract z/os Communications Server Security Overview Traditionally, network security has been placed at the enterprise perimeter. Enterprise security deployments are increasingly implemented with multiple layers of defense to protect mission critical data systems. While perimeterbased network security is still in force, the additional enablement of network security function at the server provides a critical layer of protection in the security infrastructure. This session will describe how z/os Communication Server 'self-protects' z/os from a network security perspective. Topics covered are drivers of network security function deployment into the server endpoint, as well as the policy-based network security solutions that are available on z/os. The solution focus areas for this session include IPSec, Application Transparent TLS, integrated intrusion detection services, SAF protection of TCP/IP resource, centralized control of Communications Server network security, and integration of DataPower with z/os security using the Communications Server Security Server. 2

Agenda Overview Roles and objectives Deployment trends and requirements Policy-based Security IP security (IP packet filtering and IPSec) Application Transparent TLS Intrusion Detection Services Enterprise-wide Security Roles Centralized Policy Agent Security Services SAF Protection of TCP/IP Resources SERVAUTH profiles for TCP/IP 3

Agenda Overview Roles and objectives Deployment trends and requirements Policy-based Security IP security (IP packet filtering and IPSec) Application Transparent TLS Intrusion Detection Services Enterprise-wide Security Roles Centralized Policy Agent Security Services SAF Protection of TCP/IP Resources SERVAUTH profiles for TCP/IP 4

Role of network security on System z Secure access to both TCP/IP and SNA applications Focus on end-to-end security and self-protection Exploit strengths of System z hardware and software Business Partner Enterprise or Intranet Secure Key Distribution Secure protocols (IPSec, SSL, SNA SLE) with Strong Encryption F I R E W A L L IBM Internet Remote Access IBM IBM F I R E W A L L IBM IDS Enterprise or Intranet IBM Intranet Host RACF for User I&A Access Ctl Mission-critical data z/os Communications Server z/os CS IDS Protect data and other resources on the system from the network System availability Protect system against unwanted access and denial of service attacks from network Identification and authentication Verify identity of network users Access control Protect data and other system resources from unauthorized access Protect data in the network using cryptographic security protocols Data endpoint authentication Verify who the secure end point claims to be Data origin authentication Verify that data was originated by claimed sender Message Integrity Verify contents were unchanged in transit Data Privacy Conceals cleartext using encryption 5

Recent network security deployment trends and requirements Self-protection will increase in importance and will evolve into the last layer deployed in a total defense in depth strategy. The server (and client) will become the new perimeter as more security function is pushed into the endpoints, either because more security is required or because the endpoint is the only place the function can be performed. More defense in depth deployments Security no longer perimeter based Server is last layer in defense in depth Driven by regulatory compliance and more stringent IT security policies Many new industry and government standards (PCI DSS, HIPAA, SOX, etc.) Driving many enterprises to adopt new security practices Data privacy is a common theme drives end-to-end network crypto Increasing adoption of network security in servers Seeing increasing deployment of both IPSec and TLS on z/os Self-protect features such as IP packet filtering ( personal firewall on server), IDS Focus on minimizing security deployment costs Application transparent network security reduces application costs Policy-based network security reduces deployment costs GUI-based policy administration for ease of use 6

Protocol layer view of TCP/IP security technologies Protect the system z/os CS TCP/IP applications use SAF to authenticate users and prevent unauthorized access to datasets, files, and SERVAUTH protected resources. The SAF SERVAUTH class is used to prevent unauthorized user access to TCP/IP resources (stack, ports, networks). Intrusion detection services protect against attacks of various types on the system's legitimate (open) services. IDS protection is provided at both the IP and transport layers. Application layer SAF protection Application specific Native SSL / TLS API layer SAF protection AT-TLS IDS Kerberos TCP/UDP transport layer Protect data in the network Examples of application protocols with built-in security extensions are SNMPv3 and OSPF. Both Kerberos and SSL/TLS are located as extensions to the sockets APIs and applications have to be modified to make use of these security functions. Both SSL/TLS and Kerberos are connection-based and only applicable to TCP (stream sockets) applications, not UDP. AT-TLS is a TCP/IP stack service that provides SSL/TLS services at the TCP transport layer and is transparent to applications. IP packet filtering blocks out all IP traffic that this system doesn't specifically permit. These can be configured or can be applied dynamically as defensive filters. IP ing layer IDS IP Filtering IPSec IP packet filters specify traffic that requires IPSec. IPSec resides at the networking layer and is transparent to upper-layer protocols, including both transport layer protocol and application protocol. 7

Agenda Overview Roles and objectives Deployment trends and requirements Policy-based Security IP security (IP packet filtering and IPSec) Application Transparent TLS Intrusion Detection Services Enterprise-wide Security Roles Centralized Policy Agent Security Services SAF Protection of TCP/IP Resources SERVAUTH profiles for TCP/IP 8

Policy-based network security on z/os overview Policy is created through Configuration Assistant for z/os Communications Server GUI-based tool Configures each security discipline (AT-TLS, IPSecurity and IDS) using consistent model Generates and uploads policy files to z/os Policy Agent processes and installs policies into TCP/IP stack Policies are defined per TCP/IP stack Separate policies for each discipline Policy agent also monitors and manages the other daemons and processes needed to enforce the policies (IKED, syslogd, trmd, etc.) Provides network security without requiring changes to your applications Security policies are enforced by TCP/IP stack Different security disciplines are enforced independent of each other TCP/IP Application Sockets API Transport AT-TLS IPSecurity Security policy administrator ing DLC IDS IDS Policy AT-TLS Policy Policy Agent IPSecurity Policy 9

Configuration Assistant for z/os Communications Server Configures: AT-TLS IPSec and IP filtering IDS Quality of Service Policy-based routing Separate perspectives but consistent model for each discipline Focus on concepts, not details What traffic to protect How to protect it De-emphasize low-level details (though they are accessible through advanced panels) z/osmf-based web interface (strategic) or downloadable standalone Windows application Builds and maintains Policy files Related configuration files JCL procs and RACF directives Supports import of existing policy files 10

IP Security 11

z/os IP Security support z/os Client Enterprise or Intranet F I R E W A L L Internet F I R E W A L L Enterprise or Intranet IPSec traffic Non-IPSec traffic z/os IP Security is a complete IP filtering, IPSec, and IKE solution and is part of z/os Communications Server Services Protect the system from the network IP filtering to control which packets can enter the system Protect against data leakage from the system IP filtering to control which packets can leave the system Cryptographic protection of data in the network Manual IPSec (statically defined security associations) Dynamic negotiation of IPSec security associations using Internet Key Exchange (IKE) Filter directed logging of IP Security actions to syslogd 12

IP packet filtering overview IP filtering at the z/os IP Layer Filter rules defined based on attribute of IP packets: IPv4 or IPv6 source/destination address Protocol (TCP, TCP with ACK, UDP, ICMP, etc.) Source/destination Port Direction of flow Local or routed traffic Time interface Used to control Traffic being routed Access at destination host (local) Possible actions when a filter rule is matched: Permit Deny Permit with IPSec protection Log (in combination with above actions) IP filter rules are defined within IPSecurity policy This policy also controls IPSec if you choose to use it Rudimentary default rules can also be defined in TCPIP profile to provide protection before policy agent initializes Benefits for local traffic (self-protection): Early discard of potentially malicious packets Avoid wasting CPU cycles checking validity of packets for applications that are not supported on this system Applications TCP/UDP IPv4 & IPv6 Interfaces Applications TCP/UDP IPv4 & IPv6 Interfaces Routed Traffic Local Traffic Filter policy Traffic routed through this TCP/IP stack Filter policy Traffic going to or coming from applications on this TCP/IP stack only 13

IPSec overview Applications Applications IPSec TCP/UDP IP/ICM P Data Link TCP/UDP IP/ICMP Data Link Provides authentication, integrity, and data privacy via IPSec security protocols Authentication Header (AH) - provides authentication / integrity Encapsulating Security Protocol (ESP) - provides data privacy with authentication / integrity Implemented at the IP layer Requires no application change Secures traffic between any two IP resources - Security Associations (SA) Management of crypto keys and security associations can be: Manual Dynamically negotiated via Internet Key Exchange (IKE) based on IP security policy 14

z/os IPSec security features A complete IPSec implementation Authentication Header (AH) and Encapsulating Security Payload (ESP) Security Associations (SAs) Transport and Tunnel Mode Supports host and gateway roles (optimized for host role) IKE version 1 and version 2 (RFC 5996) Wide range of modern cryptographic algorithms including AES (multiple modes), SHA2, SHA1, RSA, ECDSA, etc. IPSec policy administrator NSS Daemon Sockets API IKE Daemon IPSec policy ziip assisted Moves IPSec processing from general CPs to ziips All inbound IPSec traffic and a good portion of outbound IPSec traffic is processed on a ziip processor Supports NAT Traversal and NAPT for IPv4 Sysplex-wide Security Associations allow SAs to be shared across the sysplex IP Security monitoring interface: IBM Tivoli OMEGAMON XE for Mainframe s 15 encrypted Transport ing IPv4, IPv6 IP filters + IPSec DLC Allows z/os to participate in a wide range of VPN topologies and interoperates with a wide variety of IPSec implementations.

IPSec Scenarios and z/os Roles Legend Data endpoint Security endpoint z/os as Host (Data Endpoint) Host-to-Host: End-to-End Security Association z/os z/os Host-to-gateway: Protect segment of data path H1 Internet/ intranet H2 H1 intranet G1 Internet/ intranet G2 intranet H2 Connection Transport mode IPSec SA Connection Tunnel mode IPSec SA z/os as Gateway (Routed Traffic) H1 Gateway-to-Host: Protection over Untrusted Segment intranet z/os G1 Internet/ intranet G2 intranet H2 Gateway-to-Gateway: Protection over Untrusted Segment z/os H1 intranet G1 Internet/ intranet G2 intranet H2 Connection Tunnel mode IPSec SA Connection Tunnel mode IPSec SA 16

Application Transparent TLS 17

Transport Layer Security enablement Applications System SSL API TLS/SSL Applications System SSL API TLS Encrypted Sockets TCP Sockets TCP IP ing Layer IP ing Layer Interfaces Interfaces TLS traditionally provides security services as a socket layer service TLS requires reliable transport layer, Typically TCP (but architecturally doesn t have to be TCP) UDP applications cannot be enabled with traditional TLS There is now a TLS variant called Datagram Transport Layer Security (DTLS) which is defined by the IETF for unreliable transports On z/os, System SSL (a component of z/os Cryptographic Services) provides an API library for TLS-enabling your C and C++ applications Java Secure Sockets Extension (JSSE) provides libraries to enable TLS support for Java applications However, there is an easier way Application Transparent TLS! 18

z/os Application Transparent TLS overview Stack-based TLS TLS process performed in TCP layer (via System SSL) without requiring any application change (transparent) AT-TLS policy specifies which TCP traffic is to be TLS protected based on a variety of criteria Local address, port Remote address, port Connection direction z/os userid, jobname Time, day, week, month AT-TLS policy administrator using Configuration Assistant AT-TLS policy Application transparency Can be fully transparent to application Applications has option to inspect or control certain aspects of AT-TLS processing application-aware and application-controlled AT-TLS, respectively Optional APIs for applications to inspect or control aspects of TLS session. TCP/IP Application Sockets API Transport (TCP) Available to TCP applications Includes CICS Sockets Supports all programming languages except PASCAL Supports standard configurations z/os as a client or as a server Server authentication (server identifies self to client) Client authentication (both ends identify selves to other) Uses System SSL for TLS protocol processing Remote endpoint sees an RFC-compliant implementation Interoperates with other compliant implementations encrypted AT-TLS System SSL ing IPv4, IPv6 DLC 19

Some z/os applications that use AT-TLS Communications Server applications TN3270 Server FTP Client and Server CSSMTP Load Balancing Advisor IKE NSS client NSS server Policy agent DB2 DRDA IMS-Connect JES2 NJE Tivoli Netview applications MultiSystem Manager NetView Management Console RACF Remote Sharing Facility CICS Sockets applications 3 rd Party applications Customer applications 20

Advantages of using AT-TLS Reduce costs Application development Cost of System SSL integration Cost of application s TLS-related configuration support Consistent TLS administration across z/os applications Gain access to new features with little or no incremental development cost Complete and up-to-date exploitation of System SSL features AT-TLS makes the vast majority of System SSL features available to applications AT-TLS keeps up with System SSL enhancements as new features are added, your applications can use them by changing AT-TLS policy, not code Ongoing performance improvements Focus on efficiency in use of System SSL Great choice if you haven t already invested in System SSL integration Even if you have, consider the long-term cost of keeping up vs. short term cost of conversion 21

z/os AT-TLS Supported Roles Legend Data endpoint Security endpoint Server authentication only Server and Trusted CA's Certificate z/os TLS Server RACF Keyring H1 z/os as Server Connection Internet/ intranet TLS Client H2 TLS Session Trusted CA's Certificate Keyring Server and Trusted CA's Certificate Keyring TLS Server H1 z/os as Client Connection Internet/ intranet z/os TLS Client H2 TLS Session Trusted CA's Certificate RACF Keyring Server + client authentication Server and Trusted CA's Certificate Optional: Client certificate to RACF userid mapping for SAFCHECK z/os TLS Server RACF Keyring H1 Connection Internet/ intranet TLS Client H2 TLS Session Client and Trusted CA's Certificate Keyring Server and Trusted CA's Certificate Keyring TLS Server H1 Connection Internet/ intranet z/os TLS Client H2 TLS Session Client and Trusted CA's Certificate RACF Keyring 22

IPSec* and AT-TLS comparison Attribute Traffic covered Provides true end-to-end protection Provides network segment protection Protection scope Requires application modifications Endpoints and authentication Auth credentials Session key refresh IPsec All IP traffic (TCP, UDP, ICMP, etc.) Yes Yes Flexible (all traffic, single protocol, single or range of connections, etc.) No IP node to IP node (dynamic tunnels only) X.509 certificates or pre-shared keys Configurable based on data and time. AT-TLS TCP connections Yes No Single TCP connection No, unless advanced function needed Application to application X.509 certificates Configurable based on time. * - using IKE to establish IPsec tunnels dynamically 23

Intrusion Detection Services 24

Protecting against intentional and unintentional attacks on your system What is an intrusion? Information Gathering and system topology Data location and contents Eavesdropping/Impersonation/Theft On the network/on the host Base for further attacks on others through Amplifiers, Robots, or Zombies Denial of Service - Attack on availability Single packet attacks - exploits system or application vulnerability Multi-packet attacks - floods systems to exclude useful work Attacks can occur from Internet or intranet Company firewalls and intrusion prevention appliances can provide some level of protection from Internet Perimeter security strategy alone may not be sufficient. Some access is permitted from Internet typically into a Demilitarized Zone (DMZ) Trust of intranet Attacks can be intentional (malicious) but often occur as a result of errors on nodes in the network (config, application, etc.) External attacker Internal end-user attacker Intrusion Detection and Prevention Packet filtering Enterprise Enterprise network network or or intranet intranet Company Firewall Public Public network network or or Internet Internet Zombie attacker 25

z/os Communications Server IDS overview IDS Policy administrator IDS Policy Trmdstat reporting or other auditing tools Security Auditor z/os CS Policy infrastructure Applications TCP/UDP IPv4 & IPv6 Interfaces Detailed event messages to z/os UNIX System Services Syslogd Attack Probe Fires Syslogd Intrusion Event Notification Actions Selected event messages to MVS console Automation based on MVS console messages Security Administrator MVS Console Operator Attack!!! CTRACE Dynamic packet trace of suspicious activity Engineer detailed P/D Defensive Actions Discard packet Deny connection Reset connection 26

z/os Communications Server IDS features IDS Events Scans attempts by remote nodes to discover information about the z/os system Attacks numerous types Malformed packets IP option and IP protocol restrictions Specific usage ICMP Interface and TCP SYN floods and so forth including several new attack types introduced in V1R13 Traffic Regulation TCP - limits the number of connections any given client can establish UDP limits the length of data on UDP queues by port Defensive actions Packet discard Limit connections Drop connections (V1R13) Reporting Logging Console messages IDS packet trace Notifications to external event managers (like Tivoli NetView) z/os in-context IDS broadens overall intrusion detection coverage: Ability to evaluate inbound encrypted data - IDS applied after IPSec decryption on the target system Avoids overhead of per packet evaluation against table of known attacks - IDS policy checked after attack probe fires Detects statistical anomalies realtime - target system has stateful data / internal thresholds that generally are unavailable to external IDSs Policy can control prevention methods on the target, such as connection limiting and packet discard 27

Defense Manager enables dynamic defensive actions The z/os Communications Server Defense Manager component allows authorized users to dynamically install time-limited, defensive filters: A local security administrator can install filters based on information received about a pending threat Enables filter installation through automation based on analysis of current attack conditions Defensive filtering is an extension to IDS capabilities Adds additional defensive actions to protect against attacks z/os Security Administrator DM defensive filter database ipsec command z/os Defense Manager Maintain defensive filters Initial filters installed via TCP/IP Profile and/or Policy Agent ipsec command TCP, UDP IP Applications Interfaces Filter rules IDS IDS Automation software Message processing Defensive filters DENY only Limited lifetime (max ~2 weeks) Installed "in-front" of configured/default filters Maintained on DASD for availability in case of DM restart or stack start/restart Scope may be: Global - all stacks on the LPAR where DM runs Local - apply to a specific stack One Defense Manager per LPAR Use of ipsec command to display and control defensive filters is secured via SAF security profiles 28

Centralized Policy Agent and Security Services 29

Security Administration and Monitoring at Each System z/os image 1 Certificates and private keys for image 1 Stack One z/os image n IKE Daemon...... IKE Daemon Stack Eight RACF Keyring Policy Agent Client Pagent.conf local policies Certificates and private keys for image n RACF Keyring Policy Agent Client Pagent.conf local policies Monitoring RACF certificate administration Configuration Assistant for z/os CommServer Each z/os system locally administered Monitoring RACF certificate administration Policy configuration Connectivity required between administration and each managed platform Monitoring application has advance knowledge of each managed node Coordination required to push policy out to each system for deployment Stack One... Stack Eight 30

Centralized networking security policy management LPAR1 Pagent.conf Stack One LPARn Pagent.conf Stack One Policy Agent Client...... Policy Agent Client... Optional local policies Stack Eight Optional local policies Stack Eight Secure connections Pagent.conf Stack One Policy Agent Server... Stack Eight LPARx Centralized policies security policy governs actions by security enforcement points IPSec, TLS, IDS/IPS Centralized policy management Policy agent roles Centralized policy service provided by policy agent that has role of policy server Policy agents that obtain policy from policy server have role of policy client A single policy agent can be a policy client or policy server but not both 31

Centralized Security Services for IPSec IPsec SAs z/os image 1 iked.conf IKE Daemon secure connections nss.conf z/os image x Security Services Daemon Certificates and private keys for images 1 to n SAF Keyring Centralized monitoring IKE peer IPsec SAs Stack One z/os image n iked.conf Stack One.. IKE Daemon... Stack Eight Stack Eight NSS role extended in z/os V1R12 NSS is required for z/os V1R12 advanced certificate support Certificate Revocation List Certificate Trust Chain NSS is required for ALL IKEv2 certificate services Centralized SAF certificate administration Centralized IPSec network security services for a set of z/os images Images can be non-sysplex, within sysplex or cross sysplex NSS digital signature services Allows central administration of SAF certificates and private keys Sign and verify during runtime IKE negotiations NSS monitoring interfaces Allows selection of single focal point as IPsec management hub ipsec command for administrator Monitor Interface (NMI) for management application 32

Extending NSS Integrating DataPower with z/os security WebSphere DataPower Appliances Performs advanced WebServices operations Message format transformation for traditional z/os applications Offloads XML and WebServices security function DataPower Appliance (logical integration) DataPower XI50z Integrated Blade (physical integration) Web Services request DataPower XML and Web Services processing SAF request NSS client DataPower DataPower Secured TCP Connections z/os NSS Server NSS Client infrastructure XMLAppliance Discipline SAF Access Service Certificate Service Private Key Service SMF Audit Records RACF Profiles RACF NSS XMLAppliance discipline enables both logical and physical integration between DataPower and z/os security. DataPower accesses centralized SAF services via z/os NSS for: SAF access service: Provides SAF-based authentication (of DP users) and access control (of DP resources) with SMF auditing Certificate service: Provides retrieval of RSA certificates from a SAF keyring Private key service provides: Private RSA key retrieval (clear key only) RSA signature and decryption operations (secure key only) z/os security administered through z/os security facilities such as RACF (SAF), ICSF SMF ICSF RACF Keyring 33

Agenda Overview Roles and objectives Deployment trends and requirements Policy-based Security IP security (IP packet filtering and IPSec) Application Transparent TLS Intrusion Detection Services Enterprise-wide Security Roles Centralized Policy Agent Security Services SAF Protection of TCP/IP Resources SERVAUTH profiles for TCP/IP 34

SERVAUTH Protection for TCP/IP All the "traditional" SAF protection of datasets, authorized MVS and z/os UNIX functions, etc. on a z/os system applies to TCP/IP workload just as it applies to all other types of workload. Be careful with anonymous services such as anonymous FTP or TFTP services that can be configured to allow un-authenticated users access to selected MVS data sets and/or HFS files. The SERVAUTH resource class is used to specifically define and protect a number of TCP/IP unique resources General SERVAUTH profile format: EZB.resource_category.system_name.jobname.resource_name EZB designates that this is a TCP/IP resource resource_category is capability area to be controlled e.g. TN3270, Stack Access, etc. system_name is the name of the system (LPAR) - can be wild-carded (*) jobname is the jobname associated with the resource access request - can be wild-carded (*) optional resource_name - one or more qualifiers to indicate name of resource to be protected - can be wild-carded (*) To protect one of the supported TCP/IP resources, you define a SERVAUTH profile with universal access NONE and you then permit authorized user IDs to have READ access to the resource If using OEM security packages, beware of the differences between defined/not defined resource actions 35

STACKACCESS WEBSERV TCPIPA TSOUSR1 TSOUSR2 TCPIPB Limits local users open sockets or use of TCP/IP stack services (e.g., get hostname, get hostid, etc.) Access to stack via sockets is allowed if the user has access to the following SERVAUTH class SAF resource: EZB.STACKACCESS.sysname.stackname security zone security A zone A security zone security B zone B security zone security C zone C Define stack resource with UACC(NONE) and permit groups or individual users to allow them access to the stack In the example, TSOUSR1 and TSOUSR2 are not permitted to use TCPIPA EZB.STACKACCESS.*.TCPIPA WEBSRV permitted, all others not EZB.PORTACCESS.*.TCPIPA.WEBPORT WEBSRV permitted, all others not EZB.NETACCESS.*.TCPIPB.ZONEC TSOUSR1 permitted, all others not 36

NETACCESS Controls local user s access to network resources WEBSERV TSOUSR1 TSOUSR2 bind to local address send/receive IP packets to/from protected zone Subnet Individual host TCPIPA TCPIPB (Note that firewalls can t distinguish between individual users) Access to security zone is allowed if the user has access to the SERVAUTH class SAF resource associated with the zone: security zone security A zone A security zone security B zone B EZB.STACKACCESS.*.TCPIPA WEBSRV permitted, all others not EZB.PORTACCESS.*.TCPIPA.WEBPORT WEBSRV permitted, all others not EZB.NETACCESS.*.TCPIPB.ZONEC TSOUSR1 permitted, all others not security zone security C zone C EZB.NETACCESS.sysname.stackname.zonename NETACCESS statement in TCP/IP profile defines security zones. For example, stack B may have: NETACCESS INBOUND OUTBOUND 192.168.1.0 255.255.248.0 ZONEB 192.168.0.0/16 ZONEC Default 0 WORLD ENDNETACCESS In the example, TSOUSR2 is not permitted to network security zone C 37

PORTACCESS WEBSERV TCPIPA TSOUSR1 TSOUSR2 TCPIPB Limits local users access to non-ephemeral ports Controls whether a started task or userid can establish itself as a server on a given TCP or UDP port. Access to use port is allowed if the user has access to the following SERVAUTH class SAF resource: EZB.PORTACCESS.sysname.stackname.SAFname security zone security A zone A security zone security B zone B SAF keyword on PORT or PORTRANGE statement in TCP/IP profile defines SAF resource name. For example, stack A may have: security zone security C zone C PORT 80 TCP * SAF WEBPORT EZB.STACKACCESS.*.TCPIPA WEBSRV permitted, all others not EZB.PORTACCESS.*.TCPIPA.WEBPORT WEBSRV permitted, all others not EZB.NETACCESS.*.TCPIPB.ZONEC TSOUSR1 permitted, all others not In the example, only userid WEBSRV is permitted to establish itself as a server on port 80 on stack TCPIPA 38

SAF Protection: Other SERVAUTH resources There are 30+ different possible TCP/IP-related resource types to protect. Careful use of these can provide a significant level of security administrator-based control over use of TCP/IP-related resources on z/os Command protection ipsec nssctl pasearch netstat Application control broadcast socket options IPv6 advanced socket APIs NSS certificate, service, client access FTP port, command access and HFS access DCAS access management APIs packet trace realtime SMF data connection data Other resource restrictions Fast Response Cache Accelerator (FRCA) page load SNMP subagent access DVIPA modification control See z/os Communications Server IP Configuration Guide chapter 3 for a complete list of SERVAUTH profiles 39

Summary 40

Summary Protecting system resources and data from the network Integrated Intrusion Detections Services Detects, records, and defends against scans, stack attacks, flooding Protect system availability Built in protection against Denial of Service attacks IP packet filtering Syslogd integrity and availability Sysplex Wide Security Associations SAF protection of z/os resources z/os CS application access to data sets and files SERVAUTH class protection Protecting mission critical data in the network True end-to-end security with security endpoint on z/os Strong encryption with AES and Triple DES Using hardware assist from crypto coprocessor and CP assist instruction Transparent Application Security IPSec for TCP/IP applications Application-Transparent TLS support Internet-ready access to SNA applications with TN3270 SSL Built-in Application Security Kerberized FTP, rsh, telnet, Secure network services SNMPv3, Secure OSPF Authentication, Secure DNS 41

Thank you 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information