z/os Firewall Technology Overview



Similar documents
OS/390 Firewall Technology Overview

OS/390 Firewall Technology Overview

21.4 Network Address Translation (NAT) NAT concept

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Cornerstones of Security

Network Configuration Settings

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

TN3270 Security Enhancements

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Lecture 17 - Network Security

CSCE 465 Computer & Network Security

Network Security. Lecture 3

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Multi-Homing Dual WAN Firewall Router

Proxy Server, Network Address Translator, Firewall. Proxy Server

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Overview - Using ADAMS With a Firewall

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Overview - Using ADAMS With a Firewall

Virtual Private Networks

Network Access Security. Lesson 10

Chapter 17. Transport-Level Security

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

IBM enetwork VPN Solutions

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Networking Security IP packet security

Internet Protocol: IP packet headers. vendredi 18 octobre 13

NETASQ MIGRATING FROM V8 TO V9

Chapter 32 Internet Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Virtual Private Networks

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Guideline for setting up a functional VPN

IP Security. Ola Flygt Växjö University, Sweden

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Firewalls. Ahmad Almulhem March 10, 2012

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Cisco Which VPN Solution is Right for You?

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Security vulnerabilities in the Internet and possible solutions

Galileo International. Firewall & Proxy Specifications

Cisco AnyConnect Secure Mobility Solution Guide

SSL VPN. Virtual Private Networks based on Secure Socket Layer. Mario Baldi. Politecnico di Torino. Dipartimento di Automatica e Informatica

Protocol Security Where?

Firewalls. Chapter 3

Security Technology: Firewalls and VPNs

SSL SSL VPN

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

ETSF10 Part 3 Lect 2

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Creating a Gateway to Gateway VPN between Sidewinder G2 and Linux

LinkProof And VPN Load Balancing

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Proxies. Chapter 4. Network & Security Gildas Avoine

TABLE OF CONTENTS NETWORK SECURITY 2...1

12. Firewalls Content

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Multi-Homing Security Gateway

Introduction to Security and PIX Firewall

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Configuring Global Protect SSL VPN with a user-defined port

Chapter 9 Firewalls and Intrusion Prevention Systems

CCNA Security 1.1 Instructional Resource

GPRS / 3G Services: VPN solutions supported

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Basic Network Configuration

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Laboratory Exercises V: IP Security Protocol (IPSec)

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

Chapter 7. Address Translation

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Stateful Inspection Technology

Exhibit B5b South Dakota. Vendor Questions COTS Software Set

Transcription:

z/os Firewall Technology Overview Mary Sweat E - Mail: sweatm@us.ibm.com Washington System Center OS/390 Firewall/VPN 1

Firewall Technologies Tools Included with the OS/390 Security Server Configuration Client (GUI) Configuration Commands Logging Server Proxy FTP server Socks Server Real Audio Support Internet Security Association Key Management Protocol (ISAKMP) Server Included with the enetwork Communications Server for OS/390 Network Address Translation (NAT) IP Filters IP Tunnels (IPSec or Virtual Private Network) OS/390 Firewall Technologies is not a separate product. It is part of the OS/390 Security Server and enetwork Communications Server for OS/390. If the Security Server has not been purchased the Configuration Commands can still be used because the Security Server code is shipped with the base OS/390 and the usage of Configuration Commands is not checked to see if there is a license for the Security Server. Prior to OS/390 2.10 the Socks server, FTP proxy, ISAKMP server and Configuration client that comes with OS/390 Firewall Technologies can only be used if the customer has purchased the Security Server. The firewall checks and ensures a Security Server license exist before it allows the installation to utilize these features. As of OS/390 2.10 a customer can use ISAKMP and the Configuration Client without having a license provided they have the APAR OW47982 installed. A license is still required if configuring the FTP proxy or the Socks server. OS/390 Firewall/VPN 2

Firewall Hardware Requirements Any communication hardware interface supported by the TCP/IP protocol stack to make the network connections OSA, 3172, CTC, XCF, etc. At least two network interfaces; one network interface connects the secure, internal network that the firewall protects the other network interface connects to the nonsecure, outside network or internet Secure Non-secure Crypto Coprocessor this is optional requirement as the OS/390 firewall can use software encryption (RSA BSAFE) used with Integrated Cryptographic Service Facility (ICSF) By default all adapters defined are considered "non-secure" until the firewall administrator defines selected adapters as secure. You can have numerous adapters (max. 256) but you must have a minimum of 2 if you use the interfaces on both sides of the firewall. SECURE adapter is the side of the firewall that allows data to flow in and out of the company's environment. The SECURE environment can be thought of as the company's intranet or an area which the company has control over the machines and can dictate what changes are allowed on those machines. The NONSECURE environment deals with the flow of traffic going to or coming from the Internet or any environment the company can not trust or does not control. The OS/390 Firewall Technology Virtual Private Network (often known as tunnels) can utilize the hardware crypto features on your CMOS machines. No other feature of the OS/390 Firewall uses this hardware. To exploit the hardware crypto functions, the TCP/IP Firewall stack needs to be authorized for the ICSF services via RACF class CSFSERV. ICSF services that can be exploited are; - clear key import callable service - decipher callable service - encipher callable service - random number generate callable services OS/390 Firewall/VPN 3

Software Requirements OS/390 Security Server (RACF) OS/390 enetwork Communications Server OS/390 UNIX services OS/390 C/C++ Collection Cl. Lib. OS/390 System Secure Socket Layer (System SSL) Open Cryptographic Services Facility (OCSF) Security Server Open Cryptographic Enhanced Plug-ins (OCEP) System Secure Sockets Layer is required for the usage of the OS/390 Firewall GUI. OCSF and OCEP is required if dynamic tunnels (ISAKMP) are used. OS/390 Firewall/VPN 4

Graphical User Interface GUI Client Configuration Server (OS/390) SSL Written in JAVA Installs / runs on Windows 95/NT & AIX AIX Java 1.1.4 or higher AIX 4.2 or higher Netscape 3.0.1 Windows 95 or Windows NT web browser with Java and frames support zip tool that handles long file names The GUI was available in 2.7, previous versions of S/390 Firewall only had a command line interface for configuring the firewall. System SSL encrypts data flowing between GUI and Configuration Server. If System SSL is not setup the GUI will not work. Authorization to use and configure the firewall is checked via External Security Manager (eg. RACF). Must have explicit authorization to the GUI RACF profile ICF.CFGSRV even if you are a superuser. Benefits; > Provides ease of use > Defaults filled in > On-line help > Error checking > Dialog messages > English / Japanese OS/390 Firewall/VPN 5

FTP Proxy Support OS/390 Firewall Technologies supply an FTP proxy server (pftpd) access controlled on a user-by-user basis to go out of the secure network to come in from the non-secure world local ftp commands disabled on the firewall Users ftp to the firewall and with valid authorizations, pftpd contacts FTP server outside the secure network Non-Secure Network Secure Network ftp pftpd destination ftp server ftp client File Transfer Protocol (FTP) is a TCP/IP service that transfers files from one network host to another. The purpose of the FTP proxy is to act as middle man. Rather then the client connecting directly to the FTP server, the client will connect to the FTP proxy first. The proxy then ask the client where did it really want to go? The client responds with the information and the FTP Proxy performs the actual connection to the FTP server. When using this proxy the firewall address is what is sent to the FTP server rather then the clients address which is the norm. Therefore, the FTP proxy hides the client addresses. Once a connection is established, all commands the user enters, are forwarded to the remote host by the proxy. The proxy also returns all status messages for you. Clients must be userid/passwords on the firewall system to use the FTP proxy. They do not need authority to logon to the system. Each proxy server is written for a specific application, in this case FTP. OS/390 Firewall/VPN 6

Socks A socks dæmon sits between the client and destination server socks dæmon is generic can handle traffic for multiple, different applications Socks replaces the IP address of the user with the address of the firewall ftp telnet... (Socksified Clients) client socks dæmon server Any application protocol A SOCKS server performs the same function as the FTP proxy with regards to keeping the client's address secret. However, a SOCKS server can be used by multiple application instead of the FTP proxy only working with FTP applications. To use the SOCKs server, application must be SOCKSIFIED, meaning the applications have be compiled to incorporate the SOCKS server library. SOCKS server uses rules to determine whether the request is authorized to pass to or from the protected network Authorization is rules-based, as opposed to a userid/password like the FTP proxy OS/390 Firewall/VPN 7

Real Audio Support Supports live and on-demand audio from the Internet Special protocol developed by Progressive Networks OS/390 Firewall monitors and identifies RealAudio TCP connections dynamic filter rule for a UDP packet is defined when a RealAudio connection is identified rule is removed when the RealAudio TCP connection is closed Real Audio Player Firewall TCP UDP Real Audio Server OS/390 Firewall/VPN 8

Network Address Translation (NAT) Network Address Translation provides a translation from an internal (secure) IP address to an temporary external registered address Secure Network NAT Pool RESERVE t.h.5.0 255.255.255.0 TRANSLATE 9.82.0.0. TCP/IP TCP/IP NAT t.h.5.0 Non-Secure Network t.h.f.1 src=t.h.f.1 dest=t.h.5.9 src=t.h.f.1 dest=9.82.92.8 9.82.92.8 Allows an installation to hide their internally-used IP addresses > to provide additional security > to externalize only registered IP addresses NAT looks like a normal IP router that forwards IP packets between two network interfaces. OS/390 Firewall/VPN 9

IP Filters Basic control feature in firewalls Works at the IP layer of TCP/IP Determines what traffic is allowed to flow through Filters on; TCP/IP IP Filter Rules Interfaces Secure Net -- source and destination IP address & mask -- source and destination port -- direction of the data flow -- IP protocol -- type of interface (secure or nonsecure) -- date/time Non-secure Net Filter components; > network objects > rules > services > connections Filter rules, or definitions specify what traffic is authorized to flow where, must be defined by the system administrator and activated OS/390 Firewall/VPN 10

Virtual Private Networks Virtual Private Networking (VPN) allows secure communications between remote sites over a public network like the internet Secures data traffic at the IP layer secure traffic for all applications, without modifications to applications Firewall BETA Firewall ALPHA Secure Network #1 Tunnel INTERNET Secure Network #2 Illustrated is a tunnel between two firewall hosts across the Internet. The two secure networks are in effect combined into a Virtual Private Network and it allows secure communications between the two hosts. OS/390 Firewall/VPN 11

Tunnel Types Manual, keys are static encryption & authentication keys are the same for the life of the tunnel must be manually updated has the widest choice of header and encryption options Dynamic tunnels (ISAKMP), keys are dynamic based on Internet Security Association and Key Management Protocol (ISAKMP) defines message formats and flows that will allow two devices to dynamically agree to the information shared between them negotiate and refresh security parameters and exchange keys securely Ability to inter-operate with another OS/390 system or any other compatible IBM platforms is simplified by using export/import capability of the fwtunnl command or via the configuration client. For communicating with non-ibm platforms the tunnel information will have to be entered manually. OS/390 Firewall/VPN 12

Firewall Example (one) OS/390 UNIX Web Server Ports 80 and 443 9.14.1.3 TCP/IP Interfaces Firewall Technologies Non-secure Domain: wscfw.ibm.com OS/390 system, running a web server, connected to the Internet. A firewall is setup on this host to ensure that only traffic destined for the Web server are allowed in. All other data is denied access. OS/390 Firewall/VPN 13

Firewall Example (two) Internet Server (LPAR 1) Production and Intranet Server (LPAR 2) OS/390 UNIX Web Common Server Gateway Interface SOCKS Internet Connection Application Prog. Interface FTPD CICS IMS Firewall Technologies SNA LU6.2 CICS IMS DB2 Batch TSO OS/390 UNIX Web Server UNIX Services Firewall Technologies TCP/IP Interfaces TCP/IP Interfaces Internet Intranet A second example of using the OS/390 Firewall is to place one on the LPAR that deals with the public (Internet). This firewall controls traffic inbound from the Internet and the response back. The production LPAR also has a firewall. This firewall controls company employees coming from the Intranet. Any communication between the two LPAR's is performed via SNA. OS/390 Firewall/VPN 14

Firewall Example (three) Internet Router Public Network Infrastructure Servers (DNS, Routers, etc.) Web Servers Secure Network OS/390 Dealers Suppliers Router Router Outside Firewall Proxies (SMTP HTTP/SSL, FTPD, etc.) Switch Application Servers Inside Firewall Application Servers Ethernet Database Servers Application Servers Database Servers Each box in the public network represents multiple machines providing the services depicted. A firewall on a platform other then OS/390 is setup in front of the public environment. This firewall handles all incoming requests from the Internet. Behind the public network another firewall is placed (OS/390 Firewall). This firewall is there to have another layer of security in place of the critical data residing on the OS/390. OS/390 Firewall/VPN 15

IPSec Standard References Request for Commends (RFCs) located at www.ietf.org 1825 Security Architecture for Internet Protocol 1826 IP Authentication Header 1827 IP Encapsulating Security Payload 1828 IP Authentication Using Keyed MD5 1829 The ESP DES_CBC Transform 2401 Security Architecture for Internet Protocol 2402 IP Authentication Header 2403 HMAC-MD5-96 within ESP and AH 2404 HMAC-SHA-1-96 within ESP and AH 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV 2406 IP Encapsulating Security Payload 2407 Internet IP Domain of Interpretation for ISAKMP 2408 Internet Security Association and Key Management Protocol (ISAKMP) 2409 Internet Key Exchange 2410 NULL Encryption Algorithm and Its Use With IPSec OS/390 Firewall/VPN 16

References OS/390 Security Server 1999 Updates Technical Presentation Guide (SG24-5627-00) located at www.redbooks.ibm.com Security in OS/390-based TCP/IP Network (SG24-5383) OS/390 Firewall/VPN 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information