Systemz Security Overview (for non-Mainframe folks)
1. IBM System z
An Overview of Mainframe Security for Non-Mainframe Personnel
June 2013
Mike Smith (smithlmi@us.ibm.com)
With thanks to Greg Boyd
© 2013 IBM Corporation
2. Trademarks
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
IBM*
IBM (logo)*
ibm.com*
AIX*
BladeCenter*
DataPower*
CICS*
DB2*
DS4000*
FICON*
IMS
Lotus*
POWER7
ProtecTIER*
RACF*
Rational*
System Storage
System x*
System z*
System z10
Tivoli*
WebSphere*
XIV*
zEnterprise
z/OS*
z/VM*
z/VSE
* Registered trademarks of IBM Corporation
The following are trademarks or registered trademarks of other companies.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license there from.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
InfiniBand is a trademark and service mark of the InfiniBand Trade Association.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
* All other products may be trademarks or registered trademarks of their respective companies.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
Page 2
Mainframe Security Overview
June 2013
© 2013 IBM Corporation
3. Agenda
System z, z/OS, and z/VM Security Strategy
– Most Securable System
– Protecting the Borders of System z and its Data
– Extending System z’s Quality of Service (Security) to the Enterprise
Some of the Current Security Features
– RACF for z/OS and z/VM
– z/OS Communication Server and its Tools for Cybersecurity
– System z Hardware Encryption Features
– Providing Protection for Data in Transit
– Encrypting Data at Rest and Backups
– Managing Digital Certificates with z/OS PKI Services
– Extending Identity Management and Auditing with LDAP (z/OS and z/VM)
4. zEnterprise servers preserve and enhance the industry-renowned strengths of the IBM Security Framework without requiring changes to the current core business applications.
IBM continues to leverage and enhance the leading security capabilities provided by the z/OS and z/VM operating systems to build the tightest IT Security Hub, and further enhance their enterprise security through new technology in Authentication, Authorization, Encryption, Auditing, and Administration.
The IBM Security Framework (figure): Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure; Common Policy, Event Handling and Reporting; Common Best Security Practices (the 5 A's); alongside Professional Services, Managed Services, Hardware & Software, and Compliance and Legal Requirements (PCI-DSS, HIPAA).
5. System z Integrity Statements
Designed to help protect your system, data, transactions, and applications from accidental or malicious modification.
System integrity is the inability to bypass the security on system resources.
IBM will always take action to resolve if a case is found where the above can be circumvented.
System z integrity statements and the Common Criteria certifications can be helpful proof points in addressing compliance requirements.
ibm.com/servers/eserver/zseries/zos/racf/zos_integrity_statement.html
http://www.vm.ibm.com/security/zvminteg.html
First Issued in 1973 – Over 3 decades !!
For System z, Security has been a state of mind from design to delivery.
IBM's commitment to z/OS System Integrity reaffirmed in September 2007.
6. What do you think of the Mainframe (System z)?
Forrester Survey – "Please rank which operating system category you feel is inherently more secure?"
April 10, 2007, Operating System Vendors: Do More To Help Users With Server Security, by Jennifer Albornoz Mulligan
Figure 3 - Security Decision-Makers' Opinions On OSes' Security (ranking chart from 1 = Most secure to 5 = Least secure; operating systems shown: Mainframe, Unix, Macintosh, Linux, Windows)
Source: Forrester Research, Inc. 41887
Base: 75 decision-makers responsible for server security
7. System z Evaluations & Certifications
The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles.
z/OS
• Common Criteria EAL4+ with CAPP and LSPP
  - z/OS 1.7 - 1.10 + RACF
  - z/OS 1.11 + RACF (OSPP)
  - z/OS 1.12 + RACF (OSPP)
  - z/OS 1.13 + RACF (OSPP)
• Common Criteria EAL5
  - z/OS RACF 1.12 (OSPP)
• z/OS 1.10 IPv6 Certification by JITC
• IdenTrust™ certification for z/OS PKI Services
• FIPS 140-2
  - System SSL z/OS 1.10, 1.12 & 1.13
  - z/OS ICSF PKCS#11 Services – z/OS 1.11, 1.12, 1.13
• Statement of Integrity
z/VM
• z/VM 5.3, 6.1: EAL 4+ for CAPP and LSPP
• System Integrity Statement
Linux on System z
• Common Criteria
  - SUSE SLES10 certified at EAL4+ with CAPP
  - Red Hat EL5 EAL4+ with CAPP and LSPP
• OpenSSL - FIPS 140-2 Level 1 Validated
• CP Assist - SHA-1 validated for FIPS 180-1; DES & TDES validated for FIPS 46-3
Virtualization with partitions
• zEnterprise zEC12, z196 & z114
• Common Criteria EAL5+ with specific target of Evaluation – LPAR: Logical partitions
Cryptography
• Crypto Express2, Crypto Express3 & Crypto Express4S Coprocessors
  - FIPS 140-2 level 4 Hardware Evaluation
  - Approved by German ZKA
• CP Assist
  - FIPS 197 (AES)
  - FIPS 46-3 (TDES)
  - FIPS 180-3 (Secure Hash)
8. How does System z fulfill its security strategy:
ENHANCE its own host protection – A continuous process with advancements in digital certificates, RACF in both z/OS and z/VM, tighter integration between Linux for System z, z/OS, and z/VM – strengthening its compliance, auditing, and monitoring capabilities.
PROTECT the host interfaces and boundaries (this includes identities and data passing across these borders) – Additions of technologies such as the security features of the z/OS Communication Server, Tivoli Directory Server (LDAP) on both z/OS and z/VM, Kerberos enhancements, and PKI Services for z/OS.
EXTEND the security Quality of Service into the enterprise – Encryption Facility for z/OS (to secure data if it has to leave the vault), Network Security Services and Policy Agent (for managing network security policies), z/VM Guest LANs & Virtual Switches, Linux audit plug-in as well as the PAM with LDAP, TKLM and Tivoli Insight (IBM's SOA security is Websphere, Tivoli, and vendor products, most of which can run on System z).
SIMPLIFY the design, implementation, administration, and monitoring – z/OS Management Facility (z/OSMF) and IBM Security zSecure for example.
9. What's running inside the server
Various Logical Partitions are defined to run multiple instances of an OS. Internal resources like processors and channels can be shared among LPARs. Memory is NOT shared.
Each LPAR is a separate system. There is no leakage of information from one LPAR to another.
Figure labels: System Files (APF Libraries, RACF Database, Master Catalog), Applications, Programs, Data and Databases.
10. What's running inside an LPAR?
z/OS Tasks run in Address Spaces. A separate Address Space is created for each active User, Batch Job, or Started Task.
Each Address Space is assigned an Access Control Environment Element (ACEE) that describes the User ID assigned to the Address Space.
11. How are Address Spaces created?
System Address Spaces are created at start-up time or as needed while the system is up.
Started Tasks can be started by Operations to perform pre-defined tasks.
Batch jobs are submitted by users, a job scheduling system, or other tasks. When the Address Space is created, the job's authority is validated by RACF.
Users log on after being authenticated.
Transactions and requests also arrive from other systems.
12. One Key to z/OS Security is SAF
SAF is a component of MVS (z/OS BCP) - NOT part of RACF.
SAF is the System Access Facility element of z/OS. Its purpose is to provide the interface between those products requesting security services and the external security manager (RACF or similar) installed on the z/OS system.
SAF provides an installation with centralized control over system security processing by using a system service called the SAF router. The SAF router provides a focal point and a common system interface for all products providing resource control.
External security managers (ESMs) provide tables to SAF, which directs specific calls for security functions to specific routines within the ESM. The use of these tables allows z/OS to provide support for pluggable ESMs, giving the installation the flexibility to determine which ESM to use.
SAF and the SAF router are present on all z/OS systems regardless of whether an ESM is installed.
13. RACF
RACF is the Resource Access Control Facility. It is NOT an entitlement of the z/OS operating system, but is a priced feature. Customers pay extra for RACF.
RACF provides the capability to uniquely describe resources, users, and the relationships between them.
When users attempt to access a resource the system calls RACF to indicate whether or not that user has the requested access permissions.
It is then the system's decision, not RACF's, to allow or deny the access request.
14. Basic Security Features and Functions
15. Resource, user, and group profiles
A resource is any item on the system that may be exploited by a user, including address spaces, application and DB systems (CICS, DB2) and their transactions, data (volumes, data sets), programs, the IP stack, etc.
A user is an exploiter of resources.
A protection profile describes the resource.
A user profile uniquely describes a user to the system.
Users can be grouped together.
Resource protection profiles are grouped together by Class.
Access to resources can be provided to the group.
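The SAF-to-ESM flow on slide 12, the point on slide 13 that the system, not RACF, enforces the answer, and the profile, group and class model on this slide, pulled together in one added Python model. This is illustrative code written for this page, not IBM's or RACF's implementation: the ESM, its router table, the access-level ordering, the "no ESM installed" default and every user, group, class entry and profile name (PAYCLRK, PAY.MASTER and so on) are constructed assumptions, and real RACF profile formats and evaluation rules are richer than this. (SAF's full name is the System Authorization Facility.)

```python
"""Toy model: SAF router -> pluggable ESM -> system enforces the decision.

Added illustration for this page, not IBM/RACF code. Every user, group,
class, profile and the evaluation rules below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Ordered access levels: holding a higher level satisfies a lower request.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def satisfies(granted: str, requested: str) -> bool:
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(requested)


@dataclass
class UserProfile:
    userid: str
    groups: Set[str] = field(default_factory=set)   # groups the user is connected to


@dataclass
class ResourceProfile:
    cls: str                                        # class grouping profiles, e.g. DATASET
    name: str                                       # resource the profile protects
    uacc: str = "NONE"                              # universal access for everyone else
    acl: Dict[str, str] = field(default_factory=dict)  # userid or group -> access level


class ToyESM:
    """A pluggable external security manager (the role RACF plays)."""

    def __init__(self) -> None:
        self.users: Dict[str, UserProfile] = {}
        self.profiles: Dict[Tuple[str, str], ResourceProfile] = {}
        self.audit: List[Tuple[str, str, str, str, str]] = []   # stands in for SMF records

    def add_user(self, user: UserProfile) -> None:
        self.users[user.userid] = user

    def add_profile(self, prof: ResourceProfile) -> None:
        self.profiles[(prof.cls, prof.name)] = prof

    def auth(self, userid: str, cls: str, resource: str, requested: str) -> bool:
        """Does userid hold `requested` access to (cls, resource)? Answer only; no enforcement."""
        user = self.users.get(userid)
        prof = self.profiles.get((cls, resource))
        if user is None or prof is None:
            allowed = False            # unknown user or unprotected resource: this toy denies
        else:
            best = prof.uacc
            # The user's own entry and each connected group's entry count; highest wins.
            for subject in [userid, *sorted(user.groups)]:
                level = prof.acl.get(subject)
                if level and ACCESS_LEVELS.index(level) > ACCESS_LEVELS.index(best):
                    best = level
            allowed = satisfies(best, requested)
        self.audit.append((userid, cls, resource, requested, "PERMIT" if allowed else "DENY"))
        return allowed


class SAFRouter:
    """Common system interface, present whether or not an ESM is installed."""

    def __init__(self, esm: Optional[ToyESM] = None) -> None:
        # The ESM hands SAF a table of routines; SAF only dispatches through it.
        self.router_table = {"AUTH": esm.auth} if esm else {}

    def route(self, request: str, **kwargs) -> Optional[bool]:
        routine = self.router_table.get(request)
        if routine is None:
            return None                # no ESM: SAF has no decision to offer
        return routine(**kwargs)


def open_dataset(saf: SAFRouter, userid: str, dsn: str, mode: str) -> str:
    """The *system* component (here, data set OPEN) asks SAF and enforces the answer."""
    requested = "READ" if mode == "read" else "UPDATE"
    verdict = saf.route("AUTH", userid=userid, cls="DATASET", resource=dsn, requested=requested)
    if verdict is None:
        return "opened (no ESM installed, system default applied)"   # this toy's default
    return "opened" if verdict else "abend: insufficient access"


def build_sample() -> Tuple[SAFRouter, ToyESM]:
    """Constructed sample: a payroll data set readable by auditors, updatable by payroll."""
    esm = ToyESM()
    esm.add_user(UserProfile("PAYCLRK", {"PAYROLL"}))
    esm.add_user(UserProfile("AUDITR1", {"AUDIT"}))
    esm.add_user(UserProfile("DEVUSR1", {"DEV"}))
    esm.add_profile(ResourceProfile("DATASET", "PAY.MASTER", uacc="NONE",
                                    acl={"PAYROLL": "UPDATE", "AUDIT": "READ"}))
    esm.add_profile(ResourceProfile("DATASET", "PUBLIC.NOTES", uacc="READ"))
    return SAFRouter(esm), esm


if __name__ == "__main__":
    saf, esm = build_sample()
    for who, dsn, mode in [("PAYCLRK", "PAY.MASTER", "update"), ("AUDITR1", "PAY.MASTER", "update"),
                           ("DEVUSR1", "PAY.MASTER", "read"), ("DEVUSR1", "PUBLIC.NOTES", "read")]:
        print(who, dsn, mode, "->", open_dataset(saf, who, dsn, mode))
    print("no ESM:", open_dataset(SAFRouter(), "ANYONE", "PAY.MASTER", "read"))
```

The separation matters for audit design: the ESM's log records what was asked and answered, while the caller (OPEN, a subsystem, a started task) is the component that actually refuses or grants, so a review of access decisions has to look at both sides.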
16. Security Features with the z/OS TCP/IP
A view of the protocol stack (figure): Application layer – SAF protection, application-specific security; API layer (sockets plus extensions) – SSL/TLS, Kerberos; TCP/UDP transport layer – SAF protection, AT-TLS, Intrusion Detection Services; IP Networking layer – Intrusion Detection Services, IP Filtering, IPSec.
Protect the system
z/OS CS TCP/IP applications use SAF to authenticate users and prevent unauthorized access to datasets, files, and SERVAUTH-protected resources. The SAF SERVAUTH class is used to prevent unauthorized user access to TCP/IP resources (stack, ports, networks).
Intrusion detection services protect against attacks of various types on the system's legitimate (open) services. IDS protection is provided at both the IP and transport layers.
IP packet filtering blocks out all IP traffic that this system doesn't specifically permit. These filters can be configured or can be applied dynamically as "defensive filters."
Protect data in the network
Examples of application protocols with built-in security extensions are SNMPv3 and OSPF.
Both Kerberos and SSL/TLS are located as extensions to the sockets APIs, and applications have to be modified to make use of these security functions. Both SSL/TLS and Kerberos are connection-based and only applicable to TCP (stream sockets) applications, not UDP.
AT-TLS is a TCP/IP stack service that provides SSL/TLS services at the TCP transport layer and is transparent to upper-layer protocols. It is available to TCP applications in all programming languages except PASCAL.
IP packet filters specify traffic that requires IPSec. IPSec resides at the networking layer and is transparent to upper-layer protocols, including both the transport layer protocol and the application protocol.
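A default-deny packet filter with an IPSec-required rule and a dynamically added defensive filter, as an added Python illustration of the filtering behaviour this slide describes. It is not z/OS Communications Server code and does not use its policy syntax; the host address, networks, ports, rules and packets are constructed for the example, and IPSec protection is modelled as a flag on the packet rather than a real security association.

```python
"""Default-deny IP packet filter with IPSec-required rules and defensive filters.

Added illustration for this page, not z/OS Communications Server code or policy
syntax. Addresses, ports, rules and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int
    ipsec: bool = False  # constructed stand-in for "arrived inside an IPSec SA"


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR of sources the rule covers
    dst: str                 # CIDR of destinations
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches any destination port
    action: str              # "permit", "deny" or "ipsec" (permit only if IPSec-protected)
    origin: str = "config"   # "config" (administered) or "defensive" (added at run time)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is denied."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "ipsec":
            return "permit" if pkt.ipsec else "deny: IPSec required"
        return "permit" if rule.action == "permit" else f"deny: {rule.origin} rule"
    return "deny: no matching rule"


def add_defensive_filter(rules: List[Rule], src_cidr: str) -> List[Rule]:
    """Return a rule list with a temporary deny for src_cidr evaluated before configured rules."""
    block = Rule(src_cidr, "0.0.0.0/0", "any", None, "deny", origin="defensive")
    return [block] + rules


HOST = "10.0.0.5/32"   # constructed address of the z/OS stack

CONFIGURED_RULES = [
    Rule("10.0.0.0/8", HOST, "tcp", 23, "permit"),        # TN3270 from the internal network
    Rule("192.168.50.0/24", HOST, "tcp", 21, "ipsec"),    # FTP from a partner net must use IPSec
    Rule("0.0.0.0/0", HOST, "udp", 161, "deny"),          # SNMP explicitly refused from anywhere
]


def evaluate_sample() -> List[str]:
    """Run constructed packets through the configured rules, then with a defensive filter."""
    packets = [
        Packet("10.1.2.3", "10.0.0.5", "tcp", 23),                  # permitted TN3270
        Packet("192.168.50.9", "10.0.0.5", "tcp", 21),              # FTP in the clear
        Packet("192.168.50.9", "10.0.0.5", "tcp", 21, ipsec=True),  # FTP inside IPSec
        Packet("203.0.113.7", "10.0.0.5", "tcp", 23),               # TN3270 from outside: no rule
        Packet("10.1.2.3", "10.0.0.5", "udp", 161),                 # SNMP: explicit deny
    ]
    results = [filter_packet(CONFIGURED_RULES, p) for p in packets]
    # An operator (or an IDS action) pushes a defensive filter against one internal host;
    # it sits in front of the configured rules, so the previously permitted TN3270 is now dropped.
    hardened = add_defensive_filter(CONFIGURED_RULES, "10.1.2.3/32")
    results.append(filter_packet(hardened, packets[0]))
    return results


if __name__ == "__main__":
    for verdict in evaluate_sample():
        print(verdict)
```

The last result shows why defensive filters are evaluated ahead of the administered policy: they are meant to cut off a source immediately without editing and redeploying the configured rule set.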
17. And, of course, you need to Audit the z/OS TCP/IP Configuration Definitions as well …
The z/OS network security policy is implemented via the Configuration Assistance Utility (now part of zOSMF).
The network security features that are implemented (IPSec, AT-TLS, etc.) can be viewed via this tool, and the rules for each of these features can be reviewed or printed.
Figure: Policy Administration supplies the Policy Agent with the Application Transparent TLS policy, the IP security policy and the IDS policy. Stack: Applications, Sockets, TCP (System SSL calls, TLS Encrypted), IP Networking Layer (IPSec, IPSec Encrypted; IDS), Network Interfaces.
18. Overview – HW Crypto support in System zEC12
Figure: Processor Books with MCM and CPACF; PCIe I/O drawers with Crypto Express4S; Trusted Key Entry (TKE) workstation with Smart Card Readers and Smart Cards.
19. zEnterprise – Calling The Hardware Crypto
Figure: z/OS callers (IBM Exploiters, Home Grown Applications, a TSO Terminal, Other systems) reach the Hardware Crypto on zEC12, z196, z114 either through ICSF Callable Services APIs (HCR7790) or through crypto instructions in the application. Hardware Crypto: CPACF (crypto instructions) and Crypto Express 2/3/4S (Master Key). Labels: Clear/Encrypted Data; Encryption/Decryption Key to use; RACF. ICSF key data sets: CKDS – DES keys encrypted under the crypto Master Key; PKDS – asymmetric keys encrypted under the PKA Master Key; TKDS – PKCS11 under the token Master Key; a clear application key may also be in storage. ICSF run-time options are held in the OPTIONS DATA SET. TKE Workstation (optional).
Access to the cryptographic services and keys can be controlled by RACF with the CSFSERV and CSFKEYS classes.
20. Linux on System z Crypto Stack
Figure (chart from Reinhard Buendgen), layer by layer:
• Application layer: openssh (ssh, scp, sftp), Apache (mod_ssl), Apache (mod_nss), WAS, Java (JCA/JCE, PKCS11ImplProv), Customer SW
• Standard Crypto Interfaces: openssl (ibmca engine), NSS, GSKIT, opencryptoki (pkcs#11) with ica token and cca token
• System z HW Crypto Libraries: ICA, CCA
• Operating System / Kernel: IPSEC, dm-crypt, Kernel crypto framework, System z backend, zcrypt device driver
• Hardware: CPU with CPACF (DES/TDES, AES, SHA, PRNG); Crypto Adapters – Accelerator (RSA), Coprocessor (RSA, RNG, DES/TDES, AES, ECC)
Key types shown: clear key, protected key, secure key.
21. z/OS Public Key Infrastructure PKI Services Structure
Figure: the End User and an OCSP/SCEP Requester reach the HTTP Server for z/OS (HTTP Daemon, HTTP/HTTPS), which serves Static Web Pages and CGI Scripts (OCSP, CMP and SCEP CGI) from HFS, or the Websphere Application Server (JSP/Servlet, JNI); the PKI Administrator uses the same paths. Requests go through the R_PKIServ Callable Service and RACF (PKI Exit, RACF Linkage Assist routine, Program Call) to the z/OS PKI Services Daemon (Combined RA/CA process). Stores: VSAM Object Store, Issued Certificate List (VSAM), CRL (VSAM), request / cert / CRL records, LDAP Directory, RACF DB. Audit: SMF Audit Records read by the SMF Extract Tool.
22. Other Options for Identity Translation/Propagation/Synchronization
Figure: .Net Applications authenticated to AD (Windows Directory Server, Windows Domain Controller) need Access to System z; they may also access the System z directly (via TN3270, FTP, etc.?).
z/OS Resources include IMS, CICS, DB2, Websphere, MQ, all protected with RACF, meaning that they have to have a RACF userid in their ACEE – need a 'complete' audit trail.
z/OS side: z/OS LDAP installed, z/OS CommServer security features, z/OS PKI Services.
23. Identity and Access Management
Embedded with the z/OS features:
– Tivoli Directory Services (TDS – commonly called LDAP) extending System z security as well as allowing for propagation of RACF information
– Digital Certificates and z/OS PKI Services
– Kerberos (within the RACF domain and building trust across separate KDCs – WAS & SPNEGO)
– Passtickets
– ID Propagation
zSecure for Admin and Audit (plus Command Verifier)
Federating Identities with Tivoli Federated Identity Manager (TFIM) for web services
Tivoli Access Manager for e-business (TAM eb) for web security, and Tivoli Access Manager for Business Integration (TAM bi)
Managing Identities on System z or Across the Enterprise with Tivoli Identity Manager (TIM)
24. IBM Tivoli Directory Services (LDAP) Overview
Figure: any LDAP client (including JNDI; LDAP V3; optional SSL) connects through the TCP/IP stack to the slapd daemon running in USS on z/OS. Backends: SDBM – Security Server Directory (RACF DB); LDBM – General purpose Directory (USS file); TDBM – General purpose Directory (DB2); GDBM – Change log Directory (DB2 or USS); CDBM (USS file); Schema. Configuration: ds.conf, ds.envvars; SSL Key DB or RACF keyring. z/OS LDAP API for C/C++.
25. Identity & Access Management With z/OS Identity Propagation
Figure: a User's Identity (DN & Realm) arrives at the WebSphere Application Server, running remotely or on System z, and reaches CICS on System z. The DN & Realm are 'propagated' into the z/OS run-time security context (new data areas: IDID, ICRX). Option to select the RACF user-ID here, under RACF control. The resulting User's Identity in z/OS carries both the RACF user-ID and the DN & Realm, and the SMF Audit Record contains the RACF user-ID and the DN & Realm.
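The propagation flow on this slide, as an added Python model written for this page rather than IBM code: a distributed identity (DN & realm) arrives with the request, a mapping table held under the security manager's control selects the RACF user ID, and the audit record carries both identities. The realms, distinguished names, mapping filters, user IDs and the "most specific suffix wins" rule are constructed assumptions; RACF's real distributed-identity filters (the RACMAP command) are richer than this.

```python
"""Toy model of z/OS identity propagation: DN & realm -> RACF user ID -> audit record.

Added illustration for this page, not IBM code. Realms, DNs, mapping filters,
user IDs and the matching rule are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DistributedIdentity:
    dn: str      # constructed, e.g. "CN=Jane Roe,OU=Payroll,O=Example"
    realm: str   # constructed, e.g. "ldap://ldap.example.test"


@dataclass(frozen=True)
class MappingFilter:
    realm: str
    dn_suffix: str   # "" matches every DN in the realm; else DN equals it or ends with ",<suffix>"
    userid: str      # RACF user ID the security context will run under


@dataclass
class SecurityContext:
    userid: Optional[str]          # None when no mapping applied: no RACF identity, no access
    identity: DistributedIdentity  # the DN & realm kept alongside the user ID


def select_userid(filters: List[MappingFilter], ident: DistributedIdentity) -> Optional[str]:
    """Toy rule: within the realm, the most specific (longest) matching suffix wins."""
    best: Optional[MappingFilter] = None
    for f in filters:
        if f.realm != ident.realm:
            continue
        if f.dn_suffix and not (ident.dn == f.dn_suffix or ident.dn.endswith("," + f.dn_suffix)):
            continue
        if best is None or len(f.dn_suffix) > len(best.dn_suffix):
            best = f
    return best.userid if best else None


def propagate(filters: List[MappingFilter], ident: DistributedIdentity,
              audit: List[Dict[str, Optional[str]]]) -> SecurityContext:
    """Build the run-time security context and write an audit record with both identities."""
    userid = select_userid(filters, ident)
    audit.append({"event": "AUTH" if userid else "AUTHFAIL",
                  "racf_userid": userid, "dn": ident.dn, "realm": ident.realm})
    return SecurityContext(userid, ident)


# Constructed mapping table: a per-person mapping, a department-wide one, a catch-all.
CONSTRUCTED_FILTERS = [
    MappingFilter("ldap://ldap.example.test", "OU=Payroll,O=Example", "PAYWEB"),
    MappingFilter("ldap://ldap.example.test", "CN=Jane Roe,OU=Payroll,O=Example", "JROE"),
    MappingFilter("ldap://ldap.example.test", "", "GUESTWEB"),
]


def run_sample() -> Tuple[List[Optional[str]], List[Dict[str, Optional[str]]]]:
    """Propagate four constructed identities; return chosen user IDs and the audit trail."""
    audit: List[Dict[str, Optional[str]]] = []
    requests = [
        ("CN=Jane Roe,OU=Payroll,O=Example", "ldap://ldap.example.test"),   # personal mapping
        ("CN=Sam Poe,OU=Payroll,O=Example", "ldap://ldap.example.test"),    # department mapping
        ("CN=Visitor,OU=Sales,O=Example", "ldap://ldap.example.test"),      # catch-all
        ("CN=Jane Roe,OU=Payroll,O=Example", "ldap://other.example.test"),  # unknown realm
    ]
    contexts = [propagate(CONSTRUCTED_FILTERS, DistributedIdentity(dn, realm), audit)
                for dn, realm in requests]
    return [c.userid for c in contexts], audit


if __name__ == "__main__":
    ids, trail = run_sample()
    for rec in trail:
        print(rec)
```

The fourth record is the case an auditor cares about: a request that mapped to no RACF user ID is still written with its DN and realm, so the trail stays 'complete' even for identities the system refused.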
26. Host Firewalls
Figure: External Network / Internet, then a Firewall, then the Perimeter (Firewall / IDS) and DMZ, then physically secure networking into the z/VM LPAR. Inside: z/OS with Firewall & IDS, and Linux with ISS Proventia Server for Linux (Network IDS/IPS & Firewall, Application, Network), each hosting a Protected Application.
27. Virtual Network Management – Multiple Security Zones
Use z/VM RACF Security Server to control and audit Linux and other virtual server access to networks.
– Control access to Virtual Switch (VSWITCH)
– Control access to specific VLANs on a VSWITCH
– Control and audit guest sniffing of virtual networks
– Better control of multi-tenant environments
Figure: under z/VM, web, app and db guests attach to VSWITCH 1 (to internet) and VSWITCH 2 (to outboard databases).
28. Customer Example of Utilizing RACF zVM and LDAP zVM
Figure: z/VM 5.4 hosting SLES 10 Linux guests (each with its own Config & Data, sharing a R/O Linux Root), LDAP and RACF VM service machines, and FAST AR guests, attached to Management, Presentation, Application and Database Virtual Switches.
Linux guest access to a variety of different virtual switches and VLANs is controlled by RACF.
29. Architecture overview for Identity Management
Figure: Mgmt/Dev Zone with IBM Tivoli Identity Manager (ITIM Server, LDAP Server), Tivoli Access Manager Policy Server (Master ACL) and Developers; ITIM RACF Agent and ITIM RACF/VM Agent feeding the RACF Database on z/OS; ITIM TAM Agent; Linux with PAM and a Linux Directory; DMZ with WebSeal instances (Replica ACL) fronting e-Business Users; TRUSTED Zone with WebSphere App Server, CICS, z/OS Services, RACF, App 1 … App n DATA, LDAP and Other User Registry(s).
30. Elements of Enterprise Security
Figure themes: Data Privacy, Compliance and Audit, Extended Enterprise, Platform Infrastructure.
• Platform Infrastructure: RACF/SAF – Support for Audit, Authorization, Authentication, and Access Control; ICSF – Services and Key Storage for Key Material; Directory Server / LDAP – Scalable Enterprise Standards Compliant Directory; Network Authentication Service – Kerberos V5; Common Criteria Ratings; Secured Communications – SSL/TLS, IPSec, IDS.
• Other elements shown: Tape encryption (TS1120), Disk encryption (DS8000), Secured Key Storage & Management (Crypto Express 3), Event Logging (SMF), Multilevel security, Enterprise Fraud Solutions, IBM Tivoli Security Compliance Insight Manager, IBM Tivoli zSecure Suite, DB2 Audit Management Expert, Certificate Authority (PKI Services), Enterprise Encryption Services, Tivoli Identity Manager, Tivoli Federated Identity Mgr.
Editor's Notes: To give you an idea of all the pieces around crypto and where they fit