Systemz Security Overview (for non-Mainframe folks)

A brief overview of the security suite available on IBM System z, intended for non-mainframe IT specialists, data security analysts and similar readers.

Speaker note: To give you an idea of all the pieces around crypto and where they fit.

Slide 1. IBM System z: An Overview of Mainframe Security for Non-Mainframe Personnel
June 2013, Mike Smith (with thanks to Greg Boyd). © 2013 IBM Corporation
Slide 2. Trademarks and notices
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: IBM*, IBM (logo)**, AIX*, BladeCenter*, DataPower*, CICS*, DB2*, DS4000*, FICON*, IMS, Lotus*, POWER7, ProtecTIER*, RACF*, Rational*, System Storage, System x*, System z*, System z10, Tivoli*, WebSphere*, XIV*, zEnterprise, z/OS*, z/VM*, z/VSE (* registered trademarks of IBM Corporation).
The following are trademarks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. InfiniBand is a trademark and service mark of the InfiniBand Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce. All other products may be trademarks or registered trademarks of their respective companies.
Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the products or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
Slide 3. Agenda
  • System z, z/OS, and z/VM security strategy
    – Most securable system
    – Protecting the borders of System z and its data
    – Extending System z's quality of service (security) to the enterprise
  • Some of the current security features
    – RACF for z/OS and z/VM
    – z/OS Communications Server and its tools for cybersecurity
    – System z hardware encryption features
    – Providing protection for data in transit
    – Encrypting data at rest and backups
    – Managing digital certificates with z/OS PKI Services
    – Extending identity management and auditing with LDAP (z/OS and z/VM)
Slide 4. The IBM Security Framework
zEnterprise servers preserve and enhance the industry-renowned strengths of the IBM Security Framework without requiring changes to the current core business applications. IBM continues to leverage and enhance the leading security capabilities provided by the z/OS and z/VM operating systems to build the tightest IT security hub, and further enhances enterprise security through new technology in authentication, authorization, encryption, auditing, and administration.
Framework layers shown on the slide: Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure; with Common Policy, Event Handling and Reporting spanning them and Common Best Security Practices (the "5 A's") applied throughout. Delivery is through Professional Services, Managed Services, and Hardware & Software, mapped to compliance and legal requirements such as PCI-DSS and HIPAA.
Slide 5. System z Integrity Statements
Designed to help protect your system, data, transactions, and applications from accidental or malicious modification.
  • System integrity is the inability to bypass the security on system resources.
  • IBM will always take action to resolve a case where the above can be circumvented.
  • First issued in 1973, so the commitment predates this presentation by four decades; IBM's commitment to z/OS system integrity was reaffirmed in September 2007.
  • System z integrity statements and the Common Criteria certifications can be helpful proof points in addressing compliance requirements.
  • For System z, security has been a state of mind from design to delivery.
Slide 6. What do you think of the Mainframe (System z)?
Forrester survey question: "Please rank which operating system category you feel is inherently more secure?"
Figure 3, Security Decision-Makers' Opinions On OSes' Security:
  Rank  OS category
  1     Mainframe (most secure)
  2     Unix
  3     Macintosh
  4     Linux
  5     Windows (least secure)
Source: Forrester Research, Inc., report 41887, "Operating System Vendors: Do More To Help Users With Server Security" by Jennifer Albornoz Mulligan, April 10, 2007. Base: 75 decision-makers responsible for server security.
Slide 7. System z Evaluations & Certifications
The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT products and protection profiles.
  • z/OS
    – Common Criteria EAL4+ with CAPP and LSPP: z/OS 1.7 through 1.10 + RACF
    – Common Criteria EAL4+ with OSPP: z/OS 1.11 + RACF, z/OS 1.12 + RACF, z/OS 1.13 + RACF
    – Common Criteria EAL5: z/OS RACF 1.12 (OSPP)
    – z/OS 1.10 IPv6 certification by JITC
    – IdenTrust certification for z/OS PKI Services
    – FIPS 140-2: System SSL on z/OS 1.10, 1.12 & 1.13; z/OS ICSF PKCS#11 services on z/OS 1.11, 1.12, 1.13
    – Statement of Integrity
  • z/VM
    – Common Criteria EAL4+ for CAPP and LSPP: z/VM 5.3, 6.1
    – System Integrity Statement
  • Linux on System z
    – Common Criteria: SUSE SLES10 certified at EAL4+ with CAPP; Red Hat EL5 at EAL4+ with CAPP and LSPP
    – OpenSSL: FIPS 140-2 Level 1 validated
    – CP Assist: SHA-1 validated for FIPS 180-1; DES & TDES validated for FIPS 46-3
  • Virtualization with partitions
    – zEnterprise zEC12, z196 & z114: Common Criteria EAL5+ with a specific target of evaluation, LPAR (logical partitions)
  • Cryptography
    – Crypto Express2, Crypto Express3 & Crypto Express4S coprocessors: FIPS 140-2 Level 4 hardware evaluation; approved by the German ZKA
    – CP Assist: FIPS 197 (AES), FIPS 46-3 (TDES), FIPS 180-3 (Secure Hash)
Slide 8. How System z fulfills its security strategy
  • ENHANCE its own host protection: a continuous process with advancements in digital certificates, RACF in both z/OS and z/VM, and tighter integration between Linux on System z, z/OS, and z/VM, strengthening its compliance, auditing, and monitoring capabilities.
  • PROTECT the host interfaces and boundaries (this includes identities and data passing across these borders): additions of technologies such as the security features of the z/OS Communications Server, Tivoli Directory Server (LDAP) on both z/OS and z/VM, Kerberos enhancements, and PKI Services for z/OS.
  • EXTEND the security quality of service into the enterprise: Encryption Facility for z/OS (to secure data if it has to leave the vault), Network Security Services and Policy Agent (for managing network security policies), z/VM guest LANs & virtual switches, the Linux audit plug-in as well as PAM with LDAP, TKLM and Tivoli Insight (IBM's SOA security is WebSphere, Tivoli, and vendor products, most of which can run on System z).
  • SIMPLIFY the design, implementation, administration, and monitoring: z/OS Management Facility (z/OSMF) and IBM Security zSecure, for example.
Slide 9. What's running inside the server
  • Various logical partitions (LPARs) are defined to run multiple instances of an OS.
  • Internal resources like processors and channels can be shared among LPARs. Memory is NOT shared.
  • Each LPAR is a separate system: there is no leakage of information from one LPAR to another (this isolation is the target of the EAL5+ LPAR evaluation on slide 7).
  • Each LPAR holds its own system files, APF libraries, RACF database, master catalog, application programs, data and databases.
Slide 10. What's running inside an LPAR?
  • z/OS tasks run in address spaces. A separate address space is created for each active user, batch job, or started task.
  • Each address space is assigned an accessor environment element (ACEE) that describes the user ID assigned to the address space; every authorization check made on behalf of that address space is evaluated against this ACEE.
Slide 11. How are address spaces created?
  • System address spaces are created at start-up time or as needed while the system is up.
  • Started tasks can be started by Operations to perform pre-defined tasks.
  • Batch jobs are submitted by users, a job scheduling system, or other tasks.
  • Users log on after being authenticated.
  • Transactions and requests arrive from other systems.
  • When the address space is created, the job's authority is validated by RACF.
Slide 12. One key to z/OS security is SAF
  • SAF is a component of MVS (the z/OS BCP), NOT part of RACF.
  • SAF is the System Authorization Facility element of z/OS. Its purpose is to provide the interface between products requesting security services and the external security manager (RACF or similar) installed on the z/OS system.
  • SAF provides an installation with centralized control over system security processing by using a system service called the SAF router. The SAF router provides a focal point and a common system interface for all products providing resource control.
  • External security managers (ESMs) provide tables to SAF, which direct specific calls for security functions to specific routines within the ESM. These tables allow z/OS to support pluggable ESMs, giving the installation the flexibility to determine which ESM to use.
  • SAF and the SAF router are present on all z/OS systems regardless of whether an ESM is installed.
Slide 13. RACF
  • RACF is the Resource Access Control Facility. It is NOT an entitlement of the z/OS operating system but a priced feature: customers pay extra for RACF.
  • RACF provides the capability to uniquely describe resources, users, and the relationships between them.
  • When a user attempts to access a resource, the system calls RACF (through SAF), and RACF indicates whether or not that user has the requested access.
  • It is then the calling system component's decision, not RACF's, to allow or deny the access: RACF answers the question, and the resource manager that asked (data set open, CICS, DB2, the TCP/IP stack, and so on) enforces the answer.
Slide 14. Basic Security Features and Functions
Slide 15. Resource, user, and group profiles
  • A resource is any item on the system that may be used by a user, including address spaces, application and database systems (CICS, DB2) and their transactions, data (volumes, data sets), programs, the IP stack, and so on.
  • A user is a consumer (in IBM terminology, an "exploiter") of resources.
  • A protection profile describes the resource.
  • A user profile uniquely describes a user to the system.
  • Users can be grouped together.
  • Resource protection profiles are grouped together by class.
  • Access to resources can be granted to the group rather than to each user.
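To make the division of labour on slides 12, 13 and 15 concrete, here is an added example (not code from the IBM deck, and not RACF's actual implementation): a small Python model of a resource manager calling the SAF router, an ESM answering with a RACROUTE-style return code, and the resource manager deciding what to do with it. The profile names, user IDs, groups and access lists are constructed for the example; the generic-name matching and precedence rules are a simplification of RACF's (discrete profile beats generic, explicit user entry beats group entries, then ID(*), then UACC). The RACF commands in the comment show how the same definitions would be created.

```python
"""SAF -> RACF -> resource manager, as a runnable model (added example)."""
import re
from dataclasses import dataclass, field

# Equivalent RACF commands for the sample definitions in build_demo() (illustrative):
#   ADDGROUP PAYROLL
#   ADDUSER  SMITH DFLTGRP(PAYROLL)
#   ADDUSER  JONES DFLTGRP(SYS1)
#   CONNECT  JONES GROUP(PAYROLL)
#   ADDSD    'PAYROLL.MASTER.**' UACC(NONE)
#   PERMIT   'PAYROLL.MASTER.**' ID(PAYROLL) ACCESS(READ)
#   PERMIT   'PAYROLL.MASTER.**' ID(JONES)   ACCESS(NONE)
#   ADDSD    'PAYROLL.MASTER.AUDIT' UACC(READ)
#   RDEFINE  FACILITY BPX.SUPERUSER UACC(NONE)
#   PERMIT   BPX.SUPERUSER CLASS(FACILITY) ID(SMITH) ACCESS(READ)

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # low -> high
RC_PERMIT, RC_NO_PROFILE, RC_DENY = 0, 4, 8   # RACROUTE REQUEST=AUTH return codes


@dataclass
class Profile:
    cls: str                      # resource class: DATASET, FACILITY, ...
    name: str                     # discrete or generic profile name
    uacc: str = "NONE"            # universal access for IDs not on the list
    acl: dict = field(default_factory=dict)   # user or group ID -> access level

    def matches(self, resource: str) -> bool:
        # Simplified generic-name rules: a trailing '.**' = zero or more qualifiers,
        # '*' = the rest of one qualifier, '%' = exactly one character.
        name, tail = self.name, ""
        if name.endswith(".**"):
            name, tail = name[:-3], r"(?:\..*)?"
        body = "".join({"*": "[^.]*", "%": "[^.]"}.get(c, re.escape(c)) for c in name)
        return re.fullmatch(body + tail, resource) is not None

    def specificity(self):
        # Discrete profiles win over generics; then the one with more literal characters.
        generic = any(c in self.name for c in "*%")
        return (1 if generic else 0, -len(self.name.replace("*", "").replace("%", "")))


class Racf:
    """The external security manager that SAF routes to."""

    def __init__(self, profiles, users, grplist=True):
        self.profiles = profiles
        self.users = users                 # userid -> {"dfltgrp": str, "groups": set}
        self.grplist = grplist             # SETROPTS GRPLIST: consider every connect group
        self.active = {p.cls for p in profiles}

    def auth(self, userid, cls, resource, requested):
        """Answer the question; never enforce. Returns (rc, matched profile name)."""
        if cls not in self.active:
            return RC_NO_PROFILE, None
        hits = [p for p in self.profiles if p.cls == cls and p.matches(resource)]
        if not hits:
            return RC_NO_PROFILE, None
        prof = min(hits, key=Profile.specificity)
        granted = self._effective_access(userid, prof)
        ok = LEVELS.index(granted) >= LEVELS.index(requested)
        return (RC_PERMIT if ok else RC_DENY), prof.name

    def _effective_access(self, userid, prof):
        if userid in prof.acl:             # an explicit user entry overrides group entries
            return prof.acl[userid]
        u = self.users.get(userid)
        if u is None:                      # undefined to RACF: only UACC applies
            return prof.uacc
        groups = u["groups"] if self.grplist else {u["dfltgrp"]}
        found = [prof.acl[g] for g in groups if g in prof.acl]
        if found:
            return max(found, key=LEVELS.index)
        return prof.acl.get("*", prof.uacc)   # ID(*) entry, else UACC


class SafRouter:
    """MVS component, present whether or not an ESM is installed."""

    def __init__(self, esm=None):
        self.esm = esm                     # the ESM's routine table, or none

    def racroute_auth(self, userid, cls, resource, requested):
        if self.esm is None:
            return RC_NO_PROFILE, None     # no ESM installed: SAF cannot answer
        return self.esm.auth(userid, cls, resource, requested)


def open_dataset(saf, userid, dsn, requested, protectall=False):
    """The resource manager decides. RC 0 -> allow, RC 8 -> fail. RC 4 means 'no
    profile', and what happens then is installation policy: with SETROPTS
    PROTECTALL an unprotected data set is refused, otherwise the open proceeds."""
    rc, _ = saf.racroute_auth(userid, "DATASET", dsn, requested)
    if rc == RC_PERMIT:
        return True
    if rc == RC_DENY:
        return False
    return not protectall


def build_demo():
    profiles = [
        Profile("DATASET", "PAYROLL.MASTER.**", "NONE", {"PAYROLL": "READ", "JONES": "NONE"}),
        Profile("DATASET", "PAYROLL.MASTER.AUDIT", "READ"),
        Profile("FACILITY", "BPX.SUPERUSER", "NONE", {"SMITH": "READ"}),
    ]
    users = {
        "SMITH": {"dfltgrp": "PAYROLL", "groups": {"PAYROLL"}},
        "JONES": {"dfltgrp": "SYS1", "groups": {"SYS1", "PAYROLL"}},
    }
    return SafRouter(Racf(profiles, users))


if __name__ == "__main__":
    saf = build_demo()
    for user, dsn, acc in [("SMITH", "PAYROLL.MASTER.2013", "READ"),
                           ("SMITH", "PAYROLL.MASTER.2013", "UPDATE"),
                           ("JONES", "PAYROLL.MASTER.2013", "READ"),
                           ("JONES", "PAYROLL.MASTER.AUDIT", "READ")]:
        print(user, dsn, acc, saf.racroute_auth(user, "DATASET", dsn, acc))
```

Two things to notice when running it: JONES is in the PAYROLL group but is denied READ on the generic profile because an explicit ID(JONES) ACCESS(NONE) entry takes precedence, and the discrete PAYROLL.MASTER.AUDIT profile overrides the generic one for that one data set. The return code 4 path is where "it is the system's decision" shows up: the same answer leads to an allowed open without PROTECTALL and a refused one with it.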
Slide 16. Security features within z/OS TCP/IP: a view of the protocol stack
Layers, top to bottom, with the security function attached to each:
  • Application layer: SAF protection; application protocols with built-in security extensions (examples: SNMPv3 and OSPF)
  • API layer (sockets plus extensions): SSL/TLS and Kerberos
  • TCP/UDP transport layer: SAF protection; AT-TLS; Intrusion Detection Services
  • IP networking layer: Intrusion Detection Services; IP filtering; IPSec
Protect the system:
  • z/OS CS TCP/IP applications use SAF to authenticate users and to prevent unauthorized access to data sets, files, and SERVAUTH-protected resources. The SAF SERVAUTH class is used to prevent unauthorized user access to TCP/IP resources (stack, ports, networks).
  • Intrusion Detection Services protect against attacks of various types on the system's legitimate (open) services. IDS protection is provided at both the IP and transport layers.
  • IP packet filtering blocks all IP traffic that this system does not specifically permit. Filters can be configured in policy or applied dynamically as "defensive filters".
Protect data in the network:
  • Both Kerberos and SSL/TLS are implemented as extensions to the sockets APIs, so applications have to be modified to make use of them. Both are connection-based and, as used here, apply only to TCP (stream socket) applications, not UDP.
  • AT-TLS (Application Transparent TLS) is a TCP/IP stack service that provides SSL/TLS at the TCP transport layer and is transparent to upper-layer protocols, so existing applications need no code change. It is available to TCP applications in all programming languages except Pascal.
  • IPSec resides at the networking layer and is transparent to upper-layer protocols, including both the transport-layer protocol and the application protocol. IP packet filters specify which traffic requires IPSec.
Slide 17. And, of course, you need to audit the z/OS TCP/IP configuration definitions as well
  • The z/OS network security policy is implemented via the Configuration Assistant (now part of z/OSMF).
  • The network security features that are implemented (IPSec, AT-TLS, IDS, etc.) can be viewed through this tool, and the rules for each feature can be reviewed or printed, which is what an auditor should ask for.
The slide's diagram: the Policy Agent reads the AT-TLS policy, the IP security policy and the IDS policy, with a policy administration tool alongside. Applications sit above the sockets layer; TCP applies TLS through System SSL calls so the stream leaves TCP encrypted; the IP networking layer applies IPSec so traffic leaves the network interfaces encrypted; IDS runs in the stack under the IDS policy.
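The filtering behaviour described on slides 16 and 17 (the first matching rule wins, traffic nobody permitted is dropped, some traffic is allowed only inside IPSec, and defensive filters added at run time are evaluated ahead of the policy) is easy to lose in the diagram, so here is an added example of it, not code from the deck or from z/OS Communications Server. It is a simplified Python model; the host address, networks, ports and rule names are constructed for the example, and a real z/OS IP security policy has more selectors (and is written in the Policy Agent's own syntax) than this.

```python
"""First-match IP filtering with defensive filters, as a runnable model (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out" relative to this host
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0          # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str             # "PERMIT", "DENY" or "IPSEC" (permit only inside an IPSec SA)
    name: str
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    ports: tuple = (0, 65535)   # destination port range, inclusive

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= pkt.dport <= self.ports[1])


class IpFilter:
    def __init__(self, policy):
        self.policy = list(policy)      # what the Policy Agent installed from configuration
        self.defensive = []             # added while the stack is running

    def add_defensive(self, rule: Rule) -> None:
        """Block something right now without editing policy (the slide's 'defensive
        filters'); these are checked ahead of the policy rules."""
        self.defensive.append(rule)

    def decide(self, pkt: Packet, in_ipsec_sa: bool = False):
        """Return (verdict, rule name); verdict is PERMIT or DENY."""
        for rule in self.defensive + self.policy:
            if not rule.matches(pkt):
                continue
            if rule.action == "IPSEC":
                # Traffic selected for IPSec is only acceptable inside a security association.
                return ("PERMIT" if in_ipsec_sa else "DENY"), rule.name
            return rule.action, rule.name
        return "DENY", "implicit-deny"   # nothing permitted it, so it is dropped


HOST = "10.1.1.5/32"   # this stack's address (constructed for the example)

POLICY = [
    Rule("PERMIT", "https-from-intranet", "in", "tcp", "10.0.0.0/8", HOST, (443, 443)),
    Rule("IPSEC", "mq-from-partner", "in", "tcp", "192.168.50.0/24", HOST, (1414, 1414)),
    Rule("PERMIT", "icmp-from-intranet", "in", "icmp", "10.0.0.0/8", HOST),
    Rule("PERMIT", "outbound-to-intranet", "out", "any", HOST, "10.0.0.0/8"),
]


def demo_filter() -> IpFilter:
    return IpFilter(POLICY)


if __name__ == "__main__":
    f = demo_filter()
    print(f.decide(Packet("in", "tcp", "10.2.3.4", "10.1.1.5", 443)))             # PERMIT
    print(f.decide(Packet("in", "tcp", "10.2.3.4", "10.1.1.5", 23)))              # DENY, no rule
    print(f.decide(Packet("in", "tcp", "192.168.50.7", "10.1.1.5", 1414)))        # DENY, clear text
    print(f.decide(Packet("in", "tcp", "192.168.50.7", "10.1.1.5", 1414), True))  # PERMIT, in SA
    f.add_defensive(Rule("DENY", "defensive-10.2.3.4", "in", "any", "10.2.3.4/32"))
    print(f.decide(Packet("in", "tcp", "10.2.3.4", "10.1.1.5", 443)))             # DENY, defensive
```

The point of the last two lines is the one an incident responder cares about: a defensive filter wins over a policy PERMIT for the same flow, and it does so without a policy reload.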
Slide 18. Overview: hardware crypto support in System zEC12
  • Processor books → MCM → CPACF (the CP Assist for Cryptographic Functions on each processor chip)
  • PCIe I/O drawers → Crypto Express4S features
  • Trusted Key Entry (TKE) workstation, with smart card readers and smart cards, for key-management operations
Slide 19. zEnterprise: calling the hardware crypto
  • Hardware (zEC12, z196, z114): CPACF, driven by crypto instructions on the CP, and the Crypto Express 2/3/4S coprocessors, which hold the master keys.
  • ICSF (Integrated Cryptographic Service Facility, level HCR7790 at the time of the deck) exposes callable services and APIs to IBM exploiters and to home-grown z/OS applications; an application may alternatively issue the CPACF instructions itself, in which case it handles a clear key in its own storage.
  • Key data sets managed by ICSF:
    – CKDS: symmetric (DES) keys, encrypted under the crypto master key
    – PKDS: asymmetric keys, encrypted under the PKA master key
    – TKDS: PKCS#11 objects, under the token master key
    A clear application key may also be held in storage, but then it is only as safe as that storage.
  • OPTIONS DATA SET: ICSF run-time options.
  • TKE workstation (optional): Trusted Key Entry for loading and managing master keys; a TSO terminal is used for ICSF administration.
  • An encryption/decryption request brings clear or encrypted data (possibly from other systems) and names the key to use.
  • Access to the cryptographic services and keys can be controlled by RACF with the CSFSERV (services) and CSFKEYS (key labels) classes.
Slide 20. Linux on System z crypto stack (chart from Reinhard Buendgen)
  • Applications: OpenSSH (ssh, scp, sftp), Apache (mod_ssl, mod_nss), WebSphere Application Server (via GSKit), Java (JCA/JCE with the PKCS11 implementation provider), customer software.
  • Standard crypto interfaces: OpenSSL (with the ibmca engine), NSS, opencryptoki (PKCS#11) with its ica token and cca token.
  • System z hardware crypto libraries: ICA (libica) and CCA.
  • Operating system (kernel): IPsec, dm-crypt, the kernel crypto framework with its System z backend, and the zcrypt device driver.
  • Hardware: CPACF (DES/TDES, AES, SHA, PRNG); crypto adapters as accelerator (RSA) or coprocessor (RSA, RNG, DES/TDES, AES, ECC).
  • Key types across the stack: clear key, protected key, and secure key (the latter only ever usable through the coprocessor).
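The distinction slides 19 and 20 draw between a clear key and a secure key is the heart of the hardware story, so here is an added example of it, not code from the deck, from ICSF or from the Linux zcrypt stack. It is a toy model in Python: the "coprocessor" holds the master key, the "CKDS" holds only key tokens encrypted under it, and the application asks for a keyed operation by label and never sees the clear key. The wrap is built from HMAC-SHA256 so the example runs with the standard library; it stands in for the card's real master-key encryption and is not a secure key-wrap in its own right. The key labels, user IDs and access lists are constructed for the example; CSFKGN and CSFMGN are the real CSFSERV resource names for the Key Generate and MAC Generate callable services.

```python
"""Secure keys under a master key, with RACF CSFSERV/CSFKEYS checks (added toy model)."""
import hashlib
import hmac
import os


class Coprocessor:
    """Stand-in for a Crypto Express card: the master key lives only in here."""

    def __init__(self, master_key: bytes):
        self._mk = master_key

    def _stream(self, label: str, n: int) -> bytes:
        # Toy keystream derived from the master key and the key label (not a real cipher).
        out = b""
        for i in range((n + 31) // 32):
            out += hmac.new(self._mk, label.encode() + i.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        return out[:n]

    def generate(self, label: str) -> bytes:
        """Generate a 16-byte key and hand it back only as a secure key token."""
        clear = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(clear, self._stream(label, 16)))
        tag = hmac.new(self._mk, label.encode() + body, hashlib.sha256).digest()[:16]
        return body + tag          # key under MK, plus an integrity tag

    def _unwrap(self, label: str, token: bytes) -> bytes:
        body, tag = token[:-16], token[-16:]
        want = hmac.new(self._mk, label.encode() + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, want):
            raise ValueError("token was not wrapped under this master key")
        return bytes(a ^ b for a, b in zip(body, self._stream(label, len(body))))

    def mac(self, label: str, token: bytes, data: bytes) -> str:
        """Keyed operation done 'inside the card'; the caller never sees the clear key."""
        return hmac.new(self._unwrap(label, token), data, hashlib.sha256).hexdigest()


class Icsf:
    """Routes callable services, checks RACF CSFSERV/CSFKEYS, and keeps the CKDS."""

    def __init__(self, cop: Coprocessor, csfserv: dict, csfkeys: dict):
        self.cop = cop
        self.ckds = {}             # key label -> secure key token (no clear keys here)
        self.csfserv = csfserv     # service name -> set of permitted user IDs
        self.csfkeys = csfkeys     # key label -> set of permitted user IDs
        self.smf = []              # audit trail of the RACF decisions

    def _check(self, cls: str, resource: str, userid: str) -> bool:
        table = self.csfserv if cls == "CSFSERV" else self.csfkeys
        ok = userid in table.get(resource, set())
        self.smf.append((cls, resource, userid, "ACCESS" if ok else "INSUFFICIENT ACCESS"))
        return ok

    def key_generate(self, userid: str, label: str) -> None:
        if not self._check("CSFSERV", "CSFKGN", userid):
            raise PermissionError(f"{userid} not permitted to CSFKGN")
        self.ckds[label] = self.cop.generate(label)

    def mac_generate(self, userid: str, label: str, data: bytes) -> str:
        if not (self._check("CSFSERV", "CSFMGN", userid) and self._check("CSFKEYS", label, userid)):
            raise PermissionError(f"{userid} not permitted to MAC with {label}")
        return self.cop.mac(label, self.ckds[label], data)


def demo_icsf() -> Icsf:
    icsf = Icsf(Coprocessor(os.urandom(32)),
                csfserv={"CSFKGN": {"KEYADM"}, "CSFMGN": {"APP1"}},
                csfkeys={"PAYROLL.MAC.KEY": {"APP1"}})
    icsf.key_generate("KEYADM", "PAYROLL.MAC.KEY")   # key administrator creates the key
    return icsf


if __name__ == "__main__":
    icsf = demo_icsf()
    print(icsf.mac_generate("APP1", "PAYROLL.MAC.KEY", b"batch 2013-06-01"))
    print(icsf.ckds["PAYROLL.MAC.KEY"].hex())   # what a CKDS dump would show: not the key
    print(icsf.smf)
```

Three properties of the real design fall out of the model: the key administrator who generated the key cannot use it (no CSFMGN or CSFKEYS access), the application can use it but never reads it, and a token copied to a machine with a different master key is useless, which is why master keys are loaded through TKE rather than copied around.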
Slide 21. z/OS Public Key Infrastructure: PKI Services structure
  • Front end: end users reach the HTTP Server for z/OS (HTTP/HTTPS; HTTP daemon, static web pages, CGI scripts in the HFS) or WebSphere Application Server (JSP/servlet); OCSP/SCEP requesters and CMP clients are served by the OCSP, CMP and SCEP CGI. The PKI administrator uses the same web front end.
  • Middle: requests pass through the R_PKIServ callable service (via JNI from WebSphere, or a program call from the CGI with the RACF linkage-assist routine) into the z/OS PKI Services daemon, a combined RA/CA process, with a PKI exit for installation customization.
  • Stores: an object store (VSAM) for requests, an issued certificate list (VSAM), a CRL, certificates published to an LDAP directory, and the RACF database.
  • Audit: SMF audit records, read with the SMF extract tool.
Slide 22. Other options for identity translation/propagation/synchronization
  • Users authenticated to Active Directory (through Windows Domain Controllers and Windows Directory Servers) may reach System z through .Net applications, or may also access System z directly via TN3270, FTP, etc.
  • z/OS resources include IMS, CICS, DB2, WebSphere, MQ. All are protected with RACF, meaning that every requester has to have a RACF user ID in its ACEE, and the installation needs a 'complete' audit trail that ties the request back to the original identity.
  • z/OS-side building blocks: z/OS LDAP installed, z/OS Communications Server security features, z/OS PKI Services.
Slide 23. Identity and Access Management
  • Embedded with the z/OS features:
    – Tivoli Directory Server (TDS, commonly called LDAP), extending System z security as well as allowing propagation of RACF information
    – Digital certificates and z/OS PKI Services
    – Kerberos (within the RACF domain, and building trust across separate KDCs; WAS & SPNEGO)
    – PassTickets
    – Identity propagation
  • zSecure for administration and audit (plus Command Verifier)
  • Federating identities with Tivoli Federated Identity Manager (TFIM) for web services
  • Tivoli Access Manager for e-business (TAMeb) for web security; TAM for business integration (TAMbi)
  • Managing identities on System z or across the enterprise with Tivoli Identity Manager (TIM)
Slide 24. IBM Tivoli Directory Server (LDAP) overview
  • The z/OS slapd daemon serves LDAP V3 over the TCP/IP stack to any LDAP client (including JNDI), with optional SSL using a key database or a RACF key ring; a z/OS LDAP API for C/C++ is also provided. Configuration comes from ds.conf and ds.envvars.
  • Back ends behind one schema:
    – SDBM: the Security Server directory (the RACF database)
    – LDBM: general-purpose directory in a USS file
    – TDBM: general-purpose directory in DB2
    – GDBM: change log directory (DB2 or USS)
    – CDBM: configuration directory (USS file)
Slide 25. Identity & Access Management with z/OS identity propagation
  • A user authenticates to WebSphere Application Server (running remotely or on System z) with a distributed identity: a distinguished name (DN) and realm.
  • That DN and realm are 'propagated' into the z/OS run-time security context (here, into CICS) in the new data areas IDID and ICRX.
  • At this point, under RACF control, a RACF user ID is selected for the request, so the security context carries both the RACF user ID and the DN & realm.
  • The SMF audit record contains both the RACF user ID and the DN & realm, so an auditor can trace a mainframe action back to the person behind a shared or mapped ID.
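What "under RACF control" means in practice on slide 25 is a mapping from the incoming DN and realm to a RACF user ID, with the original identity kept for the audit record. The following is an added example of that step, not code from the deck and not RACF's implementation. The filter search it uses (exact DN first, then the DN with its leftmost RDN removed, and so on, scoped to the registry) follows the idea behind RACF distributed identity filters defined with RACMAP, but is a simplification; the DNs, realm name, filters and user IDs are constructed for the example.

```python
"""Mapping a propagated distributed identity to a RACF user ID (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DistributedIdentity:
    dn: str       # X.500 distinguished name from the remote registry
    realm: str    # the registry it came from (the REGISTRY name in RACMAP)


@dataclass
class Acee:
    """Run-time security context: the RACF ID plus the original identity (IDID)."""
    userid: str
    idid: Optional[DistributedIdentity] = None


class IdentityMap:
    def __init__(self):
        self.filters = {}     # (dn filter, registry) -> RACF user ID

    @staticmethod
    def _norm(dn: str) -> str:
        return ",".join(p.strip() for p in dn.split(","))

    def racmap(self, userid: str, dn_filter: str, registry: str) -> None:
        """RACMAP ID(userid) MAP USERDIDFILTER(NAME('dn_filter')) REGISTRY(NAME('registry'))"""
        self.filters[(self._norm(dn_filter), registry)] = userid

    def resolve(self, ident: DistributedIdentity) -> Optional[str]:
        """Most specific filter wins: the full DN, then the DN with its leftmost RDN
        removed, and so on; a filter only applies to identities from its registry."""
        rdns = self._norm(ident.dn).split(",")
        for i in range(len(rdns)):
            hit = self.filters.get((",".join(rdns[i:]), ident.realm))
            if hit is not None:
                return hit
        return None


def init_acee(idmap: IdentityMap, ident: DistributedIdentity, smf: list) -> Optional[Acee]:
    """Build the z/OS security context for a propagated identity and cut an audit
    record that carries both the RACF user ID and the DN/realm it came from."""
    userid = idmap.resolve(ident)
    smf.append({"event": "INITACEE", "userid": userid, "dn": ident.dn,
                "realm": ident.realm, "result": "OK" if userid else "NO MAPPING"})
    return Acee(userid, ident) if userid else None


def demo_map() -> IdentityMap:
    m = IdentityMap()
    ldap = "ldap://ldap.example.com:389"
    m.racmap("MSMITH", "CN=Mary Smith,OU=Claims,O=Example", ldap)   # one person, own ID
    m.racmap("CLAIMSAP", "OU=Claims,O=Example", ldap)                # everyone else in Claims
    return m


if __name__ == "__main__":
    smf = []
    m = demo_map()
    for dn in ["CN=Mary Smith,OU=Claims,O=Example", "CN=Bob Lee,OU=Claims,O=Example",
               "CN=Eve,OU=Sales,O=Example"]:
        print(init_acee(m, DistributedIdentity(dn, "ldap://ldap.example.com:389"), smf))
    for rec in smf:
        print(rec)
```

The audit records are the part to look at: Bob Lee runs under the shared CLAIMSAP ID, but his own DN is still in the SMF record, which is the "complete audit trail" slide 22 asks for. A DN from an unknown registry or an unmatched branch of the tree gets no ACEE at all rather than a default.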
Slide 26. Host firewalls
  • Physically secure networking: Internet → external network → firewall → DMZ → firewall/IDS → the z/OS perimeter and the protected application network, all within a z/VM LPAR.
  • Linux DMZ: ISS Proventia Server for Linux provides the firewall and IDS/IPS in front of the protected application.
  • z/OS: the firewall & IDS functions of the z/OS stack itself.
Slide 27. Virtual network management: multiple security zones
  • Control access to a Virtual Switch (VSWITCH), and to specific VLANs on a VSWITCH.
  • Use the z/VM RACF Security Server to control and audit Linux and other virtual server access to networks.
  • Control and audit guest sniffing of virtual networks.
  • Better control of multi-tenant environments.
  • Diagram: web, app and db guests under z/VM, with VSWITCH 1 facing the Internet and VSWITCH 2 facing the outboard databases, so a web guest never sits on the database segment.
Slide 28. Customer example of utilizing RACF for z/VM and LDAP
  • z/VM 5.4 with RACF VM; SLES 10 Linux guests share a read-only Linux root and each carry their own config & data disks; additional "FAST AR" guests.
  • Separate virtual switches for management, presentation, application and database traffic, with the LDAP servers on the database side.
  • Linux guest access to the different virtual switches and VLANs is controlled by RACF.
Slide 29. Architecture overview for identity management
  • z/OS management/development zone: the RACF database with the ITIM RACF agent, z/OS services (CICS, WebSphere Application Server, LDAP server), developers, and PAM for Linux.
  • Trusted zone: IBM Tivoli Identity Manager (ITIM server), the Tivoli Access Manager policy server with the master ACL, LDAP, other user registries, the RACF/VM agent and the ITIM TAM agent.
  • DMZ: WebSEAL instances (holding replica ACLs) in front of the e-business users and the applications App 1 to App n with their data.
Slide 30. Elements of enterprise security
  • Platform infrastructure: RACF/SAF (authentication, authorization and access control); ICSF (key storage for key material); Directory Server (LDAP, standards-compliant directory); Network Authentication Service (Kerberos V5); Common Criteria ratings; support for audit, authorization, services and a scalable enterprise.
  • Secured communications: SSL/TLS, IPSec, IDS.
  • Data privacy: tape encryption (TS1120), disk encryption (DS8000), secured key storage & management (Crypto Express3), multilevel security.
  • Compliance and audit: event logging (SMF), IBM Tivoli Security Compliance Insight Manager, IBM Tivoli zSecure suite, DB2 Audit Management Expert.
  • Extended enterprise: certificate authority (PKI Services), Enterprise Encryption Services, Tivoli Identity Manager, Tivoli Federated Identity Manager, enterprise fraud solutions.