You are previewing Reduce Risk and Improve Security on IBM Mainframes: Volume 2 Mainframe Communication and Networking Security.
O'Reilly logo
Reduce Risk and Improve Security on IBM Mainframes: Volume 2 Mainframe Communication and Networking Security

Book Description

This IBM® Redbooks® publication documents the strength and value of the IBM security strategy with IBM z Systems hardware and software (referred to in this book by the previous product name, IBM System z®). In an age of increasing security consciousness and more dangerous and advanced persistent threats, System z provides the capabilities to address today’s business security challenges. This book explores how System z hardware is designed to provide integrity, process isolation, and cryptographic capability to help address security requirements.

We highlight the features of IBM z/OS® and other operating systems that offer a variety of customizable security elements. We also describe z/OS and other operating systems and additional software that use the building blocks of System z hardware to meet business security needs. We explore these from the perspective of an enterprise security architect and how a modern mainframe must fit into an enterprise security architecture.

This book is part of a three-volume series that focuses on guiding principles for optimized mainframe security configuration within a holistic enterprise security architecture. The intended audience includes enterprise security architects, planners, and managers who are interested in exploring how the security design and features of the System z platform, the z/OS operating system, and associated software address current issues, such as data encryption, authentication, authorization, network security, auditing, ease of security administration, and monitoring.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. IBM Redbooks promotions
  4. Preface
    1. Authors
    2. Now you can become a published author, too
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  5. Chapter 1. Mainframe network concepts and functions
    1. 1.1 Introduction to mainframe networks
      1. 1.1.1 Technical overview
      2. 1.1.2 Communications Server features and benefits
      3. 1.1.3 Who supports the network
    2. 1.2 History of mainframe networks
    3. 1.3 Mainframe network architecture
    4. 1.4 Networking hardware
      1. 1.4.1 Network connections
    5. 1.5 Network protocols
      1. 1.5.1 TCP/IP
      2. 1.5.2 SMC-R
      3. 1.5.3 SNA
    6. 1.6 Additional network components
      1. 1.6.1 VTAM
      2. 1.6.2 TCP/IP stack and functions
      3. 1.6.3 Enterprise Extender
      4. 1.6.4 TN3270/E
      5. 1.6.5 Special features
    7. 1.7 Network tools and products
      1. 1.7.1 NetView Performance Monitor
      2. 1.7.2 OMEGAMON XE for Mainframe Networks
      3. 1.7.3 Session Manager for z/OS
      4. 1.7.4 Solve: Access Session Management
    8. 1.8 Operations and administration
      1. 1.8.1 Operational tasks
      2. 1.8.2 z/OS network administrator tasks
    9. 1.9 Securing mainframe networks
  6. Chapter 2. Cryptography for network security
    1. 2.1 Security concepts and architecture for network cryptography on System z
      1. 2.1.1 Basics of cryptography for network security
      2. 2.1.2 Definition of a secure communication model for networks
      3. 2.1.3 Applications of cryptosystems for network security
      4. 2.1.4 Overview of the z/OS TCP/IP cryptographic infrastructure
      5. 2.1.5 Transport Layer Security on z/OS
      6. 2.1.6 AT-TLS
      7. 2.1.7 IPSec
      8. 2.1.8 OpenSSH on z/OS
      9. 2.1.9 PKI services
    2. 2.2 Guiding principles for cryptography for network security
      1. 2.2.1 Choosing appropriate cryptographic algorithms for network security
      2. 2.2.2 Defining a cryptography strategy within your organization
      3. 2.2.3 Choosing Transport Layer Security implementations
      4. 2.2.4 Things to keep in mind when defining certificates
      5. 2.2.5 Guiding principles for IPSec
      6. 2.2.6 OpenSSH on z/OS UNIX, z/OS dependant features implementation
  7. Chapter 3. TCP/IP security
    1. 3.1 Introduction
      1. 3.1.1 IP network design
      2. 3.1.2 System z in a DMZ
      3. 3.1.3 Mixing environments
      4. 3.1.4 HiperSockets
    2. 3.2 Sockets and APIs
    3. 3.3 Telnet Server
      1. 3.3.1 Security concepts and architecture
    4. 3.4 FTP
      1. 3.4.1 Security concepts and architecture
    5. 3.5 InetD, the Internet daemon
      1. 3.5.1 Security concepts and architecture
    6. 3.6 Virtual IP addressing
      1. 3.6.1 Security concepts and architecture
    7. 3.7 z/OS IP filtering
      1. 3.7.1 Security concepts and architecture
    8. 3.8 IPSec
      1. 3.8.1 Security concepts and architecture
    9. 3.9 z/OS Intrusion Detection Services
      1. 3.9.1 Security concepts and architecture
    10. 3.10 IP resource security
      1. 3.10.1 SAF controls
      2. 3.10.2 Multi-level security
      3. 3.10.3 OSA-Express connection isolation
      4. 3.10.4 IP Profile Controls
  8. Chapter 4. SNA security
    1. 4.1 Introduction
    2. 4.2 SNA encryption versus IP encryption
    3. 4.3 Security controls using VTAM start options
      1. 4.3.1 Crypto-based start options
      2. 4.3.2 Access control start options
    4. 4.4 Transport security
      1. 4.4.1 Enterprise Extender
      2. 4.4.2 UDP/IP considerations
      3. 4.4.3 Network Address Translation considerations
      4. 4.4.4 Enterprise Extender IP security
    5. 4.5 TN3270 Security
      1. 4.5.1 Background
      2. 4.5.2 Securing TN3270 IP flow
      3. 4.5.3 SSL/TLS support
      4. 4.5.4 TN3270 SSL support
      5. 4.5.5 Securing DLSw connections
    6. 4.6 Searching security
      1. 4.6.1 Basics of searching
      2. 4.6.2 Subarea searches
      3. 4.6.3 Searching an APPN network
      4. 4.6.4 Controlling searches of other APPN networks
      5. 4.6.5 ADJCLUST tables
      6. 4.6.6 Controlling searches entering a network
      7. 4.6.7 Session Management Exit
      8. 4.6.8 Directory Services Management Exit
      9. 4.6.9 Searches that are not network-qualified
      10. 4.6.10 Authorized Cross-Net searches
    7. 4.7 Application security
      1. 4.7.1 Session-level encryption for data confidentiality
      2. 4.7.2 Message authentication for data integrity
      3. 4.7.3 LU 6.2 session-level authentication
      4. 4.7.4 LU 6.2 conversation-level authentication
    8. 4.8 Recap of recommendations
  9. Chapter 5. Shared Memory Communications over RDMA
    1. 5.1 Overview
      1. 5.1.1 SMC-R: A hybrid protocol
      2. 5.1.2 SMC-R eligibility
      3. 5.1.3 Enabling SMC-R and connection setup
    2. 5.2 Security characteristics of SMC-R connections
      1. 5.2.1 Protecting application data
      2. 5.2.2 Protecting network protocol headers
      3. 5.2.3 Firewalls and Deep Packet Inspection (DPI) devices
    3. 5.3 z/OS network security features and SMC-R
      1. 5.3.1 Interface-based SMC-R enablement
      2. 5.3.2 Port-based SMC-R exclusion
      3. 5.3.3 SAF-based network access controls
      4. 5.3.4 IP filter rules
      5. 5.3.5 IPSec
      6. 5.3.6 SSL/TLS, including Application Transparent TLS (AT-TLS)
      7. 5.3.7 SSH
      8. 5.3.8 Application layer security protocols and features
      9. 5.3.9 Integrated Intrusion Detection Services (IDS)
      10. 5.3.10 Multilevel Security (MLS)
  10. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Help from IBM
  11. Back cover