Page 1
IBM z Systems Security Conference | 27-30 September | Montpellier
IBM Systems
IBM z Systems Security Conference – Business Security for today and tomorrow
27-30 September | Montpellier
Mainframe Security – It’s not just about your ESM!
Rui Miguel Feio, Technical Lead – RSM Partners
Page 2
Agenda
• Introductions
• Objectives
• Network Controls
• Other Controls
• Real Life Examples
• Taking Security Seriously (or Not)
• Conclusions
• Questions
Page 3
Delivering the best in z services, software, hardware and training.
World Class z Specialists
Page 4
This presentation: initially created by Mark Wilson. Improved and presented by me!
Page 5
Introduction
• Technical lead at RSM Partners
• Been working with mainframes for the past 17 years and with computers since 1984
• Started as an MVS Systems Programmer with IBM and ended up specialising in mainframe security
• Experience in non-mainframe platforms as well
• I give presentations all over the world
Page 7
Objectives
• Let’s start with the basics:
– ESM stands for External Security Manager – RACF, ACF2, TSS
– ESM helps protect the mainframe
• But what does it mean, ‘protect the mainframe’?
• We will be looking at some of the other security controls available and a number of non-ESM related security controls that should be used to protect the mainframe
Page 8
Some of the Network Controls
Page 9
We keep hearing non-mainframe people and even some mainframe technicians say:
“The mainframe is fine, it’s behind a firewall…”
Page 10
Network Controls
• The mainframe is part of an ecosystem of different platforms and devices
• More than likely one or more devices and systems of this ecosystem (including the mainframe) will be connected to the internet
• This means that potentially there are many different ways to reach the mainframe
• We need to consider:
– Intrusion detection services (IDS), TCP/IP security, SENDMAIL and SMTP security
Page 11
Network Controls
• Ask yourself: “How much do I actually know about network security and what features/facilities IBM have built into the system?”
• Who in this room has a clear understanding of:
– The SERVAUTH class
– TLS/SSL vs AT-TLS vs IPsec
– IP Filtering
– Intrusion Detection Services (IDS)
– Defence Manager (DM)
Let’s check this one
Page 12
SERVAUTH Class
• The SERVAUTH resource class supports TCP/IP security
• Profiles in the SERVAUTH class are prefixed with EZB
• The second qualifier specifies the function (for example):
– EZB.STACKACCESS.** to protect access to the TCP stack
– EZB.NETACCESS.** to specify who can access a specified network
– EZB.TN3270.** to protect TN3270 Secure Telnet Port Access
– EZB.PORTACCESS.** to specify who can use which TCP and UDP ports
• The SERVAUTH class must be RACLISTed
Page 13
SERVAUTH Class
• EZB.STACKACCESS.sysname.tcpname
• EZB.NETACCESS.sysname.tcpname.netname
• EZB.PORTACCESS.sysname.tcpname.portname
• EZB.TN3270.sysname.tcpname.PORTnnnnn
• EZB.NETSTAT.sysname.tcpname.netstatoption
• EZB.FRCAACCESS.sysname.tcpname
• EZB.MODDVIPA.sysname.tcpname
• EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST
• EZB.NETMGMT.sysname.tcpname.SYSTCPDA
• EZB.NETMGMT.sysname.tcpname.SYSTCPCN
• EZB.NETMGMT.sysname.tcpname.SYSTCPSM
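As an added example (not part of the deck), a REXX exec issuing the RACF commands that activate SERVAUTH and define stack, port and network-access profiles from the list above, then verify them; SYS1, TCPIP, FTPPORT, TCPUSERS, FTPD1 and INTRAUSR are assumed placeholder names.

```rexx
/* REXX - added example, not from the deck. SYS1 (system), TCPIP (stack),  */
/* FTPPORT (SAF port name), TCPUSERS, FTPD1 and INTRAUSR are placeholders.  */

/* 1. Activate SERVAUTH with generic profiles and RACLIST it (SERVAUTH      */
/*    checks are only made against the in-storage, RACLISTed copy)          */
CALL racf "SETROPTS CLASSACT(SERVAUTH) GENERIC(SERVAUTH) RACLIST(SERVAUTH)"

/* 2. Stack access: only group TCPUSERS may open sockets on stack TCPIP     */
/*    of system SYS1; failed attempts are logged to SMF                     */
CALL racf "RDEFINE SERVAUTH EZB.STACKACCESS.SYS1.TCPIP UACC(NONE)",
          "AUDIT(FAILURES(READ))"
CALL racf "PERMIT EZB.STACKACCESS.SYS1.TCPIP CLASS(SERVAUTH)",
          "ID(TCPUSERS) ACCESS(READ)"

/* 3. Port access: the TCPIP profile reserves the port with                 */
/*      PORT 21 TCP FTPD1 SAF FTPPORT                                       */
/*    so only the FTP server user FTPD1 may bind it                         */
CALL racf "RDEFINE SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.FTPPORT UACC(NONE)",
          "AUDIT(FAILURES(READ))"
CALL racf "PERMIT EZB.PORTACCESS.SYS1.TCPIP.FTPPORT CLASS(SERVAUTH)",
          "ID(FTPD1) ACCESS(READ)"

/* 4. Network access: zone INTRANET is the name given to a subnet in the    */
/*    NETACCESS block of the TCPIP profile                                  */
CALL racf "RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.INTRANET UACC(NONE)",
          "AUDIT(FAILURES(READ))"
CALL racf "PERMIT EZB.NETACCESS.SYS1.TCPIP.INTRANET CLASS(SERVAUTH)",
          "ID(INTRAUSR) ACCESS(READ)"

/* 5. Refresh the RACLISTed copy so the new profiles take effect            */
CALL racf "SETROPTS RACLIST(SERVAUTH) REFRESH"

/* 6. Verify: every profile should show UNIVERSAL ACCESS NONE, and the      */
/*    SEARCH should report no profiles left in WARNING mode                 */
CALL racf "RLIST SERVAUTH * ALL"
CALL racf "SEARCH CLASS(SERVAUTH) WARNING"
EXIT 0

/* Issue one RACF command under TSO and report a non-zero return code       */
racf: PROCEDURE
  cmd = ARG(1)
  ADDRESS TSO cmd
  IF RC <> 0 THEN SAY 'RC='RC 'from:' cmd
  RETURN
```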
Page 14
TLS/SSL vs AT-TLS vs IPsec
• They all provide encryption/certificates for TCP/IP…
• But what else can you do with them?
• Who knows the differences?
• Who knows the restrictions?
Page 15
TLS/SSL
• TLS – Transport Layer Security
• SSL – Secure Sockets Layer
• Encrypts end-to-end to the application buffers
• Application must support System SSL
• Development maintenance overhead
• Cannot work for UDP services (EE, DNS lookup, SNMP...)
Page 16
AT-TLS
• AT-TLS – Application Transparent Transport Layer Security
• Encrypts to the TCP/IP stack on z/OS
• Component of Communications Server
• Defined per application
• Removes the need for the application to support System SSL
• IBM recommended solution
• Cannot work for UDP services (EE, DNS lookup, SNMP...)
• Requires policy agent
Page 17
IPsec
• IPsec – Internet Protocol security
• Provides an encrypted “tunnel” at the IP link layer
• Component of Communications Server
• Tunnel can be shared by multiple applications/services
• Tunnel can be used for TCP and UDP services
• Data can flow in clear to the application within the data centre
• Requires policy agent
Page 18
IP Filtering
• Effectively a firewall for z/OS
• Component of Communications Server
• Requires policy agent
• Configure to allow/reject any IP packet
• You can use the:
– Target/Origin IP address
– Target/Origin Port
– Plus other metrics…
• Audit log written to SyslogD
Page 19
Intrusion Detection Services (IDS)
• A hacker detection mechanism for z/OS
• Component of Communications Server
• Looks for a wide range of intrusion attacks
– ICMP attacks
– UDP attacks
– Port scans
– TCP state violations
– TCP malformed packets
– Many more…
• Requires policy agent
• Audit log written to SyslogD
Page 20
Intrusion Detection Services (IDS)
• We all understand the business disaster that is a data breach and the millions it can cost an organisation
• But a denial of service can cost an organisation just as much
• What if one of your major competitors hired someone from the “Dark Web” to take down your systems…
• What if they have mainframe knowledge?
• Hackers learn quickly and they are platform agnostic. As long as they get paid, they don’t care. Ever heard of Hacking as a Service?
Page 21
Intrusion Detection Services (IDS)
Page 22
SyslogD
• Given this is typically where all the useful information is written…
• How many of us actually monitor or even alert on what’s written in here?
• Borrowed the next slide from a comms server manual
Page 23
SyslogD
• The syslogd facility uses a common mechanism for segregating messages
• The table shows the facilities used by z/OS Communications Server functions which write messages to syslogd
• The Primary syslog facility column shows the syslog facility used for most messages logged by the application
• Some applications use other facilities for certain messages
Page 24
File Transfer
• Another key area is FTP
• Obviously the SERVAUTH profiles help to some extent, but you really need an additional layer of security for FTP/FTPS, which you have to write yourself or purchase additional software to get all that you need
• How about sftp and OpenSSH?
• Less support for security here, and they need to be carefully considered
Page 25
SMTP
• How many of you are running SMTP?
• How are you controlling it?
• What would be the business and reputational impact for your company if someone was able to email sensitive data from the mainframe to the outside world?
• ‘Panama Papers’ anyone?
Page 27
Other Controls
• It’s not just about mainframe security controls
• It’s about your end-to-end security posture
• You need to work through what a well motivated hacker, or a disgruntled employee, may do
• You need to start thinking like them
• It’s about the whole ecosystem: mainframe, other platforms and devices
Page 28
What about all the other stuff?
• Subsystems (CICS, IMS, DB2, MQ)
• Scheduler
• Automation
• Source Control and 4-eye checking
• All the ISV products you have…
• How about vulnerability scanning:
– IBM
– ISV
– Internally developed
Page 30
Real Life Examples
• Recently performed a mainframe security audit at a financial institution in Europe (51 risks identified)
• Large number of users with READ access to a daily backup copy of the RACF database, network controls not properly protected, …

Classification   Score
Critical         11
Serious          23
Important        17
Page 31
Real Life Examples
• Mainframe security audit at a large energy company in the US this summer (72 risks identified)
• Network controls not defined
• READ access to sensitive data!!

Classification   Score
Critical         27
Serious          30
Important        15
Page 32
Real Life Examples
• Security analysis of a production RACF DB at a government agency in the UK last month
• 33 security problems identified in the RACF DB
• SERVAUTH class not active!!
• Large number of users with ALTER access to the Master Catalog
• All OPERCMDS profiles in Warning mode, including JES2.* and MVS.*
• RACF databases with UACC of READ and several users with ALTER and UPDATE access
Page 34
Taking security seriously (or not)
Page 35
On a nice Sunday morning…
Page 36
On its TV screen facing the street
Page 37
On the train on a business trip…
Page 38
On the train on a business trip…
Page 39
On a site, somewhere in Europe…
Page 40
On a site, somewhere in Europe…
Page 42
You need a plan
1. Security Policy
2. Security Design
3. Security Procedures
4. Security Implementation
5. Security Auditing
6. Measurement Against Policy
Page 43
It’s a continuous process
• Discovery
• Attack: (optionally) attack the system with the discovery information.
• Success? Use the findings to your benefit to enhance your security posture.
• Discover: discover the flaws in your system with the knowledge gained.
• Education: this and many other sessions
• Knowledge: now you know what to do!
Page 45
Contact
Rui Miguel Feio, RSM Partners
Email: [email protected] | +44 (0)7570 911459 | LinkedIn: www.linkedin.com/in/rfeio
www.rsmpartners.com
Page 46
www.ibm.com/security