Published by Alonso Gidley
Modified about 1 year ago
© 2006 IBM Corporation
Introduction to z/OS Security
Lesson 7: Communications and Network Security
Objectives
In today’s world, the Internet plays a significant role in connecting computer systems. Systems are exposed to anyone with a laptop and a wireless connection to a service provider. Not everyone out there plays by the rules, so it is up to the installation to protect itself from attacks.
At the completion of this chapter you should have a basic understanding of:
–Why securing connections is important.
–Secure Socket Layer and Transport Layer Security.
–Keys and how they are used to secure conversations across the Internet.
–IP filtering.
–Virtual Private Networks.
–TCP/IP and SNA security on z/OS.
–Public Key Infrastructure and the z/OS PKI Server.
–Intrusion Detection Services available on z/OS.
Key Terms
TCP/IP
SSL
SNA
APPC/MVS
APPL
Communications Server
Intrusion Detection
Scan
Attack
Denial of Service
Introduction
The primary protocol in use today is Transmission Control Protocol/Internet Protocol, commonly referred to as TCP/IP. Everything from small systems like personal digital assistants and laptops to the largest systems such as z/OS and zLinux provides the ability to connect to the Internet. This capability is a powerful driver of business. Users can connect to your system without knowing what type of hardware it is running on or the underlying operating system you have chosen to implement. The downside is exactly the same capability: anyone can connect to your system without knowing what type of hardware it is running on or the underlying operating system you have chosen to implement.
Introduction
Communications security allows you to open your enterprise up to everyone on the Internet, or to tailor the user community to only those who you feel comfortable servicing. You can turn security off completely for some daemons, but enforce strict controls on others. z/OS gives you the flexibility you need to manage your business and at the same time protect your critical network-accessible resources. Let’s look at the methods of networking and the security that pertains to them.
TCP/IP and SSL
When TCP/IP sessions are secured, it is generally through the use of SSL and its follow-on variation, TLS. With the Secure Socket Layer (SSL) protocol you can encrypt data flowing in and out of your system, either within or beyond the scope of your business. SSL assures clients that the server is genuine because it requires the server to authenticate to the client using a digital certificate. It allows you to be certain of the origin of any data flowing into your system, and you can be sure that the data was not altered from when it was created. SSL provides the ability for users of your services, such as FTP, HTTP, and Shell, to authenticate using digital certificates rather than the simpler user ID and password semantics.
SSL and TLS
Establishing an SSL connection begins with a handshake during which the server is authenticated to the client using a digital certificate. During the handshake, session security parameters, such as which cryptographic algorithms to use, are negotiated and session keys are created. After the handshake, the data flowing between the client and the server is protected through data encryption.
Transport Layer Security (TLS) is the latest in the continuing evolution of SSL. TLS 1.0 might as readily have been titled SSL 3.1. In fact, when negotiating a TLS handshake, the client and server hello messages use version specification 3.1 (SSL 3.0 uses version specification 3.0).
TLS 3.1
TLS 3.1 is a protocol designed with the intent of allowing enhancements for future improvements to privacy over TCP/IP connections. The RFC for TLS 3.1 includes support for extensions which:
–Allow TLS clients to provide to the TLS server the name of the server they are contacting.
–Allow TLS clients and servers to negotiate the maximum fragment length to be sent.
–Allow TLS clients and servers to negotiate the use of client certificate URLs.
–Allow TLS clients to indicate to TLS servers which CA root keys they possess.
–Allow TLS clients and servers to negotiate the use of truncated MACs.
–Allow TLS clients and servers to negotiate that the server sends the client certificate status information (e.g., an Online Certificate Status Protocol (OCSP) [OCSP] response) during a TLS handshake.
SSL does not provide for such enhancements.
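The two slides above describe the hello messages carrying version 3.1 and the extension mechanism that lets a client name the server it is contacting. The following Python is an added illustration, not part of the IBM course material: it builds a ClientHello record with version 3.1 and a server_name extension, then parses it back with every length field bounds-checked, which is how a server or inspection point should read untrusted handshake bytes. The extension type numbers come from RFC 4366; the sample hello (zeroed random, two cipher suites, the host name mainframe.example.com) is constructed here and is not a capture.

```python
import struct

# Extension type codes assigned in RFC 4366 for the extensions the slide lists.
EXTENSION_NAMES = {
    0: "server_name",
    1: "max_fragment_length",
    2: "client_certificate_url",
    3: "trusted_ca_keys",
    4: "truncated_hmac",
    5: "status_request",
}


def build_client_hello(host_name, cipher_suites=(0x002F, 0x0035), extra_extensions=()):
    """Build a constructed ClientHello record (version 3.1, i.e. TLS 1.0) carrying
    a server_name extension plus any (type, body) extensions passed in.
    The random field is all zeros: this is sample data, not a real capture."""
    name = host_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body
    for ext_type, ext_body in extra_extensions:
        extensions += struct.pack("!HH", ext_type, len(ext_body)) + ext_body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x01"                                   # client_version 3.1
        + bytes(32)                                   # random
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_client_hello(record):
    """Parse a ClientHello record into versions, cipher suites and extensions.
    Every length field is checked against the enclosing buffer, so a malformed
    message raises ValueError instead of being read past its end."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello body")
    client_version = (body[0], body[1])
    pos = 2 + 32                                      # skip client_version and random
    pos += 1 + body[pos]                              # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated cipher_suites length")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if pos + suites_len > len(body):
        raise ValueError("cipher_suites overrun")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    if pos >= len(body):
        raise ValueError("missing compression_methods")
    pos += 1 + body[pos]                              # skip compression_methods
    extensions = {}
    if pos + 2 <= len(body):                          # the extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions overrun body")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + ext_len > end:
                raise ValueError("extension overruns extension list")
            extensions[EXTENSION_NAMES.get(ext_type, ext_type)] = body[pos:pos + ext_len]
            pos += ext_len
    return {"record_version": (record[1], record[2]), "client_version": client_version,
            "cipher_suites": suites, "extensions": extensions}


def server_name(parsed):
    """Return the host_name carried in the server_name extension, or None."""
    data = parsed["extensions"].get("server_name")
    if data is None or len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        if pos + 3 + name_len > end:
            return None
        if name_type == 0:
            return data[pos + 3:pos + 3 + name_len].decode("ascii", "replace")
        pos += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("mainframe.example.com", extra_extensions=[(1, b"\x03"), (4, b"")])
    parsed = parse_client_hello(hello)
    print(parsed["client_version"], list(parsed["extensions"]), server_name(parsed))
```

Running the block prints the version tuple (3, 1), the extension names found, and the host name the client asked for; the length checks are the part worth copying, since a hello with a lying length field is exactly the kind of single crafted packet the intrusion detection slides later warn about.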
IP Filtering
As you open your system up to the Internet, you want to consider who will be accessing your resources from outside of your internal networks. The ability to filter out unknown and unwanted traffic is very useful. IP filters are rules defined to either discard or permit traffic coming into your system. These rules determine which packets will be received and processed and which will be ignored as if they had never been received. You can apply different rules to decide how your filters will work. You can base the filtering on the source or destination of the packet, the protocols being used, and even the socket number. By filtering TCP/IP packets you can eliminate some threats as they attempt to contact your systems.
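The slide describes filter rules keyed on source, destination, protocol and port that decide whether a packet is processed or silently dropped. The following Python is an added example, not z/OS configuration and not from the IBM material: a small first-match rule evaluator with a default-deny fallback, run over constructed sample rules and packets (documentation addresses such as 192.0.2.10; no captured traffic). It also shows why rule order matters: a narrow deny placed before a broader permit shadows it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FilterRule:
    """One IP filter rule. A None field means 'any'. Rules are checked in order;
    the first rule whose every field matches decides the packet."""
    action: str                          # "permit" or "deny"
    src: Optional[str] = None            # source network in CIDR notation
    dst: Optional[str] = None            # destination network in CIDR notation
    protocol: Optional[str] = None       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None       # destination port (tcp/udp only)
    comment: str = ""

    def matches(self, pkt):
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate(rules, pkt, default_action="deny"):
    """Return (action, index of the deciding rule) for one packet; the index is
    None when no rule matched and the default (deny) applied."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default_action, None


def filter_packets(rules, packets, default_action="deny"):
    """Apply the rule set to a batch of packets; returns a list of decisions."""
    return [evaluate(rules, pkt, default_action) for pkt in packets]


# Constructed sample policy for a host at 192.0.2.10. The deny for one internal
# host is placed first on purpose so it shadows the later SSH permit.
SAMPLE_RULES = [
    FilterRule("deny", src="10.9.9.9/32", comment="quarantined internal host"),
    FilterRule("permit", src="10.0.0.0/8", dst="192.0.2.10/32", protocol="tcp", dst_port=22,
               comment="SSH from the internal network only"),
    FilterRule("permit", dst="192.0.2.10/32", protocol="tcp", dst_port=443,
               comment="HTTPS from anywhere"),
    FilterRule("permit", src="10.0.0.0/8", protocol="icmp", comment="internal ping"),
]

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"src": "10.1.2.3", "dst": "192.0.2.10", "protocol": "tcp", "dst_port": 22},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "protocol": "tcp", "dst_port": 22},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "protocol": "tcp", "dst_port": 443},
    {"src": "10.9.9.9", "dst": "192.0.2.10", "protocol": "tcp", "dst_port": 22},
    {"src": "10.1.2.3", "dst": "192.0.2.10", "protocol": "udp", "dst_port": 53},
    {"src": "10.1.2.3", "dst": "192.0.2.10", "protocol": "icmp"},
]

if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_RULES, SAMPLE_PACKETS)):
        why = SAMPLE_RULES[idx].comment if idx is not None else "no rule matched, default deny"
        print(f"{pkt['src']:>14} -> {pkt['dst']} {pkt['protocol']}/{pkt.get('dst_port', '-')}: {action} ({why})")
```

The external SSH attempt and the DNS packet fall through to the default deny, while the quarantined host is denied by rule 0 even though rule 1 would have permitted it; when reviewing a real filter set, reading it in the same first-match order is the only reliable way to predict what a given packet will do.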
IPSec and Virtual Private Networks
A Virtual Private Network (VPN) enables an enterprise to extend its network across a public network such as the Internet through a secure tunnel (or security association). IPSec allows the creation of a VPN. IPSec and VPN enable you to send data over a public network, like the Internet, or within your own internal network. The figure on the original slide shows IPSec security associations between two firewalls, between client and firewall, and between client and System z server.
Systems Network Architecture (SNA)
Systems Network Architecture (SNA) is a set of protocols which provide communication services to z/OS. SNA is based on the assumption that in order to communicate with a system, you must first be connected to the system.
–In contrast, TCP/IP does not make this assumption. TCP/IP flows packets of data, or “datagrams”, over the network. Each packet contains destination information and is received independently of any other packets that make up the entire message.
SNA establishes a session between logical units on two systems. A conversation can then flow across the session. On z/OS, the Virtual Telecommunications Access Method (VTAM) component of the Communications Server provides the support for creating logical units, establishing sessions, and managing conversations. An example of an SNA application is Advanced Program-to-Program Communication (APPC). Let’s take a look at how APPC conversations are protected on z/OS.
APPC Security
APPC/MVS provides a transaction scheduler that initiates and schedules transaction programs (TPs) in response to inbound requests from other TPs in an SNA network. As with any communications vehicle, APPC/MVS has ports of entry. These ports are defined in the Communications Server as logical units. Traffic flowing through the logical units must be secured. Communications Server provides several options for defining the security level required on an APPC/MVS logical unit. APPC/MVS uses type LU6.2 logical units.
APPC Security
Several classes of APPC/MVS related security profiles are maintained by the ESM:
–APPL - profiles in this class protect VTAM logical units.
–APPCLU - profiles in this class protect LU-to-LU access authority for a specific LU and one or more of its partners.
–APPCTP - profiles in this class protect APPC/MVS transaction programs.
–APPCSI - profiles in this class protect APPC/MVS side information.
–APPCPORT - profiles in this class protect APPC/MVS LUs by controlling which LU the user's request can come from.
APPC Security
Security checking on the local system
–The user ID on the local system requires at least READ access to the local LU6.2. If the allocation indicates that APPC/MVS should use side information, the local user ID needs READ access to the side information dataset and the requested side information within the dataset.
APPC Security
Security checking on the partner system
–As the request flows from one system to the other, the user ID provided on the allocation request needs at least READ access to the LU6.2 on the partner system. Of course, the user ID passed on the allocation must exist on the partner system.
–APPC/MVS maintains a database of transactions. The user ID on the incoming request requires at least READ access to this database, to the specific transaction that is being requested, and to any protected resources touched by the transaction.
Intrusion Detection
It is becoming increasingly important to not just protect systems from attacks but to detect patterns of usage that might indicate impending attacks. Many attacks follow a sequence of information gathering, unauthorized access to resources, and denial of service. While it can be difficult to determine the originator of denial of service attacks, correlating information gathering activities with access violations may help identify an intruder before they succeed.
Intrusion Detection
Intrusion Detection Services (IDS) provides support for:
–Scan detection and reporting.
–Attack detection, reporting and prevention.
As the popularity of your business grows, your Internet address becomes familiar to more people. Since you are on the World Wide Web, anyone in the world can get to your system. You should implement intrusion detection devices to catch the ne’er-do-wells before they can bring your business to a halt. Remember, profits. Remember, a secure system is one that is available to users who have a legitimate reason for being on it, as well as unavailable to those who don’t.
Intrusion Detection
Scan Detection
–Scans are recognized as the result of multiple information gathering events from a single source IP within a defined period of time.
–Scanning in and of itself is not harmful. However, many serious attacks, especially access violation attacks, are preceded by information gathering scans. Because scans by their nature must use reliable source IP addresses, they can be interesting events to monitor.
Intrusion Detection
Attack Detection
–An attack can be a single packet designed to crash or hang a system. An attack can also consist of multiple packets designed to consume a limited resource, causing a network, system or application to be unavailable to its intended users (that is, denial of service).
–IDS attack policy allows you to turn on attack detection for one or more categories of attacks independently of each other. In general, the types of actions that can be specified for an attack policy are event logging, statistics gathering, packet tracing, and removal of the attack packets.
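The scan detection and attack detection slides above define a scan as many information gathering events from one source within a period of time, and a multi-packet attack as traffic that exhausts a resource. The Python below is an added example, not the z/OS IDS implementation and not from the IBM material: one sliding-window detector that alerts when a single source touches enough distinct destination ports, and one that alerts when a destination receives too many packets in a short window regardless of source. The thresholds, the detector names and the event stream (timestamps, documentation addresses, ports) are all constructed for the illustration; a real deployment would tune thresholds to the site's normal traffic.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Raise one alert when a single source touches at least `threshold` distinct
    (destination, port) pairs within a sliding window of `window` seconds."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)     # src -> deque of (ts, dst, port)
        self.alerted = set()                 # sources already reported, to avoid alert storms

    def observe(self, ts, src, dst, port):
        q = self.recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"SCAN src={src} distinct_targets={len(targets)} window={self.window:g}s"
        return None


class FloodDetector:
    """Raise one alert when a destination receives at least `threshold` packets
    within `window` seconds, whatever the sources (volumetric denial of service)."""

    def __init__(self, threshold=50, window=10.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)     # dst -> deque of (ts, src)
        self.alerted = set()

    def observe(self, ts, src, dst, port):
        q = self.recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and dst not in self.alerted:
            self.alerted.add(dst)
            sources = {s for _, s in q}
            return f"FLOOD dst={dst} packets={len(q)} sources={len(sources)} window={self.window:g}s"
        return None


def analyse(events, scan_threshold=5, flood_threshold=50):
    """Run both detectors over (ts, src, dst, port) events in time order; return the alerts."""
    detectors = [ScanDetector(threshold=scan_threshold), FloodDetector(threshold=flood_threshold)]
    alerts = []
    for ts, src, dst, port in sorted(events):
        for det in detectors:
            alert = det.observe(ts, src, dst, port)
            if alert:
                alerts.append(alert)
    return alerts


def sample_events():
    """Constructed connection events (timestamp in seconds, src, dst, dst port); not real traffic."""
    events = []
    # A legitimate client reusing one service.
    events += [(t, "198.51.100.5", "192.0.2.10", 443) for t in (0, 5, 10)]
    # A slow prober that never reaches the scan threshold inside any 60 s window.
    events += [(0, "203.0.113.20", "192.0.2.10", 21), (1, "203.0.113.20", "192.0.2.10", 22),
               (200, "203.0.113.20", "192.0.2.10", 80), (201, "203.0.113.20", "192.0.2.10", 443)]
    # A port scan: five services in five seconds from one source.
    events += [(20 + i, "203.0.113.9", "192.0.2.10", port) for i, port in enumerate((21, 22, 23, 25, 80))]
    # A flood: sixty packets to one port in six seconds.
    events += [(100 + i * 0.1, "203.0.113.77", "192.0.2.10", 80) for i in range(60)]
    return events


if __name__ == "__main__":
    for line in analyse(sample_events()):
        print(line)
```

Two alerts come out: the scan at the fifth port and the flood at the fiftieth packet. The slow prober produces none, which is the known blind spot of any fixed window and the reason the slide's advice to correlate scans with later access violations matters more than the window size itself.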
Summary
–The Internet is a wild and scary place for a computer system to live. There are crackers, hackers, and attackers out there waiting for an unsecured system to open up. They’ll clog your ports, ride Trojan horses, and tunnel in with worms. They want to shut you down, steal your data, and change your settings. It is up to you to stop them.
–Secure your ports, batten down the hatches, make everyone declare themselves: no anonymous users!
–Those who should use your system for legitimate reasons are free to do so, as long as they present the proper credentials.