IBMzSystemsSecurityConference| 27-30September| Montpellier

IBMSystems

IBMzSystemsSecurityConferenceBusinessSecurityfortodayandtomorrow

> 27-30September| Montpellier

MainframeSecurity– It’snotjustaboutyourESM!RuiMiguelFeioTechnical Lead– RSMPartners

1

Agenda• Introductions• Objectives• NetworkControls• OtherControls• RealLifeExamples• TakingSecuritySeriously(orNot)• Conclusions• Questions

Deliveringthebestinzservices,software,hardwareandtraining.Deliveringthebestinzservices,software,hardwareandtraining.

WorldClasszSpecialists

ThispresentationInitiallycreatedbyMarkWilson Improvedandpresentedbyme!

Introduction• TechnicalleadatRSMPartners

• Beenworkingwithmainframesforthepast17yearsandwithcomputerssince1984

• StartedasanMVSSystemsProgrammerwithIBMandendedupspecialisinginmainframesecurity

• Experienceinnon-mainframeplatformsaswell

• Igivepresentationsallovertheworld

Objectives

Objectives• Let’sstartwiththebasics:

– ESMstandsforExternalSecurityManager– RACF,ACF2,TSS– ESMhelpsprotectthemainframe

• Butwhatdoesitmean‘protectthemainframe’?

• WewillbelookingatsomeoftheothersecuritycontrolsavailableandanumberofnonESMrelatedsecuritycontrolsthatshouldbeusedtoprotectthemainframe

SomeoftheNetworkControls

Wekeephearingnon-mainframepeopleandevensomemainframetechnicianssay:

“Themainframeisfine,it’sbehindafirewall…”

NetworkControls• Themainframeispartofanecosystemofdifferentplatformsand

devices

• Morethanlikelyoneormoredevicesandsystemsofthisecosystem(includingthemainframe)willbeconnectedtotheinternet

• Thismeansthatpotentiallytherearemanydifferentwaystoreachthemainframe

• Weneedtoconsider:– Intrusiondetectionservices(IDS),TCPIPsecurity,SENDMAILand

SMTPSecurity

NetworkControls• Askyourself:“HowmuchdoIactuallyknowaboutnetworksecurity

andwhatfeatures/facilitiesIBMhavebuiltintothesystem?”

• Whointhisroomhasaclearunderstandingof:– TheSERVAUTHclass– TLS/SSLvs AT-TLSvs IPsec– IPFiltering– IntrusionDetectionServices(IDS)– DefenceManager(DM)

Let’scheckthisone

SERVAUTHClass• TheSERVAUTHresourceclasssupportsTCP/IPsecurity

• ProfilesintheSERVAUTHclassareprefixedwithEZB

• Secondqualifierspecifiesthefunction(forexample):– EZB.STACKACCESS.**toprotectaccesstotheTCPstack– EZB.NETACCESS.**tospecifywhocanaccessaspecifiednetwork– EZB.TN3270.**toprotectTN3270SecureTelnetPortAccess– EZB.PORTACCESS.**tospecifywhocanusewhichTCPandUDPports

• SERVAUTHclassmustbeRACLISTed

SERVAUTHClass• EZB.STACKACCESS.sysname.tcpname• EZB.NETACCESS.sysname.tcpname.netname• EZB.PORTACCESS.sysname.tcpname.portname• EZB.TN3270.sysname.tcpname.PORTnnnnn• EZB.NETSTAT.sysname.tcpname.netstatoption• EZB.FRCAACCESS.sysname.tcpname• EZB.MODDVIPA.sysname.tcpname• EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST• EZB.NETMGMT.sysname.tcpname.SYSTCPDA• EZB.NETMGMT.sysname.tcpname.SYSTCPCN• EZB.NETMGMT.sysname.tcpname.SYSTCPSM

TLS/SSLvs AT-TLSvsIPsec• Theyallprovideencryption/certificateforTCP/IP…

• Butwhatelsecanyoudowiththem?

• Whoknowsthedifferences?

• Whoknowstherestrictions?

TLS/SSL• TLS– TransportLayerSecurity• SSL– SecureSocketsLayer• Encryptsend-to-endtotheapplicationbuffers• ApplicationmustsupportSystemSSL• Developmentmaintenanceoverhead• CannotworkforUDPservices(EE,DNSlookup,SNMP...)

AT-TLS• AT-TLS– ApplicationTransparentTransportLayerSecurity• EncryptstoTCP/IPstackonz/OS• ComponentofCommunicationsServer• Definedperapplication• RemovesneedforapplicationtosupportSystemSSL• IBMrecommendedsolution• CannotworkforUDPservices(EE,DNSlookup,SNMP..)• Requirespolicyagent

IPsec• IPsec– InternetProtocolsecurity• Providesanencrypted“tunnel”atIPlinklayer• Component ofCommunicationsServer• Tunnelcanbesharedbymultipleapplications/services• TunnelcanbeusedforTCPandUDPservices• Datacanflowincleartoapplicationwithindatacentre• Requirespolicyagent

IPFiltering

• Effectivelyafirewallforz/OS• Component ofCommunicationsServer• Requirespolicyagent• Configuretoallow/rejectanyIPpacket• Youcanusethe:

– Target/OriginIPaddress– Target/OriginPort– Plusothermetrics…

• AuditlogwrittentoSyslogD

IntrusionDetectionServices(IDS)• Ahackerdetectionmechanismforz/OS• Component ofCommunicationsServer• Looksforawiderangeofintrusionattacks

– ICMPattacks– UDPattacks– Portscans– TCPstateviolations– TCPmalformedpackets– Manymore…

• Requirespolicyagent• AuditlogwrittentoSyslogD

IntrusionDetectionServices(IDS)• Weallunderstandthebusinessdisasterthatisadatabreachand

themillionsthatcancostanorganisation

• Butadenialofservicecancostanorganisationjustasmuch

• Whatifoneofyourmajorcompetitorshiredsomeonefromthe“DarkWeb”totakedownyoursystems…

• Whatiftheyhavemainframeknowledge?

• Hackerslearnquicklyandtheyareplatformagnostic.Aslongastheygetpaid,theydon’tcare.EverheardofHackingasaservice?

IntrusionDetectionServices(IDS)

SyslogD• Giventhisistypicallywherealltheusefulinformationiswritten…

• Howmanyofusactuallymonitororevenalertonwhat’swritteninhere?

• Borrowedthenextslidefromacomms servermanual

SyslogD• Thesyslogd facilityusesa

commonmechanismforsegregatingmessages

• Thetableshowsthefacilitiesusedbyz/OSCommunicationsServerfunctionswhichwritemessagestosyslogd

• ThePrimarysyslogfacilitycolumnshowsthesyslogfacilityusedformostmessagesloggedbytheapplication

• Someapplicationsuseotherfacilitiesforcertainmessages

FileTransfer• AnotherkeyareaisFTP

• ObviouslytheSERVAUTHprofileshelptosomeextent,butyoureallyneedanadditionallayerofsecurityforFTP/FTPSwhichyouhavetowriteyourselforpurchaseadditionalsoftwaretogetallthatyouneed

• Howaboutsftp andOpenSSH?

• Lesssupportforsecurityhereandtheyneedtobecarefullyconsidered

SMTP• HowmanyofyouarerunningSMTP?

• Howareyoucontrollingit?

• Whatwouldbethebusinessandreputationalimpactforyourcompanyifsomeonewasabletoemailsensitivedatafromthemainframetotheoutsideworld?

• ‘PanamaPapers’anyone?

OtherControls

OtherControls• It’snotjustaboutmainframesecuritycontrols

• It’saboutyourend-to-endsecurityposture

• Youneedtoworkthroughwhatawellmotivatedhacker,oradisgruntledemployeemaydo

• Youneedtostartthinkinglikethem

• It’sabouttheallecosystem:mainframe,otherplatformsanddevices

Whataboutalltheotherstuff?• Subsystems(CICS,IMS,DB2,MQ)• Scheduler• Automation• SourceControland4eyechecking• AlltheISVproductsyouhave…• Howaboutvulnerabilityscanning:

– IBM– ISV– Internallydeveloped

RealLifeExamples

RealLifeExamples• Recentlyperformedamainframesecurityauditatafinancial

institutioninEurope(51risksidentified)

• LargenumberofuserswithREADaccesstoadailybackupcopyoftheRACFdatabase,Networkcontrolsnotproperlyprotected,…

Classification Score

Critical 11

Serious 23

Important 17

RealLifeExamples• MainframesecurityauditatalargeenergycompanyintheUSthis

summer(72risksidentified)

• Networkcontrolsnotdefined• READaccesstosensitivedata!!

Classification Score

Critical 27

Serious 30

Important 15

RealLifeExamples• SecurityanalysisofaproductionRACFDBatagovernmentagency

intheUKlastmonth• 33securityproblemsidentifiedintheRACFDB• SERVAUTHclassnotactive!!• LargenumberofuserswithALTERaccesstoMasterCatalog• AllOPERCMDSprofilesinWarningmodeincludingJES2.*and

MVS.*• RACFDatabaseswithUACCofREADandseveraluserswithALTER

andUPDATEaccess

RealExamples

Takingsecurityseriously(ornot)

OnaniceSundaymorning…

OnitsTVscreenfacingthestreet

Onthetrainonabusinesstrip…

Onthetrainonabusinesstrip…

Onasite,somewhereinEurope…

Onasite,somewhereinEurope…

Conclusions

Youneedaplan1.SecurityPolicy

2.SecurityDesign

3.SecurityProcedures

4.SecurityImplementation

5.SecurityAuditing

6.MeasurementAgainstPolicy

It’sacontinuousprocess

Discovery

Attack(Optionally)Attackthesystemwithdiscoveryinformation.

Success?Usethefindingstoyourbenefittoenhanceyoursecurityposture.

DiscoverDiscovertheflawsinyoursystemwiththeknowledgegained.

EducationThisandmanyotherseesions

KnowledgeNowyouknowwhattodo!

Questions

RuiMiguelFeioRSMPartners

Email:ruif@rsmpartners.comMobile:+44(0)7570911459LinkedIn: www.linkedin.com/in/rfeio

www.rsmpartners.com

Contact

IBMzSystemsSecurityConference| 27-30September| Montpellier

IBMSystems

46

www.ibm.com/security