IBM z Systems Security Conference: Business Security for today and tomorrow | 27-30 September | Montpellier
IBM Systems
Mainframe Security – It’s not just about your ESM!
Rui Miguel Feio, Technical Lead – RSM Partners
Agenda
• Introductions
• Objectives
• Network Controls
• Other Controls
• Real Life Examples
• Taking Security Seriously (or Not)
• Conclusions
• Questions
Delivering the best in z services, software, hardware and training.
World Class z Specialists
This presentation: initially created by Mark Wilson, improved and presented by me!
Introduction
• Technical lead at RSM Partners
• Been working with mainframes for the past 17 years and with computers since 1984
• Started as an MVS Systems Programmer with IBM and ended up specialising in mainframe security
• Experience in non-mainframe platforms as well
• I give presentations all over the world
Objectives
Objectives
• Let’s start with the basics:
  – ESM stands for External Security Manager – RACF, ACF2, TSS
  – ESM helps protect the mainframe
• But what does it mean to ‘protect the mainframe’?
• We will be looking at some of the other security controls available and a number of non-ESM related security controls that should be used to protect the mainframe
Some of the Network Controls
We keep hearing non-mainframe people and even some mainframe technicians say:
“The mainframe is fine, it’s behind a firewall…”
Network Controls
• The mainframe is part of an ecosystem of different platforms and devices
• More than likely one or more devices and systems of this ecosystem (including the mainframe) will be connected to the internet
• This means that potentially there are many different ways to reach the mainframe
• We need to consider:
  – Intrusion Detection Services (IDS), TCP/IP security, SENDMAIL and SMTP security
Network Controls
• Ask yourself: “How much do I actually know about network security and what features/facilities IBM have built into the system?”
• Who in this room has a clear understanding of:
  – The SERVAUTH class
  – TLS/SSL vs AT-TLS vs IPsec
  – IP Filtering
  – Intrusion Detection Services (IDS)
  – Defence Manager (DM)
Let’s check this one
SERVAUTH Class
• The SERVAUTH resource class supports TCP/IP security
• Profiles in the SERVAUTH class are prefixed with EZB
• The second qualifier specifies the function (for example):
  – EZB.STACKACCESS.** to protect access to the TCP stack
  – EZB.NETACCESS.** to specify who can access a specified network
  – EZB.TN3270.** to protect TN3270 Secure Telnet Port Access
  – EZB.PORTACCESS.** to specify who can use which TCP and UDP ports
• The SERVAUTH class must be RACLISTed
SERVAUTH Class
• EZB.STACKACCESS.sysname.tcpname
• EZB.NETACCESS.sysname.tcpname.netname
• EZB.PORTACCESS.sysname.tcpname.portname
• EZB.TN3270.sysname.tcpname.PORTnnnnn
• EZB.NETSTAT.sysname.tcpname.netstatoption
• EZB.FRCAACCESS.sysname.tcpname
• EZB.MODDVIPA.sysname.tcpname
• EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST
• EZB.NETMGMT.sysname.tcpname.SYSTCPDA
• EZB.NETMGMT.sysname.tcpname.SYSTCPCN
• EZB.NETMGMT.sysname.tcpname.SYSTCPSM
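The two SERVAUTH slides above give the profile naming pattern and the rule that the class must be RACLISTed; the audit slides later in the deck show what goes wrong when it is not (class inactive, UACC(READ), WARNING mode). The following is an added example, not code from the slides or from RSM Partners: a small Python checker that builds the resource names for one system/stack pair and audits a constructed set of defined profiles for exactly those conditions. The system name SYS1, stack name TCPIP, the sub-qualifiers (INTERNAL, FTPD, ALL) and the profile records are all constructed; real input would come from SETROPTS LIST and RLIST SERVAUTH output. The generic-name matcher is a simplified reading of RACF generic rules, not the exact RACF algorithm.

```python
"""SERVAUTH profile coverage check (added example, not code from the slides
or from RSM Partners).  Builds the resource names the deck lists for one
system/stack pair, then audits a constructed set of defined profiles for the
points an auditor raises: class active and RACLISTed, every function covered
by a profile, UACC(NONE), and no WARNING mode.  The generic-name matcher is a
simplified reading of RACF rules ('**' = any number of qualifiers, '*' and
'%' = wildcards inside one qualifier), not the exact RACF algorithm."""

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Profile:
    name: str              # discrete or generic profile name
    uacc: str = "NONE"     # universal access: NONE, READ, UPDATE, ...
    warning: bool = False  # WARNING attribute: access is logged, never denied


def servauth_resources(sysname: str, tcpname: str,
                       netname: str = "INTERNAL", portname: str = "FTPD",
                       tn3270_port: int = 23) -> List[str]:
    """Resource names in the shapes listed on the slides; the trailing
    qualifiers (network, port names) are constructed placeholders."""
    base = f"{sysname}.{tcpname}"
    return [
        f"EZB.STACKACCESS.{base}",
        f"EZB.NETACCESS.{base}.{netname}",
        f"EZB.PORTACCESS.{base}.{portname}",
        f"EZB.TN3270.{base}.PORT{tn3270_port:05d}",
        f"EZB.NETSTAT.{base}.ALL",
        f"EZB.MODDVIPA.{base}",
    ]


def covers(profile_name: str, resource: str) -> bool:
    """Simplified RACF generic matching, qualifier by qualifier."""
    return _match(profile_name.split("."), resource.split("."))


def _match(pq: List[str], rq: List[str]) -> bool:
    if not pq:
        return not rq
    if pq[0] == "**":                       # zero or more whole qualifiers
        return any(_match(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    if not rq:
        return False
    # '*' = any characters inside this qualifier, '%' = exactly one character
    return (fnmatchcase(rq[0], pq[0].replace("%", "?"))
            and _match(pq[1:], rq[1:]))


def best_match(profiles: List[Profile], resource: str) -> Optional[Profile]:
    """RACF uses the most specific matching profile; approximate that by
    preferring the fewest wildcard characters, then the longest name."""
    matches = [p for p in profiles if covers(p.name, resource)]
    if not matches:
        return None
    return max(matches, key=lambda p: (-sum(p.name.count(c) for c in "*%"),
                                       len(p.name)))


def audit(class_active: bool, raclisted: bool,
          profiles: List[Profile], resources: List[str]) -> List[str]:
    """One finding per weakness; an empty list means nothing to report."""
    findings = []
    if not class_active:
        findings.append("SERVAUTH class is not active")
    if not raclisted:
        findings.append("SERVAUTH class is not RACLISTed")
    for res in resources:
        prof = best_match(profiles, res)
        if prof is None:
            findings.append(f"{res}: no covering profile, function not under SERVAUTH control")
            continue
        if prof.uacc.upper() != "NONE":
            findings.append(f"{res}: covered by {prof.name} with UACC({prof.uacc})")
        if prof.warning:
            findings.append(f"{res}: covered by {prof.name} in WARNING mode")
    return findings


# Constructed profile set with the kind of weaknesses the audit slides mention.
CONSTRUCTED_PROFILES = [
    Profile("EZB.STACKACCESS.SYS1.TCPIP"),                  # fine
    Profile("EZB.NETACCESS.SYS1.TCPIP.*", uacc="READ"),     # everyone reaches every network
    Profile("EZB.PORTACCESS.SYS1.TCPIP.*", warning=True),   # port checks only log
    Profile("EZB.TN3270.SYS1.TCPIP.PORT*"),                 # fine
]

if __name__ == "__main__":
    for line in audit(True, True, CONSTRUCTED_PROFILES,
                      servauth_resources("SYS1", "TCPIP")):
        print(line)
```

Run against the constructed profiles, the check reports four findings: NETACCESS open to everyone through UACC(READ), PORTACCESS checks that only log because of WARNING, and NETSTAT and MODDVIPA with no profile at all. Setting the class inactive or not RACLISTed adds a finding each, which is the first thing the government-agency example later in the deck turned up.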
TLS/SSL vs AT-TLS vs IPsec
• They all provide encryption/certificates for TCP/IP…
• But what else can you do with them?
• Who knows the differences?
• Who knows the restrictions?
TLS/SSL
• TLS – Transport Layer Security
• SSL – Secure Sockets Layer
• Encrypts end-to-end to the application buffers
• Application must support System SSL
• Development maintenance overhead
• Cannot work for UDP services (EE, DNS lookup, SNMP...)
AT-TLS
• AT-TLS – Application Transparent Transport Layer Security
• Encrypts to the TCP/IP stack on z/OS
• Component of Communications Server
• Defined per application
• Removes the need for the application to support System SSL
• IBM recommended solution
• Cannot work for UDP services (EE, DNS lookup, SNMP...)
• Requires policy agent
IPsec
• IPsec – Internet Protocol security
• Provides an encrypted “tunnel” at the IP link layer
• Component of Communications Server
• Tunnel can be shared by multiple applications/services
• Tunnel can be used for TCP and UDP services
• Data can flow in clear to the application within the data centre
• Requires policy agent
IP Filtering
• Effectively a firewall for z/OS
• Component of Communications Server
• Requires policy agent
• Configure to allow/reject any IP packet
• You can use the:
  – Target/Origin IP address
  – Target/Origin Port
  – Plus other metrics…
• Audit log written to SyslogD
Intrusion Detection Services (IDS)
• A hacker detection mechanism for z/OS
• Component of Communications Server
• Looks for a wide range of intrusion attacks
  – ICMP attacks
  – UDP attacks
  – Port scans
  – TCP state violations
  – TCP malformed packets
  – Many more…
• Requires policy agent
• Audit log written to SyslogD
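The IP Filtering and IDS slides above describe two controls that work together: the filter decides per packet on origin/target address and port and writes its decisions to SyslogD, and IDS watches traffic for patterns such as port scans. The following Python is an added example, not code from the slides or from z/OS Communications Server (whose real rules live in the Policy Agent configuration); it models both: a first-match allow/deny filter with a default deny that produces an audit log, and a detector that reads that log for the port-scan pattern (one origin probing many distinct ports on one target). The rule set, the packets, the addresses (10.1.0.0/16 and the 192.0.2.0/24 documentation range) and the scan threshold are all constructed.

```python
"""Toy IP filter plus IDS-style port-scan detection (added example, not code
from the slides or from z/OS Communications Server).  Rules permit or deny on
origin/target address and target port; the first match wins and anything
unmatched is denied.  Every decision goes into an audit log, as the slides say
the filter does to SyslogD, and the detector reads that log for the pattern
IDS calls a port scan.  Rules, packets and the threshold are constructed."""

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # origin IP address
    dst: str    # target IP address
    dport: int  # target port


@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    src: str                              # origin network (CIDR)
    dst: str                              # target network (CIDR)
    ports: Tuple[int, int] = (0, 65535)   # inclusive target port range


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    lo, hi = rule.ports
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and lo <= pkt.dport <= hi)


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; with no match the packet is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def run_filter(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """Audit log: one (decision, packet) record per packet, permits and denies alike."""
    return [(filter_packet(rules, p), p) for p in packets]


def detect_port_scans(audit_log: List[Tuple[str, Packet]],
                      threshold: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Flag (origin, target) pairs where the origin touched at least
    `threshold` distinct target ports.  Denied packets count too: probes
    to closed or filtered ports are the scan signal, not noise."""
    ports = defaultdict(set)
    for _decision, pkt in audit_log:
        ports[(pkt.src, pkt.dst)].add(pkt.dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


# Constructed policy for one host: the internal LAN may use TN3270 and FTP,
# nobody else may use FTP, and everything not listed falls to the default deny.
RULES = [
    Rule("permit", "10.1.0.0/16", "10.1.1.10/32", (23, 23)),
    Rule("permit", "10.1.0.0/16", "10.1.1.10/32", (21, 21)),
    Rule("deny", "0.0.0.0/0", "10.1.1.10/32", (21, 21)),
]

# Constructed traffic: a normal internal user, then an outside address
# (documentation range 192.0.2.0/24) walking a list of ports.
PACKETS = [
    Packet("10.1.5.7", "10.1.1.10", 23),
    Packet("10.1.5.7", "10.1.1.10", 21),
] + [Packet("192.0.2.44", "10.1.1.10", port)
     for port in (21, 22, 23, 25, 80, 443, 8080)]

if __name__ == "__main__":
    log = run_filter(RULES, PACKETS)
    for decision, pkt in log:
        print(f"{decision:6} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    for (src, dst), touched in detect_port_scans(log).items():
        print(f"possible port scan from {src} against {dst}: ports {touched}")
```

The point the slides make about the audit log matters here: the detector only works because denied packets are logged as well as permitted ones. A filter that logs nothing, or a SyslogD that nobody reads, turns both controls into decoration.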
Intrusion Detection Services (IDS)
• We all understand the business disaster that is a data breach and the millions that can cost an organisation
• But a denial of service can cost an organisation just as much
• What if one of your major competitors hired someone from the “Dark Web” to take down your systems…
• What if they have mainframe knowledge?
• Hackers learn quickly and they are platform agnostic. As long as they get paid, they don’t care. Ever heard of Hacking as a Service?
Intrusion Detection Services (IDS)
SyslogD
• Given this is typically where all the useful information is written…
• How many of us actually monitor or even alert on what’s written in here?
• Borrowed the next slide from a comms server manual
SyslogD
• The syslogd facility uses a common mechanism for segregating messages
• The table shows the facilities used by z/OS Communications Server functions which write messages to syslogd
• The Primary syslog facility column shows the syslog facility used for most messages logged by the application
• Some applications use other facilities for certain messages
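The slide explains that syslogd segregates messages by facility, and the previous slide asks who actually monitors or alerts on them. As an added example (not from the slides or from the Communications Server manual they borrow from), the Python below decodes the <PRI> prefix of a BSD-style syslog line, where PRI = facility * 8 + severity, groups messages by facility and severity, and picks out the ones worth alerting on. The log lines, the host name MVS1 and the program names (FTPD, IDS, SSHD) are constructed; the facility each real z/OS daemon writes to is what the manual's table provides.

```python
"""Decoding syslogd facilities and severities (added example, not from the
slides or the Communications Server manual).  A BSD-style syslog line starts
with <PRI>, where PRI = facility * 8 + severity; recovering both lets you
route a daemon's messages by facility and alert on the severe ones.  The log
lines, host and program names below are constructed."""

import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Facility codes 0-23 as used by BSD syslog; 12-15 vary between implementations.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split the priority value into (facility name, severity name)."""
    facility, severity = pri >> 3, pri & 7
    if facility >= len(FACILITIES):
        raise ValueError(f"facility {facility} out of range")
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None          # unparsable lines are reported by the caller, not hidden
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "host": m["host"],
            "program": m["prog"], "message": m["msg"]}


def summarize(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count parsed messages per (facility, severity)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[(entry["facility"], entry["severity"])] += 1
    return dict(counts)


def needs_alert(lines: List[str], worst_ignored: str = "notice") -> List[dict]:
    """Entries more severe than `worst_ignored` (lower index = more severe)."""
    limit = SEVERITIES.index(worst_ignored)
    return [e for e in map(parse_line, lines)
            if e and SEVERITIES.index(e["severity"]) < limit]


# Constructed lines; the PRI values were chosen to exercise the decoder.
SAMPLE_LINES = [
    "<30>Sep 27 09:14:02 MVS1 FTPD[211]: constructed: session opened for user ALICE",  # daemon.info
    "<148>Sep 27 09:14:05 MVS1 IDS: constructed: scan event from 192.0.2.44",           # local2.warning
    "<145>Sep 27 09:14:09 MVS1 IDS: constructed: flood event, packets discarded",       # local2.alert
    "<35>Sep 27 09:15:31 MVS1 SSHD[540]: constructed: failed login for unknown user",   # auth.err
    "this is not a syslog line",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{key[0]}.{key[1]}: {n}")
    for entry in needs_alert(SAMPLE_LINES):
        print(f"ALERT {entry['program']}: {entry['message']}")
```

Once the facility is known, the manual's table is what maps a daemon to its facility, so the routing rule for "all IDS messages go to the monitoring feed" is a single facility selector in the syslogd configuration rather than a text match on message content.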
File Transfer
• Another key area is FTP
• Obviously the SERVAUTH profiles help to some extent, but you really need an additional layer of security for FTP/FTPS, which you have to write yourself or purchase additional software to get all that you need
• How about sftp and OpenSSH?
• Less support for security here, and they need to be carefully considered
SMTP
• How many of you are running SMTP?
• How are you controlling it?
• What would be the business and reputational impact for your company if someone was able to email sensitive data from the mainframe to the outside world?
• ‘Panama Papers’ anyone?
Other Controls
Other Controls
• It’s not just about mainframe security controls
• It’s about your end-to-end security posture
• You need to work through what a well-motivated hacker, or a disgruntled employee, may do
• You need to start thinking like them
• It’s about the whole ecosystem: mainframe, other platforms and devices
What about all the other stuff?
• Subsystems (CICS, IMS, DB2, MQ)
• Scheduler
• Automation
• Source Control and 4-eye checking
• All the ISV products you have…
• How about vulnerability scanning:
  – IBM
  – ISV
  – Internally developed
Real Life Examples
Real Life Examples
• Recently performed a mainframe security audit at a financial institution in Europe (51 risks identified)
• Large number of users with READ access to a daily backup copy of the RACF database, network controls not properly protected, …

Classification | Score
Critical       | 11
Serious        | 23
Important      | 17
Real Life Examples
• Mainframe security audit at a large energy company in the US this summer (72 risks identified)
• Network controls not defined
• READ access to sensitive data!!

Classification | Score
Critical       | 27
Serious        | 30
Important      | 15
Real Life Examples
• Security analysis of a production RACF DB at a government agency in the UK last month
• 33 security problems identified in the RACF DB
• SERVAUTH class not active!!
• Large number of users with ALTER access to the Master Catalog
• All OPERCMDS profiles in Warning mode, including JES2.* and MVS.*
• RACF databases with UACC of READ and several users with ALTER and UPDATE access
Real Examples
Taking security seriously (or not)
On a nice Sunday morning…
On its TV screen facing the street
On the train on a business trip…
On a site, somewhere in Europe…
Conclusions
You need a plan:
1. Security Policy
2. Security Design
3. Security Procedures
4. Security Implementation
5. Security Auditing
6. Measurement Against Policy
It’s a continuous process
Discovery
Attack: (Optionally) attack the system with the discovery information.
Success? Use the findings to your benefit to enhance your security posture.
Discover: Discover the flaws in your system with the knowledge gained.
Education: This and many other sessions.
Knowledge: Now you know what to do!
Questions
Rui Miguel Feio, RSM Partners
Email: [email protected] | +44 (0)7570 911459 | LinkedIn: www.linkedin.com/in/rfeio
www.rsmpartners.com
Contact
www.ibm.com/security