
Monitor the Cryptographic Protection of Your z/OS Network Traffic

Cryptographic Protection


Imagine being directed by your manager to identify the overall quality of the cryptographic protection for your z/OS network. What exposures do you have? Who is using unapproved protection protocols, or worse, not using any protection at all? Where would you start?

Numerous methods are available on z/OS for cryptographically protecting TCP/IP traffic, such as System SSL, Java Secure Sockets Extension (JSSE), Communications Server’s Integrated IPSec, z/OS OpenSSH and AT-TLS. The typical configuration of these methods allows for the specification of multiple permutations of acceptable security attributes. Even if you acquired a deep understanding of each method’s configuration, you would only know which security attributes were possible in your network. You would still not know which attributes had been negotiated by the security endpoints for any given connection. Existing SMF records and trace records might give you some hints, but you would have to work hard and long to turn those hints into a comprehensive understanding of the security of your network’s traffic patterns. In the end, you would still probably have some missing pieces.

Protection Monitoring

z/OS Communications Server V2.3 introduces a new feature to provide you with what you need to answer your manager’s request: z/OS Encryption Readiness Technology (zERT). zERT allows a z/OS network security administrator to determine which TCP and Enterprise Extender (EE) traffic patterns to and from their z/OS systems meet approved network encryption policies and which don’t. It does this by collecting and recording, in SMF record format, the cryptographic protection attributes for TLS, SSL, SSH, and IPSec security sessions that terminate on the local stack. zERT uses the following terms:

  • An application connection is a TCP connection or EE User Datagram Protocol channel over which two application programs communicate with each other. An application connection might or might not have cryptographic security, and the type and level of security coverage might change during the life of the connection.
  • A security session is the combination of a unique set of security attributes for a specific security protocol as applied to one or more application connections that are associated with the same traffic pattern. For TCP, a traffic pattern means a distinct client IP address and server IP address/port combination. For EE, a traffic pattern means a distinct remote peer IP address/port and local IP peer address/port combination. For zERT, a security session might be used repeatedly by many different application connections over time.

Zero or more security sessions can protect a given application connection at any given time. For example, a connection might be flowing in the clear (i.e., no security sessions), it might be protected by a TLS session only (i.e., one security session) or it might be protected by both TLS and IPSec at the same time (i.e., multiple security sessions). Additionally, the type and level of security coverage might change during the life of the connection. For instance, an FTP control connection can transmit data as clear text, change to use TLS security protocols and return to transmitting data as clear text.

Security sessions take into account how data is protected for a given traffic pattern. Multiple application connections using identical cryptographic protection and matching the same traffic pattern map to the same security session. A single application connection using multiple security protocols maps to multiple security sessions. Figure 1 shows the relationship between application connections and security sessions.
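
A simplified model of this mapping for TCP, as an added example that is not from the original article or from zERT itself. The class and function names, attribute values, addresses and the approved-policy set are all constructed for illustration; it also shows how clear-text connections and sessions outside an approved policy fall out of the grouping.

```python
from collections import defaultdict
from typing import NamedTuple

class Conn(NamedTuple):          # one TCP application connection (hypothetical model)
    conn_id: str
    client_ip: str
    client_port: int             # ephemeral; not part of the traffic pattern
    server_ip: str
    server_port: int
    protections: tuple = ()      # zero or more (protocol, attributes) pairs

# Constructed attribute sets; real security sessions carry many more attributes.
TLS12 = ("TLS", ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"))
TLS10 = ("TLS", ("TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"))
IPSEC = ("IPSec", ("ESP", "AES-GCM-128"))
APPROVED = {TLS12, IPSEC}        # hypothetical site encryption policy

CONNECTIONS = [                  # constructed sample data (documentation addresses)
    Conn("c1", "192.0.2.5", 50001, "192.0.2.9", 443, (TLS12,)),
    Conn("c2", "192.0.2.5", 50002, "192.0.2.9", 443, (TLS12,)),
    Conn("c3", "192.0.2.6", 41000, "192.0.2.9", 443, (TLS12, IPSEC)),
    Conn("c4", "192.0.2.5", 50003, "192.0.2.9", 21),
    Conn("c5", "192.0.2.7", 42000, "192.0.2.9", 443, (TLS10,)),
]

def security_sessions(conns):
    """Group connections by (traffic pattern, protocol, attributes)."""
    sessions = defaultdict(list)
    for c in conns:
        # TCP traffic pattern: client IP plus server IP/port (client port excluded)
        pattern = (c.client_ip, c.server_ip, c.server_port)
        for protocol, attrs in c.protections:
            sessions[(pattern, protocol, attrs)].append(c.conn_id)
    return dict(sessions)

def unprotected(conns):
    """Connections covered by no security session (flowing in the clear)."""
    return [c.conn_id for c in conns if not c.protections]

def policy_violations(sessions, approved):
    """Session keys whose (protocol, attributes) pair is not approved."""
    return [k for k in sessions if (k[1], k[2]) not in approved]

if __name__ == "__main__":
    s = security_sessions(CONNECTIONS)
    for key, ids in s.items():
        print(key, "->", ids)
    print("clear text:", unprotected(CONNECTIONS))
    print("violations:", policy_violations(s, APPROVED))
```

Connections c1 and c2 collapse into one TLS session, c3 maps to two sessions (TLS and IPSec), and c4 belongs to none.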

Chris Meyer, CISSP, is a senior software engineer in Research Triangle Park, N.C. He is the z/OS Communications Server security architect and has been developing IBM OSs, file systems and security-related software products for over 30 years.

Dave Wierbowski is a senior software engineer in Endicott, N.Y. A member of the z/OS Communications Server development team, his area of expertise is IPSec and he currently serves as the z/OS Encryption Readiness Technology technical lead.

Michael Gierlach is an advisory software engineer in z/OS Communications Server in Research Triangle Park, N.C. Mike has worked on VTAM, TCP/IP and z/OS Communications Server for 25 years, most recently on z/OS Encryption Readiness Technology.


