z/VM Module 12: Security
Objectives
• What fundamental needs for computer security were identified in the early days of computing?
• List and explain the four major security techniques used to protect any computer system
• Explain the four overall aspects of z/VM system security
Objectives, continued
• Describe the major z/VM security features:
  • User authentication
  • Authorization
  • Intrusion detection
  • Virtual processor security
  • Data in memory protection
  • Disk, tape storage, and virtual I/O protection
  • Virtual networking
• Describe the cryptography support on zSeries and how it is used
Objectives, continued
• List and describe the z/VM best practices for security
• Describe the major functions of the IBM security product RACF
• Describe the major functions of the Computer Associates security product eTrust
An Overview of Computer Security
• The spread of computers and the fear of attacks on information have raised security awareness and the need for protection
• Technical and administrative measures can be considered under these four categories:
  • User authentication
  • Logging/Auditing
  • Encryption
  • Communication and Networking
User Authentication Techniques
• A prerequisite for almost any kind of security is accurate user identification.
• All password schemes have problems.
• Other, more promising technologies are:
  • Voice recognition
  • Hand/fingerprint identification
  • Signature analysis
  • Digital certificates
Logging
• Logging consists of recording events so that they can be monitored at a later time.
• A typical entry in a log might include:
  • The user's identity
  • A transaction or job identifier
  • The name of the object being accessed
• Useful features in a logging facility include:
  • Ways to specify the events to be logged in a minimal amount of time
  • Ways to start and stop logging of selected events dynamically
  • Programs to generate reports from the log
Encryption
• To encrypt data means to transform it into a form that cannot be understood until it is transformed back to its original form.
• The encrypted data is useful only to someone who possesses the special knowledge needed to restore it to its original form.
• These processes may be expressed as follows (P: plaintext, C: ciphertext, k: key):
  • Encryption: C = Ek(P)
  • Decryption: P = Dk(C)
Communication and Network Security
• The transmission mechanisms used for data communications are vulnerable to two types of intrusion:
  • A passive intruder listens to the communications
  • An active intruder can alter, insert, or redirect messages
• These vulnerabilities are of great importance in cash flow applications
z/VM and System Security
• z/VM security deals with these issues:
  • Sharing
  • Isolation
  • Reconfiguration
  • Management of resources
• Without better awareness of good data-security practices, advances in computer literacy could result in a higher likelihood of unauthorized persons accessing, modifying, or destroying data, either inadvertently or deliberately!
z/VM: User Authentication
• Once the user supplies the user ID and password, CP validates the information.
• The only way to gain access to sensitive material is by using the correct password.
• Remote access protocols such as rexec, ftp, and nfs require the client to authenticate using a z/VM user ID and password.
• Network applications for z/VM can provide a Kerberos server and the programming interfaces that permit programs to take advantage of Kerberos authentication and encryption facilities.
z/VM: Authorization
• Once logged on to the z/VM system, virtual machine users can access various types of resources within the z/VM system, including:
  • Entire DASD volumes
  • Minidisks
  • Tape drives
  • Network adapters
  • User files
  • System files
• The security facility provided by z/VM can be enhanced to meet any special or specific requirements of the customer's environment by adding an External Security Manager (ESM).
z/VM: Intrusion Detection
• As part of z/VM's intrusion detection capabilities, each denied logon is tracked, and a security journal entry is made when the number of denials exceeds an installation-defined maximum.
• When a second maximum is reached, logon to the user ID is disabled, an operator message is issued, and the terminal session is terminated.
• The TCP/IP component of z/VM will detect and report network intrusions, such as:
  • Smurf
  • Fraggle
  • Ping o' Death
  • SynFlood
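The two-threshold logon-denial tracking described above, modelled as an added example (not z/VM code). The threshold values, event names and the reset-on-success rule are assumptions made for the illustration:

```python
"""Model of the two-threshold logon-denial tracking the slide describes.

Constructed illustration, not z/VM code: the threshold values, the event
names and the reset-on-success rule are assumptions made for the example.
"""
from collections import Counter

JOURNAL_MAX = 3   # assumed installation-defined first maximum (journal entry)
DISABLE_MAX = 5   # assumed second maximum (disable logon, notify operator)


class LogonDenialTracker:
    def __init__(self, journal_max=JOURNAL_MAX, disable_max=DISABLE_MAX):
        self.journal_max = journal_max
        self.disable_max = disable_max
        self.denials = Counter()   # consecutive denials per user ID
        self.disabled = set()      # user IDs whose logon has been disabled

    def logon(self, userid, password_ok):
        """Process one logon attempt and return the security events it raises."""
        if userid in self.disabled:
            # Logon stays disabled until an administrator re-enables it (assumption).
            return ["SESSION_TERMINATED"]
        if password_ok:
            self.denials[userid] = 0   # assumption: a successful logon resets the count
            return ["LOGON_OK"]
        self.denials[userid] += 1
        count = self.denials[userid]
        events = ["LOGON_DENIED"]
        if count > self.journal_max:
            events.append("SECURITY_JOURNAL")   # denials exceed the first maximum
        if count >= self.disable_max:
            # Second maximum reached: disable the user ID, tell the operator,
            # and drop the terminal session.
            self.disabled.add(userid)
            events += ["LOGON_DISABLED", "OPERATOR_MESSAGE", "SESSION_TERMINATED"]
        return events


def replay(attempts):
    """Feed a constructed list of (userid, password_ok) attempts through one tracker."""
    tracker = LogonDenialTracker()
    return [tracker.logon(userid, ok) for userid, ok in attempts]


if __name__ == "__main__":
    # Constructed sequence: six bad passwords for USER1, then the right one.
    for n, events in enumerate(replay([("USER1", False)] * 6 + [("USER1", True)]), 1):
        print(n, events)
```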
z/VM: Virtual Processor Security
• The z/VM CP defines and assigns virtual processors to the virtual machine.
• If the operating system running in the virtual machine is capable of using multiple processors, it dispatches its workload on its virtual processors as if it were running in a dedicated hardware environment.
• Overall, there is no significant security risk if the virtual, logical, or physical processor configuration is changed, or if work is dispatched on different physical processors.
z/VM: Data in Memory Protection
• Each virtual machine has its own virtual address space, which is its main memory.
• When a virtual machine touches a page that is no longer in real storage, a page fault occurs and CP brings the missing virtual page back into real storage.
• CP also allows a number of virtual machines to share virtual pages.
• To protect sensitive data from exposure, shared segments can be set up so that other guests cannot access the data without explicit authorization.
z/VM: Disk, Tape Storage Protection and Virtual I/O
• z/VM partitions DASD volumes into minidisks to be owned and accessed by individual virtual machines.
• DirMaint is an additional priced feature that allows a user to manipulate and control DASD volumes and minidisks.
• z/VM creates temporary minidisks (T-disks), which last only until they are detached or the virtual machine logs off.
• z/VM can also create virtual minidisks (VDISKs), which are actually mapped into real storage.
z/VM: Virtual Networking
• Communication between virtual machines is provided by various devices or facilities that are unique to the z/VM operating system.
• Virtual networks should be planned with the same care and attention to security as would be taken for a real, physical network.
• Some virtual network devices are:
  • HiperSockets
  • Guest LANs
  • Virtual Channel-To-Channel (VCTC)
  • Inter-User Communication Vehicle (IUCV)
Cryptography on the zSeries
• The IBM Common Cryptographic Architecture (CCA) defines a set of cryptographic functions, external interfaces, and key management rules that pertain both to DES and to PKA.
• DES is based on symmetric algorithms and PKA on asymmetric algorithms. Together, they provide a consistent, end-to-end cryptographic architecture across different IBM platforms.
• A control vector is a fixed pattern defined for each key type that the cryptographic facility exclusively ORs with the Master Key; the resulting Master Key variant is used to encrypt keys of that type.
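The control-vector mechanism described on this slide (and defined again in the glossary), as an added example that is not IBM CCA code. The control-vector values and key-type names are constructed, and DES is replaced by an HMAC-SHA256 keystream so the block runs on the standard library; what it shows is that XORing a key type's control vector into the master key yields a per-type variant, so a key wrapped as one type does not come back as the same key when unwrapped as another:

```python
"""Control-vector key wrapping as the slide and glossary describe it.

Added illustration, not IBM CCA code. Assumptions: the control-vector values
and key-type names are constructed, and DES is replaced by an HMAC-SHA256
keystream; the mechanism (master key XOR control vector = per-type variant,
variant encrypts the operational key) is the point, not the cipher.
"""
import hashlib
import hmac

# Constructed 16-byte control vectors, one per key type (not the real CCA bit layout).
CONTROL_VECTORS = {
    "DATA": bytes.fromhex("00" * 15 + "01"),
    "MAC": bytes.fromhex("00" * 15 + "02"),
    "EXPORTER": bytes.fromhex("00" * 15 + "04"),
}

def master_key_variant(master_key: bytes, key_type: str) -> bytes:
    """Exclusive-OR the key type's control vector into the master key."""
    cv = CONTROL_VECTORS[key_type]
    return bytes(m ^ c for m, c in zip(master_key, cv))

def _keystream(variant: bytes, length: int) -> bytes:
    """Stand-in for the DES step: a deterministic keystream keyed by the variant."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(variant, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def wrap_key(master_key: bytes, key_type: str, key: bytes) -> bytes:
    """Encrypt an operational key under the variant for its declared key type."""
    ks = _keystream(master_key_variant(master_key, key_type), len(key))
    return bytes(k ^ s for k, s in zip(key, ks))

unwrap_key = wrap_key   # XOR with the same keystream reverses the wrap

def type_binding_demo():
    """Wrap a key as DATA; recover it as DATA, and show that MAC yields a different key."""
    master_key = bytes(range(16))                                  # constructed
    data_key = bytes.fromhex("0123456789abcdeffedcba9876543210")   # constructed
    token = wrap_key(master_key, "DATA", data_key)
    return (unwrap_key(master_key, "DATA", token) == data_key,
            unwrap_key(master_key, "MAC", token) == data_key)
```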
Crypto Support for z/VM
• The PCICC enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability.
• The z90crypt driver available for Linux for zSeries and S/390 exploits the PCICC and PCICA cryptographic hardware for the asymmetric algorithms used by SSL.
• A z/VM system can support the use of all three cryptographic options simultaneously by different guests on the same system.
Best z/VM Security Practices
• These are a set of security suggestions:
  • After installing a new z/VM system, remember to change the default logon and minidisk passwords for all users in the system directory.
  • Do not give virtual machines more authority than they require.
  • Use an External Security Manager.
  • Use a z/VM directory management product.
  • Implement a password management policy.
Security Products
• Computer Associates eTrust
• IBM RACF/VM
RACF: Overview
• RACF works together with the existing system features of VM to provide improved data security. RACF provides these features:
  • Protection of installation-defined resources
  • Flexible control of access to protected resources
  • The ability to store information for other products
  • A choice of centralized or decentralized control of profiles
  • An ISPF panel interface and a command interface
  • Transparency to end users
  • Exits for installation-written routines
RACF: Storage Capabilities of Other Products
• RACF provides additional support for interaction with:
  • VM RSCS
  • AMMR
  • DirMaint
  • PSF/VM
  • DFSMS
The RACROUTE Macro Interface and RACF's Purpose
• The RACROUTE macro interface on VM allows RACF to make access control decisions for resource managers and application programs running in a virtual machine.
• RACF provides the ability to control and audit a subset of VM commands, DIAGNOSE codes, and system functions.
• RACF gives you the ability to:
  • Identify and authenticate users
  • Authorize users to access the protected resources
  • Log and report all attempts at unauthorized access to protected resources
  • Control the means of access to resources
  • Allow applications to use the RACF macros
Identifying and Authenticating Users
• For a software access control mechanism to work effectively, RACF must be able to:
  • Identify the person who is trying to gain access to the system
  • Authenticate the user by verifying that the user is really that person
• RACF uses a user ID to identify the user and a password, set up by the system administrator, to authenticate that user.
• A PassTicket can be generated by RACF or by another authorization function, such as Kerberos, as discussed earlier.
Controlling Access to Resources
• RACF protects general resources, such as minidisks, SFS files and directories, VM commands, user IDs, terminals, and printers.
• When a user requests access to a resource that has a security classification, RACF performs two checks:
  • RACF compares the security level in the user profile with the security level in the resource profile
  • RACF compares the list of categories in the user's profile with the list of categories in the resource profile
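The two classification checks described above, as an added worked example (not RACF code). The level numbers, category names and profiles are constructed; the example assumes access passes this stage only when the user's security level is at least the resource's level and the user holds every category the resource carries, and it does not model the access-list check that follows:

```python
"""The two checks the slide says RACF makes for a resource that carries a
security classification: a security-level comparison and a category comparison.

Added illustration, not RACF code. Assumptions: level numbers, category names
and profiles are constructed; the check passes only if the user's level is at
least the resource's level AND the user holds every category the resource
carries. The access-list check that follows is not modelled.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed security levels: a higher number means more sensitive.
SECLEVELS = {"UNCLASS": 10, "CONFIDENTIAL": 50, "SECRET": 90}


@dataclass(frozen=True)
class Profile:
    name: str
    seclevel: Optional[str] = None                  # None: no security level assigned
    categories: frozenset = field(default_factory=frozenset)


def classification_check(user: Profile, resource: Profile):
    """Return (allowed, reason) for the classification part of the access check."""
    if resource.seclevel is None and not resource.categories:
        return True, "resource has no security classification"
    if resource.seclevel is not None:
        user_level = SECLEVELS.get(user.seclevel, 0)   # no level counts as the lowest
        if user_level < SECLEVELS[resource.seclevel]:
            return False, f"user level {user.seclevel} is below {resource.seclevel}"
    missing = resource.categories - user.categories    # every resource category is required
    if missing:
        return False, "user lacks categories: " + ", ".join(sorted(missing))
    return True, "security level and categories satisfied"


# Constructed profiles: a minidisk classified SECRET in category PAYROLL.
PAYDISK = Profile("PAYROLL.191", "SECRET", frozenset({"PAYROLL"}))
ALICE = Profile("ALICE", "SECRET", frozenset({"PAYROLL", "HR"}))     # passes both checks
BOB = Profile("BOB", "SECRET", frozenset({"HR"}))                    # level ok, category missing
CAROL = Profile("CAROL", "CONFIDENTIAL", frozenset({"PAYROLL"}))    # category ok, level too low

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.name, classification_check(who, PAYDISK))
```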
How You Can Use RACF
• Data security is the protection of data from accidental or deliberate unauthorized disclosure, modification, or destruction.
• The security administrator, as the focal point for planning security at your installation, needs to:
  • Determine which RACF functions to use
  • Identify the level of RACF protection
  • Identify which data RACF is to protect
  • Identify administrative structures
  • Set up the resources to be protected
RACF: Conclusion
• RACF works together with the existing system features of z/VM to provide improved data security.
• RACF can:
  • Protect installation-defined resources
  • Control access to protected resources
  • Store information for other products
  • Provide centralized or decentralized control of profiles
  • Be used with an ISPF panel interface or a command interface
  • Be made transparent to end users
  • Provide exits for installation-written routines
• RACF also has the ability to identify and authenticate users, authorize users to access protected resources, log and report attempts at unauthorized access to protected resources, and so on.
Computer Associates: eTrust
• CA's eTrust security management solutions provide a holistic approach to virtually all aspects of managing business security.
• Security remains one of the most pressing IT concerns today.
• Most organizations are struggling to protect an increasing amount of disparate resources, allow for additional users, and manage the risk of malevolent threats and malicious attacks. CA eTrust was created to help solve these problems.
eTrust Identity Management
• CA's eTrust Identity Manager centralizes and automates the creation of user accounts, holistically provisioning both IT and non-IT resources while reducing costs through process automation.
• The eTrust Identity Management solution set includes:
  • eTrust Admin
  • eTrust Directory
  • eTrust OCSPro
  • eTrust PKI
  • eTrust Single Sign-On
eTrust Access Management
• Employees, business partners, and customers require secure access to business-critical applications spanning disparate platforms and operating systems.
• CA's eTrust Access Management solutions secure business-critical assets by centralizing and strengthening security from end to end, regardless of operating system, platform, or business application, and whether or not resources are web-based.
eTrust Threat Management
• Today's organizations want to profit from the power of the Internet and improve communication channels without exposing themselves to attacks and threats.
• CA's eTrust Threat Management solutions effectively and cost-efficiently detect, analyze, warn of, prevent, and cure attacks across IT environments.
eTrust Security Command Center
• CA developed an innovative solution that transforms security information into business security intelligence.
• Its centralized command and control capability improves administrator efficiency and helps reduce costs, while integration and automation improve effectiveness and enhance security.
• eTrust Security Command Center includes:
  • Advance Management Technology
  • eTrust Audit
  • eTrust 20/20
eTrust: Conclusion
• CA's strategy is to protect your investment in computer resources by continually enhancing the eTrust product; their key strategic objectives include:
  • Maintaining technological superiority
  • Exploiting new technology
  • Extending security controls
  • Integrating security across platforms
  • Streamlining security administration
• CA eTrust can help manage your z/VM system to deter malicious and harmful attacks.
Conclusion
• The major objective of computer security functions is to put hardware, software, and data out of danger from loss caused by malicious attacks and unauthorized access.
• z/VM is an operating system with many security features built in.
• For added security, customers use such products as:
  • IBM RACF/VM
  • CA eTrust
Glossary
• Common Cryptographic Architecture (CCA) – defines a set of cryptographic functions, external interfaces, and key management rules that pertain to both DES and PKA
• Control Vector (CV) – a fixed pattern defined for each key type that the cryptographic facility exclusively ORs with the Master Key to produce a Master Key variant that is used to encrypt the key
• Data Encryption Standard (DES) – is based on a symmetric algorithm
• Decryption – converting data back to its original form
• Encryption – an attempt to translate data into a form where the only practical way to reconstruct it is by knowing a specific algorithm and a key
Glossary, continued
• External Security Manager (ESM) – any security product not originally installed in the basic z/VM system, such as RACF and eTrust
• PCI – a 32-bit bus that normally runs at a maximum of 33 MHz, controlled by special circuitry in the chipset designed to handle PCI
• PCICA – another crypto coprocessor, designed specifically for exploitation by SSL
• PCICC – enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability