Securing Mainframe File Transfers and TN3270

Transcription

1 Securing Mainframe File Transfers and TN3270 with SSH Tectia Server for IBM z/os White Paper October 2007 SSH Tectia provides a versatile, enterprise-class Secure Shell protocol (SSH2) implementation for IBM mainframes. SSH Tectia Server for IBM z/os offers secure file transfers to and from IBM mainframes and secure TN3270 and Unix shell connections for system administration SSH Communications Security Corp. All rights reserved. ssh and Tectia are registered trademarks of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH and Tectia logos are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are the property of their respective owners.

2 THE MAINFRAME SECURITY CHALLENGE Mainframe Vulnerabilities and Risks IBM mainframes are deployed by large enterprises worldwide for the purpose of providing the most reliable environment for business-critical data operations. Reliability, availability, and scalability are among the key characteristics for mainframe systems. But how about security? Many organizations are still today using plaintext FTP (File Transfer Protocol) for exchanging sensitive files between mainframes and servers. Another commonly used connection method is the terminal-based TN3270 access from Windows workstations to mainframe applications. Both FTP and TN3270 are inherently unsecured as they completely lack all cryptographic data security features. The proliferation of application connectivity, increasing TCP/IP networking, and more advanced attack techniques are putting unprotected data communications at risk. Threats and exploits include the following: Passwords and user IDs are sent as plaintext, making password sniffing easy with readily available network tools. The data content can be passively eavesdropped which can compromise sensitive business data. Connections can be hijacked for gaining control over application sessions. Another driver for more comprehensive data security is the pressure of legislations and industry regulations such as HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), and SOX (Sarbanes-Oxley Act), to ensure confidentiality of corporate and private customer data. Figure 1 The logon profile demo1 and password demo1 for an unsecured FTP connection are easy to capture Securing Mainframe File Transfers and TN

3 Mainframe Security Requirements Large enterprises are today faced with the task of securing their existing mainframe file transfers and TN3270 terminal connections. Changing the existing environment can cause major costs when the deployment of new software demands re-writing and re-testing of existing file transfer scripts. However, major cost savings can be reached if the new security solution is transparent to the users and applications, as then a huge amount of setup, configuration, and training needs can be eliminated. Performance is a critical requirement when installing security software on mainframes. Given the business-critical nature of mainframe data operations and expensive CPU resources, security solutions should avoid introducing any additional processing overhead. For example, cryptographic solutions should utilize hardware acceleration, where available, to free CPU power for its primary purpose and save costs. Diverse enterprise IT environments require adaptable IT security solutions that provide security through crossplatform networks. Critical cross-platform operations include Windows terminal access to mainframe and file transfers between mainframes and Unix, Linux, and Windows servers. INTRODUCING SSH TECTIA SSH Tectia The SSH Tectia solution from SSH Communications Security Corp addresses the most critical communications security needs of financial institutions, retail industry, government agencies, and educational institutions. With SSH Tectia, organizations can cost-effectively secure their system administration, file transfers and application connectivity against both internal and external security risks. As the original developer of the Secure Shell protocol and other key network security technologies, SSH Communications Security has for over 10 years developed end-to-end communications security solutions specifically for the enterprise. The centralized management capabilities of SSH Tectia Manager support centralized deployment, maintenance, and monitoring of communications security, facilitating improved regulatory compliance and reduced total costs. The SSH Tectia solution is available for a broad range of platforms including common Unix, Linux, Windows, and IBM mainframe operating systems. The FIPS certification of the cryptographic libraries makes SSH Tectia an ideal solution for even the most demanding government and enterprise environments. For more information on SSH Tectia, please visit Secure Shell The SSH Tectia solution is based on Secure Shell, which is the standard protocol used by millions worldwide for secure remote login, remote command execution, and file transfer over TCP/IP networks. The protocol was originally developed in 1995 by Tatu Ylönen, the founder of SSH Communications Security, in response to password sniffing and other emerging communication security threats in open networks. Today, Secure Shell is the standard secure drop-in replacement for Telnet, Rlogin, and FTP allowing system administrators to manage servers in a secure manner, both remotely and within the local network. Applications for SSH Tectia The key application areas for SSH Tectia are secure file transfer, secure system administration, and secure application connectivity. Secure File Transfer SSH Tectia enables secure automated and interactive file transfers throughout the network, both for internal and remote file sharing. We provide a secure drop-in replacement for FTP (File Transfer Protocol) with application programming interfaces to facilitate effortless transition from legacy file transfers to strong file transfer security. Securing Mainframe File Transfers and TN

4 Figure 2 Application areas of SSH Tectia for IBM z/os Secure System Administration SSH Tectia allows system administrators to remotely manage servers in heterogeneous operating system environments. It provides secure TN3270 connections and replaces Telnet, Rlogin, and other unsecured login and remote command execution methods with centrally managed enterprise-class Secure Shell tools. Secure Application Connectivity SSH Tectia brings end-to-end confidentiality, data integrity, and authentication to application connections between workstations and servers. It protects both in-house and commercial business applications transparently without the need to modify the applications or the supporting IT infrastructure. SSH TECTIA SERVER FOR IBM Z/OS Overview SSH Tectia Server for IBM z/os is available for z/os versions 1.6, 1.7, and 1.8. The key applications of the product include: Secure file transfers with SFTP (Secure File Transfer Protocol) including interactive GUI and command line file transfer access to MVS datasets and Unix System Services files Transparent, secure tunneling of FTP connections from the mainframe Transparent, secure TN3270 application connectivity to the mainframe with Secure Shell tunneling Secure terminal access to z/os Unix System Services (USS). Key features include: Secure, cross-platform connectivity between mainframes and Unix, Linux, and Windows servers and workstations Direct access for native MVS datasets Full and configurable ASCII/EBCDIC translation Support for RACF, ACF2, and Top Secret Authentication with password, x.509 certificate, and public-key authentication methods Hardware acceleration of cryptographic operations for increased throughput and scalability, and reduced CPU usage. Securing Mainframe File Transfers and TN

5 Secure File Transfer using SFTP SSH Tectia Server for IBM z/os includes both client and serverside SFTP (Secure File Transfer Protocol) functionality for secure transfer of files between mainframes and all other enterprise servers including Unix, Linux, and Windows. In addition to the SFTP server, SSH Tectia Server includes client-side SCP (Secure Copy) and SFTP programs with command-line interfaces for easy scripting of automated file transfers such as overnight JCL-based (Job Control Language) batch transfers, log file gathering, and database backups. SSH Tectia Server for IBM z/os supports transfer of both binary and ASCII text files. For the latter, configurable ASCII/EBCDIC conversion is performed either before or during the transfer. The MVS (z/os) file system is supported for directly accessing and transferring BSAM and VSAM datasets and PDS and PDSE members. GDG is also supported. MVS dataset listing with the read and write capability allows interactive listing of datasets as files and folders with command-line SFTP tools and Windows client GUI, providing easy interactive file transfers. Secure File Transfer using Transparent FTP Tunneling The client component of SSH Tectia Server for IBM z/os supports transparent FTP tunneling, providing a quick and easy way to secure FTP file transfers without the need to change the existing FTP jobs. Transparent FTP tunneling can be used to secure both interactive and unattended FTP sessions. On the server side, any server running Secure Shell and FTP is supported. Secure TN3270 Connectivity SSH Tectia can tunnel connections made with common TN3270 terminal clients from workstations to mainframe systems. SSH Tectia protects all passwords and data traffic on these connections. Thanks to the transparent tunneling capabilities of SSH Tectia Connector on Windows, securing TN3270 connections is fully invisible for the end user and does not require any changes to the terminal client or its configuration. Customized, in-house TN3270 applications including HLLAPI (High-Level Language API) or FTP can be securely used without any application-level changes. As a result, a full-scale deployment of secure TN3270 connectivity can be implemented very cost-effectively as there will be no need for additional user training or losses in end-user productivity. Also, existing RACF (Resource Access Control Facility), ACF2, and TSS (Top Secret Security) passwords and certificates can be used for authenticating Secure Shell tunnels, thus eliminating the need to introduce additional passwords or authentication methods for users. All centralized authentication management features can be used as before. The end-user transparency makes the SSH Tectia solution unparalleled in terms of fast implementation speed and low implementation cost. Secure Shell Terminal In addition to secure TN3270 application connectivity, SSH Tectia includes the award-winning Secure Shell terminal client used by system administrators worldwide for secure remote administration of Unix and Linux servers. SSH Tectia Client provides Unix shell access to IBM mainframes for terminal operations and interactive SFTP-based file transfers. Figure 3 Windows GUI of SSH Tectia Client Installation and Operation The current version of SSH Tectia Server for IBM z/os is installed in the USS (Unix System Services) area of z/os. Client programs can be run from OMVS and via JCL. SSH Tectia Server can be run as a started task. To facilitate easy status monitoring and console automation, SSH Tectia Server provides system information to the mainframe console. Securing Mainframe File Transfers and TN

6 Mainframe Authentication and Auditing The SSH Tectia client/server solution supports mutual authentication of the client (user) and server (host) when establishing secure connections. SSH Tectia supports the IBM mainframe password authentication methods provided by RACF, ACF2, and Top Secret via SAF (Secure Authorization Facility) standard calls. SSH Tectia Server for IBM z/os also supports client and server authentication using X.509 certificates. Certificates and private keys can be stored and used on hardware devices using ICSF (Integrated Crypto Services Facility), on RACF/ACF2/TSS key rings using SAF, or on HFS files. The SSH Tectia validator service provides complete certificate validation, including fetching CRLs (Certificate Revocation List) from LDAP or HTTP servers, and OCSP (Online Certificate Status Protocol) for retrieving online certificate status information. Also traditional public-key authentication is supported. Certificate and public-key authentication can be used, for example, for strong two-factor authentication or automated authentication when running JCL-based jobs. SSH Tectia supports SMF records and the syslog facility to gather login and file transfer information for auditing use. Hardware Acceleration SSH Tectia Server for IBM z/os supports hardware acceleration of cryptographic operations for increased throughput and optimized CPU usage by utilizing cryptographic hardware through IBM ICSF. All IBM-provided cryptographic hardware including CCF, PCICA, PCICC, PCIXCC, CPACF, and CryptoExpress2 are supported for acceleration. Note that the availability of hardware acceleration depends on the server hardware in use. The supported hardware-accelerated cryptographic algorithms are: 3DES (symmetric cipher) AES (symmetric cipher) SHA-1 (hash algorithm) SUMMARY While mainframes are used for the most business-critical data operations in enterprises, the security of file transfers and application connections to mainframes is often overlooked. As a result, accessing user passwords or sensitive business data is easy with readily available network monitoring tools for anyone who has access to the same network. SSH Tectia Server for IBM z/os, from the original developers of Secure Shell, ensures confidentiality, integrity, and authentication of system administration, file transfers, and secure TN3270 application connections in mainframe environments. The broad platform support makes SSH Tectia an ideal solution to protect diverse, cross-platform enterprise environments that have connections between both IBM mainframes and Unix, Linux, or Windows systems. Enterprises can reduce their system integration costs and compatibility issues by using a single Secure Shell solution for all enterprise platforms. SSH Tectia offers versatile utilities and APIs for implementing automated file transfers based on the SFTP standard. SSH Tectia secures TN3270 application connections fully transparently, eliminating the need for costly end-user training. End users can continue to use their familiar terminal clients and applications since SSH Tectia does not introduce additional user interfaces or user interactions to daily application usage. SSH Tectia is the only Secure Shell solution for IBM mainframes that addresses the key enterprise requirements including hardware acceleration for reduced CPU overhead and increased throughput, z/os dataset support, ASCII/ EBCDIC translations, and support for RACF authentication. Securing Mainframe File Transfers and TN