Session zse4187 Virtual Security Zones on z/vm

Similar documents
Virtual Security Zones on z/vm

Virtual Security Zones

Virtual Security Zones on z/vm

Security Zones on z/vm

Redpaper. Security Zones on IBM System z: Defining and Enforcing Multiple Security Zones. Introduction. Alan Altmark

The z/vm Virtual Switch Advancing the Art of Virtual Networking

z/vm Security and Integrity

z/vm Virtual Switch: The Basics

HiperSockets for System z Newest Functions

High Availability and Automatic Network Failover of the z/vm VSWITCH

RACF/VM: Protecting your z/vm system from vandals and other cyberspace miscreants

z/vm Security Essentials

z/vm 6.3 Installation or Migration or Upgrade Hands-on Lab Sessions

z/vm Live Guest Relocation Planning and Use

IBM Client Center z/vm 6.2 Single System Image (SSI) & Life Guest Relocation (LGR) DEMO

z/vm Live Guest Relocation - Planning and Use

z/vm 6.3 A Quick Introduction

SHARE in Pittsburgh Session 15801

Dynamic Routing: Exploiting HiperSockets and Real Network Devices

ZVM20: z/vm PAV and HyperPAV Support

Best Practices for WebSphere Application Server on System z Linux

IBM ^ iseries Logical Partition Isolation and Integrity

z/vm: The Value of zseries Virtualization Technology for Linux

Ensemble Enabling z/vm V6.2 and Linux for System z

Dynamic Routing: Exploiting HiperSockets and Real Network Devices

Introduction to RACF on z/vm

IBM Cloud Manager with OpenStack: z/vm Integration Considerations

z/vm Single System Image and Guest Mobility Preview

z/vm Data Collection for zpcr and zcp3000 Collecting the Right Input Data for a zcp3000 Capacity Planning Model

z/vm Evaluation Edition

Enterprise Workload Manager Overview and Implementation

ZVM17: z/vm Device Support Overview

IBM i Version 7.2. Systems management Logical partitions IBM

SAP on IBM z Systems. Customer Conference. April 12-13, 2016 IBM Germany Research & Development

IBM Tivoli Directory Server for z/os. Saheem Granados, CISSP IBM Monday, August 6,

VM Parallel Access Volume (PAV) and HyperPAV Support

System z Virtualization and Linux Workshop Bootcamp System z Hardware / Architecture

V6R1 System i Navigator: What s New

Roundtable: Shaping the Future of z/os System Programmer Tasks Discussion

Introduction to. z/vm and Linux on System z. Malcolm Beattie Linux Technical Consultant, IBM UK. From a presentation by Ralf Schiefelbein, IBM Germany

z/osmf 2.1 User experience Session: 15122

Migration Roadmap for LANRES For z/vm Customers - Where to go from here?

Advanced Configuration and Auditing with RACF on z/vm

Session V61. Systems Management on z/vm Christine Casey z/vm Development - IBM Endicott, NY. IBM System z Expo September 17-21, 2007 San Antonio, TX

z/osmf 2.1 Advanced Programming

CSE For High Availability and System Management

CSE For High Availability and System Management

IBM zenterprise Unified Resource Manager Overview

Running Linux-HA on a IBM System z

z/vm TCP/IP Configuration Miguel Delapaz z/vm TCP/IP Development Sunday, 20 April 2008

WebSphere Application Server Base Performance

Computing as a Service

KVM for IBM z Systems

Greg Daynes z/os Software Deployment

Linux Platform Options Selecting Linux on IBM System z9 and zseries

The Basics of Using z/vm

L12. Linux Platform Options Selecting Linux on IBM System z9 and zseries. Jim Elliott San Francisco, CA. September 19-23, 2005

IBM Cluster Systems Management V1.7 extends hardware and operating system support

Understanding VLANs when Sharing OSA Ports on System z

z/os 2.1 HCD HMCwide Dynamic Activate

Introduction to Virtualization: z/vm Basic Concepts and Terminology

IBM Tape Manager for z/vm and DFSMSRMS z/vm in a TS7700 Tape Grid Environment

Setting up IBM zaware Step by Step

Introduction to Virtualization: z/vm Basic Concepts and Terminology

iseries Tech Talk Linux on iseries Technical Update 2004

IBM Geographically Dispersed Resiliency for Power Systems. Version Release Notes IBM

Finding your Way The z/vm Website, Documentation and Other Hints for the New User

Cloud on z Systems Solution Overview: IBM Cloud Manager with OpenStack

High Availability for Linux on IBM System z Servers

13196: HiperSockets on System zec12 Overview

RACF Advanced Configuration and Auditing on z/vm Bruce Hayden IBM Advanced Technical Skills Endicott, NY

z/os Data Set Encryption In the context of pervasive encryption IBM z systems IBM Corporation

IBM Application Runtime Expert for i

A Pragmatic Path to Compliance. Jaffa Law

IBM zenterprise System

IBM Multi-Factor Authentication in a Linux on IBM Z environment - Example with z/os MFA infrastructure

Advanced Technical Skills (ATS) North America. John Burg Brad Snyder Materials created by John Fitch and Jim Shaw IBM Washington Systems Center

Server for IBM i. Dawn May Presentation created by Tim Rowe, 2008 IBM Corporation

Implementation of Red Hat Linux on z: User Experiences at Isracard

The zenterprise Unified Resource Manager IBM Corporation

System z: Checklist for Establishing Group Capacity Profiles

Behind the Glitz - Is Life Better on Another Database Platform?

z/vm Platform Update Steve Wilkins IBM Endicott z/vm Development CAVMEN User Group Meeting October 20, 2011 Version 6

Session 9112 z/vm TCP/IP Stack Configuration

zenterprise exposed! Experiences with zenterprise Unified Resource Manager

RACF Advanced Configuration and Auditing on z/vm

Lawson M3 7.1 Large User Scaling on System i

Active Energy Manager. Image Management. TPMfOSD BOFM. Automation Status Virtualization Discovery

Linux and z Systems in the Datacenter Berthold Gunreben

# All Security All The Time: System z Security Update for CA ACF2, IBM RACF, CA Top Secret

A Look into Linux on System z with DB2 LUW

Planning and Migrating to z/vm Single System Image (SSI)

How Smarter Systems Deliver Smarter Economics and Optimized Business Continuity

Implementing Linux on z: User Experiences at Isracard

TPF Toolkit for WebSphere Studio V3 V Using an Internal Update Site

New Offering MainView Console Management for zenterprise

IBM Mainframe Life Cycle History

Oracle PeopleSoft Applications for IBM z Systems

Introduction to Virtualization: z/vm Basic Concepts and Terminology

TPF Users Group Fall 2006

Transcription:

Session zse4187 Virtual Security Zones on z/vm Alan Altmark Senior Managing z/vm Consultant IBM Systems Lab Services

Trademarks The following are trademarks of the International Business Machines Corporation in the United States and/or other countries. IBM* IBM logo* System Storage* System z* System z9* System z10* z9* z10 z/os* z/vm* zenterprise* * Registered trademarks of IBM Corporation The following are trademarks or registered trademarks of other companies. Intel is a trademark of Intel Corporation in the United States, other countries, or both. Java and all Java-related trademarks and logos are trademarks of Sun Microsystems, Inc., in the United States and other countries Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Red Hat, the Red Hat "Shadow Man" logo, and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc., in the United States and other countries. * All other products may be trademarks or registered trademarks of their respective companies. Notes: All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-ibm products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography. 2

Agenda Introduction Securing System z hardware A multi-zone network VLANs and traffic separation Enforcing the rules 3

The Myth of Mainframe Security 4

The Reality of Mainframe Security 5

Securing the Hardware 6

z/vm Security begins with System z security Protect the HMC Don t share user IDs but don t be afraid to connect it to your internal network Limit span of control as ropriate; add roles Protect the I/O configuration Create a separate LPAR that is authorized to modify the I/O configuration Give partitions access only to devices they require 7

System z Hardware Security LPAR 1 LPAR 2 LPAR 3 z/vm production z/os production Dynamic I/O configuration management authority Minimal z/os or z/vm PR/SM I/O device access is controlled by PR/SM Ethernet HiperSockets 8

Warning: Shared Open Systems Adapters LPAR 1 LPAR 3 LPAR 2 Application Zone Application Zone Data Zone PR/SM? A shared OSA creates a short circuit between LPARs unless QDIO data connection isolation is used 9

Warning: HiperSockets LPAR 1 LPAR 2 LPAR 3 Application Zone Application Zone Data Zone PR/SM? A HiperSocket is a LAN segment. Treat is like one. 10

Multi-zone Networks 11

Multi-zone Network DMZ / Applications db Data network A DMZ (demilitarized zone) is the name given to the subnet that insulates critical network components (servers) from a public network. 12

Multi-zone Network on System z Web / DMZ Applications db Data System z network 13

Firewalls Where, oh, where has my firewall gone? 14

Inboard (internal) firewalls data System z data data Internet 15

Outboard (external) firewalls data data data Internet 16

Guest LANs with HiperSockets LPAR 1 LPAR 2 z/vm z/os DB2 PR/SM HiperSockets Internet = Firewall Router 17

HiperSockets & z/os packet filters LPAR 1 LPAR 2 z/vm z/os DB2 Comms Server packet filter PR/SM HiperSockets Internet = Firewall Router 18

VLAN Separation 19

VLAN-unaware VSWITCH Linux1 SET VSWITCH FLOOR2 GRANT LINUXn Linux2 Linux3 Linux4 Virtual access port FLOOR2 Physical access port on VLAN 10 Cisco Corp 20

VLAN-aware VSWITCH SET VSWITCH FLOOR1 GRANT ROUTER PORTTYPE TRUNK VLAN 10 20 Linux1 Router Linux2 SET VSWITCH FLOOR1 GRANT LINUX2 PORTTYPE ACCESS VLAN 20 Virtual trunk port Virtual access port FLOOR1 VLAN 10 VLAN 20 Physical trunk port Cisco Corp 21

Network with VSWITCH (fully shared) LPAR 1 LPAR 2 z/vm db db db z/os DB2 VSWITCH To internet With 1 VSWITCH, 3 VLANs, and a multi-domain firewall 22

Multi-zone Network with VSWITCH (red zone physical isolation) LPAR 1 LPAR 2 z/vm db db db z/os DB2 VSWITCH INTERNET APPDATA To internet With 2 VSWITCHes, 3 VLANs, and a multi-domain firewall 23

Enforcing the Separation 24

Turn off backchannel communications No user-defined Guest LANs VMLAN LIMIT TRANSIENT 0 No virtual CTC MODIFY COMMAND DEFINE IBMCLASS G PRIVCLASS M No IUCV Use explicit IUCV authorization in the directory, not IUCV ALLOW or IUCV ANY No secondary consoles MODIFY COMMAND SET SUBCMD SECUSER IBMCLASS G PRIVCLASS M But what else might there be? 25

Turn off backchannel communications VMCF MODIFY DIAGNOSE DIAG068 IBMCLASS G PRIVCLASS M ESA/XC mode address space sharing DCSS New interfaces added by APAR or new releases Google less than class g by Rob van der Heij Too hard for some folks Consider RACF Mandatory Access Controls instead SELinux provide the same capabilities for Linux 26

Multi-Zoning with RACF Mandatory access controls override end user controls Users are assigned to one or more named projects Minidisks, guest LANs, VSWITCHes, and VLAN IDs, NSSes, DCSSes, spool files all represent data in those same projects Users can only access data in their assigned projects Overrides user- or admin-given permissions 27

Multi-Zoning with RACF A Security Label combines the concepts of Security clearance (secret, top secret, eyes only) Information zones Information zones ly to any place data may exist disks, networks, and other users Security clearance Ensures servers cannot see extra-sensitive data in their information zone Prevents copying of data to medium that is readable by servers with lower security clearance ( No write down ) Not prevalent since there is no equivalent in distributed networking solutions Label dominance is established based on intersection of zones and security clearance Not just a simple string comparison 28

Multi-zone z/vm LPAR with RACF Security Label Enforcement Backup Linux 1 Linux 4 Linux 2 Linux 3 Linux 5 CMS 29

Multi-Zoning with RACF Create security levels and data partitions RDEFINE SECDATA SECLEVEL ADDMEM( DEFAULT/100 ) RDEFINE SECDATA CATEGORY ADDMEM( DMZ APPS DATA ) RDEFINE SECLABEL RED SECLEVEL( DEFAULT ) ADDCATEGORY( DMZ ) RDEFINE SECLABEL GREEN SECLEVEL( DEFAULT ) ADDCATEGORY( APPS ) RDEFINE SECLABEL BLUE SECLEVEL( DEFAULT ) ADDCATEGORY( DATA ) 30

Multi-Zoning with RACF Assign virtual machines their SECLABELs PERMIT BLUE CL(SECLABEL) ID(LINUX1) ACC( READ ) ALTUSER LINUX1 SECLABEL( BLUE ) PERMIT RED CL(SECLABEL) ID(LINUX2 LINUX4) AC(READ) ALTUSER LINUX2 LINUX4 SECLABEL( RED ) PERMIT GREEN CL(SECLABEL) ID(LINUX3 LINUX5) AC(READ) ALTUSER LINUX3 LINUX5 SECLABEL( GREEN ) 31

Multi-Zoning with RACF But sometimes a server serves the Greater Good, providing services to all users Exempt server from label checking Assign predefined label SYSNONE PERMIT SYSNONE CLASS(SECLABEL) ID(TCPIP) ACCESS(READ) ALTUSER TCPIP SECLABEL(SYSNONE) 32

Multi-Zoning with RACF Example: Assign labels to resources VMMDISK: Minidisk VMLAN: Guest LANs and Virtual Switches RALTER VMMDISK LINUX1.191 SECLABEL( BLUE ) RALTER VMMDISK LINUX1.191 SECLABEL( BLUE ) RALTER VMMDISK LINUX2.191 SECLABEL( RED ) RALTER VMMDISK LINUX2.191 SECLABEL( RED ) RALTER VMLAN SYSTEM.INTERNET SECLABEL( RED ) RALTER VMLAN SYSTEM.APPDATA SECLABEL(SYSNONE) RALTER VMLAN SYSTEM.APPDATA.0010 SECLABEL(BLUE) RALTER VMLAN SYSTEM.APPDATA.0020 SECLABEL(RED) PERMIT SYSTEM.APPDATA.0010 CL(VMLAN) ID(LINUX1) ACC(UPDATE) PERMIT SYSTEM.APPDATA.0020 CL(VMLAN) ID(LINUX2) ACC(UPDATE) 33

Multi-Zoning with RACF Activate RACF protection: SETROPTS CLASSACT(SECLABEL VMMDISK VMLAN) SETROPTS RACLIST(SECLABEL) SETROPTS MLACTIVE(WARNINGS) If resource doesn t have a seclabel, message is issued and seclabels are ignored. Or SETROPTS MLACTIVE(FAILURES) If resource doesn t have a seclabel, command fails. This is more secure! 34

Summary Check network design with network architect Place firewalls where the network security team wants them to go Use common sense Protect the hardware Protect your data Protect your servers Protect your company Protect yourself!! 35

Reference Information This presentation http://www.vm.ibm.com/devpages/altmarka/present.html z/vm Security resources http://www.vm.ibm.com/security z/vm Secure Configuration Guide http://publibz.boulder.ibm.com/epubs/pdf/hcss0b30.pdf System z Security http://www.ibm.com/systems/z/advantages/security/ z/vm Home Page http://www.vm.ibm.com 36

Contact Information Alan C. Altmark Senior Managing z/vm Consultant z Systems Delivery Practice IBM Systems Lab Services IBM 1701 North Street Endicott, NY 13760 Mobile 607 321 7556 Fax 607 429 3323 Email: alan_altmark@us.ibm.com Mailing lists: IBMTCP-L@vm.marist.edu IBMVM@listserv.uark.edu LINUX-390@vm.maris.edu See http://ibm.com/vm/techinfo/listserv.html for details 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback