IBM z/VM Module 12: Security
© 2004 IBM Corporation
Objectives
§ What fundamental needs for computer security were identified in the early days of computing?
§ List and explain the four major security techniques used to protect any computer system
§ Explain the four overall aspects of z/VM system security
Objectives, continued
§ Describe the major z/VM security features:
  - User authentication
  - Authorization
  - Intrusion detection
  - Virtual processor security
  - Data in memory protection
  - Disk, tape storage, and virtual I/O protection
  - Virtual networking
§ Describe the cryptography support on zSeries and how it is used
Objectives, continued
§ List and describe the z/VM best practices for security
§ Describe the major functions of the IBM security product RACF
§ Describe the major functions of the Computer Associates security product eTrust
An Overview of Computer Security
§ The use of computers and the fear of informational attacks have caused an increase in security awareness and the need for protection
§ Technical and administrative measures can be considered under these four categories:
  - User authentication
  - Logging/Auditing
  - Encryption
  - Communication and Networking
User Authentication Techniques
§ A prerequisite for almost any kind of security is accurate user identification.
§ All password schemes have problems.
§ Other, more promising technologies are:
  - Voice recognition
  - Hand/fingerprint identification
  - Signature analysis
  - Digital certificates
Logging
§ Logging consists of recording events so that they can be monitored at a later time.
§ A typical entry in a log might include:
  - The user’s identity
  - A transaction or job identifier
  - The name of the object being accessed
§ Useful features in a logging facility include:
  - Ways to specify the events to be logged within a minimal amount of time
  - Ways to start and stop logging of selected events dynamically
  - Programs to generate reports from the log
Encryption
§ To encrypt data means to transform it into a form that cannot be understood until it is retransformed to its original form.
§ The encrypted data is only useful to someone who possesses the special knowledge needed to restore it to its original form.
§ These processes may be expressed as follows:
  - Encryption: C = E_k(P)
  - Decryption: P = D_k(C)
Communication and Network Security
§ The transmission mechanisms used for data communications are vulnerable to two types of intrusion:
  - A passive intruder listens to the communications
  - An active intruder can alter, insert, or redirect messages
§ These vulnerabilities are of great importance in cash flow applications
z/VM and System Security
§ z/VM security deals with these issues:
  - Sharing
  - Isolation
  - Reconfiguration
  - Management of resources
§ Without better awareness of good data-security practices, advances in computer literacy could result in a higher likelihood of unauthorized persons accessing, modifying, or destroying data, either inadvertently or deliberately!
z/VM: User Authentication
§ Once the user supplies the user ID and password, CP validates the information.
§ The only way to gain access to sensitive material is by using the correct password.
§ Remote access protocols such as rexec, ftp, and nfs require the client to authenticate using a z/VM user ID and password.
§ Network applications for z/VM can provide a Kerberos server and the programming interfaces that permit programs to take advantage of Kerberos authentication and encryption facilities.
z/VM: Authorization
§ Once logged into the z/VM system, virtual machine users can access various types of resources within the z/VM system, including:
  - Entire DASD volumes
  - Minidisks
  - Tape drives
  - Network adapters
  - User files
  - System files
§ The security facility provided by z/VM can be enhanced according to any special or specific requirements of the customer’s environment by the addition of an External Security Manager (ESM).
z/VM: Intrusion Detection
§ As an element of z/VM’s intrusion detection capabilities, if a logon is denied, the denial is tracked and a security journal entry is made when the number of denials exceeds an installation-defined maximum.
§ When a second maximum is reached, logon to the user ID is disabled, an operator message is issued, and the terminal session is terminated.
§ The TCP/IP component of z/VM will detect and report network intrusions, such as:
  - Smurf
  - Fraggle
  - Ping o’ Death
  - SYN Flood
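The two-threshold logon denial tracking described on this slide, written out as an added example (not z/VM's own CP code): the threshold values, user IDs and action names are constructed, and a successful logon is assumed to clear the denial count.

```python
from dataclasses import dataclass, field


@dataclass
class LogonDenialTracker:
    """Tracks denied logons per user ID and applies the two installation-defined
    maxima the slide describes: exceeding the first produces a security journal
    entry; reaching the second disables logon for the user ID, issues an operator
    message and terminates the terminal session. Threshold values, user IDs and
    action names are constructed for this example."""
    journal_max: int
    disable_max: int
    denials: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def record_denial(self, userid: str) -> list:
        """Return the actions taken for this denied logon, in order."""
        if userid in self.disabled:
            # Logon already disabled: the session is still terminated.
            return ["terminate_session"]
        count = self.denials.get(userid, 0) + 1
        self.denials[userid] = count
        actions = []
        if count > self.journal_max:
            actions.append("security_journal")
        if count >= self.disable_max:
            self.disabled.add(userid)
            actions += ["disable_logon", "operator_message", "terminate_session"]
        return actions

    def record_success(self, userid: str) -> bool:
        """A valid password clears the denial count unless logon was disabled
        (assumption of this example)."""
        if userid in self.disabled:
            return False
        self.denials.pop(userid, None)
        return True


def replay(tracker: LogonDenialTracker, events: list) -> list:
    """Feed (userid, succeeded) events, e.g. parsed from a logon log, and
    collect the outcome of each one."""
    return [tracker.record_success(u) if ok else tracker.record_denial(u)
            for u, ok in events]
```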
z/VM: Virtual Processor Security
§ The z/VM CP defines and assigns virtual processors to the virtual machine.
§ If the operating system running in the virtual machine is capable of using multiple processors, it will dispatch its workload on its virtual processors as if it were running in a dedicated hardware environment.
§ Overall, there is no significant security risk if the virtual, logical, or physical processor configuration is changed or dispatched on different physical processors.
z/VM: Data in Memory Protection
§ Each virtual machine has its own virtual address space, which is its main memory.
§ When a virtual machine touches a page that is no longer in real storage, a page fault occurs and the CP brings the missing virtual page back into real storage.
§ The CP also allows the sharing of virtual pages by a number of virtual machines.
§ To protect sensitive data from exposure, it is possible to use shared segments to restrict other guests from accessing the data without explicit authorization.
z/VM: Disk, Tape Storage Protection and Virtual I/O
§ z/VM partitions DASD volumes into minidisks to be owned and accessed by individual virtual machines.
§ DirMaint is an additional priced feature that allows a user to manipulate and control DASD volumes and minidisks.
§ z/VM creates temporary minidisks (T-disks), which last only until they are detached or the virtual machine logs off.
§ z/VM can also create virtual minidisks (VDISKs), which are actually mapped into real storage.
z/VM: Virtual Networking
§ Communication between virtual machines is provided by various devices or facilities that are unique to the z/VM operating system.
§ Virtual networks should be planned with the same care and attention to security as would be taken for a real, physical network.
§ Some virtual network devices are:
  - HiperSockets
  - Guest LANs
  - Virtual Channel-To-Channel (VCTC)
  - Inter-User Communication Vehicle (IUCV)
Cryptography on the zSeries
§ The IBM Common Cryptographic Architecture (CCA) defines a set of cryptographic functions, external interfaces, and key management rules that pertain both to the DES and to PKA.
§ The DES is based on symmetric algorithms and the PKA on asymmetric algorithms. Together, they provide a consistent, end-to-end cryptographic architecture across different IBM platforms.
§ Control vectors are a fixed pattern defined for each key type that the cryptographic facility exclusively ORs with the Master Key.
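An added example (not IBM's CCA code) of the control-vector idea on this slide, completed by the glossary's note that the XOR result is a Master Key variant used to encrypt the key: the control vector values are constructed, and a SHA-256 keystream stands in for DES under the variant.

```python
import hashlib

# Constructed control vectors: one fixed 8-byte pattern per key type. Real CCA
# control vectors are longer bit-field encodings; these values are stand-ins.
CONTROL_VECTORS = {
    "DATA": bytes.fromhex("0000710000000000"),      # data-encrypting key
    "EXPORTER": bytes.fromhex("0041710000000000"),  # key-encrypting key for export
    "PIN": bytes.fromhex("0000240000000000"),       # PIN-processing key
}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def master_key_variant(master_key: bytes, key_type: str) -> bytes:
    """Exclusive-OR the master key with the control vector of the key type."""
    return xor(master_key, CONTROL_VECTORS[key_type])


def keystream(variant: bytes) -> bytes:
    """Stand-in for DES under the variant (a SHA-256 PRF, not CCA's real cipher)."""
    return hashlib.sha256(b"cv-demo:" + variant).digest()[:8]


def wrap_key(master_key: bytes, key_type: str, clear_key: bytes) -> bytes:
    """Encrypt an 8-byte operational key under the variant for its declared type."""
    return xor(clear_key, keystream(master_key_variant(master_key, key_type)))


def unwrap_key(master_key: bytes, key_type: str, wrapped: bytes) -> bytes:
    """Decrypt with the variant for the type the caller claims the key has."""
    return xor(wrapped, keystream(master_key_variant(master_key, key_type)))


def key_separation(master_key: bytes, clear_key: bytes, wrapped_as: str) -> dict:
    """Wrap a key as one type, then unwrap it claiming every type: only the
    matching control vector reproduces the key, so a key wrapped for one use
    cannot be recovered as another type without the master key itself."""
    wrapped = wrap_key(master_key, wrapped_as, clear_key)
    return {t: unwrap_key(master_key, t, wrapped) == clear_key for t in CONTROL_VECTORS}
```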
Crypto Support for z/VM
§ The PCICC (PCI Cryptographic Coprocessor) enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability.
§ The z90crypt driver available for Linux for zSeries and S/390 exploits the PCICC and PCICA (PCI Cryptographic Accelerator) hardware for the asymmetric algorithms used by SSL.
§ A z/VM system can support the use of all three cryptographic options simultaneously by different guests on a z/VM system.
Best z/VM Security Practices
§ These are a set of security suggestions:
  - After installing a new z/VM system, remember to change the default logon and minidisk passwords for all users in the system directory.
  - Do not give virtual machines more authority than they require.
  - Use an External Security Manager.
  - Use a z/VM directory management product.
  - Implement a password management policy.
Security Products
§ Computer Associates eTrust
§ IBM RACF/VM
RACF: Overview
§ RACF works together with the existing system features of VM to provide improved data security. RACF provides these features:
  - Protection of installation-defined resources
  - Flexible control of access to protected resources
  - The ability to store information for other products
  - A choice of centralized or decentralized control profiles
  - An ISPF panel interface and a command interface
  - Transparency to end users
  - Exits for installation-written routines
RACF: Storage Capabilities of Other Products
§ RACF provides additional support for interaction with:
  - VM RSCS
  - AMMR
  - DirMaint
  - PSF/VM
  - DFSMS
How RACF Works with the Operating System
The RACROUTE Macro Interface and RACF’s Purpose
§ The RACROUTE macro interface on VM allows RACF to make access control decisions for resource managers and application programs running in a virtual machine.
§ RACF provides the ability to control and audit a subset of VM commands, DIAGNOSE codes, and system functions.
§ RACF gives you the ability to:
  - Identify and authenticate users
  - Authorize users to access the protected resources
  - Log and report all attempts of unauthorized access to protected resources
  - Control the means of access to resources
  - Allow applications to use the RACF macros
Identifying and Authenticating Users
§ For a software access control mechanism to work effectively, RACF must be able to:
  - Identify the person who is trying to gain access to the system
  - Authenticate the user by verifying that the user is really that person
§ RACF uses a user ID to identify the user and a password, set up by the system administrator, to authenticate that user.
§ A PassTicket can be generated by RACF or by another authorization function, such as Kerberos, as discussed earlier.
Checking Authorization
Logging and Reporting
Controlling Access to Resources
§ RACF protects general resources, such as minidisks, SFS files and directories, VM commands, user IDs, terminals, and printers.
§ When a user requests access to a resource that has a security classification, RACF performs two checks:
  - RACF compares the security level in the user profile with the security level in the resource profile
  - RACF compares the list of categories in the user’s profile with the list of categories in the resource profile
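The two classification checks listed above, together with the logging of denied attempts that the RACROUTE slide calls for, as an added example that is not RACF code: the level ordering, profiles and resource names are constructed, and the comparison rule (user level at least the resource level, resource categories a subset of the user's) is this example's assumption.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed installation ordering of security levels: higher is more sensitive.
SECURITY_LEVELS = {"UNCLASSIFIED": 10, "CONFIDENTIAL": 50, "SECRET": 90}


@dataclass(frozen=True)
class Profile:
    """A user or resource profile reduced to the fields the two checks use."""
    name: str
    seclevel: str
    categories: FrozenSet[str]


@dataclass
class ClassificationChecker:
    """Applies the two checks the slide lists. The comparison rule is this
    example's assumption: the user's level must be at least the resource's, and
    every category on the resource must also be on the user's profile."""
    audit_log: List[str] = field(default_factory=list)

    def check_access(self, user: Profile, resource: Profile) -> bool:
        level_ok = SECURITY_LEVELS[user.seclevel] >= SECURITY_LEVELS[resource.seclevel]
        missing = resource.categories - user.categories
        allowed = level_ok and not missing
        if not allowed:
            reason = "seclevel" if not level_ok else "categories:" + ",".join(sorted(missing))
            # Unauthorized attempts are recorded, as the RACF purpose slide requires.
            self.audit_log.append(f"DENIED user={user.name} resource={resource.name} {reason}")
        return allowed


def demo() -> dict:
    """Constructed profiles: one allowed request, then one failing each check."""
    checker = ClassificationChecker()
    payroll = Profile("PAYROLL.191", "CONFIDENTIAL", frozenset({"PAYROLL"}))
    audit = Profile("AUDIT.192", "SECRET", frozenset({"PAYROLL"}))
    alice = Profile("ALICE", "SECRET", frozenset({"PAYROLL", "HR"}))
    bob = Profile("BOB", "CONFIDENTIAL", frozenset({"PAYROLL"}))
    carol = Profile("CAROL", "SECRET", frozenset({"HR"}))
    results = {
        "ALICE->PAYROLL": checker.check_access(alice, payroll),  # both checks pass
        "BOB->AUDIT": checker.check_access(bob, audit),          # level too low
        "CAROL->PAYROLL": checker.check_access(carol, payroll),  # category missing
    }
    results["audit"] = checker.audit_log
    return results
```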
How You Can Use RACF
§ Data security is the protection of data from accidental or deliberate unauthorized disclosure, modification, or destruction.
§ The security administrator, as the focal point for planning security at your installation, needs to:
  - Determine which RACF functions to use
  - Identify the level of RACF protection
  - Identify which data RACF is to protect
  - Identify administrative structures
  - Set up the resources to be protected
RACF: Conclusion
§ RACF works together with the existing system features of z/VM to provide improved data security.
§ RACF can:
  - Protect installation-defined resources
  - Control access to protected resources
  - Store information for other products
  - Create centralized or decentralized control profiles
  - Be used with an ISPF panel interface or a command interface
  - Be made transparent to end users
  - Provide exits for installation-written routines
§ RACF also has the ability to identify and authenticate users, authorize users to access the protected resources, and log and report attempts of unauthorized access to protected resources.
Computer Associates: eTrust
§ Security remains one of the most pressing IT concerns today.
§ Most organizations are struggling to protect an increasing amount of disparate resources, allow for additional users, and manage the risk of malevolent threats and malicious attacks. CA eTrust was created to help solve these problems.
§ CA’s eTrust security management solutions provide a holistic approach to virtually all aspects of managing business security
A New Standard in Security
eTrust Identity Management
§ CA’s eTrust Identity Manager centralizes and automates the creation of user accounts, holistically provisioning both IT and non-IT resources while reducing costs through process automation
§ The eTrust Identity Management solution set includes:
  - eTrust Admin
  - eTrust Directory
  - eTrust OCSPro
  - eTrust PKI
  - eTrust Single Sign-On
eTrust Access Management
§ Employees, business partners, and customers require secure access to business-critical applications spanning disparate platforms and operating systems
§ CA’s eTrust Access Management solutions secure business-critical assets by centralizing and strengthening security from end to end, regardless of operating system, platform or business application, and whether or not resources are web-based
eTrust Threat Management
§ Today’s organizations want to profit from the power of the Internet and improve communication channels without exposing themselves to attacks and threats.
§ CA’s eTrust Threat Management solutions effectively and cost-efficiently detect, analyze, warn, prevent and cure attacks across IT environments.
eTrust Security Command Center
§ CA developed an innovative solution that transforms security information into business security intelligence.
§ Its centralized command control capability improves administrator efficiencies and helps reduce costs, while integration and automation improve effectiveness and enhance security.
§ eTrust Security Command Center includes:
  - Advance Management Technology
  - eTrust Audit
  - eTrust 20/20
eTrust: Conclusion
§ CA’s strategy is to protect your investment in computer resources by continually enhancing the eTrust product; their key strategic objectives include:
  - Maintaining technological superiority
  - Exploiting new technology
  - Extending security controls
  - Integrating security across platforms
  - Streamlining security administration
§ CA eTrust can help manage your z/VM system to deter malicious and harmful attacks.
Conclusion
§ The major objective of computer security functions is to put hardware, software, and data out of danger from loss caused by malicious attacks and unauthorized access.
§ z/VM is an operating system with many security features built in.
§ For added security, customers use such products as:
  - IBM RACF/VM
  - CA eTrust
Glossary
§ Common Cryptographic Architecture (CCA) – defines a set of cryptographic functions, external interfaces, and key management rules that pertain to both DES and PKA
§ Control Vector (CV) – a fixed pattern defined for each key type that the cryptographic facility exclusively ORs with the Master Key to produce a Master Key variant that is used to encrypt the key
§ Data Encryption Standard (DES) – is based on a symmetric algorithm
§ Decryption – converting data back to its original form
§ Encryption – an attempt to translate data into a form where the only practical way to reconstruct it is by knowing a specific algorithm and a key
Glossary
§ External Security Manager (ESM) – any security product not originally installed in the basic z/VM system, such as RACF and eTrust
§ PCI – a 32-bit bus that normally runs at a maximum of 33 MHz, which is controlled by special circuitry in the chipset designed to handle PCI
§ PCICA – another crypto coprocessor designed specifically for exploitation by SSL
§ PCICC – enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability