© 2004 IBM Corporation
IBM ^
z/VM Module 12: Security
Objectives
What fundamental needs for computer security were identified in the early days of computing?
List and explain the four major security techniques used to protect any computer system
Explain the four overall aspects of z/VM system security
Objectives, continued
Describe the major z/VM security features:
User authentication
Authorization
Intrusion detection
Virtual processor security
Data in memory protection
Disk, tape storage, and virtual I/O protection
Virtual networking
Describe the cryptography support on zSeries and how it is used
Objectives, continued
List and describe the z/VM best practices for security
Describe the major functions of the IBM security product RACF
Describe the major functions of the Computer Associates security product eTrust
An Overview of Computer Security
The growing use of computers, and the fear of attacks on the information they hold, have increased security awareness and the need for protection.
Technical and administrative measures can be grouped under four categories:
User authentication
Logging/Auditing
Encryption
Communication and Networking
User Authentication Techniques
A prerequisite for almost any kind of security is accurate user identification.
All password schemes have problems. Other, more promising technologies are:
Voice recognition
Hand/fingerprint identification
Signature analysis
Digital certificates
Logging
Logging consists of recording events so that they can be monitored at a later time.
A typical entry in a log might include:
The user’s identity
A transaction or job identifier
The name of the object being accessed
Useful features in a logging facility include:
Ways to specify, with minimal effort, the events to be logged
Ways to start and stop logging of selected events dynamically
Programs to generate reports from the log
Encryption
To encrypt data means to transform it into a form that cannot be understood until it is transformed back to its original form.
The encrypted data is useful only to someone who possesses the special knowledge (the key) needed to restore it to its original form.
With P the plaintext, C the ciphertext and k the key, these processes may be expressed as follows:
Encryption: C = Ek(P)
Decryption: P = Dk(C)
Communication and Network Security
The transmission mechanisms used for data communications are vulnerable to two types of intrusion:
A passive intruder listens to the communications
An active intruder can alter, insert, or redirect messages
These vulnerabilities are of great importance in cash flow applications
z/VM and System Security
z/VM security deals with these issues:
Sharing
Isolation
Reconfiguration
Management of resources
Without better awareness of good data-security practices, advances in computer literacy could result in a higher likelihood of unauthorized persons accessing, modifying, or destroying data, either inadvertently or deliberately!
z/VM: User Authentication
Once the user supplies a user ID and password, CP validates them.
The only way to gain access to sensitive material is by supplying the correct password.
Remote access protocols such as rexec, ftp, and nfs require the client to authenticate using a z/VM user ID and password.
Network applications for z/VM can provide a Kerberos server and the programming interfaces that permit programs to take advantage of Kerberos authentication and encryption facilities.
z/VM: Authorization
Once logged into the z/VM system, virtual machine users can access various types of resources within the z/VM system, including:
Entire DASD volumes
Minidisks
Tape drives
Network adapters
User files
System files
The security facility provided by z/VM can be enhanced to meet any special or specific requirements of the customer’s environment by adding an External Security Manager (ESM).
z/VM: Intrusion Detection
As an element of z/VM intrusion detection, every denied logon is tracked; once the number of denials for a user ID exceeds an installation-defined maximum, a security journal record is written.
When a second, higher maximum is reached, logon to that user ID is disabled, an operator message is issued, and the terminal session is terminated.
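The two-threshold behaviour described above, as an added example that is not part of the IBM course material or of CP: denied logons are counted per user ID, a journal record is written once the count exceeds the first maximum, and the ID is disabled with an operator message when the second maximum is reached. The threshold values, the record layout and the rule that a successful logon resets the count are assumptions made for the example.

```python
"""Added example: CP-style logon-denial tracking with two installation-defined maximums.
Not IBM code; thresholds, record fields and reset-on-success are assumptions."""
from dataclasses import dataclass, field

JOURNAL_MAX = 2   # assumption: write a security journal record once denials EXCEED this
DISABLE_MAX = 5   # assumption: disable the user ID when denials REACH this


@dataclass
class LogonMonitor:
    denials: dict = field(default_factory=dict)    # user ID -> consecutive denials
    disabled: set = field(default_factory=set)     # user IDs whose logon is disabled
    journal: list = field(default_factory=list)    # security journal records
    operator: list = field(default_factory=list)   # messages sent to the operator

    def attempt(self, user: str, terminal: str, password_ok: bool) -> str:
        """Process one logon attempt and return what the monitor does with it."""
        if user in self.disabled:
            return "REJECTED"                       # stays disabled until an administrator re-enables it
        if password_ok:
            self.denials.pop(user, None)           # assumption: a good logon clears the count
            return "LOGGED ON"
        n = self.denials[user] = self.denials.get(user, 0) + 1
        if n > JOURNAL_MAX:                         # first maximum exceeded: journal it
            self.journal.append({"user": user, "terminal": terminal, "denials": n})
        if n >= DISABLE_MAX:                        # second maximum reached: disable, tell operator, drop session
            self.disabled.add(user)
            self.operator.append(
                f"LOGON TO {user} DISABLED AFTER {n} INVALID PASSWORDS FROM TERMINAL {terminal}")
            return "DISABLED; SESSION TERMINATED"
        return "DENIED"


def replay(monitor: LogonMonitor, attempts) -> list:
    """Feed (user ID, terminal, password accepted?) tuples through the monitor."""
    return [monitor.attempt(user, term, ok) for user, term, ok in attempts]


# Constructed sample: five bad passwords for LINUX1, then a correct one, then MAINT.
SAMPLE_ATTEMPTS = [("LINUX1", "0A13", False)] * 5 + [
    ("LINUX1", "0A13", True),    # correct password, but the ID is already disabled
    ("MAINT", "0A14", False),
    ("MAINT", "0A14", True),
]


def demo():
    m = LogonMonitor()
    return m, replay(m, SAMPLE_ATTEMPTS)


if __name__ == "__main__":
    monitor, outcomes = demo()
    for a, o in zip(SAMPLE_ATTEMPTS, outcomes):
        print(a, "->", o)
    print("journal:", monitor.journal)
    print("operator:", monitor.operator)
```

The journal record carries the user ID and terminal so that a repeated pattern against one ID from one terminal can be distinguished from a scattered guessing attempt; the second threshold is the one that costs availability, so in practice it is set well above the first.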
The TCP/IP component of z/VM detects and reports network intrusions such as:
Smurf
Fraggle
Ping o’ Death
SynFlood
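Signature checks for the four attacks the slide names, as an added example written for this page (it is not z/VM TCP/IP code and does not show how that component detects them). It runs over constructed packet summaries; the field names, the thresholds and the assumption that directed broadcasts end in .255 are all hypothetical.

```python
"""Added example: classify packet summaries as Smurf, Fraggle, Ping o' Death or SynFlood.
Not z/VM TCP/IP code; packet fields, thresholds and the /24 broadcast rule are assumptions."""
from collections import defaultdict

IP_MAX_LEN = 65535      # largest IP datagram; a fragment reassembling past this is malformed
SYN_THRESHOLD = 50      # SYN-only segments to one dst:port within WINDOW before calling it a flood
WINDOW = 1.0            # seconds


def is_broadcast(ip: str) -> bool:
    # Assumption: /24 networks, so the directed-broadcast address ends in .255
    return ip.endswith(".255") or ip == "255.255.255.255"


def classify(packets) -> list:
    """Return (attack, detail) alerts for a sequence of packet summaries (dicts)."""
    alerts = []
    syn_times = defaultdict(list)   # (dst, dport) -> timestamps of recent SYN-only segments
    for p in packets:
        if p["proto"] == "icmp":
            # Smurf: echo request to a broadcast address, so every host replies to the (spoofed) source
            if p.get("type") == 8 and is_broadcast(p["dst"]):
                alerts.append(("Smurf", f"ICMP echo request {p['src']} -> {p['dst']}"))
            # Ping o' Death: a fragment whose offset + length would reassemble beyond 65535 bytes
            off = p.get("frag_off", 0)
            if off + p["len"] > IP_MAX_LEN:
                alerts.append(("Ping o' Death",
                               f"fragment offset {off} + length {p['len']} > {IP_MAX_LEN} from {p['src']}"))
        elif p["proto"] == "udp":
            # Fraggle: the UDP echo/chargen variant of Smurf
            if p["dport"] in (7, 19) and is_broadcast(p["dst"]):
                alerts.append(("Fraggle", f"UDP/{p['dport']} {p['src']} -> {p['dst']}"))
        elif p["proto"] == "tcp" and p["flags"] == "S":
            # SynFlood: too many SYN-only segments to one service inside a sliding window
            key = (p["dst"], p["dport"])
            times = syn_times[key]
            times.append(p["ts"])
            while times and times[0] < p["ts"] - WINDOW:
                times.pop(0)                      # drop SYNs that fell out of the window
            if len(times) == SYN_THRESHOLD:       # fire once as the threshold is crossed
                alerts.append(("SynFlood", f"{len(times)} SYNs to {key[0]}:{key[1]} within {WINDOW}s"))
    return alerts


def sample_packets() -> list:
    """Constructed traffic: one of each attack plus a benign ping."""
    pkts = [
        {"proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": "192.168.1.255", "len": 84, "frag_off": 0},
        {"proto": "udp", "src": "10.0.0.9", "dst": "192.168.1.255", "dport": 7, "len": 60},
        {"proto": "icmp", "type": 8, "src": "172.16.5.5", "dst": "192.168.1.10", "len": 1480, "frag_off": 65120},
        {"proto": "icmp", "type": 8, "src": "172.16.5.6", "dst": "192.168.1.10", "len": 84, "frag_off": 0},
    ]
    # 60 SYN-only segments from distinct sources to one web server within half a second
    pkts += [{"proto": "tcp", "flags": "S", "src": f"10.1.{i // 256}.{i % 256}", "dst": "192.168.1.20",
              "dport": 443, "ts": 100.0 + i * 0.008} for i in range(60)]
    return pkts


if __name__ == "__main__":
    for attack, detail in classify(sample_packets()):
        print(f"{attack}: {detail}")
```

The first three signatures are stateless and can be applied per packet; only the SYN-flood check needs state, and it is the one whose threshold must be tuned to the server's normal connection rate so that a busy but legitimate service is not reported.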
z/VM: Virtual Processor Security
The z/VM CP defines and assigns virtual processors to the virtual machine.
If the operating system running in the virtual machine is capable of using multiple processors, it will dispatch its workload on its virtual processors as if it were running in a dedicated hardware environment.
Overall, there is no significant security risk if the virtual, logical, or physical processor configuration is changed or dispatched on different physical processors.
z/VM: Data in Memory Protection
Each virtual machine has its own virtual address space, which is its main memory.
When a virtual machine touches a page that is no longer in real storage, a page fault occurs and CP brings the missing virtual page back into real storage.
CP also allows a number of virtual machines to share virtual pages.
To protect sensitive data from exposure, shared segments can be defined as restricted, so that other guests cannot access the data without explicit authorization.
z/VM: Disk, Tape Storage Protection and Virtual I/O
z/VM partitions DASD volumes into minidisks to be owned and accessed by individual virtual machines.
DirMaint is an additional priced feature that allows a user to manipulate and control DASD volumes and minidisks.
z/VM creates temporary minidisks (T-disks), which last only until they are detached or the virtual machine logs off.
z/VM can also create virtual disks in storage (VDISKs), which reside in storage rather than on real DASD.
z/VM: Virtual Networking
Communication between virtual machines is provided by various devices or facilities that are unique to the z/VM operating system.
Virtual networks should be planned with the same care and attention to security as would be taken for a real, physical network.
Some virtual network devices are:
HiperSockets
Guest LANs
Virtual Channel-To-Channel (VCTC)
Inter-User Communication Vehicle (IUCV)
Cryptography on the zSeries
The IBM CCA defines a set of cryptographic functions, external interfaces, and key management rules that pertain both to the DES and to PKA.
The DES is based on symmetric algorithms and the PKA on asymmetric algorithms. Together, they provide a consistent, end-to-end, cryptographic architecture across different IBM platforms.
Control vectors are fixed patterns, one defined for each key type, that the cryptographic facility exclusive-ORs with the Master Key to produce the variant under which keys of that type are encrypted; a key can therefore be recovered only for the purposes its type allows.
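The following is an added example, not IBM CCA code, serving both the Encryption slide (C = Ek(P), P = Dk(C)) and the control-vector rule above. The cipher is a counter-mode stream built from HMAC-SHA256 rather than DES, the 32-byte control vectors are hypothetical values (the real CCA vectors are not reproduced), and the key-token layout is invented for the example. It shows that a key wrapped under KM ⊕ CV_DATA does not come back when unwrapped under KM ⊕ CV_PIN, which is the separation the control vector provides.

```python
"""Added example: E_k/D_k as a PRF counter-mode stream, plus control-vector key wrapping.
Not IBM CCA code; the cipher construction, CV values and token layout are assumptions."""
import hashlib
import hmac
import os

BLOCK = hashlib.sha256().digest_size   # 32 bytes of keystream per PRF call


def keystream(k: bytes, nonce: bytes, length: int) -> bytes:
    """Block i of the stream is HMAC-SHA256(k, nonce || i). The same (k, nonce) always
    gives the same stream, so a nonce must never be reused under one key."""
    blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + BLOCK - 1) // BLOCK))
    return b"".join(blocks)[:length]


def E(k: bytes, P: bytes, nonce: bytes) -> bytes:
    """Encryption: C = E_k(P)."""
    return bytes(p ^ s for p, s in zip(P, keystream(k, nonce, len(P))))


def D(k: bytes, C: bytes, nonce: bytes) -> bytes:
    """Decryption: P = D_k(C). For an XOR stream the same keystream undoes E_k."""
    return bytes(c ^ s for c, s in zip(C, keystream(k, nonce, len(C))))


# Hypothetical control vectors, one per key type (real CCA values are not shown here)
CV_DATA = bytes(31) + b"\x01"   # key may only encrypt/decrypt data
CV_PIN = bytes(31) + b"\x02"    # key may only be used in PIN operations


def variant(km: bytes, cv: bytes) -> bytes:
    """KM xor CV: the master-key variant under which keys of that type are wrapped."""
    return bytes(a ^ b for a, b in zip(km, cv))


def wrap_key(km: bytes, cv: bytes, key: bytes) -> bytes:
    """Key token = nonce || E_{KM xor CV}(key). The token leaves the facility; KM never does."""
    nonce = os.urandom(16)
    return nonce + E(variant(km, cv), key, nonce)


def unwrap_key(km: bytes, cv: bytes, token: bytes) -> bytes:
    """Recover the key under the variant for the CV the caller claims. A wrong CV
    yields an unrelated key, so a DATA key cannot be turned into a PIN key."""
    nonce, C = token[:16], token[16:]
    return D(variant(km, cv), C, nonce)


def demo():
    """Return (right CV recovers key, wrong CV does not, recovered key round-trips data)."""
    km = hashlib.sha256(b"constructed master key").digest()       # constructed, not a real KM
    data_key = hashlib.sha256(b"constructed DATA key").digest()   # constructed
    token = wrap_key(km, CV_DATA, data_key)
    right = unwrap_key(km, CV_DATA, token)
    wrong = unwrap_key(km, CV_PIN, token)                          # garbage: different variant
    msg, n = b"account 4711 balance 1200.00", os.urandom(16)
    return right == data_key, wrong != data_key, D(right, E(right, msg, n), n) == msg


if __name__ == "__main__":
    print(demo())   # expected (True, True, True)
```

The point of the variant is that KM itself is never used directly: every wrapped key is bound to a type at wrap time, and an application that holds a token cannot present it under a different CV to obtain the clear key for another purpose.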
Crypto Support for z/VM
The PCICC enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability.
The z90crypt driver for Linux on zSeries and S/390 exploits the PCICC and PCICA cryptographic hardware for the asymmetric algorithms used by SSL.
A z/VM system can support the use of all three cryptographic options simultaneously by different guests on a z/VM system.
Best z/VM Security Practices
These are a set of security suggestions:
After installing a new z/VM system, change the default logon and minidisk passwords for all users in the system directory.
Do not give virtual machines more authority than they require.
Use an External Security Manager.
Use a z/VM directory management product.
Implement a password management policy.
Security Products
IBM RACF/VM
Computer Associates eTrust
RACF: Overview
RACF works together with the existing system features of VM to provide improved data security. RACF provides these features:
Protection of installation-defined resources
Flexible control of access to protected resources
The ability to store information for other products
A choice of centralized or decentralized control profiles
An ISPF panel interface and a command interface
Transparency to end users
Exits for installation-written routines
RACF: Storage Capabilities of Other Products
RACF provides additional support for interaction with:
VM
RSCS
AMMR
DirMaint
PSF/VM
DFSMS
How RACF Works with the Operating System
The RACROUTE Macro Interface and RACF’s Purpose
The RACROUTE macro interface on VM allows RACF to make control decisions for resource managers and application programs running in a virtual machine.
RACF provides the ability to control and audit a subset of VM commands, DIAGNOSE codes, and system functions.
RACF gives you the ability to:
Identify and authenticate users
Authorize users to access the protected resources
Log and report all attempts at unauthorized access to protected resources
Control the means of access to resources
Allow applications to use the RACF macros
Identifying and Authenticating Users
For a software access control mechanism to work effectively, RACF must be able to:
Identify the person who is trying to gain access to the system
Authenticate the user by verifying that the user is really that person
RACF uses a user ID, assigned by the security administrator, to identify the user and a password to authenticate that user.
A PassTicket can be generated by RACF or by another authorization function, such as Kerberos, as discussed earlier.
Checking Authorization
Logging and Reporting
Controlling Access to Resources
RACF protects general resources, such as minidisks, SFS files and directories, VM commands, user IDs, terminals, and printers.
When a user requests access to a resource that has a security classification (a security level, a list of categories, or both), RACF performs two checks, both of which must pass:
RACF compares the security level in the user profile with the security level in the resource profile; the user’s level must be at least as high as the resource’s
RACF compares the list of categories in the user’s profile with the list of categories in the resource profile; the user must hold every category the resource lists
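The two classification checks above, followed by the ordinary access-list and UACC comparison that RACF makes only once both have passed, as an added example written for this page (it is not IBM's RACF code). The user and resource profiles are constructed, the profile field names are illustrative, and group-level access-list entries are left out.

```python
"""Added example: RACF-style security-level and category checks ahead of the access list.
Not IBM code; profile layout is illustrative and group entries are omitted."""
ACCESS_AUTHORITY = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # RACF authorities, lowest first


def rank(auth: str) -> int:
    return ACCESS_AUTHORITY.index(auth)


def check_access(user: dict, resource: dict, requested: str):
    """Return (allowed, reason) for one request. Classification is checked first;
    a failure there is final regardless of what the access list says."""
    # Check 1 (security level): the user's level must be at least the resource's.
    res_level = resource.get("seclevel", 0)
    if user["seclevel"] < res_level:
        return False, f"SECLEVEL: user {user['seclevel']} < resource {res_level}"
    # Check 2 (categories): every category on the resource must be in the user's list.
    missing = set(resource.get("categories", ())) - set(user["categories"])
    if missing:
        return False, "CATEGORY: user lacks " + ", ".join(sorted(missing))
    # Both classification checks passed; now the access list, falling back to UACC
    # (standard RACF behaviour beyond what the slide describes; groups omitted here).
    if user["id"] in resource["acl"]:
        granted, source = resource["acl"][user["id"]], "access list"
    else:
        granted, source = resource.get("uacc", "NONE"), "UACC"
    if rank(granted) >= rank(requested):
        return True, f"{granted} via {source} covers {requested}"
    return False, f"{granted} via {source} does not cover {requested}"


# Constructed profiles
USERS = {
    "PAYADM": {"id": "PAYADM", "seclevel": 50, "categories": {"PAYROLL", "HR"}},
    "AUDITOR": {"id": "AUDITOR", "seclevel": 70, "categories": {"HR"}},
    "LINUX1": {"id": "LINUX1", "seclevel": 10, "categories": set()},
}
RESOURCES = {
    "PAYROLL.MDISK": {"seclevel": 40, "categories": {"PAYROLL"}, "uacc": "NONE", "acl": {"PAYADM": "UPDATE"}},
    "AUDIT.LOG": {"seclevel": 60, "categories": {"PAYROLL", "AUDIT"}, "uacc": "NONE", "acl": {"PAYADM": "ALTER"}},
    "PUBLIC.DOC": {"uacc": "READ", "acl": {}},   # no classification at all
}


def decide(user_id: str, resource_name: str, requested: str):
    return check_access(USERS[user_id], RESOURCES[resource_name], requested)


if __name__ == "__main__":
    for req in [("PAYADM", "PAYROLL.MDISK", "UPDATE"), ("PAYADM", "PAYROLL.MDISK", "ALTER"),
                ("PAYADM", "AUDIT.LOG", "READ"), ("AUDITOR", "AUDIT.LOG", "READ"),
                ("LINUX1", "PUBLIC.DOC", "READ"), ("LINUX1", "PAYROLL.MDISK", "READ")]:
        print(req, "->", decide(*req))
```

Note that PAYADM is on the access list of AUDIT.LOG with ALTER and is still refused: the discretionary entry never overrides the mandatory classification, which is why the two comparisons run first.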
How You Can Use RACF
Data security is the protection of data from accidental or deliberate unauthorized disclosure, modification, or destruction.
The security administrator, as the focal point for planning security at your installation, needs to:
Determine which RACF function to use
Identify the level of RACF protection
Identify which data RACF is to protect
Identify administrative structures
Set up the resources to be protected
RACF: Conclusion
RACF works together with the existing system features of z/VM to provide improved data security.
RACF can:
Protect installation-defined resources
Control access to protected resources
Store information for other products
Create centralized or decentralized control profiles
Be used with an ISPF panel interface or a command interface
Be made transparent to end users
Provide exits for installation-written routines
RACF also has the ability to identify and authenticate users, authorize users to access the protected resources, and log and report attempts at unauthorized access to protected resources.
Computer Associates: eTrust
Security remains one of the most pressing IT concerns today.
Most organizations are struggling to protect an increasing amount of disparate resources, allow for additional users, and manage the risk of malevolent threats and malicious attacks. CA eTrust was created to help solve these problems.
CA’s eTrust security management solutions provide a holistic approach to virtually all aspects of managing business security
A New Standard in Security
eTrust Identity Management
CA’s eTrust Identity Manager centralizes and automates the creation of user accounts, holistically provisioning both IT and non-IT resources while reducing costs through process automation
The eTrust Identity Management solution set includes:
eTrust Admin
eTrust Directory
eTrust OCSPro
eTrust PKI
eTrust Single Sign-On
eTrust Access Management
Employees, business partners, and customers require secure access to business-critical applications spanning disparate platforms and operating systems
CA’s eTrust Access Management solutions secure business-critical assets by centralizing and strengthening security from end to end, regardless of operating system, platform or business application, and whether or not resources are web-based
eTrust Threat Management
Today’s organizations want to profit from the power of the Internet and improve communication channels without exposing themselves to attacks and threats.
CA’s eTrust Threat Management solutions effectively and cost-efficiently detect, analyze, warn, prevent and cure attacks across IT environments.
eTrust Security Command Center
CA developed an innovative solution that transforms security information into business security intelligence.
Its centralized command and control capability improves administrator efficiencies and helps reduce costs while integration and automation improve effectiveness and enhance security.
eTrust Security Command Center includes:
Advance Management Technology
eTrust Audit
eTrust 20/20
eTrust: Conclusion
CA’s strategy is to protect your investment in computer resources by continually enhancing the eTrust product; their key strategic objectives include:
Maintaining technological superiority
Exploiting new technology
Extending security controls
Integrating security across platforms
Streamlining security administration
CA eTrust can help manage your z/VM system to deter malicious and harmful attacks.
Conclusion
The major objective of computer security functions is to put hardware, software, and data out of danger from loss caused by malicious attacks and unauthorized access.
z/VM is an operating system with many security features built in. For added security, customers use such products as:
IBM RACF/VM
CA eTrust
Glossary
Common Cryptographic Architecture (CCA) – defines a set of cryptographic functions, external interfaces, and key management rules that pertain to both DES and PKA
Control Vector (CV) – A fixed pattern defined for each key type that the cryptographic facility exclusively ORs with the Master Key to produce a Master Key variant that is used to encrypt the key.
Data Encryption Standard (DES) – a cipher based on a symmetric algorithm
Decryption – Converting data back to its original form
Encryption – Translating data into a form where the only practical way to reconstruct it is by knowing a specific algorithm and a key
External Security Manager (ESM) – any security product not part of the basic z/VM system, such as RACF and eTrust
PCI – A 32-bit bus that normally runs at a maximum of 33 MHz, which is controlled by special circuitry in the chipset designed to handle PCI
PCICA – another crypto coprocessor designed specifically for exploitation by SSL
PCICC – enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability
References
Altmark, Alan. z/VM Security and Integrity. IBM Corporation, May 2002.
Cummings, Glinda. eTrust Security for z/OS and OS/390. Computer Associates, March 2003.
IBM. RACF General Information, Version 1 Release 10. GC28-0722-19, August 2003.
IBM. zSeries Crypto Guide Update. 2003.
Summers, R. C. An overview of computer security. IBM Systems Journal, 1984.
Vincent, Jim. VM Security Overview and ESM Options. SHARE, March 2002.