z/VM Module 12: Security

© 2004 IBM Corporation


Objectives

What fundamental needs for computer security were identified in the early days of computing?

List and explain the four major security techniques used to protect any computer system

Explain the four overall aspects of z/VM system security


Objectives continued

Describe the major z/VM security features:

  • User authentication
  • Authorization
  • Intrusion detection
  • Virtual processor security
  • Data in memory protection
  • Disk, tape storage, and virtual I/O protection
  • Virtual networking

Describe the cryptography support on zSeries and how it is used


Objectives, continued

List and describe the z/VM best practices for security

Describe the major functions of the IBM security product RACF

Describe the major functions of the Computer Associates security product eTrust


An Overview of Computer Security

The spread of computing and the fear of attacks on information have increased security awareness and the need for protection

Technical and administrative measures can be considered under these four categories:

User authentication

Logging/Auditing

Encryption

Communication and Networking


User Authentication Techniques

A prerequisite for almost any kind of security is accurate user identification.

All password schemes have problems. Other more promising technologies are:

Voice recognition

Hand/fingerprint identification

Signature analysis

Digital certificates


Logging

Logging consists of recording events so that they can be monitored at a later time.

A typical entry in a log might include:

  • The user's identity
  • A transaction or job identifier
  • The name of the object being accessed

Useful features in a logging facility include:

  • Ways to specify the events to be logged within a minimal amount of time
  • Ways to start and stop logging of selected events dynamically
  • Programs to generate reports from the log


Encryption

To encrypt data means to transform it into a form that cannot be understood until it is retransformed to its original form.

The encrypted data is only useful to someone who possesses the special knowledge needed to restore it to its original form.

These processes may be expressed as follows, where k is the key:

  Encryption: C = E_k(P)

  Decryption: P = D_k(C)


Communication and Network Security

The transmission mechanisms used for data communications are vulnerable to two types of intrusion:

  • A passive intruder listens to the communications
  • An active intruder can alter, insert, or redirect messages

These vulnerabilities are of great importance in financial transaction (cash flow) applications


z/VM and System Security

z/VM security deals with these issues:

  • Sharing
  • Isolation
  • Reconfiguration
  • Management of resources

Without better awareness of good data-security practices, advances in computer literacy could result in a higher likelihood of unauthorized persons accessing, modifying, or destroying data, either inadvertently or deliberately.


z/VM: User Authentication

Once the user supplies the user ID and password, CP validates the information.

The only way to gain access to sensitive material is by using the correct password.

Remote access protocols such as rexec, ftp, and nfs require the client to authenticate using a z/VM user ID and password.

Network applications for z/VM can provide a Kerberos server and the programming interfaces that permit programs to take advantage of Kerberos authentication and encryption facilities.


z/VM: Authorization

Once logged into the z/VM system, virtual machine users can access various types of resources within the z/VM system, including:

  • Entire DASD volumes
  • Minidisks
  • Tape drives
  • Network adapters
  • User files
  • System files

The security facility provided by z/VM can be enhanced according to any special or specific requirements of the customer's environment by adding an External Security Manager (ESM).


z/VM: Intrusion Detection

As an element of the z/VM intrusion detection capabilities, if a logon is denied, the denial is tracked and a security journal record is written once the number of denials exceeds an installation-defined maximum.

When a second, higher maximum is reached, logon to that user ID is disabled, an operator message is issued, and the terminal session is terminated.

The TCP/IP component of z/VM will detect and report network intrusions such as:

  • Smurf
  • Fraggle
  • Ping o' Death
  • SYN flood
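The two-threshold logon-denial tracking described on this slide, written out as an added example (this is not CP code; the threshold values, the journal record layout and the operator message text are assumptions made for the illustration):

```python
"""Logon-denial tracking with two installation-defined thresholds.

Added example modelled on the behaviour the slide describes; it is not
CP code. The threshold values, the journal record layout and the
operator message text are assumptions made for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class DenialTracker:
    # Assumed installation values: journal once denials exceed journal_max,
    # disable the user ID once they exceed disable_max.
    journal_max: int = 3
    disable_max: int = 5
    denials: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)
    journal: list = field(default_factory=list)
    operator_messages: list = field(default_factory=list)

    def logon(self, userid: str, password_ok: bool) -> str:
        """Process one logon attempt and return its outcome:
        OK, DENIED, JOURNALED (denied and recorded) or DISABLED."""
        userid = userid.upper()
        if userid in self.disabled:
            # Stays disabled until an operator re-enables the user ID;
            # even a correct password does not get through.
            return "DISABLED"
        if password_ok:
            self.denials[userid] = 0      # a successful logon resets the count
            return "OK"
        count = self.denials.get(userid, 0) + 1
        self.denials[userid] = count
        if count > self.disable_max:
            # Second maximum: disable logon, tell the operator, drop the session.
            self.disabled.add(userid)
            self.journal.append(("DISABLE", userid, count))
            self.operator_messages.append(
                f"LOGON DISABLED FOR {userid}: {count} DENIALS, SESSION TERMINATED")
            return "DISABLED"
        if count > self.journal_max:
            # First maximum: keep denying, but write a security journal record.
            self.journal.append(("DENIAL", userid, count))
            return "JOURNALED"
        return "DENIED"


def replay(tracker: DenialTracker, attempts) -> list:
    """Feed (userid, password_ok) pairs, e.g. reconstructed from a console
    log, and return the outcome of each attempt in order."""
    return [tracker.logon(user, ok) for user, ok in attempts]


# Constructed attempt sequence: a password-guessing run against GUEST1,
# then a typo followed by a good logon from MAINT.
SAMPLE_ATTEMPTS = [("guest1", False)] * 6 + [("maint", False), ("maint", True)]

if __name__ == "__main__":
    tracker = DenialTracker()
    for (user, _), outcome in zip(SAMPLE_ATTEMPTS, replay(tracker, SAMPLE_ATTEMPTS)):
        print(f"{user.upper():8} {outcome}")
    print(tracker.journal)
    print(tracker.operator_messages)
```

Note that a correct password does not clear the disabled state: once the second maximum has been reached the user ID stays unusable until an operator intervenes, which is what stops an attacker who finally guesses right from walking in.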


z/VM: Virtual Processor Security

The z/VM CP defines and assigns virtual processors to the virtual machine.

If the operating system running in the virtual machine is capable of using multiple processors, it will dispatch its workload on its virtual processors as if it were running in a dedicated hardware environment.

Overall, there is no significant security risk if the virtual, logical, or physical processor configuration is changed or dispatched on different physical processors.


z/VM: Data in Memory Protection

Each virtual machine has its own virtual address space, which is its main memory.

When a virtual machine touches a page that is no longer in real storage, a page fault occurs and the CP brings the missing virtual page back into real storage.

The CP also allows the sharing of virtual pages by a number of virtual machines.

To protect sensitive data from exposure, it is possible to use shared segments to restrict other guests from accessing the data without explicit authorization.


z/VM: Disk, Tape Storage Protection and Virtual I/O

z/VM partitions DASD volumes into minidisks to be owned and accessed by individual virtual machines.

DirMaint is an additional priced feature that allows a user to manipulate and control DASD volumes and minidisks.

z/VM creates temporary minidisks (T-disks), which last only until they are detached or the virtual machine logs off.

z/VM can also create virtual minidisks (VDISKs), which are actually mapped into real storage.


z/VM: Virtual Networking

Communication between virtual machines is provided by various devices or facilities that are unique to the z/VM operating system.

Virtual networks should be planned with the same care and attention to security as would be taken for a real, physical network.

Some virtual network devices are:

  • HiperSockets
  • Guest LANs
  • Virtual Channel-To-Channel (VCTC)
  • Inter-User Communication Vehicle (IUCV)


Cryptography on the zSeries

The IBM CCA defines a set of cryptographic functions, external interfaces, and key management rules that pertain both to the DES and to PKA.

The DES is based on symmetric algorithms and the PKA on asymmetric algorithms. Together, they provide a consistent, end-to-end, cryptographic architecture across different IBM platforms.

Control vectors are fixed patterns, one defined for each key type, that the cryptographic facility exclusive-ORs with the master key to produce a master key variant; the operational key is enciphered under that variant, so the key can only be recovered for the purpose its control vector encodes.
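The encryption and decryption notation of the earlier Encryption slide (C = E_k(P), P = D_k(C)) and the control-vector key binding described here, carried through in one added example. This is not IBM CCA code: the cipher is a stand-in built from HMAC-SHA256 in counter mode so the block runs with only the standard library (CCA uses DES here), and the control-vector bit patterns are invented.

```python
"""Key-controlled encryption (C = E_k(P), P = D_k(C)) and control-vector
key binding (master key variant = master key XOR control vector).

Added example, not IBM CCA code. The cipher is a stand-in built on
HMAC-SHA256 in counter mode so the block runs with the standard library;
CCA uses DES for this. The control-vector bit patterns are invented.
"""
import hashlib
import hmac

# Assumed control vectors: one fixed pattern per key type (values invented).
CONTROL_VECTORS = {
    "DATA":     bytes.fromhex("00007d0003410000"),   # data-encrypting key
    "MAC":      bytes.fromhex("00004d0003410000"),   # MAC-generating key
    "EXPORTER": bytes.fromhex("00417d0003410000"),   # key-encrypting key
}


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in keyed pseudorandom stream: HMAC-SHA256 over a counter.
    (A real stream cipher would also mix in a nonce; omitted for clarity.)"""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C = E_k(P): XOR the plaintext with a key-dependent stream."""
    stream = _keystream(key, len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """P = D_k(C): with an XOR stream the same operation undoes E_k."""
    return encrypt(key, ciphertext)


def master_key_variant(master_key: bytes, key_type: str) -> bytes:
    """Master key XOR the control vector for this key type."""
    cv = CONTROL_VECTORS[key_type]
    if len(master_key) != len(cv):
        raise ValueError("master key and control vector lengths differ")
    return bytes(m ^ c for m, c in zip(master_key, cv))


def wrap_key(master_key: bytes, key_type: str, operational_key: bytes) -> bytes:
    """Encipher an operational key under the variant for its declared type."""
    return encrypt(master_key_variant(master_key, key_type), operational_key)


def unwrap_key(master_key: bytes, key_type: str, wrapped: bytes) -> bytes:
    """Recover the operational key; only the matching type yields the real key."""
    return decrypt(master_key_variant(master_key, key_type), wrapped)


if __name__ == "__main__":
    mk = bytes.fromhex("0011223344556677")          # constructed master key
    data_key = bytes.fromhex("89abcdef01234567")    # constructed DATA key
    token = wrap_key(mk, "DATA", data_key)
    ct = encrypt(data_key, b"payroll minidisk contents")
    print(decrypt(unwrap_key(mk, "DATA", token), ct))   # correct type: plaintext
    print(decrypt(unwrap_key(mk, "MAC", token), ct))    # wrong type: garbage
```

The point of the last two lines: a key token wrapped as a DATA key, if presented to the facility as a MAC key, unwraps to a different value, so it cannot be misused for data decryption. The type is bound into the wrapping, not merely recorded beside it.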


Crypto Support for z/VM

The PCICC enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability.

The z90crypt driver available for Linux for zSeries and S/390 exploits the PCICC and PCICA cryptographic hardware for those asymmetric algorithms used by SSL.

A z/VM system can support the use of all three cryptographic options simultaneously by different guests on a z/VM system.


Best z/VM Security Practices

These are a set of security suggestions:

After installing a new z/VM system, remember to change the default logon and minidisk passwords for all users in the system directory.

Do not give virtual machines more authority than they require.

Use an External Security Manager.

Use a z/VM directory management product.

Implement a password management policy.
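A check for the first two suggestions above (shipped default passwords, and virtual machines holding more authority than they need), as an added example rather than an IBM tool. The directory excerpt is constructed, and the statement layout assumed is `USER userid password storage maxstorage privclasses` followed by `MDISK vaddr devtype start end volser mode [readpw [writepw [multpw]]]`; only those two statements are examined.

```python
"""Audit a z/VM user directory (USER DIRECT) for the defaults the slide
says to change: logon passwords still equal to the user ID and minidisk
link passwords left at READ/WRITE/MULTIPLE or ALL, plus user IDs holding
privilege classes beyond the general-user class G.

Added example, not an IBM tool. The directory excerpt is constructed;
the statement layout assumed is
  USER userid password storage maxstorage privclasses
  MDISK vaddr devtype start end volser mode [readpw [writepw [multpw]]]
Only those two statements are examined; everything else is skipped.
"""
import re
from dataclasses import dataclass
from typing import List

# Passwords that let any user LINK (ALL) or that are the shipped defaults.
WEAK_MDISK_PASSWORDS = {"ALL", "READ", "WRITE", "MULTIPLE"}
# Special logon "passwords" meaning the ID cannot be logged on to directly.
NO_LOGON = {"NOLOG", "AUTOONLY"}
# Link modes (R, RR, W, WR, M, MR, MW, ...); the passwords follow the mode.
MODE_RE = re.compile(r"^[RWM][RWV]?$")
PRIVILEGED_CLASSES = set("ABCDEF")   # anything beyond the general-user class G


@dataclass
class Finding:
    userid: str
    severity: str      # HIGH, MEDIUM or INFO
    message: str


def audit_directory(text: str) -> List[Finding]:
    findings: List[Finding] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or comment
            continue
        parts = line.split()
        stmt = parts[0].upper()
        if stmt == "USER":
            current = parts[1].upper()
            password = parts[2].upper()
            classes = parts[5].upper() if len(parts) > 5 else "G"
            if password not in NO_LOGON and password == current:
                findings.append(Finding(current, "HIGH",
                                "logon password equals user ID (shipped default)"))
            extra = sorted(set(classes) & PRIVILEGED_CLASSES)
            if extra:
                findings.append(Finding(current, "INFO",
                                f"holds privilege classes {''.join(extra)}; confirm they are needed"))
        elif stmt == "MDISK" and current:
            vaddr = parts[1].upper()
            # The mode token comes after the extent/volser fields; tokens after it
            # are the read, write and multiple-write link passwords (if any).
            mode_idx = next((i for i in range(3, len(parts))
                             if MODE_RE.match(parts[i].upper())), None)
            if mode_idx is None:
                continue
            for kind, pw in zip(("read", "write", "multi"), parts[mode_idx + 1:]):
                pw = pw.upper()
                if pw in WEAK_MDISK_PASSWORDS:
                    findings.append(Finding(current, "HIGH",
                                    f"minidisk {vaddr} {kind} password is {pw}"))
                elif pw == current:
                    findings.append(Finding(current, "MEDIUM",
                                    f"minidisk {vaddr} {kind} password equals user ID"))
    return findings


# Constructed USER DIRECT excerpt (not taken from any real system).
SAMPLE_DIRECT = """\
* Sample directory excerpt
USER MAINT MAINT 128M 1000M BG
 MDISK 0191 3390 0100 0010 VMUSR1 MR READ WRITE MULTIPLE
 MDISK 0CF1 3390 0110 0020 VMUSR1 MR ALL WRITE MULTIPLE
USER OPERATOR OPERATOR 32M 32M ABCDEFG
USER LINUX01 S3CRETPW 512M 1G G
 MDISK 0191 3390 0200 0050 VMUSR1 MR RLX5F9 WR2M7Q MU8K3Z
 MDISK 0192 FB-512 V-DISK 100000 MR
USER NOLOGUSR NOLOG 32M 32M G
 MDISK 0191 3390 0250 0005 VMUSR1 MR READ
"""

if __name__ == "__main__":
    for f in audit_directory(SAMPLE_DIRECT):
        print(f"{f.severity:6} {f.userid:8} {f.message}")
```

A minidisk with no link passwords at all is not flagged: without a password, a LINK from another virtual machine is refused unless the requester's privilege class or an ESM allows it. Once an ESM controls minidisk links the directory passwords stop being the deciding control, but the shipped defaults should still be replaced so that nothing depends on them.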


Security Products

IBM RACF/VM

Computer Associates eTrust


RACF: Overview

RACF works together with the existing system features of VM to provide improved data security. RACF provides these features:

Protection of installation-defined resources

Flexible control of access to protected resources

The ability to store information for other products

A choice of centralized or decentralized control profiles

An ISPF panel interface and a command interface

Transparency to end users

Exits for installation-written routines


RACF: Storage Capabilities of Other Products

RACF provides additional support for interaction with:

  • VM RSCS
  • AMMR
  • DirMaint
  • PSF/VM
  • DFSMS


How RACF Works with the Operating System


The RACROUTE Macro Interface and RACF’s Purpose

The RACROUTE macro interface on VM allows RACF to make control decisions for resource managers and application programs running in a virtual machine.

RACF provides the ability to control and audit a subset of VM commands, diagnosis codes, and system functions.

RACF gives you the ability to:

  • Identify and authenticate users
  • Authorize users to access the protected resources
  • Log and report all attempts of unauthorized access to protected resources
  • Control the means of access to resources
  • Allow applications to use the RACF macros


Identifying and Authenticating Users

For a software access control mechanism to work effectively, RACF must be able to:

  • Identify the person who is trying to gain access to the system
  • Authenticate the user by verifying that the user is really that person

RACF uses a user ID, set up by the security administrator, to identify the user and a password to authenticate that user.

A PassTicket can be generated by RACF or by another authorization function, such as Kerberos, as discussed earlier.


Checking Authorization


Logging and Reporting


Controlling Access to Resources

RACF protects general resources, such as minidisks, SFS files and directories, VM commands, user IDs, terminals, and printers.

When a user requests access to a resource that has a security classification, RACF performs two checks:

RACF compares the security level in the user and resource profiles

RACF compares the list of categories in the user’s profile with the list of categories in the resource profile
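The two classification checks just listed, written out as an added example (this is not RACF code; the level names and numbers and the category names are invented for the illustration, and the rule implemented is exactly the one on the slide: the user's security level must be at least the resource's, and every category in the resource profile must also appear in the user's).

```python
"""RACF-style classification check: security level plus categories.

Added example, not RACF code. The level names and numbers and the
category names are invented; the rule is the one on the slide: the user's
security level must be at least the resource's, and every category in the
resource profile must also appear in the user's profile.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed installation-defined security levels (higher = more sensitive).
SECLEVELS = {"UNCLASSIFIED": 10, "CONFIDENTIAL": 50, "SECRET": 90}


@dataclass(frozen=True)
class Profile:
    name: str
    seclevel: Optional[str] = None                   # None: no level assigned
    categories: FrozenSet[str] = frozenset()


def classification_check(user: Profile, resource: Profile) -> Tuple[bool, str]:
    """Return (passed, reason) for the two checks the slide describes.

    Passing only means the classification does not block the request; the
    resource's access list is still consulted afterwards, so this is a
    necessary condition, not a grant."""
    if resource.seclevel is None and not resource.categories:
        return True, "resource carries no security classification"
    # Check 1: compare the security level in the user and resource profiles.
    if resource.seclevel is not None:
        if user.seclevel is None:
            return False, f"user has no security level; resource requires {resource.seclevel}"
        if SECLEVELS[user.seclevel] < SECLEVELS[resource.seclevel]:
            return False, f"user level {user.seclevel} is below resource level {resource.seclevel}"
    # Check 2: every category on the resource must be in the user's list.
    missing = resource.categories - user.categories
    if missing:
        return False, f"user lacks categories {sorted(missing)}"
    return True, "security level and categories satisfied"


if __name__ == "__main__":
    alice = Profile("ALICE", "CONFIDENTIAL", frozenset({"PAYROLL", "HR"}))
    for res in (Profile("PAYROLL.191", "CONFIDENTIAL", frozenset({"PAYROLL"})),
                Profile("AUDIT.191", "SECRET", frozenset({"PAYROLL"})),
                Profile("LEGAL.191", "UNCLASSIFIED", frozenset({"LEGAL"}))):
        print(res.name, classification_check(alice, res))
```

The third case in the demo is the one people get wrong: a resource at a lower level than the user is still denied when it carries a category the user does not hold, because the two checks are independent and both must pass.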


How You Can Use RACF

Data security is the protection of data from accidental or deliberate unauthorized disclosure, modification, or destruction.

The security administrator, as the focal point for planning security at your installation, needs to:

Determine which RACF function to use

Identify the level of RACF protection

Identify which data RACF is to protect

Identify administrative structures

Set up the resources to be protected


RACF: Conclusion

RACF works together with the existing system features of z/VM to provide improved data security.

RACF can:

  • Protect installation-defined resources
  • Control access to protected resources
  • Store information for other products
  • Create centralized or decentralized control profiles
  • Be used with an ISPF panel interface or a command interface
  • Be made transparent to end users
  • Provide exits for installation-written routines

RACF also has the ability to identify and authenticate users, authorize users to access the protected resources, log and report various attempts of unauthorized access to protected resources, etc.


Computer Associates: eTrust

Security remains one of the most pressing IT concerns today.

Most organizations are struggling to protect an increasing amount of disparate resources, allow for additional users, and manage the risk of malevolent threats and malicious attacks. CA eTrust was created to help solve these problems.

• CA’s eTrust security management solutions provide a holistic approach to virtually all aspects of managing business security


A New Standard in Security


eTrust Identity Management

CA’s eTrust Identity Manager centralizes and automates the creation of user accounts, holistically provisioning both IT and non-IT resources while reducing costs through process automation

The eTrust Identity Management solution set includes:

  • eTrust Admin
  • eTrust Directory
  • eTrust OCSPro
  • eTrust PKI
  • eTrust Single Sign-On


eTrust Access Management

Employees, business partners, and customers require secure access to business-critical applications spanning disparate platforms and operating systems

CA’s eTrust Access Management solutions secure business-critical assets by centralizing and strengthening security from end to end, regardless of operating system, platform or business application, and whether or not resources are web-based


eTrust Threat Management

Today’s organizations want to profit from the power of the Internet and improve communication channels without exposing themselves to attacks and threats.

CA’s eTrust Threat Management solutions effectively and cost-efficiently detect, analyze, warn, prevent and cure attacks across IT environments.


eTrust Security Command Center

CA developed an innovative solution that transforms security information into business security intelligence.

Its centralized command and control capability improves administrator efficiencies and helps reduce costs while integration and automation improve effectiveness and enhance security.

eTrust Security Command Center includes:

  • Advance Management Technology
  • eTrust Audit
  • eTrust 20/20


eTrust: Conclusion

CA’s strategy is to protect your investment in computer resources by continually enhancing the eTrust product; their key strategic objectives include:

  • Maintaining technological superiority
  • Exploiting new technology
  • Extending security controls
  • Integrating security across platforms
  • Streamlining security administration

CA eTrust can help manage your z/VM system to deter malicious and harmful attacks.


Conclusion

The major objective of computer security functions is to put hardware, software, and data out of danger from loss caused by malicious attacks and unauthorized access.

z/VM is an operating system with many security features built in. For added security, customers use such products as:

IBM RACF/VM

CA eTrust


Glossary

Common Cryptographic Architecture (CCA) – defines a set of cryptographic functions, external interfaces, and key management rules that pertain to both DES and PKA

Control Vector (CV) – A fixed pattern defined for each key type that the cryptographic facility exclusively ORs with the Master Key to produce a Master Key variant that is used to encrypt the key.

Data Encryption Standard (DES) -- is based on a symmetric algorithm

Decryption – Converting data back to its original form

Encryption – An attempt to translate data into a form where the only practical way to reconstruct it is by knowing a specific algorithm and a key


Glossary

External Security Manager (ESM) -- any security product not originally installed in the basic z/VM system, such as RACF and eTrust

PCI – A 32-bit bus that normally runs at a maximum of 33 MHz, which is controlled by special circuitry in the chipset designed to handle PCI

PCICA – another crypto coprocessor designed specifically for exploitation by SSL

PCICC – enhances the encryption capabilities of zSeries servers by providing additional scalability and programmability


References

Altmark, Alan. z/VM Security and Integrity. IBM Corporation, May 2002

Cummings, Glinda. eTrust Security for z/OS and OS/390. Computer Associates, March 2003.

IBM. RACF General Information, Version 1 Release 10. GC28-0722-19, August 2003.


IBM, zSeries Crypto Guide Update. 2003

Summers, R. C. An overview of computer security. IBM Systems Journal, 1984.

Vincent, Jim. VM Security Overview and ESM Options. SHARE, March 2002.