With cyber security and cyber resiliency top priorities for organizations, is enough focus given to the wider network, asks Tony Amies of Vertali
How can you confirm that your network access control settings are correct and are working as intended?
How can you make sure you’re detecting and so responding to new or unexpected network activity to and from the mainframe?
How can you ensure access for everyone who needs it, authorized users only, while denying everyone else?
In a connected world, cyber criminals see the mainframe as just another server to be hacked, and its data to be harvested. Until relatively recently, mainframers never really considered the wider network connecting into and out of the mainframe, and all the potential risks that poses, at least not in great detail. There has also been the mistaken belief that the mainframe is inherently secure. It’s not.
The mainframe no longer exists in splendid isolation; we have to lift our heads and constantly scan the horizon for new threats like never before. One of the many things on our “to do” list is finding a way to detect, monitor and, if wanted, enforce the correct levels of network access in a way that doesn’t suck in too much time, effort and costs. Ensuring your network security policies are correct and regularly updated is critical. And the key element in achieving that is having a full, accurate and constantly updated picture of your network resources, connections, and traffic patterns.
You may, for example, have applications to which all connectivity must be encrypted or systems that no longer need to access certain applications and should be isolated, for regulatory or compliance purposes. You may be giving access to people and systems who simply shouldn’t have that access. And we know there are bad actors out there, as well as insider threats, keen to access our systems, applications and data for their own nefarious ends.
Too many connections, not enough visibility
While many mainframe sites can have a reasonable view on who’s using applications at the userid level, most don’t have an up-to-date and accurate picture of real-life network activity.
The original objective of TCP/IP was to allow any-to-any connectivity with minimal configuration. However, this conflicts with security policies that aim to limit connectivity to only those authorized to do so. While some controls are available in z/OS Communications Server and SAF to limit TCP/IP connectivity, the default for many sites is to allow all connections. For example, TCP Ports can be protected by SAF so that only permitted applications can open them, but there are often no controls on which remote IP devices can access these applications. Although it’s common to protect TCP Ports known to be in use, it’s also common for the remaining ports (potentially more than 64,000) not to be controlled. Mainframe network security is not just limited to simple TCP connections, TN3270 for example provides a gateway to legacy VTAM applications running on any connected system, often with the data transported in clear across UDP protocols. Your encrypted TN3270 data may actually be unencrypted for part of its journey to the application.
Most security mechanisms focus on incoming IPv4 TCP connections, but few look at controlling outbound connections too. Without specific controls in place, any user can initiate an outbound connection to a remote system, and hackers use outbound connections as a backdoor to mainframe services. In this escalating threat landscape, you want to understand from where users are coming, attempted but rejected connections to applications, attempted connections to closed ports, outbound connection activity, UDP activity, IPv6 activity, and so on.
The problem is that many of these metrics are not readily available in typical SMF records and, even for the ones that are, the volume of SMF records required on a production system would typically be unacceptable. This is where network discovery comes in: a full and accurate analysis of network activity involving the mainframe without having to depend on high volume SMF processing.
Discover your network and take control
Opportunities presented by network discovery include, for example, the ability to limit application access to a specific network segment or specific network device, providing that additional layer of security. Co-existing with controls managed by the z/OS Enterprise Security Manager (ESM) – RACF, ACF2, TSS – network micro-segmentation is a way to better protect specific applications or entire systems and ensure compliance with standards such as PCI DSS, HIPPAA and GDPR.
You can use standard SAF controls and commands to isolate specific parts of the mainframe environment at the network level. You then control access by permitting network segments to access specific TCPIP and VTAM applications – rather than blocking or enabling access to the mainframe in its entirety. Such an approach means you reduce the number in scope, focusing your security policies on only the segments needed. And while it is possible to do this manually, the time and costs can make it prohibitive for large and complex organizations.
What is accessing your mainframe network, and how?
Encryption is another important aspect. You need to be able to detect whether connections are encrypted or not, and implement your network segmentation based on that. In other words, defining a SAF permission to allow a network segment to access a specific application but only if the connection is encrypted. All unencrypted connections would be blocked.
The important thing is always knowing exactly what is accessing (or trying to access) your network, compiling and mapping a comprehensive and constantly updated network knowledge base. When you have controls in place, you need to be confident they are working and in the dynamic world of modern networks, changes are detected so controls can be updated. Knowledge is power, as they say. You want a solution that avoids the tedious complexities involved in manually creating and maintaining policy agent access control lists. Organizations want to reduce the time, effort and costs involved in ensuring and proving compliance, with easier reporting for audits.
All such efforts contribute to improved cyber resiliency and more secure operations in general as we move closer towards a Zero Trust security stance.
A specialist in designing and developing leading-edge system software products, Tony Amies has more than 40 years’ experience in IBM z mainframes and related fields. A recognized expert in networking and communications, he is Software Technical Director at Vertali. www.vertali.com