Security Information & Event Management Blog | SIEM

Guest blog post, z/OS security, from Barry Schrager Part 6 of 7: Is the network connected to your mainframe secure?

Posted by Barry Schrager on Apr 20, 2016 12:00:00 PM

This segment of my series was authored by Peter Hager and Earl Rasmussen of Net’Q. I thank them for their input, since the network connected to our mainframes must also be secured.

In today’s world we are all connected. There was a time when mainframe access was reserved to the datacenter. Those days are long gone.

The evolution of the internet, emergence of cloud computing and increased mobility have made computing a near ubiquitous environment. Users and businesses have capabilities that a decade ago were unimaginable. Yet, the mainframe remains the backbone infrastructure to support this continued evolution and growth enabling access to information anytime and anywhere. These new capabilities provide significant business benefits in productivity and improved customer satisfaction but not without challenges. A key challenge is to ensure we realize the evolving threats and secure this emerging and promising environment.

Is your network secure? How do you secure it? Do you use single sign-on, multi-factor authentication, encryption or firewalls? How do you manage your mobile environment? Are sessions encrypted? Are session parameters configured securely? Are sessions arriving through a secure port? Are security certificates reliable? How do you know? Have you implemented an IP-based firewall? How do you secure your underlying System Network Architecture (SNA) / Advanced Peer-to-Peer Networking (APPN) network? How do you ensure mobile and BYOD connections are secure? There are so many potential vulnerabilities. Moreover, the growth of the mobile workforce and BYOD implementation create even more considerations, especially in the realm of security.


Many of our critical systems lie behind IP firewalls. Often, we seem to be satisfied with our network firewall to protect the network. However, Internet Protocol (IP) security is not enough. This layer provides a false sense of security. While many mainframe applications have migrated to a TCP/IP network transport interface, they retain their reliance internally on SNA / APPN. Despite the move to TCP/IP as a transport mechanism, SNA-based applications have continued to increase and remain a foundation of how mainframe applications communicate. The transition to SNA occurs at the edges, after traffic has passed through the IP firewall. Unfortunately, the IP firewall does not protect against vulnerabilities in the SNA / APPN environment.

Have you optimized security features for your SNA/APPN sessions? Is the trusted neighbor system really trusted? Hundreds of parameters affect security during session initiation. These parameters may affect areas such as how a neighbor system is treated and whether it is authenticated or not; whether the Security Authentication Facility (ACF2, RACF, TSS) is even engaged; or what the Subarea Network Visit Count (SNVC) is, which determines how widely searches (Resource Discovery Search (RDS) / Search and Locate) may be broadcast across the network.

Let’s look at a couple of examples:

Session Hijacking / Man in the Middle. This method may include session rerouting or session hijacking. Hence, even secure logins and passwords become ineffective. The session is rerouted until a secure session has been established; it is then redirected to the penetrating system. We examined one system and identified that rogue intermediate software (a man in the middle) was tracking user usage and performing switching functions to enable an outside party to execute transactions that appeared completely authorized. We discovered that the infiltration had been going on for over 8 months, completely undetected. The system compromise occurred using SNA/APPN/APPC-based protocols from outside the organization’s network.

User Data. An analysis of a large organization revealed that USERDATA was being transmitted during “RDS / Search and Locate requests” and “session initiation requests”. Confidential information was transmitted unsecured by means of the broadcast. This essentially enabled third parties external to the organization to obtain the confidential information and initiate fraudulent logins and transactions using authorized user credentials. In this scenario, USERDATA can be transmitted without an actual session/connection being established. Moreover, this unencrypted USERDATA is accessible at each Control Point (CP) along the session/search route, despite any use of TCP/IP encryption.

Mobile applications are ever increasing and support multiple functions that require access to enterprise/mainframe servers. Estimates are that increased mobility has resulted in an over 40% increase in mainframe processing. Applications may include banking, investment, procurement, logistics, locations, social media, travel and many more. There are even publicly available mobile applications that allow for TN3270 terminal emulation and direct connection to mainframe systems via mobile devices. Correspondingly, mobile attacks have significantly increased. In the past year, mobile-based attacks have jumped over 500%. Moreover, it is estimated that over 50% of TN3270 connections through the internet to mainframes are unencrypted. Yes, that means user data, logins, passwords, etc. traveling unencrypted through who knows where. How do you manage your mobile workforce? Who? How? Where? What? Secure or Unsecure?
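One concrete way to answer the unencrypted-TN3270 question above (and the earlier question of whether sessions arrive through a secure port) is to audit the TN3270E server's own port definitions. The following is an added example, not code from the article or from CorreLog or Net’Q: the profile fragment is constructed, and the TELNETPARMS / PORT / SECUREPORT / CONNTYPE statement names and the CONNTYPE defaults are my assumptions about z/OS syntax, to be confirmed against your release's documentation.

```python
# Constructed TN3270E Telnet server profile fragment (sample input, not from the article).
# Statement names follow the z/OS TELNETPARMS syntax as I understand it; confirm them
# against your release's IP Configuration Reference before relying on this check.
SAMPLE_PROFILE = """
TELNETPARMS                      ; cleartext port
  PORT 23
ENDTELNETPARMS
TELNETPARMS                      ; TLS-only port backed by a SAF key ring
  SECUREPORT 992
  KEYRING SAF TN3270RING
  CONNTYPE SECURE
ENDTELNETPARMS
TELNETPARMS                      ; TLS port that still lets a client connect in the clear
  SECUREPORT 2023
  KEYRING SAF TN3270RING
  CONNTYPE ANY
ENDTELNETPARMS
"""

def parse_telnetparms(profile):
    """Return one dict per TELNETPARMS block: port, secure (SECUREPORT?), conntype."""
    ports, cur = [], None
    for raw in profile.splitlines():
        tokens = raw.split(";")[0].split()   # ';' starts a profile comment
        if not tokens:
            continue
        kw = tokens[0].upper()
        if kw == "TELNETPARMS":
            cur = {}
        elif kw == "ENDTELNETPARMS" and cur is not None and "port" in cur:
            # assumption: CONNTYPE defaults to SECURE on a SECUREPORT, BASIC on a PORT
            cur.setdefault("conntype", "SECURE" if cur["secure"] else "BASIC")
            ports.append(cur)
            cur = None
        elif cur is not None and kw in ("PORT", "SECUREPORT"):
            cur["port"], cur["secure"] = int(tokens[1]), kw == "SECUREPORT"
        elif cur is not None and kw == "CONNTYPE":
            cur["conntype"] = tokens[1].upper()
    return ports

def audit(ports):
    """Return (port, finding) pairs for definitions that permit a cleartext 3270 session."""
    findings = []
    for p in ports:
        if not p["secure"]:
            findings.append((p["port"], "PORT without TLS: logons and screen data cross the network in the clear"))
        elif p["conntype"] in ("ANY", "BASIC"):
            findings.append((p["port"], f"SECUREPORT with CONNTYPE {p['conntype']}: cleartext clients still accepted"))
    return findings
```

Run `audit(parse_telnetparms(SAMPLE_PROFILE))` and only port 992 comes back clean; the same parser applied to a real profile gives a first inventory of where 3270 traffic can legitimately enter unencrypted.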

While the advantages of increased mobility to business are exceptional, there has been little progress, or rather too little attention, given to protecting against mobile threats. In addition to the obvious customer and business advantages, there have also been advances in opportunities for infiltrators. Vulnerabilities and corresponding exploits enabled by the growth of mobility now exist in the z/OS Enterprise Environment.

A multi-layered approach is needed to address the ever-increasing threats in today’s networked enterprise environment – TCP/IP, SNA/APPN, and mobile all need to be examined closely and secured.

Next – Part 7 – Monitoring the Security of Your z/OS System
