With the increasing number of corporate, industry, and government regulations regarding cryptographic protection of data in flight, as well as discoveries of weaknesses in existing cryptographic protocols and algorithms, it is very important for z/OS® administrators and auditors to be able to assess the quality of the cryptographic network protection being applied to their key z/OS workloads.
Currently, z/OS provides 4 mechanisms for cryptographic protection of TCP/IP traffic:
- TLS/SSL direct usage
- Application Transparent TLS (AT-TLS)
- Virtual Private Networks using IPSec and IKE
- Secure Shell using SSH
However, the 4 mechanisms vary widely in protocol, configuration methods, and audit and log records. Given these variations, it can be difficult to clearly understand the overall state of cryptographic network protection for your z/OS system.
This all leads to the question: how do you effectively ensure that your z/OS network traffic is properly protected?
Don't worry, zERT is here to the rescue!
z/OS Encryption Readiness Technology, known as zERT, positions the z/OS TCP/IP stack as a central collection and reporting point for the cryptographic protection attributes for TLS, SSL, SSH and IPSec security sessions that are protecting TCP and Enterprise Extender connections that terminate on the local stack.
zERT is designed for z/OS network security administrators who are typically z/OS systems programmers with responsibility over z/OS Communications Server security features. Two methods are used to discover the security sessions and their attributes:
- Stream observation (for TLS, SSL and SSH) - the TCP/IP stack observes the protocol handshakes as they flow over the TCP connection
- Advice of the cryptographic protocol provider (z/OS System SSL, z/OS OpenSSH, z/OS TCP/IP's IPsec support)
The cryptographic attributes are reported through new SMF 119 records via SMF and/or new real-time NMI services.
To help you better monitor cryptographic network protection, we are happy to introduce the zERT family.
zERT discovery is available with z/OS V2R3. With zERT discovery, attributes are collected and recorded at the connection level. These attributes are provided in SMF 119 subtype 11 "zERT Connection Detail" records. These records describe the cryptographic protection history of each TCP and EE connection. At least one record is written for every such connection, so the number of subtype 11 records could be quite large in some environments.
zERT aggregation was introduced in March 2018 via new function APAR PI83362. With zERT aggregation, attributes collected by zERT discovery are aggregated by security session. These attributes are provided in SMF 119 subtype 12 "zERT Summary" records. These records describe the repeated use of security sessions over time. Aggregation can greatly reduce the volume of SMF records while maintaining the fidelity of the information, which is well suited for reporting applications.
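To illustrate the difference between per-connection discovery records and per-session summaries, here is an added example (not IBM code, and not the real SMF 119 subtype 11 or 12 layout) that folds constructed connection-level records into session-level summaries keyed on assumed attributes (endpoints, protocol, version, cipher), keeping a count and first/last timestamps so the information needed for reporting survives the reduction in volume.

```python
# Constructed, simplified per-connection records modelled on what zERT discovery
# reports per TCP connection. Field names are hypothetical, not SMF field names.
CONNECTION_RECORDS = [
    {"ts": 1000, "local_ip": "10.1.1.5", "local_port": 443, "remote_ip": "192.0.2.10",
     "protocol": "TLS", "version": "TLSv1.2", "cipher": "C02F"},
    {"ts": 1005, "local_ip": "10.1.1.5", "local_port": 443, "remote_ip": "192.0.2.10",
     "protocol": "TLS", "version": "TLSv1.2", "cipher": "C02F"},
    {"ts": 1010, "local_ip": "10.1.1.5", "local_port": 443, "remote_ip": "192.0.2.10",
     "protocol": "TLS", "version": "TLSv1.2", "cipher": "C02F"},
    {"ts": 1020, "local_ip": "10.1.1.5", "local_port": 22, "remote_ip": "192.0.2.20",
     "protocol": "SSH", "version": "SSHv2", "cipher": "aes256-ctr"},
    {"ts": 1030, "local_ip": "10.1.1.5", "local_port": 22, "remote_ip": "192.0.2.20",
     "protocol": "SSH", "version": "SSHv2", "cipher": "aes256-ctr"},
    {"ts": 1040, "local_ip": "10.1.1.5", "local_port": 443, "remote_ip": "192.0.2.30",
     "protocol": "TLS", "version": "TLSv1.0", "cipher": "002F"},
]


def session_key(rec):
    """Assumed identity of a security session: same endpoints and same
    cryptographic attributes. Repeated connections with these attributes
    are treated as reuse of one session."""
    return (rec["local_ip"], rec["local_port"], rec["remote_ip"],
            rec["protocol"], rec["version"], rec["cipher"])


def aggregate(records):
    """Fold connection-level records into one summary per security session."""
    summaries = {}
    for rec in records:
        key = session_key(rec)
        summary = summaries.get(key)
        if summary is None:
            summaries[key] = {"connections": 1,
                              "first_seen": rec["ts"], "last_seen": rec["ts"]}
        else:
            summary["connections"] += 1
            summary["first_seen"] = min(summary["first_seen"], rec["ts"])
            summary["last_seen"] = max(summary["last_seen"], rec["ts"])
    return summaries


def reduction_ratio(records):
    """How many connection records each summary record stands for."""
    return len(records) / len(aggregate(records))


def sessions_using(summaries, version):
    """Report-style query: which sessions negotiated a given protocol version."""
    return [key for key in summaries if key[4] == version]
```

Running `sessions_using(aggregate(CONNECTION_RECORDS), "TLSv1.0")` shows that a session-level query still singles out the one older-version session even though six connection records became three summaries.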
With zERT discovery and aggregation in place, more advanced capabilities for analyzing z/OS network cryptographic protection become possible. In fact, as of this writing, there are over a dozen z/OS-based products from a variety of Independent Software Vendors as well as IBM that consume zERT SMF data and present it within the context of the specific product.
IBM zERT Network Analyzer is a z/OSMF plugin that provides a web-based graphical user interface that z/OS network security administrators can use to analyze and report on data reported in zERT Summary records. The zERT Network Analyzer ingests SMF 119 subtype 12 “zERT Summary” records from SMF dump datasets and populates a Db2 for z/OS database with a specialized schema. Once the database is populated, z/OS network security administrators can use the zERT Network Analyzer UI to create and run their own queries to investigate the specific aspects of TLS/SSL, SSH, and IPsec protection on their z/OS systems that interest them. The query results can be viewed in a hierarchical HTML report format or can be exported to a CSV file for later processing.
zERT policy-based enforcement (sometimes called simply zERT enforcement), introduced with z/OS V2R5, is a z/OS Communications Server technology that lets you use the valuable data that zERT discovery collects to enforce your local z/OS network crypto standards in real time. zERT enforcement uses the policy agent to install rules into the z/OS TCP/IP stack. When a new connection is established on that stack, its cryptographic protection attributes are compared against those described in the stack’s zERT enforcement rules. When a rule is matched, the action specified on the rule is executed. Several actions are supported including silently allowing the connection to proceed, generating a log message, writing a specialized SMF record, and even dropping the connection. Most actions can be specified in combination (for example, we recommend generating a log message any time the drop action is used).
zERT enforcement rules are created and managed using the IBM Network Configuration Assistant (NCA), which is another z/OSMF plugin. The NCA’s zERT perspective guides you through the creation of zERT rules for one or more cryptographic protocols on one or more z/OS systems. Once the rules are complete, NCA generates and installs the zERT enforcement policy files that the policy agent will read.
Watch this space for more articles about zERT – they will be coming your way soon!