DOCSLIB.ORG

Introduction to the New Mainframe: Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Introduction to the New Mainframe: Security Front cover Introduction to the New Mainframe: Security Fundamentals of security Security on mainframe hardware and software Compliance with security standards Rica Weller William C Johnston Ross Clements Patrick Kappeler Ken Dugdale Linda Kochersberger Per Fremstad Abey Tedla Olegario Hernandez Jeff Thompson Ashwin Venkatraman ibm.com/redbooks International Technical Support Organization Introduction to the New Mainframe: Security March 2007 SG24-6776-00 Note: Before using this information and the product it supports, read the information in “Notices” on page 505. First Edition (March 2007) © Copyright International Business Machines Corporation 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Preface . xv How this text is organized . xvi How each chapter is organized . xvii About the authors . xvii Acknowledgements . xix Comments welcome . xx Part 1. Overview of security fundamentals . 1 Chapter 1. Security and the mainframe. 3 1.1 Business security in real life . 4 1.1.1 Security means staying in business - even in a disaster. 4 1.1.2 What is security. 5 1.1.3 Classifying the value of data . 6 1.1.4 Security is about managing risk . 6 1.2 What is a mainframe . 7 1.2.1 Mainframes lead the industry . 8 1.2.2 Ability should not exceed authority . 9 1.3 Summary . 9 1.4 Key terms . 10 1.5 Questions for review . 11 1.6 Topics for further discussion . 11 Chapter 2. The Internet Bookstore - a case study . 13 2.1 The business scenario . 15 2.2 The core business of the bookstore . 16 2.3 The IT environment for the case study . 17 2.3.1 Your customer. 18 2.3.2 Your Internet Bookstore business processes . 19 2.3.3 The bank . 20 2.3.4 The courier . 20 2.4 Securing your business . 21 2.5 Summary . 22 2.6 Key terms . 23 2.7 Questions for review . 23 2.8 Topics for discussion. 23 2.9 Exercises. 23 © Copyright IBM Corp. 2007. All rights reserved. iii Chapter 3. Security concepts. 25 3.1 Introducing confidentiality, integrity, availability. 26 3.2 Confidentiality . 28 3.2.1 Threats to confidentiality . 30 3.2.2 Confidentiality models . 32 3.3 Integrity . 33 3.3.1 Threats to integrity . 34 3.3.2 Integrity models. 36 3.4 Availability . 37 3.5 Risk . 39 3.6 Summary . 40 3.7 Key terms . 42 3.8 Questions for review . 42 3.9 Questions for discussion . 42 3.10 Exercises. 43 Chapter 4. Elements of security. 45 4.1 Identification . 46 4.1.1 User ID definition. 46 4.1.2 Passwords. 47 4.2 Digital certificates and secure channels . 48 4.3 Authentication . 49 4.4 Roles and separation of duties . 51 4.5 Authorization . 52 4.5.1 Access control lists and rules . 54 4.5.2 Classification of data and users . 57 4.5.3 Conditional access and temporal access . 58 4.5.4 Discretionary access controls and mandatory access controls. 59 4.6 Encryption and cryptography. 59 4.6.1 When do we use encryption . 60 4.6.2 Symmetric encryption and asymmetric encryption . 60 4.7 Logging and auditing . 61 4.8 Summary . 62 4.9 Key terms . 63 4.10 Questions for review . 64 4.11 Questions for discussion . 64 4.12 Exercises. 64 Part 2. Hardware and networking security . 65 Chapter 5. System z architecture and security. 67 5.1 Privacy and trust at the bottom line . 68 5.2 The system architecture . 68 5.3 A very particular user: the operating system . 69 iv Introduction to the New Mainframe: Security 5.4 Looking deeper into the operating system . 70 5.4.1 Control instructions and general instructions . 70 5.5 Controlling the execution of instruction flows . 72 5.5.1 The program status word (PSW). 73 5.5.2 How the PSW is primed . 74 5.6 The interruption concept and mechanism . 75 5.6.1 The interruption mechanism . 77 5.7 Storage protection . ..
Load more

Recommended publications
  • Oracle Database Gateway for Adabas User's Guide, 11G Release 2 (11.2) E12074-01
    Oracle® Database Gateway for Adabas User’s Guide 11g Release 2 (11.2) E12074-01 July 2009 Oracle Database Gateway for Adabas User's Guide, 11g Release 2 (11.2) E12074-01 Copyright © 2008, 2009, Oracle and/or its affiliates. All rights reserved. Primary Author: Jeanne Wiegelmann Contributing Author: Maitreyee Chaliha, Sami Zeitoun, Oussama Mkaabal Contributor: Vira Goorah, Peter Wong This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007).
    [Show full text]
  • Decimal Layouts for IEEE 754 Strawman3
    IEEE 754-2008 ECMA TC39/TG1 – 25 September 2008 Mike Cowlishaw IBM Fellow Overview • Summary of the new standard • Binary and decimal specifics • Support in hardware, standards, etc. • Questions? 2 Copyright © IBM Corporation 2008. All rights reserved. IEEE 754 revision • Started in December 2000 – 7.7 years – 5.8 years in committee (92 participants + e-mail) – 1.9 years in ballot (101 voters, 8 ballots, 1200+ comments) • Removes many ambiguities from 754-1985 • Incorporates IEEE 854 (radix-independent) • Recommends or requires more operations (functions) and more language support 3 Formats • Separates sets of floating-point numbers (and the arithmetic on them) from their encodings (‘interchange formats’) • Includes the 754-1985 basic formats: – binary32, 24 bits (‘single’) – binary64, 53 bits (‘double’) • Adds three new basic formats: – binary128, 113 bits (‘quad’) – decimal64, 16-digit (‘double’) – decimal128, 34-digit (‘quad’) 4 Why decimal? A web page… • Parking at Manchester airport… • £4.20 per day … … for 10 days … … calculated on-page using ECMAScript Answer shown: 5 Why decimal? A web page… • Parking at Manchester airport… • £4.20 per day … … for 10 days … … calculated on-page using ECMAScript Answer shown: £41.99 (Programmer must have truncated to two places.) 6 Where it costs real money… • Add 5% sales tax to a $ 0.70 telephone call, rounded to the nearest cent • 1.05 x 0.70 using binary double is exactly 0.734999999999999986677323704 49812151491641998291015625 (should have been 0.735) • rounds to $ 0.73, instead of $ 0.74
    [Show full text]
  • Data Networks
    Second Ed ition Data Networks DIMITRI BERTSEKAS Massachusetts Institute of Technology ROBERT GALLAGER Massachusetts Institute ofTechnology PRENTICE HALL, Englewood Cliffs, New Jersey 07632 2 Node A Node B Time at B --------- Packet 0 Point-to-Point Protocols and Links 2.1 INTRODUCTION This chapter first provides an introduction to the physical communication links that constitute the building blocks of data networks. The major focus of the chapter is then data link control (i.e., the point-to-point protocols needed to control the passage of data over a communication link). Finally, a number of point-to-point protocols at the network, transport, and physical layers are discussed. There are many similarities between the point-to-point protocols at these different layers, and it is desirable to discuss them together before addressing the more complex network-wide protocols for routing, flow control, and multiaccess control. The treatment of physical links in Section 2.2 is a brief introduction to a very large topic. The reason for the brevity is not that the subject lacks importance or inherent interest, but rather, that a thorough understanding requires a background in linear system theory, random processes, and modem communication theory. In this section we pro­ vide a sufficient overview for those lacking this background and provide a review and perspective for those with more background. 37 38 Point-to-Point Protocols and Links Chap. 2 In dealing with the physical layer in Section 2.2, we discuss both the actual com­ munication channels used by the network and whatever interface modules are required at the ends of the channels to transmit and receive digital data (see Fig 2.1).
    [Show full text]
  • Paper Mainframe
    Club des Responsables d’Infrastructures et de Production IT Infrastructure and Operations IT INFRAsTRucTuRE & Operations MANAgEMENT Best Practices PAPER MAINFRAME IBM zSeries Mainframe Cost Control te i Authors Laurent Buscaylet, Frédéric Didier Bernard Dietisheim, Bruno Koch, Fabrice Vallet sponsored by september 2012 Wh PAgE 2 table of contents INTRODucTION 5 1. “z” POsITIONINg AND Strategy wIThIN A Company 6 1.1 Role of the Mainframe in the eyes of cRIP’s Members 6 1.2 The Position of system z vs. Distributed systems (windows, uNIX, Linux) 6 1.3 system z - Banking/Finance/Insurance vs. general Industry sectors 7 1.4 Evolution strategies for system z 9 2. z Platform OVERVIEw 11 2.1 Technical terms of reference 11 2.1.1 Servers 11 2.1.2 SAN & Networks 12 2.1.3 Storage 13 2.1.4 Backups 15 2.1.5 technical Architecture & Organization 16 2.1.6 Business Continuity 19 2.2 Mainframe software vendors (IsV’s) analysis & positioning 20 2.2.1 the Main Suppliers (ISV’s) 22 2.2.2 the Secondary Suppliers (ISV’s) 22 2.3 survey Results 3. z PLATFORM cOsT cONTROL 28 3.1 controling software cost 28 3.1.1 IBM Contractual Arrangements 28 3.1.2 ISV negotiation strategies: holistic/generic or piecemeal/ad-hoc 31 3.1.3 ISV contractual arrangements: licensing modes & billing 35 3.1.4 MLC: Controlling the billing level 38 3.1.4.1 The IBM billing method 38 3.1.4.2 The problem of smoothing (consolidating) peak loads 41 3.1.4.3 The methods and controls for controlling the software invoice 42 3.1.4.4 Survey feedback and recommendations 43 3.1.4.5 Other Cost Saving Options 48 3.2 Infrastructure cost Reduction 50 3.2.1 Grouping and Sharing Infrastructure 50 3.2.2 Use of specialty engines: zIIP, zAAP, IFL 54 3.3 controlling operational costs 55 3.3.1 Optimization, performance & technical/application component quality 55 3.3.2 Capacity Management, tools & methods 58 4.
    [Show full text]
  • HILLGANG Executive IT Specialist, IBM the University of Warwick
    . An introduction to the z10 – Harv Emery, Professor in the Department of Computer Science at HILLGANG Executive IT Specialist, IBM the University of Warwick. Update on OpenSolaris on System z ABSTRACTS System Cloning – The DC VM & Linux Users’ Group Principles and Practice Changing the way computers compute There is plenty of information available for cloning Linux guests and even z/OS guests but what about Most numeric data in commercial and human-centric cloning entire VM systems? For instance - you have a applications are decimal, and floating-point decimal need for two VM environments (one for virtual increasingly important as these applications become servers and another for z/OS D/R including XRC ever more complex. Benchmarking has indicated that DASD mirroring) in two different data centers, for a some applications spend a considerable amount of total of 4 VM systems. How can you save time and time in decimal processing, and IBM has now effort? Build one and clone it! Come and hear how a implemented decimal floating-point in z9 microcode, customer adopted the philosophy that he has been z10 hardware, Power6 hardware, and in many employing for z/OS for a long time and now has software products. developed for his VM systems. The talk will include how to maintain one VM system and 'roll' the updates In this talk, Mike will cover: out to other VM systems with including large systems • Why decimal arithmetic is increasingly important into their curriculum. • Why IBM has added hardware support • The decimal floating-point formats and IBM System z10 arithmetic, derived from Rexx, which is in the Enterprise Class Announcing the 12th Meeting of the new Hillgang IEEE 754 draft, z/VM, z/OS, DB2, C and other products Overview • How to exploit the new hardware and software in In this session the speaker, will present an .
    [Show full text]
  • The Design of the REXX Language
    The design of the REXX language by M. F. Cowlishaw One way of classifying computer languagesis by two (consciously or otherwise) to be easy to compile or classes: languages needing skilled programmers, and easy to interpret, it is designed (with the help of personal languages usedby an expanding population of general users. REstructured extended executor feedback from hundreds of users) to be easy to use. (REXX) isa flexible personal language designed with particular attention to feedback from its users. It has Three major factors affect the usability of a language. proved to be effective and easyto use, yet it is suffi- First, the basic concepts of a language affect its ciently general and powerfulto fulfil theneeds of many demanding professional applications.REXX is system syntax, grammar, and consistency. Second, the his- and hardware independent,so that it has been possi- tory and development of a language determine its ble to integrate it experimentally into several operating function, usability, and completeness. Third, but systems. Here REXX isused for such purposes as com- quite independently, the implementation of a lan- mand and macro programming, prototyping, educa- guage affects its acceptability, portability, and distri- tion, and personal programming. This paper introduces REXX and describes the basic design principles that bution. This paper introduces REXX and then dis- were followed in developingit. cusses basic concepts and developmental history as applied to the design of the REXX language. There are several experimental implementations of the REXX language within IBM for both large and small machines. One of these, by the author, has omputer languages may be classified in many become a part of the Virtual Machine/System Prod- ways.
    [Show full text]
  • Proceedings of the Rexx Symposium for Developers and Users
    SLAC-R-95-464 CONF-9505198-- PROCEEDINGS OF THE REXX SYMPOSIUM FOR DEVELOPERS AND USERS May 1-3,1995 Stanford, California Convened by STANFORD LINEAR ACCELERATOR CENTER STANFORD UNIVERSITY, STANFORD, CALIFORNIA 94309 Program Committee Cathie Dager of SLAC, Convener Forrest Garnett of IBM Pam Taylor of The Workstation Group James Weissman Prepared for the Department of Energy under Contract number DE-AC03-76SF00515 Printed in the United States of America. Available from the National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Road, Springfield, Virginia 22161. DISTRIBUTION OF THIS DOCUMENT IS UNLIMITED ;--. i*-„r> ->&• DISCLAIMER This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, make any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof. DISCLAIMER Portions
    [Show full text]
  • Installation for Z/OS
    Natural Installation for z/OS Version 8.2.3 für Großrechner November 2012 Dieses Dokument gilt für Natural ab Version 8.2.3 für Großrechner. Hierin enthaltene Beschreibungen unterliegen Änderungen und Ergänzungen, die in nachfolgenden Release Notes oder Neuausgaben bekanntgegeben werden. Copyright © 1979-2012 Software AG, Darmstadt, Deutschland und/oder Software AG USA, Inc., Reston, VA, Vereinigte Staaten von Amerika, und/oder ihre Lizenzgeber.. Nähere Informationen zu den Patenten und Marken der Software AG und ihrer Tochtergesellschaften befinden sich unter http://documentation.softwareag.com/legal/. Die Nutzung dieser Software unterliegt den Lizenzbedingungen der Software AG. Diese Bedingungen sind Bestandteil der Produkt- dokumentation und befinden sich unter http://documentation.softwareag.com/legal/ und/oder im Wurzelverzeichnis des lizensierten Produkts. Diese Software kann Teile von Drittanbieterprodukten enthalten. Die Hinweise zu den Urheberrechten und Lizenzbedingungen der Drittanbieter entnehmen Sie bitte den "License Texts, Copyright Notices and Disclaimers of Third Party Products". Dieses Dokument ist Bestandteil der Produktdokumentation und befindet sich unter http://documentation.softwareag.com/legal/ und/oder im Wurzelverzeichnis des lizensierten Produkts. Dokument-ID: NATMF-INSTALL-ZOS-823-20121108 Table of Contents Preface ............................................................................................................................... ix I Installation Process and Major Natural Features on z/OS ..............................................
    [Show full text]
  • High-Level Data Link Control
    ELEC3030 (EL336) Computer Networks S Chen High-Level Data Link Control • This class of data link layer protocols includes High-level Data Link Control (HDLC), Link Access Procedure Balanced (LAPB) for X.25, Link Access Procedure for D-channel (LAPD) for ISDN, and Logic Link Control (LLC) for FDDI • The frame format is: Flag Address Control Data FCS Flag Note that address and control bits 8 8 8 variable 16 8 can be extended to 16 bits, so bit position 12 3 4 5 6 7 8 N(S)=send sequence number N(R)=receive sequence number that sequence number is 7-bit Information: 0 N(S) P/F N(R) S=supervisory function bits P/F • Frame flag: 01111110, so bit Supervisory: 1 0 S N(R) M=unumbered function bits stuffing is used Unumbered: 1 1 M P/F M P/F=poll/final bit • Address: For multipoint operation, it is used to identify the terminal that transmits or receives the frame and, in point-to-point link, it is used to distinguish Commands from Responses (2nd bit for C/R: 0/1). The address is now extended to 16 bits (1st bit indicates long/short 16/8 bits) • Checksum: FCS contains the remainder of a 16-bit CRC calculation of the frame. It may be extended to 32 bits, using a 32-bit CRC • Control: Three types of frames, I, S and U frames. The old protocol uses a sliding window with 3-bit sequence number and the maximum window size is N = 7. The control field is now extended to 16 bits with 7-bit sequence number 60 ELEC3030 (EL336) Computer Networks S Chen HDLC (continue) • I-frames: carry user data.
    [Show full text]
  • 25 Years of Rexx ― a Personal View
    25 years of Rexx ― a personal view Böblingen 4 May 2004 Mike Cowlishaw IBM Fellow (Google: cowlishaw) Rexx25 Overview Questions, questions … Copyright © IBM Corporation 2004. All rights reserved. 2 All the … President’s questions … 3 Who was I? My IBM job? • Pre-University student with IBM (1970) – PL/I compiler, etc. • BSc Electronic Engineering – Birmingham • Day job: Test Tools Team – designing and building hardware for testing terminals such as the 3279 … 4 Microlink • Used existing coax terminal link (ANR) to attach bipolar microcomputers (based on the Signetics 8X300) to mainframe 5 Own-time projects? • Mostly PL/I and S/360 Assembler – Archaeological mapping (1974) – Cave surveying programs (1976) • STET, a STructured Editing Tool (1977) – and lots of other VM/CMS tools •Rex (1979) – a biggie: 4,000 hours to 1982 6 How old was I? well, 25 years is 25 years … 7 Why Rex? • CMS had EXEC … a bit like DOS BAT &CONTROL OFF &IF &INDEX EQ 0 &GOTO -GO EXEC DCOPT DROP &IF &RETCODE GE 12 &EXIT -GO &STACK RT … • EXEC 2: clean design, but just as ugly – language committee (Stephenson et al.) – hooks for vanilla CMS by Michel Hack 8 What were the first Rex programs? • ADDR EXEC … searches nickname file for nickname, displays name and address • SEND EXEC … send file to a local user • CONC XEDIT … concatenate and flow • … and lots of testcases 9 Who used it? • First distributable code was in May 1979; until then, only the one user • The first real users (pioneers, guinea pigs, trend-setters, …) were – Ray Mansell (Hursley, UK) – Les Koehler (Raleigh, NC) lots of useful feedback 10 How did it catch on? • Internal IBM network, VNET, rapidly growing • VM Newsletter (Peter Capek) • Word of mouth, Xmas card … • Add-ons (Steve Davies’ functions and others) 11 Was there a Rex motto? • Sort of.
    [Show full text]
  • International Civil Aviation Organization
    Guidance for the Implementation of National IP Networks INTERNATIONAL CIVIL AVIATION ORGANIZATION PROJECT RLA/06/901 GUIDANCE FOR THE IMPLEMENTATION OF NATIONAL DIGITAL NETWORKS THAT USE THE IP PROTOCOL, TO SUPPORT CURRENT AND FUTURE AERONAUTICAL APPLICATIONS Project RLA/06/901 Page 1 Guidance for the Implementation of National IP Networks The designations employed and the presentation of material in this publication do not imply the expression of any opinion whatsoever on the part of ICAO concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimination of its frontiers or boundaries. Project RLA/06/901 Page 2 Guidance for the Implementation of National IP Networks TABLE OF CONTENTS i. Table of Contents..................................................................................................................... 3 ii. Background.............................................................................................................................. 4 General Decision-Making Considerations ............................................................................... 5 Business ......................................................................................................................... 5 Industrial Support........................................................................................................... 5 Security Policies............................................................................................................. 5 Implementation .............................................................................................................
    [Show full text]
  • ALGORITHMIC INFORMATION THEORY Third Printing
    ALGORITHMIC INFORMATION THEORY Third Printing GJChaitin IBM, P O Box 218 Yorktown Heights, NY 10598 [email protected] April 2, 2003 This book was published in 1987 by Cambridge Uni- versity Press as the first volume in the series Cam- bridge Tracts in Theoretical Computer Science. In 1988 and 1990 it was reprinted with revisions. This is the text of the third printing. However the APL character set is no longer used, since it is not gen- erally available. Acknowledgments The author is pleased to acknowledge permission to make free use of previous publications: Chapter 6 is based on his 1975 paper “A theory of program size formally identical to information theory” published in volume 22 of the Journal of the ACM, copyright c 1975, Association for Computing Machinery, Inc., reprinted by permission. Chapters 7, 8, and 9 are based on his 1987 paper “Incompleteness theorems for random reals” published in volume 8 of Advances in Ap- plied Mathematics, copyright c 1987 by Academic Press, Inc. The author wishes to thank Ralph Gomory, Gordon Lasher, and the Physics Department of the Watson Research Center. 1 2 Foreword Turing’s deep 1937 paper made it clear that G¨odel’s astonishing earlier results on arithmetic undecidability related in a very natural way to a class of computing automata, nonexistent at the time of Turing’s paper, but destined to appear only a few years later, subsequently to proliferate as the ubiquitous stored-program computer of today. The appearance of computers, and the involvement of a large scientific community in elucidation of their properties and limitations, greatly enriched the line of thought opened by Turing.
    [Show full text]