DOCSLIB.ORG

3270 Emulation: Security Considerations

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
3270 Emulation: Security Considerations 3270 Emulation: Security Considerations IBM 3270 Emulation Security Considerations February 2015 Table of Contents Chapter 1. Introduction and background ........................................................................................................ 5 IT Security at a glance ................................................................................................................................ 6 3270 data stream overview ......................................................................................................................... 7 Fundamentals .......................................................................................................................................... 8 TN3270 ..................................................................................................................................................10 Chapter 2. Administrative and network-based controls .................................................................................12 Software asset management .......................................................................................................................12 Separation of environments .......................................................................................................................12 Role-based access controls ........................................................................................................................13 Firewalls ....................................................................................................................................................13 IDS/IPS devices .........................................................................................................................................13 Chapter 4. z/OS controls ................................................................................................................................14 SAF-based access controls ........................................................................................................................14 NETACCESS resources ........................................................................................................................14 PORTACCESS resources ......................................................................................................................15 TN3270-specific resources ....................................................................................................................15 IP filter rules ..............................................................................................................................................15 Cryptographic network security protocols .................................................................................................16 TLS/SSL ................................................................................................................................................16 IPsec ......................................................................................................................................................18 Integrated Intrusion Detection Services (IDS) ...........................................................................................20 Scan detection ........................................................................................................................................20 Attack detection .....................................................................................................................................20 Traffic Regulation (TR) .........................................................................................................................21 TN3270E server controls ...........................................................................................................................21 Controlling client access ........................................................................................................................21 TN3270 client authentication ................................................................................................................23 Express Logon Feature (ELF) ...............................................................................................................24 Data overrun controls ............................................................................................................................24 Auditing .................................................................................................................................................25 Chapter 5. z/VM controls ..............................................................................................................................27 TCP/IP on z/VM ........................................................................................................................................27 The Telnet Server for z/VM ......................................................................................................................27 The Internal Client .................................................................................................................................27 Requiring encryption for TN3270 traffic...............................................................................................28 Encryption support for z/VM (TLS/SSL) ..................................................................................................28 Description of the SSL-TLS virtual machines .......................................................................................28 Protocol selection and compliance modes (z/VM 6.3 only) ..................................................................29 1 IBM 3270 Emulation Security Considerations February 2015 User authentication on z/VM .....................................................................................................................29 Chapter 6. z/VSE controls .............................................................................................................................31 TCP/IP for VSE/ESA ................................................................................................................................31 Associating VTAM terminal names with IP addresses .........................................................................32 Security layers .......................................................................................................................................33 IPv6/VSE ...................................................................................................................................................35 IP filtering ..............................................................................................................................................36 TLS/SSL support ...................................................................................................................................36 Security exits .........................................................................................................................................36 Chapter 7. What about Linux on z Systems and z/TPF? ...............................................................................38 Chapter 8. Distributed TN3270 .....................................................................................................................39 Direct SNA 3270 .......................................................................................................................................39 TN3270 Servers .........................................................................................................................................39 Port configuration ......................................................................................................................................39 Managing LUs on distributed platforms ....................................................................................................39 Filtering clients ..........................................................................................................................................40 Conclusion .....................................................................................................................................................41 Acknowledgments and Contributions............................................................................................................42 2 IBM 3270 Emulation Security Considerations February 2015 Abstract 3270 data streams have been around since the early days of what has become IBM’s z Systems™ family of mainframes. 3270 data streams were originally exchanged between z Systems software and hard wired devices such as display terminals and printers over private connections or closed SNA networks. With the advent of personal computers and workstations, the “dumb terminal” was replaced by software emulators that ran as applications on these “smart” devices. Over time, the traffic between the emulators and the 3270 applications moved from private connections or closed SNA networks to TCP/IP networks, including the Internet. The switch from hardware devices to software emulators introduced the risk of 3270 malware, while the migration to TCP/IP networks greatly increased the risk of unauthorized users attempting to access 3270 applications. The purpose of this paper is to describe techniques, mechanisms and strategies for minimizing z Systems exposure to the above risks. The paper is organized into
Load more

Recommended publications
  • Operator's Guide for IBM 3270 Information Display Systems
    GA27-2742-1 Operator's Guide for IBM 3270 Information Systems Display Systems i i Second Edition (July, 1972) This is a major revision of GA27-2742-0 and incorporates Technical Newsletter GN31-3001. Operating instructions for the printer and operator identification card reader have been added. Comments and corrections have been incorporated throughout the manual. Any system changes affecting this publication will be reported in subsequent revisions or Technical Newsletters. Additional copies of this manual can be obtained through IBM branch offices. Text for this publication has been prepared with the IBM SE LECTR IC ® Composer. A form is provided at the back of this publication for reader's comments. If the form has been removed, comments may be addressed to: IBM Systems Development Division, Product Publications, Dept. 520, Neighborhood Road, Kingston, N.V., 12401 © Copyright International Business Machines Corporation, 1971, 1972 Contents iii Table of Contents First Words to the Operator Qu ick Reference . 3 Operating the 3270* . 4 Introduction to Display Station Operation 5 Operator Controls 7,8 The Display Image 8 Indicators . 15-19 Keyboards 20 Typewriter Keyboard* ............... 24 I Data Entry Keyboard* ............... 44 I Operator Console Keyboard* . 62 I ·" Printer Operation * . 76 I,.~' , Operator Identification Card Reader . 88 I A Typical Job . · 90 Correcting Operator Errors . 90 Trouble with Your Machine · 92 Operator Trouble Report 92 Extras for the 3270* . .100 Selector Pen . · 101 Secu rity Key Lock .105 Audible Alarm . .106 Numeric Lock Feature .109 Understanding the 3270* .. 110 Data Processing · 111 Display Stations .. · 114 The IBM 3270 Information Display System · 115 ) Index · 119 *The complete table of contents for each section is on the first page of that section.
    [Show full text]
  • Introduction to Mainframe Networking TCP/IP Problem Determination
    z/OS Basic Skills Information Center Networking on z/OS z/OS Basic Skills Information Center Networking on z/OS Note Before using this information and the product it supports, read the information in “Notices” on page 251. This edition applies to z/OS (product number 5694-A01). We appreciate your comments about this publication. Comment on specific errors or omissions, accuracy, organization, subject matter, or completeness of this book. The comments you send should pertain to only the information in this manual or product and the way in which the information is presented. For technical questions and information about products and prices, please contact your IBM branch office, your IBM business partner, or your authorized remarketer. When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any way it believes appropriate without incurring any obligation to you. IBM or any other organizations will only use the personal information that you supply to contact you about the issues that you state on this form. Send your comments through this web site: http://publib.boulder.ibm.com/infocenter/zoslnctr/v1r7/index.jsp?topic=/com.ibm.zcontact.doc/webqs.html © Copyright IBM Corporation 2006, 2010. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Before you begin the topic about Coupling channels ...........40 networking on z/OS .........vii Open Systems Adapter (OSA) .......40 HiperSockets ..............46 The I/O cage ..............48 Part 1. Introduction to networking on the mainframe...........1 Chapter 4. Sample network configuration ............49 Chapter 1.
    [Show full text]
  • User's Guide and Reference for IBM Z/OS® Remote Access Programs August 2, 2021
    User's Guide and Reference for IBM z/OS® Remote Access Programs August 2, 2021 International Business Machines Corporation IBM Z Dallas ISV Center Dallas, TX USA This document is intended for the sole use of participants in an IBM Z Dallas ISV Center Remote Development or Early Test Program and is not to be distributed to non-participants or used for purposes other than intended. © Copyright International Business Machines Corporation 2019. All rights reserved. 1 Table of Contents 1 Preface .................................................................................................................................................... 4 1.1 Links ................................................................................................................................................. 4 2 Overview – Remote Access Environment ........................................................................................... 5 2.1 Hardware / Software Platform .......................................................................................................... 5 2.2 Introduction to the Virtual Machine Concept ................................................................................... 5 2.3 z/OS Remote Access Environment ................................................................................................... 5 2.4 Printers .............................................................................................................................................. 7 2.5 System Availability..........................................................................................................................
    [Show full text]
  • Configuring TN3270 C H a P T E R
    CHAPTER 13 Configuring TN3270 IBM 3270 display terminals are among the computing community’s most widely implemented and emulated for host-based computing. Information in this chapter will help you understand the TN3270 terminal emulation environment, and how to use and create files that will allow terminals connected to the communication servers to be used for TN3270 operation. For a complete description of the commands in this chapter, see the Communication Server Command Reference publication. Cisco’s Implementation of TN3270 The TN3270 terminal emulation software is based on software developed at the University of California, Berkeley. This software allows any terminal to be used as an IBM 3270-type terminal. Users with non-3270 terminals can take advantage of the emulation capabilities to perform the functions of an IBM 3270-type terminal. Specifically, Cisco’s implementation supports emulation of an IBM 3278-2 terminal providing an 80 by 24 display. True IBM 3270-type terminals use a character format referred to as extended binary-coded decimal interchange code (EBCDIC). EBCDIC consists of 8-bit coded characters and was originally developed by IBM. Emulation is made possible by termcap and curses functions developed by Berkeley UNIX system developers. These functions translate the keyboard and terminal characteristics for ASCII-type terminals into those expected by an IBM host. ASCII characters are listed in the “ASCII Character Set” appendix in the Communication Server Command Reference publication. Formally, a termcap is a two-part terminal-handling mechanism. It consists of a database and a subroutine library. The database describes the capabilities of each terminal to be supported; the subroutine library allows programs to query the database and to make use of the values it contains.
    [Show full text]
  • Data Stream Programmer's Reference ------,------3270 Information ------ .-- Display System
    ----- - --- 3270 Information ---- - - --- --------- Display System Data Stream Programmer's Reference -------,----- - --- 3270 Information - - - --- -------_.-- Display System Data Stream Programmer's Reference GA23-0059-4 File Number 8360/8370/53/4300/8100-30 Fifth Edition (December 1988) This publication introduces and explains the functions of the 3270 Information Display System data stream. Changes are continually made to the information herein; before using this publication in connection with the operation of IBM systems, refer to the latest IBM System/360 or System 1370 SRL Newsletter for the editions that are applicable and current. It is possible that this material may contain reference to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming, or services in your country. The names and addresses used in the examples that appear in this manual are fictitious, and any similarity to the names and addresses of actual persons is entirely coincidental. Publications are not stocked at the address given below; requests for IBM publications should be made to your IBM representative or to the IBM branch office serving your locality. A form for readers' comments is provided at the back of this publication. Address additional comments to IBM Corporation, Communication Products Information Development, Department E02, PO Box 12195, Research Triangle Park, North Carolina, U.S.A. 27709. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation whatever. You may, of course, continue to use the information you supply.
    [Show full text]
  • IRIS 3270 Emulator User's Guide
    IRIS® 3270 Emulator User’s Guide Document Number 007-0805-040 CONTRIBUTORS Written by Kameran Kashani, Sheri Chinen Biesen, Susan Thomas Edited by Nancy Schweiger Production by Julia LIn Engineering contributions by Bob Horen, Rich Livingston, Ed Evans, Sam Sengupta © Copyright 1992-1994, Silicon Graphics, Inc.— All Rights Reserved This document contains proprietary and confidential information of Silicon Graphics, Inc. The contents of this document may not be disclosed to third parties, copied, or duplicated in any form, in whole or in part, without the prior written permission of Silicon Graphics, Inc. RESTRICTED RIGHTS LEGEND Use, duplication, or disclosure of the technical data contained in this document by the Government is subject to restrictions as set forth in subdivision (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 52.227-7013 and/ or in similar or successor clauses in the FAR, or in the DOD or NASA FAR Supplement. Unpublished rights reserved under the Copyright Laws of the United States. Contractor/manufacturer is Silicon Graphics, Inc., 2011 N. Shoreline Blvd., Mountain View, CA 94039-7311. Silicon Graphics and IRIS are registered trademarks and IRIX is a trademark of Silicon Graphics, Inc. Apollo is a registered trademark of Apollo Computer, Inc. FrameMaker is a registered trademark of Frame technology, Inc. Hewlett-Packard is a registered trademark of Hewlett-Packard Company. IBM is a registered trademark of International Business Machines Corporation. Macintosh is a registered trademark of Apple Computer, Inc. IRIS® 3270 Emulator User’s Guide Document Number 007-0805-040 Contents List of Examples vii List of Figures ix List of Tables xi Introduction xiii Features xiv Typographical Conventions xv Software and Hardware xv Software xvi Hardware xvi Network Configuration xvii Product Support xxi 1.
    [Show full text]
  • Systems Network Architecture Concepts and Pioducts
    ---- -------- ---- Systems --------- - ------- -~- .. - Network Architecture Concepts and Pioducts GC30-3072-1 File No. 370/4300-30 Second Edition (February 1984) This is a reprint of GC30-3072-0 incorporating changes released in Technical Newsletter: GN30-3205 (dated 22 September 1981) Changes are continually made to the information in IBM systems publications. Before using this publication in connection with the operation of IBM systems, refer to the latest IBM System/370 and 4300 Processors Bibliography, GC20-o001, for the editions that are applicable and current. References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Publications are not stocked at the address given below. Requests for copies of IBM publications should be made to your IBM representative or to the IBM branch office serving your locality. A form for readers' comments has been provided at the back of this publication. If the form has been removed address comments to IBM Corporation, Publications Development, Department E02, P.O. Box 12195, Research Triangle Park, North Carolina, U.S.A. 27709. IBM may use or distribute whatever information you supply in any way it believes appropriate without incurring any obligation to you. © Copyright International Business Machines Corporation 1981 Preface This publication introduces the IBM Systems Network Architecture to individuals who need to acquaint themselves with its benefits, its concepts, and the IBM products that are designed for use in SNA networks. This is the basic publication about Systems Network Architecture (SNA) for managers, system designers, and others involved in making decisions about planning or implementing distributed data processing within an organization.
    [Show full text]
  • Reflection for the Web Reference Guide
    Reflection for the Web Reference Guide November 2017 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/ Copyright © 2017 Micro Focus. All rights reserved. Contents Reflection for the Web - Reference Guide 5 1 Configuring Reflection for the Web Sessions 7 Configuring a Reflection for the Web Session . 7 Load Order of Configuration Information . 7 Using Configuration Files . 8 Configuring User Preferences . 8 Recording macros . 9 2 API and Scripting 11 Using ECL. 11 What you need to use the API . 12 How to use the API. 12 Using the API from JavaScript and VBScript . 13 Accessing the ECL API from JavaScript . .15 Timing issues when scripting Reflection . 18 Browser dependencies when using the API. 18 API Reference . 19 API Examples. 41 3 Applet Attributes and Parameters 81 About Applets in Reflection for the Web . 81 Applet Attributes and Parameters . 82 Applet Attributes . 82 Applet Parameters . 82 Index of Attributes and Parameters. 82 A-B-C . 82 D-E-F . 87 G-H-I . 93 J-K-L. 102 M-N-O . 105 P-Q-R . 111 S-T-U . 114 V-W-X-Y-Z . 122 Numbers. 123 4 HTML Samples 127 HTML Code Samples . 127 About HTML code samples . 127 Available HTML code samples. 128 5 Host-initiated RCL Support 135 RCL Commands . 135 Supported RCL $ Variables . 135 Supported RCL Commands . 135 Supported RCL SET Parameters . .136 Contents 3 4 Reflection for the Web - Reference Guide This Reference Guide includes introductory and advanced topics for use with Reflection for the Web.
    [Show full text]
  • OSA-Express Integrated Console Controller Implementation Guide October 2005
    Front cover OSA-Express Integrated Console Controller Implementation Guide Product planning and implementation information Realistic examples and considerations Step-by-step configuration procedures Bill White Jeff Nesbitt ibm.com/redbooks International Technical Support Organization OSA-Express Integrated Console Controller Implementation Guide October 2005 SG24-6364-01 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. Second Edition (October 2005) This edition applies to IBM System z9 and eServer zSeries (z990 and z890) servers, which support the OSA-Express Integrated Console Controller (OSA-ICC) function. © Copyright International Business Machines Corporation 2004, 2005. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix The team that wrote this redbook. ix Become a published author . .x Comments welcome. .x Chapter 1. Introduction. 1 1.1 OSA-ICC description. 2 1.2 Hardware support . 3 1.3 Software support . 4 1.4 Comparison. 5 1.5 Migration considerations . 6 1.5.1 Migrating OSA-ICC configurations from z990 to z9-109 servers . 6 1.5.2 Migrating from IBM 2074 to OSA-ICC. 7 1.5.3 Migrating from IBM 3174 to OSA-ICC. 8 Chapter 2. Pre-install . 11 2.1 Planning overview . 12 2.2 Configuration steps . 15 2.2.1 HCD and IOCP planning. 17 2.2.2 OSA-ICC planning . 21 2.2.3 Network considerations. 33 2.2.4 TN3270E emulator planning . 35 Chapter 3. Configuration tasks . 39 3.1 Configuration tasks overview .
    [Show full text]
  • Emulator User's Reference
    Personal Communications for Windows, Ver sion 5.8 Emulator User’s Reference SC31-8960-00 Personal Communications for Windows, Ver sion 5.8 Emulator User’s Reference SC31-8960-00 Note Before using this information and the product it supports, read the information in “Notices,” on page 217. First Edition (September 2004) This edition applies to Version 5.8 of Personal Communications (program number: 5639–I70) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 1989, 2004. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures . vii Using PDT Files . .24 Double-Byte Character Support. .25 Tables . .ix Printing to Disk . .26 Workstation Profile Parameter for Code Page . .27 About This Book. .xi Chapter 5. Key Functions and Who Should Read This Book. .xi How to Use This Book . .xi Keyboard Setup . .29 Command Syntax Symbols . .xi Default Key Function Assignments . .29 Where to Find More Information . xii Setting the 3270 Keyboard Layout Default . .29 InfoCenter. xii Default Key Functions for a 3270 Layout . .29 Online Help . xii Setting the 5250 Keyboard Layout Default . .32 Personal Communications Library. xii Default Key Functions for a 5250 Layout . .32 Related Publications . xiii Default Key Functions for the Combined Package 34 Contacting IBM. xiii Setting the VT Keyboard Layout Default . .34 Support Options . xiv Default Key Functions for the VT Emulator Layout . .35 Keyboard Setup (3270 and 5250) . .36 Part 1. General Information . .1 Keyboard File . .36 Win32 Cut, Copy, and Paste Hotkeys .
    [Show full text]
  • Guía Para El Administrador De PC Y Multiusuarios Tun Plus 2014 - Version 15.0.0 Issued December 2013 Copyright © 1989-2014 Esker S.A
    Guía para el administrador de PC y Multiusuarios Tun Plus 2014 - Version 15.0.0 Issued December 2013 Copyright © 1989-2014 Esker S.A. All rights reserved. Copyright © 1998-2008 The OpenSSL Project. All rights reserved. Copyright © 1995-1998 Eric Young ([email protected]). All rights reserved. Copyright © 1995-2005 The Cryptix Foundation Limited. All rights reserved. Copyright © 1995 Tatu Ylonen <[email protected]>, Espoo, Finland. All rights reserved Copyright © 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved Copyright © 1995, 1996 by David Mazieres <[email protected]> Copyright © 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Copyright © 1998-2003 by Neil Hodgson [email protected]. All Rights Reserved. For additional information, conditions of use, and disclaimers, see copyright.pdf file. Use and duplicate only in accordance with the Software License Agreement: Tun Products. Esker, the Esker logo, Esker Pro, Extending the Reach of Information, Tun, and Tun Emul are trademarks, registered trademarks or service marks of Esker S.A. in the U.S., France and other countries. The following are trademarks of their respective owners in the United States and other countries: Microsoft, Windows, BackOffice, MS-DOS, XENIX are registered trademarks of Microsoft Corp. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. IBM, AS/400, and AIX are registered trademarks of IBM Corp. SCO is a registered trademark of Caldera International, Inc. NetWare is a registered trademark of Novell, Inc. Sun, Sun Microsystems and Java are trademarks of Sun Microsystems, Inc. Oracle is a registered trademark of Oracle Corp.
    [Show full text]
  • Vp Terminal Emulation of Ibm 3270
    VP TERMINAL EMULATION OF IBM 3270 XEROX VP Series Reference Library Version 1.0 This publication could contain technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of this publication. ThiS publication was printed in September 1985 and is based on the VP Series 1.0 software. Address comments to: Xerox Corporation Attn: Product Education (N2-15) 701 S. Aviation Blvd. EI Segundo, California 90245 WARNING: This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions manual, may cause interference to radio communications. It has been tested and found to comply with the limits for a Class A computing device pursuant to subpart} of part 15 of the FCC rules, which are designed to provide reasonable protection against such interference when operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be required to correct the interference. Printed in U.S.A. Publication number: 610E01190 XEROX~, 6085,8000,8010,860,820-11,8040,5700,8700,9700, 495-1, ViewPoint, and VP are trademarks of Xerox Corporation. IBM is a registered trademark of International Business Machines. DEC and VAX are trademarks of Digital Equipment Corporation. Wang Professional Computer is a trademark of Wang Laboratories, Inc. Lotus 1-2-3 is a trademark of Lotus Development Corporation. MS-DOS is a trademark of Microsoft Corporation.
    [Show full text]