Volume 2 Mainframe Communication and Networking Security

Front cover

Reduce Risk and Improve Security on IBM Mainframes: Volume 2 Mainframe Communication and Networking Security

Axel Buecker, Thomas Cosenza, Uma Kumaraguru, Christopher Meyer, Vinicius Oliveira, Vinodkumar Ramalingam, Jan Thielmann, Joe Welsh

Redbooks

International Technical Support Organization

September 2015

SG24-8195-00

Note: Before using this information and the product it supports, read the information in “Notices” on page vii.

First Edition (September 2015)

This edition applies to the IBM System z12 Enterprise Class server, the IBM System z12 Business Class server, and Version 2, Release 1 (2.1), of IBM z/OS operating system (product number 5694-A01). This edition also applies to the IBM z Systems platform.

© Copyright International Business Machines Corporation 2015. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
Trademarks
IBM Redbooks promotions
Preface
Authors
Now you can become a published author, too
Comments welcome
Stay connected to IBM Redbooks

Chapter 1. Mainframe network concepts and functions
  1.1 Introduction to mainframe networks
    1.1.1 Technical overview
    1.1.2 Communications Server features and benefits
    1.1.3 Who supports the network
  1.2 History of mainframe networks
  1.3 Mainframe network architecture
  1.4 Networking hardware
    1.4.1 Network connections
  1.5 Network protocols
    1.5.1 TCP/IP
    1.5.2 SMC-R
    1.5.3 SNA
  1.6 Additional network components
    1.6.1 VTAM
    1.6.2 TCP/IP stack and functions
    1.6.3 Enterprise Extender
    1.6.4 TN3270/E
    1.6.5 Special features
  1.7 Network tools and products
    1.7.1 NetView Performance Monitor
    1.7.2 OMEGAMON XE for Mainframe Networks
    1.7.3 Session Manager for z/OS
    1.7.4 Solve: Access Session Management
  1.8 Operations and administration
    1.8.1 Operational tasks
    1.8.2 z/OS network administrator tasks
  1.9 Securing mainframe networks

Chapter 2. Cryptography for network security
  2.1 Security concepts and architecture for network cryptography on System z
    2.1.1 Basics of cryptography for network security
    2.1.2 Definition of a secure communication model for networks
    2.1.3 Applications of cryptosystems for network security
    2.1.4 Overview of the z/OS TCP/IP cryptographic infrastructure
    2.1.5 Transport Layer Security on z/OS
    2.1.6 AT-TLS
    2.1.7 IPSec
    2.1.8 OpenSSH on z/OS
    2.1.9 PKI services
  2.2 Guiding principles for cryptography for network security
    2.2.1 Choosing appropriate cryptographic algorithms for network security
    2.2.2 Defining a cryptography strategy within your organization
    2.2.3 Choosing Transport Layer Security implementations
    2.2.4 Things to keep in mind when defining certificates
    2.2.5 Guiding principles for IPSec
    2.2.6 OpenSSH on z/OS UNIX, z/OS dependant features implementation

Chapter 3. TCP/IP security
  3.1 Introduction
    3.1.1 IP network design
    3.1.2 System z in a DMZ
    3.1.3 Mixing environments
    3.1.4 HiperSockets
  3.2 Sockets and APIs
  3.3 Telnet Server
    3.3.1 Security concepts and architecture
  3.4 FTP
    3.4.1 Security concepts and architecture
  3.5 InetD, the Internet daemon
    3.5.1 Security concepts and architecture
  3.6 Virtual IP addressing
    3.6.1 Security concepts and architecture
  3.7 z/OS IP filtering
    3.7.1 Security concepts and architecture
  3.8 IPSec ..

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    188 Page
