3270 Emulation: Security Considerations


IBM 3270 Emulation Security Considerations, February 2015

Table of Contents

Chapter 1. Introduction and background ... 5
    IT Security at a glance ... 6
    3270 data stream overview ... 7
        Fundamentals ... 8
        TN3270 ... 10
Chapter 2. Administrative and network-based controls ... 12
    Software asset management ... 12
    Separation of environments ... 12
    Role-based access controls ... 13
    Firewalls ... 13
    IDS/IPS devices ... 13
Chapter 4. z/OS controls ... 14
    SAF-based access controls ... 14
        NETACCESS resources ... 14
        PORTACCESS resources ... 15
        TN3270-specific resources ... 15
    IP filter rules ... 15
    Cryptographic network security protocols ... 16
        TLS/SSL ... 16
        IPsec ... 18
    Integrated Intrusion Detection Services (IDS) ... 20
        Scan detection ... 20
        Attack detection ... 20
        Traffic Regulation (TR) ... 21
    TN3270E server controls ... 21
        Controlling client access ... 21
        TN3270 client authentication ... 23
        Express Logon Feature (ELF) ... 24
        Data overrun controls ... 24
        Auditing ... 25
Chapter 5. z/VM controls ... 27
    TCP/IP on z/VM ... 27
    The Telnet Server for z/VM ... 27
        The Internal Client ... 27
        Requiring encryption for TN3270 traffic ... 28
    Encryption support for z/VM (TLS/SSL) ... 28
        Description of the SSL-TLS virtual machines ... 28
        Protocol selection and compliance modes (z/VM 6.3 only) ... 29
    User authentication on z/VM ... 29
Chapter 6. z/VSE controls ... 31
    TCP/IP for VSE/ESA ... 31
        Associating VTAM terminal names with IP addresses ... 32
        Security layers ... 33
    IPv6/VSE ... 35
        IP filtering ... 36
        TLS/SSL support ... 36
        Security exits ... 36
Chapter 7. What about Linux on z Systems and z/TPF? ... 38
Chapter 8. Distributed TN3270 ... 39
    Direct SNA 3270 ... 39
    TN3270 Servers ... 39
    Port configuration ... 39
    Managing LUs on distributed platforms ... 39
    Filtering clients ... 40
Conclusion ... 41
Acknowledgments and Contributions ... 42

Abstract

3270 data streams have been around since the early days of what has become IBM’s z Systems™ family of mainframes. They were originally exchanged between z Systems software and hard-wired devices such as display terminals and printers, over private connections or closed SNA networks. With the advent of personal computers and workstations, the “dumb terminal” was replaced by software emulators running as applications on these “smart” devices. Over time, the traffic between the emulators and the 3270 applications moved from private connections and closed SNA networks to TCP/IP networks, including the Internet.

The switch from hardware devices to software emulators introduced the risk of 3270 malware, and the migration to TCP/IP networks greatly increased the risk of unauthorized users attempting to access 3270 applications. The purpose of this paper is to describe techniques, mechanisms and strategies for minimizing z Systems exposure to these risks. The paper is organized into

Source file: PDF, 44 pages, English.
