TCP/IP 101: The Ins, The Outs of PORTS
Project and Program:
Enterprise Data Center,
Security and Compliance
Tags:
Proceedings,
2019,
SHARE Pittsburgh 2019
Today the z/OS Mainframe is generally viewed as just another server in an interconnected network of servers designed to satisfy the specific organizational needs of management, customers, partners, regulators and employees. But how do these various servers satisfy such diverse needs - reliability, availability, serviceability - efficiently and securely over an open public internet? The answer to this question lies buried deep in the configuration of the z/OS TCP/IP STACK(s) (a series of articulated physical and virtual communication layers) – specifically the PORTS that control the ins and outs of transaction flow.
In this, the first of two presentations on this topic, the focus will be a “Deep Dive” into the TCP/IP STACK and PORT construction, their integrity and security, beginning with bedrock STACK construction definitions such as those found in BPXPRM (INET Vs. CINET), TCP/IP Profile, TELNET and FTP Data. Inherent in these configurations are keyword control structures, i.e. NETACCESS, IPSECURITY, RESTRICTLOWPORT, UNRSV that may (or not) be used to call on and/or trigger ever stronger layers of integrity and security over the access to and use of a named PORT. Of these options, none is more important than those supplemental calls to the System Access Facility (SAF) and one or more related SERVAUTH Profiles, i.e., EZB.NETACCESS/PORTACCESS/TN3270/FTP calls that validate a discreet or generic External Security Manager (ESM) permission to use a named PORT by a named user and/or job.
Throughout this presentation “Basic” TCP/IP syntax diagrams will be used to explain the layering of PORT controls available for enforcement by the STACK. From this understanding you will be able to “Read” and “Evaluate” PORT construction definitions. Such native definitions, which are easily revealed as “PORT LIST” by executing NETSTAT Display Commands against any active TCP/IP STACK(s), can form the basis for “Recommendations”, as necessary, for enhancing the integrity and security of UDP and TCP or FTP and TELNET PORTS and their related SOCKETS (a PORT plus an IpAddress equals a socket) that are used to control all information requests in and out of a z/OS Mainframe.
In a follow-on presentation, “TCP/IP 201: The Beauty of PAGENT”, the additional layer of security controls afforded to a specific STACK and PORTS by Policy Based Networking - Intrusion Detection, IP Security, Application Transparent-TLS and Policy Based Routing – and other SERVAUTH Profiles and Permit controls – EZB.INITSTACK/STACKACCESS/SOCKOPT will be studied as they apply to one and/or more TCP/IP STACK(s) supporting a given z/OS Logical Partition (LPAR).
Complete the survey for this session towards earning the Security Warrior digital badge: http://bit.ly/SHARE24903-Paul Robichaux-NewEra Software, Inc.
Back to Proceedings File Library