z/OS Communications Server

Mainframe network security for on demand transactions

Technical detail

Security for today's businesses

In today's world of open access, protecting your systems and data is more important than ever. Because many transactions originate from untrusted networks such as the Internet, and sometimes from unknown users, enterprises are paying increased attention to host and user authentication, data integrity and privacy in the network, and denial of service attacks. The z/OS Communications Server, building on the mainframe's 40+ year record of helping secure transactions, provides a suite of security controls to address these concerns.


What's new in z/OS V1.10?

For z/OS V1.10, the z/OS Communications Server provides improvements to its policy-based networking components, NSS, IPSec, and AT-TLS. Building on its history of Intrusion Detection Services (IDS), the z/OS Communications Server also introduces a new defensive filtering capability. Defensive filters are evaluated ahead of configured IP filters and can be created dynamically. They are designed for added protection and minimal disruption of services in the event of an attack. You can read more about the new security features in the z/OS V1.10 announcement (PDF, 245KB), and in the z/OS V1.10 Communications Server New Function Summary (PDF, 3.34MB).

Protecting your data in the network

Providing remote access to mission critical applications and sensitive business data is no longer just a nice thing to have, it is a business requirement. Today's business model requires end-to-end protection of data and authentication of end users.

In many cases, the applications being accessed were written at a time when data was flowing across secure networks. The new Application Transparent Transport Layer Security (AT-TLS) support in z/OS can allow enterprises to enable network security on behalf of TCP applications without requiring application modification. The z/OS IPSec support provides additional options, which include the ability to encrypt data end-to-end or across just a portion of the network. Because AT-TLS and IPSec are policy-based, their security definitions are more easily monitored for compliance with corporate security policy.

Our new paper Securing an SNA Environment for the 21st Century discusses the issues facing modern SNA transports and the strategies you need to ensure they are secure.

Find out how the new zIIP Assisted IPSec function can help reduce your CPU utilization.

Protecting your systems from the network

Attacks against a system can come from within an enterprise's network as well as externally. The z/OS Communications Server can safeguard the availability of the system by protecting against denial of service attacks. There are built-in defenses and optional services, such as Intrusion Detection Services (IDS), which can defend against attacks from the network.

The z/OS Communications Server can also protect system resources and data from unauthorized access using RACF or other comparable products. RACF is used to protect Communications Server applications, as well as critical TCP/IP resources.

Simplifying security

The IBM Configuration Assistant for z/OS Communications Server provides centralized configuration of AT-TLS, IP Security, NSS, PBR, QoS, and IDS policies. For z/OS V1.10 (PDF, 245KB), the IBM Configuration Assistant for z/OS Communications Server adds file import capabilities and support for IP address group definition to make the IBM Configuration Assistant more responsive to networking needs. You can read more about the Configuration Assistant in the August 2007 issue of z/OS Hot Topics (PDF, 4.13MB), and you can see a demo of it in use in our Securing Enterprise Extender with IPSec demo.
