Security considerations

Multilevel security is an enhanced security environment that can be configured on a z/OS® system. In this environment, the security server and trusted resource managers enforce mandatory access control policies in addition to the usual discretionary access control policies. To participate in a multilevel secure environment, the user IDs associated with z/OS CS tasks and the resource profiles in the SERVAUTH class need to have security labels defined. For more information on the multilevel secure environment and configuring z/OS CS in that environment, see Preparing for IP networking in a multilevel secure environment.

z/OS Communications Server relies on a System Authorization Facility (SAF) to protect several resources:

Started tasks require access to a STARTED resource. This is documented in the server information in the z/OS Communications Server: IP Configuration Reference. Also, see SEZAINST(EZARACF) for SAF authorizations required for the TCP/IP stack and servers started tasks.
Restricting access to a network, subnetwork or particular IP address in the network is provided by resources in the SERVAUTH class. Using NETACCESS statements, z/OS CS can map networks, subnetworks and IP addresses to SAF resource names. Users that are not permitted access to a particular SAF resource are not allowed to communicate with the corresponding network, subnetwork, or IP address. See the NETACCESS statement in z/OS Communications Server: IP Configuration Reference or Setting up the System Authorization Facility server access authorization class (optional) for more information.
You can also use SAF resources in the SERVAUTH class to control which users can create dynamic VIPAs that are specified by VIPARANGE statements, and to restrict access to a specific dynamic VIPA or a specific range of dynamic VIPAs in a VIPARANGE statement. For more information about the VIPARANGE statement, see z/OS Communications Server: IP Configuration Reference. For information about VIPARANGE access control, see Defining a security profile for SIOCSVIPA, SIOCSVIPA6, and MODDVIPA and Defining a security profile for binding to DVIPAs in the VIPARANGE statement.

Restricting the ability of the users to run applications that access specific TCP and UDP ports is also provided by resources in the SERVAUTH class. z/OS Communications Server provides a one-to-one mapping between port numbers and SAF resource names. See the PORTACCESS statement in the z/OS Communications Server: IP Configuration Reference or Setting up the System Authorization Facility server access authorization class (optional) for more information.

Similar to the function provided by the PORTACCESS statement, z/OS Communications Server ensures that a user attempting to connect to a TN3270E Telnet server secure port is allowed access to the port. This support is used in conjunction with Telnet client authentication support. See the CLIENTAUTH statement in the z/OS Communications Server: IP Configuration Reference or Setting up the System Authorization Facility server access authorization class (optional) for more information.

Restricting access to the TCPIP stack is also controlled under z/OS CS by defining a resource in the SERVAUTH class. See Setting up the System Authorization Facility server access authorization class (optional) for more information.
Restricting access to operator commands is provided through the OPERCMDS resource. z/OS Communications Server verifies that users have access to specific OPERCMDS resources before executing the operator command. See the operator commands information in z/OS Communications Server: IP System Administrator's Commands or Setting up the System Authorization Facility server access authorization class (optional) for more information about limiting access to z/OS Communications Server commands.
Restricting access to the TSO and UNIX shell Netstat command is provided by SERVAUTH resources. z/OS Communications Server verifies that users have access to specific SERVAUTH resources before executing the Netstat command. See the Netstat command information in the z/OS Communications Server: IP System Administrator's Commands for more information about limiting access to Netstat command. The security product resource names in the SERVAUTH class do not apply to DISPLAY TCPIP,,NETSTAT command. If you want to restrict access to DISPLAY TCPIP,,NETSTAT command, you can do so using standard operator command restriction facility, OPERCMDS class profiles. See z/OS MVS Planning: Operations for more information.

For more information about protecting these resources and other TCP/IP resources from unauthorized access, see TCP/IP resource protection.