ClearPath MCP Security Update and
Overview
• Provide an overview of current MCP security products and features, concentrating on the MCP 14.0 and 13.1 features:
• SFTP (SSH Infrastructure)
• RBAC in SecurityCenter and Workload Manager
• Locum Evaluation Keys
• Locum RealTime Monitor – syslog feed capability
• File Transfer enhancements
• FTP Client Certificates
• SAN Datamover SFTP
• Secure File Transfer
• And MORE!
Abstract
• Break down complex problem of MCP security into many different areas
– Show current state (important points)
– Highlight recent features / functionality (MCP 14.0/MCP 13.1)
• Discuss “possible futures”
– Give some view into what we’ve been discussing
– More brainstorming about what could be done – not necessarily in active development.
Areas of Discussion
ClearPath Security
Second to None
• ClearPath MCP is a secure environment by default
• Allows you to authorize, identify and control who can access applications, data, and system resources
• Ensures that the data in transit to your ClearPath MCP is always secured
• Helps you comply with audit and regulatory requirements and monitor the security in real-time
MCP Security
Major areas
• Data Privacy
– Data in the network
– Application Security
– Cryptography
• Authentication / Authorization
• Audit / Assessment / Compliance
• Management / Configuration
• Documentation / White Papers
• Futures
Data Privacy Capabilities
Overview
• Encryption of data across networks
– File transfer via FTP/SFTP/NFT/DMV (new features/products)
– Terminal emulator sessions
– Web pages and services
– Transport Layer Security/Secure Sockets
– IPsec – packet layer encryption
• Encryption of data by applications
• Encryption of data at rest
Network Security
File Transfer Protocols/Products
• Many different methods to transfer and protect files between MCP and other systems.
– FTP/FTPS – enhancements in MCP 13.1
– SFTP (SSH) – new feature in MCP 14.0
– Secure File Transfer (NFT) – new feature in MCP 13.1
– SAN DataMover
• File transfer capabilities on remote systems determine most suitable product.
• Security is configurable on all but SFTP (no unsecure version).
Network Security
File Transfer Protocol (FTP)
• File Transfer Protocol (RFC 959) supported by most systems
• Transfers can be secured via SSL/TLS
– IMPLICIT model – two sets of ports (one secure, one insecure)
– EXPLICIT model – one set of ports (usually 21/20) and there are commands to turn SSL/TLS on/off
• AUTHMODE controls where SSL/TLS is used
– IMPLICIT, EXPLICIT, EXPLICITLOGON, EXPLICITCOMMAND
• New features (MCP 13.1)
– Client Certificates – ability to specify an X.509 certificate for additional validation
File Transfer Protocol (FTP)
Command Syntax
• New keyword - SSL_CLIENT_SERVICENAME
– Specifies the X.509 certificate to use when connecting to remote FTP servers requiring client authentication during the SSL/TLS handshake
– Certificates are stored in the WebTS Trusted Keys folder of the MCP Cryptographic Services Manager module of SecurityCenter
– Public certificates are identified in the Interactive and Batch client sections of the SYSTEM/FTP/SUPPORT/CONFIGURATION file
– Private certificates can also be used; a usercode can override them by specifying in the Interactive and Batch client sections of the FTP/STARTUP file for the user
– For example,
File Transfer Protocol (FTP)
New Options
• SELF_SIGNED
– Use the SELF_SIGNED option to allow the Interactive and Batch client to use certificates that have not been signed by a Certificate Authority
• NOTE: “self-signed” certificates are not considered as strong as an issued X.509 certificate. But many FTP servers have the ability to create one for testing purposes.
• SECURE_DATA_PORT
– Use the SECURE_DATA_PORT option to secure the data connection when SSLMODE is set to EXPLICITLOGON or EXPLICITCOMMAND
Network Security
Secure File Transfer Protocol (SFTP)
• New Feature – MCP 14.0
• Secure File Transfer Protocol (SFTP) is part of the SSH protocol suite
– Defined by <draft-ietf-secsh-filexfer-02.txt>
• MCP implementation supports version 3 (but does NOT support all of the commands yet)
• Interoperable with implementations which use the OpenSSH toolkit (most flavors of Linux) and psftp (part of PuTTY).
• Full list at:
– http://www.support.unisys.com/common/matrices/ViewMatrix.aspx?pla=MCP&nav=MCP&PageID=649
SFTP
Configuration
• Support for SFTP has been integrated into the FTPSUPPORT product and can be accessed from:
– Batch FTP Client (COPY)
– Interactive FTP Client (U FTP)
• SFTP configuration is through FTPSUPPORT configuration file (*SYSTEM/FTP/SUPPORT/CONFIGURATION)
• Keys and trust are configured through SecurityCenter
– Server public keys (management and trust)
SFTP
Copy – Example #1
Batch Client
• COPY FILENAME (FTPTYPE=IMAGE) TO DISK(PACK, IPADDRESS="xxx.xxx.xxx.xxx", AUTHMODE=SSH, USERCODE="GUEST"/"GUEST")
Interactive Client
1. U FTP
2. AUTHMODE SSH
3. OPEN xxx.xxx.xxx.xxx (with GUEST/GUEST credentials)
4. TYPE IMAGE
SFTP
Copy – Example #2
Batch Client
• COPY [SFTP] FILENAME (FTPSITE="SSH_CLIENT_SERVICENAME='SSH_USER'") TO DISK(IPADDRESS="xxx.xxx.xxx.xxx")
Interactive Client
1. U FTP
2. AUTHMODE SSH
3. SSH_CLIENT_SERVICENAME "SSH_USER"
4. OPEN xxx.xxx.xxx.xxx
Remote username defaults to calling usercode, but can be overridden
FTP will prompt for the remote Username during the OPEN
SFTP
Server configuration
• To configure the MCP software as an SSH Server:
– Create a public key for server’s identity (default name is SSH_SSHKEY)
– Modify *SYSTEM/FTP/SUPPORT/CONFIGURATION
[LIBRARY SECTION]
INITIATE_SSH_SERVER = SSHSUPPORT
• Detailed information can be found in FAQ 5847 on the Product Support Website and in standard MCP 14.0 documentation.
– FAQ 5847 also contains the list of software (Interim Corrections) which must be downloaded.
SFTP
Performance
• Performance of SFTP is dependent on many variables
– ClearPath MCP environment
• Workload, memory, overlay, number and size of files, etc.
– Remote environment
• Type of system (RHEL5, RHEL6, etc.) and workload
– Direction
• SFTP windowing is handled differently on different systems
• MCP as client or server
– Network bandwidth
SSHCLIENT
• Can execute one command at a remote system
– R *SYSTEM/SSHCLIENT("ssh -l ops -P password -p 22 10.0.0.1 uname -a")
– R *SYSTEM/SSHCLIENT("ssh -i SSH_CLIENT -l ops -p 22 10.0.0.1 uname -a")
• Can use either password or public key for authentication at the remote system (must be configured)
• LAISSEZFILE must be set to 6 in order to see responses in CANDE.
SFTP/SSHCLIENT
Server Authentication
• If using the MCP as the initiating system with either SFTP or SSHCLIENT, the remote server’s public key must be trusted.
– GUI based clients typically present this as a pop-up window or question
• Must import the server’s public key into SecurityCenter and associate it with the IP address of the server
– IPv4 and IPv6 are supported
• More details are available in FAQ 5847 on the Product Support website.
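The trust rule above, modelled as an added example (not Unisys code and not part of the original slides): a server key is accepted only if its fingerprint was imported beforehand for that IP address, and an unknown address is refused instead of prompted for. The `HostKeyStore` class, the sample keys and the `2001:db8::1` address are constructed for illustration; `10.0.0.1` is the address used on the SSHCLIENT slide.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line(seed: int) -> str:
    """Build a constructed ssh-ed25519 public key line (not a real server key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of '<type> <base64> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type = fields[0].encode()
    blob = base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as its first length-prefixed field; a
    # mismatch means the line was truncated or edited before import.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Hypothetical stand-in for a trust store keyed by server IP address."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def _norm(address: str) -> str:
        # Normalise so every spelling of an IPv4/IPv6 address maps to one pin.
        return ipaddress.ip_address(address).compressed

    def trust(self, address: str, pubkey_line: str) -> None:
        """Import step: an administrator associates a key with an address."""
        self._pins[self._norm(address)] = fingerprint(pubkey_line)

    def check(self, address: str, presented_line: str) -> str:
        """Connection step: compare the presented key against the pin."""
        pinned = self._pins.get(self._norm(address))
        if pinned is None:
            return "UNKNOWN"   # never imported: refuse, do not auto-accept
        if hmac.compare_digest(pinned, fingerprint(presented_line)):
            return "TRUSTED"
        return "MISMATCH"      # key changed: possible interception or re-key


if __name__ == "__main__":
    store = HostKeyStore()
    good, other = make_sample_pubkey_line(1), make_sample_pubkey_line(2)
    store.trust("10.0.0.1", good)
    for addr, key in (("10.0.0.1", good), ("10.0.0.1", other), ("10.0.0.2", good)):
        print(addr, store.check(addr, key))
```
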
SFTP/SSHCLIENT
Client Authentication
• Client authentication methods and preference are controlled by two new security options (SECOPTs):
– AUTHBYPUBLICKEY
– AUTHBYPASSWORD
• Each SECOPT can be set to REQUIRED, DESIRED, ALLOWED, or DISABLED.
– If one is set to REQUIRED, the other is automatically set to DISABLED.
• Default setting:
– AUTHBYPUBLICKEY = DESIRED
Network Security
Secure File Transfer (NFT)
• Secure File Transfer for ClearPath MCP allows data transfer between two MCP hosts
• New Feature (MCP 13.1)
– MCP file attributes of source file are retained across the transfer
– Does NOT require BNA network connectivity
– Can also be secured with SSL/TLS (cryptography support required)
– Hazardous files controlled with the RESTRICTUNWRAP system security option
– Transfers initiated with COPY [FTP] command or FTP Interactive and Batch clients
Secure File Transfer (NFT)
Securing Hazardous Files
Hazardous files (codefiles for example) are marked restricted unless:
– The RESTRICTUNWRAP system security option at the destination host is reset
– or –
– The Library RESTRICTED option is reset by the FTP Administrator at the destination host
and
– The RESTRICTED option is reset in the COPY command and the usercode at the destination host is a security administrator
Secure File Transfer (NFT)
New MCPDATA transfer type
• Transfers use data transfer type “MCPDATA”
– COPY [FTP] TEST/CASE_1/= (FTPTYPE = MCPDATA) FROM DISK (PACK, IPADDRESS = "124.39.225.14", USERCODE = SYSTEST/105639)
• Copies all files under the TEST/CASE_1 directory on the remote MCP host to the local host
• All attributes, including FILEKIND, are retained at the destination host.
Secure File Transfer (NFT)
Copying of codefiles
COPY [FTP] (SYSTEST)OBJECT/TESTFILE (FTPTYPE=MCPDATA, FTPSITE="OPT - RESTRICTED") FROM TESTPACK(PACK) TO USERPACK (PACK, HOSTNAME=MCPEAST,USERCODE=ABC/ABC)
• The codefile (SYSTEST)OBJECT/TESTFILE on TESTPACK is copied to
USERPACK at the remote MCP host, MCPEAST
• Resetting the RESTRICTED option prevents the codefile from being marked restricted, but only if user ABC is a security administrator at MCPEAST
Secure File Transfer (NFT)
Network Security
• Data transmission can be secured by Secure Sockets Layer (SSL/TLS)
• Specify the level of security required for the file transfer (using the SSLMODE attribute)
– EXPLICIT
– IMPLICIT
Command and data path are secured, different control ports are used.
– EXPLICITLOGON
– EXPLICITCOMMAND
After logon, command path can be optionally unsecured. Data path security is independently selected.
COPY [FTP] DATADB (FTPTYPE = MCPDATA) FROM DISK (PACK, IPADDRESS = "124.39.225.14", SSLMODE = IMPLICIT, USERCODE = SYSTEST/105639)
Secure File Transfer (NFT)
Other Issues
– MCPDATA transfers are incompatible with older levels of FTPSUPPORT
– Non encrypted transfer speeds are similar with NFT
– Encrypted transfers are slower than non-encrypted transfers
– Non-MCP hosts running FTP can be used as store and forward hosts for MCPDATA transfers
– Documented in the TCP/IP Distributed System Services Operations Guide
Network Security
SAN DataMover (DMV)
• SAN DataMover provides an efficient way to move large amounts of disk data (local Windows environment required).
– Between MCP and local Windows environment,
– Between MCP and remote Windows, Linux or UNIX environment (by way of a local Windows environment)
• Offloads data transfer to Windows environment (freeing ClearPath MCP MIPS)
• Security Features (introduced in MCP 13.0)
– SSL Support – Secure Communication between Windows and MCP SAN DataMover Components (requires MCP Cryptographic Services)
– FTPS & SFTP Support – Secure Remote File Transfer
Network Security
Securing Terminal Emulator Sessions
• Protect data in terminal emulator sessions to MCP servers
• Many options available:
– WebEnabler for ClearPath MCP – supports a 2-tier model – direct SSL connections from WebEnabler to ClearPath MCP
– Secure TELNET – MCP Telnet can offer secure and/or unsecure sessions. Controlled via system security option (SECURECOMM)
– Attachmate INFOConnect and MCP Telnet can also use a custom encryption protocol
Network Security
Securing Print Data
• Secure data between MCP and Print Server
• Use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to protect data
• MCPPRT Server (new in MCP 13.1)
– Just specify SSL in IOHandler Parameter
– See PrintS Guide (8600 1039–514)
• EOM (Depcon) Server (new in MCP 13.1)
– Specify SSL in PC and MCP Configuration Files
Network Security
Securing Web Pages and Web Services
• Secure data between Web browsers and Web servers
– ClearPath ePortal
– Web Transaction Server (WebTS)
• Secure Web services between service requestors and providers
– ClearPath ePortal
• Use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to protect data
IP Security (IPsec)
Security for the IPv6 network
• Can authenticate and/or encrypt each IP packet in a data stream
• Uses policies to define security at the MCP-to-network boundary. IP packets can be:
– Forbidden from being transmitted unencrypted (DISCARD)
– Allowed to be transmitted unencrypted (BYPASS)
– Authenticated or encrypted prior to transmission (PROTECT)
• Subject to US Government export control
– Packaged in the operating environment encryption option
• Supports 3DES and AES algorithms for packet encryption
Client Access Services
Access control by IP address
• New feature in MCP 14.0
• Can also permit/limit access to shares via IP address as well as usercode and/or groupname.
• Shares of type = DISK or CDROM or PRINTER or PIPE are supported.
• ACCESS syntax enhanced to also specify IP address
• Examples:
ACCESS = ALL [email protected]@192.63.24.13
ACCESS = NONE [email protected]@192.63.24.13
ACCESS = [email protected]@192.63.24.13
ACCESS = ALL – GROUP [email protected]@192.63.24.13
ACCESS = NONE + GROUP [email protected]@192.63.24.13
ACCESS = ALL –JOE –[email protected]
• Applications running in the MCP environment can secure data through many mechanisms:
– SSL/TLS
• TCPIPNATIVESERVICE port files
• BSD Socket API
– GSS-API (RFC 1964)
– Application Role-Based Access Control (RBAC)
– McpCryptoAPI for User Applications
• Encryption
• Message Digests (Hashes)
• Digital Signatures
• some PKI functionality
Application Security
Kerberos
New AES Encryption types
• New in MCP 13.1
• New encryption types:
– AES256_CTS_HMAC_SHA1_96 (or AES256)
– AES128_CTS_HMAC_SHA1_96 (or AES128)
• Requires
– Operating Environment Encryption Option
– Windows KDC at Domain Functional Level >= 3 (Windows Server 2008 or later)
• MARC ADJOIN simplifies upgrade
• Supported in IC SECURE-TRANSPORT-013.0A.9 & SECURITY-054.1A.25
Kerberos
Configuration Changes
• Service Definition File
– AES = TRUE
• Create AES keys for service principals
• Add AES encryption types
• Recommend DES = FALSE
• Kerberos Configuration File
– DEFAULTS
• WAITFORMCAPI (to ensure AES session key)
• ENCRYPTIONPLATFORM = MCP ignored for AES
– REALMS
• Authentication = validating credentials presented to system
• Current options for ClearPath MCP:
– Usercode / password
– Accesscode / password
– Kerberos Principal ID / password
• Remote protocols accepted:
– NTLMv1, Kerberos, NTLMv2
• SHA-256 algorithm used for password crunch
• Password Aging / PWCHANGESUPPORT
Authentication
Role-Based Access Control
Summary of current state
• MCP 13.0 introduced RBAC for Applications
– configured through SecurityCenter or RBACSUPPORT library.
• Role Based Access Control (recap)
– Allows the application to define “permissions” which correlate to operations or functions
– Allows the security administrator to group these permissions into “roles” and assign usercodes to these roles
– Application then checks to see if caller has the correct permission to perform operation
– Allows administrator to define different roles for access rather than each usercode.
Role-Based Access Control
Additional MCP 14.0 Features
• New in MCP 14.0
• Several system software products have implemented support for Role Based Access Control (RBAC)
– SecurityCenter
– Locum products (released with SecurityCenter)
• Locum SafeSurvey
• Locum SecureAudit
• Locum RealTime Monitor
Role-Based Access Control
SecurityCenter
• SecurityCenter has defined all of its internal permissions into two sample realms
– All Permissions
– Standard Roles
– Will be kept up to date with current permissions (when new ones are added)
– Will be able to be re-imported or merged into realms.
• These samples can be saved locally and then edited to create the roles and administrators required
– Realms are kept as XML
• To activate RBAC for SecurityCenter, import back into SecurityCenter as the realm SECURITYCENTER
Role-Based Access Control
Locum Software
• Locum Software has added RBAC functionality to their three products.
• Permissions are defined via an XML file that is installed when SecurityCenter is installed
Role Based Access Control
Workload Management
• New in MCP 14.0
• Support for Role Based Access Control (RBAC) is provided in WLM.
• Workload Management RBAC is optional and customizable via Security Center allowing assignment of whatever functionality is desired for a role.
• The supplied default Workload Management RBAC realm provides two user roles, WLMADMINISTRATOR and WLMOBSERVER.
– WLMADMINISTRATOR has total access to all functionality
– WLMOBSERVER can view all of the configuration, real-time monitors and statistical data but cannot make changes
• For more details, refer to the Workload Management for ClearPath MCP User’s Guide and the Workload Center help text.
• Authorization = what privileges and access the identity has once authenticated (Access Control as well)
• Current UserDataFile attributes:
– PU
– SECADMIN (effective only if SECAD option enabled)
– Granulated privileges (e.g. READ, CHANGE, COPY)
– Can be given to a usercode, program, or library.
• POSIX (user/group/world), SUPPLEMENTALGROUPS
• Role-based Access Control for Java
• Application Role-based Access Control
Authorization
• System logs all information into system “sumlog” when any action occurs
– Companion SECURITYLOG which logs security-worthy events (currently only network security sensitive diagnostic data)
– Must be security administrator to see sensitive data
• Native to MCP and system software – not added on later (like other commodity operating systems)
• Other products can also have audit logs which contain auditable events:
– e.g. WebTS TRANSLOG, DMSII Audit log, etc.
Audit
• LOGANALYZER
– Analyzes the system sumlog and securitylog (if privileged)
• Locum SecureAudit
– Analyzes system events by categories (e.g. System Security Violations)
– Data can be gathered via client or batch mode
– Trends can be graphed
– Correlation reports allow query of system sumlog data for detailed analysis
– Summary version packaged with SecurityCenter; full version available through Unisys.
Analysis
• Security assessment and reporting tool
• Keep management informed about system security status
• Analyze (24 total reports)
– UserDataFile
– Password penetration tests
– COMS Cfile (programs, stations, defaults)
– System Configuration
– Disk files (last access, privileged, control)
– Guardfiles
– System Policy Compliance
– Usercode Usage Report (NEW in MCP 13.1)
– Last logon dates (if kept)
System Assessment
• Allows real-time monitoring of the security and system events on one or more ClearPath MCP systems
– Separately priced and licensed
• Alerts can be specified by:
– Functional security event description, such as all Security Violations or Privileged Commands
– Major/minor log record, with additional filtering via the result field
• Activity codes allow grouping of alerts by severity (High, Medium, Low for example).
Real-Time Security Monitoring
• Activity codes define notification method:
– Display
– Email notification
– Forward to syslog (new feature in MCP 13.1)
• Easy grouping of all events of one system or many and color-coding for ease of viewing.
• Demonstrations and consulting available from Locum Software, Ltd. (on show floor).
Real-Time Security Monitoring
Locum Software
Try-and-Buy keys
• New in MCP 13.1 and 14.0
• All software is released with SecurityCenter (both host and client pieces) of all three Locum products
• Trial keys are available for evaluation of the three Locum products packaged with SecurityCenter
– SafeSurvey
– SecureAudit
– RealTime Monitor
– Allow enablement of full package for a timed period (60 / 90 days)
• New in MCP 14.0
• Three new usercode attributes to improve auditability:
• CREATETIME
• USERMODIFYTIME
• SYSTEMMODIFYTIME
• Enabled by security option UDTIMESTAMPS
Audit
Security Administration
SecurityCenter
• Security Center
– Preferred security administration tool
– PC-based GUI and wizards
– Enables security administrators to define, manage, and test/assess MCP security.
– Replaces command line/batch tools such as MAKEUSER and SYSTEM/GUARDFILE.
• Microsoft Management Console “snap-ins”
– Security Policy Management
– File Access Management
– Cryptographic Services Management
– Kerberos Configuration Management
– User Account Management
SecurityCenter
Security Policy Management
• System policy
– Security option settings
– Can be applied to one or more systems
• Usercode policy
– Which attributes are visible
– Default values to be used when creating new usercodes
• Transaction Server (COMS) user policy
– Default attributes for each user
• Network firewall policy (aka TCP/IP filtering)
– What network traffic should be allowed or denied
• IPsec policy
SecurityCenter
Account Management
• Allows security administrators to manage credentials of the ClearPath MCP
– UserDataFile
– Application (RBAC) and Java Realms
• Uses user policies established in System Policy Management
– Defines what attributes are seen through SecurityCenter
– Default attributes for newly created usercodes
• Query Browser
– Allows security administrator to query how many usercodes have an attribute or collection of attributes
SecurityCenter
Cryptographic Services Manager
• Used by security administrators to perform key management (create / import / export / renew)
– SSL keys and certificates (used by WebTS, FTP, Sockets programs, User Programs)
– Tape encryption keys (new feature in MCP 13.1)
– IPsec keys (symmetric)
– SSH Keys (new in MCP 14.0)
• Also used for Certificate Management (SSL clients)
– Certificate Stores
SecurityCenter
Tape Encryption - Compromised Key Sets
• New in MCP 13.1
• MCP-based software tape encryption can now mark a set of tape encryption keys as invalid for writing, and generate a replacement keyset
• This may be done because:
– A key of the set is thought to be compromised
– The keyset’s lifetime (according to corporate policy) has been reached
• Compromised keysets can still be used for decryption (retained indefinitely)
SecurityCenter
Tape Encryption - Managing Key Sets
To manage sets:
Under MCP Cryptographic Services, Trusted Keys, select node: Tape Encryption Keys
Sets uniquely identified by
• Host name
• Release level
SecurityCenter
Tape Encryption - Managing Key Sets
Icon shows state of set:
• Green=Active
• Red=Inactive/Compromised
Only the Active set for the local host is used to encrypt
All sets are used for decryption. If a tape was encrypted with a key of that set, it will be automatically decrypted
SecurityCenter
Tape Encryption - Managing Key Sets
Create a set:
• Right-click Tape Encryption Keys node, select “Create New Keyset”
• Current (Highest-numbered) set is disabled, new set is created
Mark set compromised:
• Right-click local host’s Active set, click “Mark as Compromised”
• Selected set is disabled, new set is created
SecurityCenter
Logging Key Set Operations
• Key Set operations are logged in the SUMLOG and are marked Security Relevant:
– Create; Compromise; Import; Export; Delete; Use
• New LogAnalyzer selection: SECURITY(KEYMGMT)
– Major type 20, minor type 1
• Log report format:
• 19:04:22 8631 Tape Encryption Key Set #3 CREATED for host TRSEC1 release 541
• 19:04:22 8631 Tape Encryption Key Set #2 marked COMPROMISED for host TRSEC1 release 541
• 19:10:30 8651 Tape Encryption Key Set #3 USED for host TRSEC1 release 541
• 12:11:26 8669 Tape Encryption Key Set #1 IMPORTED for host ECCSG release 531
SecurityCenter
Tape Encryption - Best Practices
• When a new keyset is generated, you must back up the keyset (via Export) and transport it to any systems that will need to decrypt tapes created on this host
• Ensure that keys are stored securely
• Ensure that keys are transported between systems securely
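An added example (not part of the original slides and not a Unisys tool) that parses the key set log report format shown under "Logging Key Set Operations" and checks the export best practice above: it lists key sets that were created but have no later export in the report, plus the sets marked compromised. The first four sample lines are the ones on the slide; the `TRSEC2` lines and the `EXPORTED` / `DELETED` wording are assumptions, since the slides show no line for those operations.

```python
import re
from typing import NamedTuple

# Lines 1-4 are the report lines shown on the slide. Lines 5-6 are constructed,
# and the wording "EXPORTED" is an assumption (no export line is shown there).
SAMPLE_REPORT = """\
19:04:22 8631 Tape Encryption Key Set #3 CREATED for host TRSEC1 release 541
19:04:22 8631 Tape Encryption Key Set #2 marked COMPROMISED for host TRSEC1 release 541
19:10:30 8651 Tape Encryption Key Set #3 USED for host TRSEC1 release 541
12:11:26 8669 Tape Encryption Key Set #1 IMPORTED for host ECCSG release 531
12:15:02 8670 Tape Encryption Key Set #4 CREATED for host TRSEC2 release 541
12:16:40 8671 Tape Encryption Key Set #4 EXPORTED for host TRSEC2 release 541
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<ref>\d+)\s+"
    r"Tape Encryption Key Set #(?P<set>\d+)\s+(?:marked\s+)?"
    r"(?P<op>CREATED|COMPROMISED|USED|IMPORTED|EXPORTED|DELETED)\s+"
    r"for host (?P<host>\S+) release (?P<release>\d+)$"
)


class KeySetEvent(NamedTuple):
    time: str
    ref: int       # second column of the report; its meaning is not stated on the slide
    set_no: int
    op: str
    host: str
    release: int

    @property
    def keyset(self):
        # The slides identify a set by host name and release level, plus its number.
        return (self.host, self.release, self.set_no)


def parse_report(text):
    """Return (events, unparsed_lines); unmatched lines are kept, not dropped."""
    events, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # tolerate slide bullets
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(raw)
            continue
        events.append(KeySetEvent(m["time"], int(m["ref"]), int(m["set"]),
                                  m["op"], m["host"], int(m["release"])))
    return events, unparsed


def audit_keysets(events):
    """Walk events in report order (lines carry a time but no date)."""
    pending_export = {}   # keyset -> creation event, until an export is seen
    compromised = []
    for ev in events:
        if ev.op == "CREATED":
            pending_export[ev.keyset] = ev
        elif ev.op == "EXPORTED":
            pending_export.pop(ev.keyset, None)
        elif ev.op == "COMPROMISED":
            compromised.append(ev.keyset)
    return {"unexported": sorted(pending_export), "compromised": sorted(compromised)}


if __name__ == "__main__":
    events, unparsed = parse_report(SAMPLE_REPORT)
    findings = audit_keysets(events)
    for host, release, set_no in findings["unexported"]:
        print(f"no export seen for key set #{set_no} on {host} (release {release})")
    for host, release, set_no in findings["compromised"]:
        print(f"key set #{set_no} on {host} (release {release}) marked compromised")
    for line in unparsed:
        print("unparsed line, review manually:", line)
```
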
MCP Cryptography Architecture
Hardware
• MCP Cryptography runs on Intel processors and is offloaded from the MCP
• CMOS-based systems (Libra 580/590 and newer)
– Cryptographic Co-processor: 1U appliance connected via FC-IOP to ClearPath MCP I/O complex
– 1-8 CCPs per system (for redundancy)
– Can be configured to be DISTRIBUTED, ACTIVE/STANDBY, and other configurations
• Intel-based systems (Libra 4000, Libra 400 and older)
Operating Environment Encryption Option
Packaging
• Includes all MCP software encryption technology
– Cryptographic services
– Key management user interface via Security Center *
– Application programming interface to crypto services (McpCryptoApi)
– Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols
– Kerberos data encryption
– IPv6 *
– IP Security (IPsec)
– MCPvm remote Web Enabler ODT via SSL
– SSH/SFTP (new in MCP 14.0)
– Exception: does not include encryption for the Java Virtual Machine
• Symmetric encryption algorithms supported:
– RC2, RC4, DES, 3DES, AES (128, 192 and 256 bits).
– Modes: CBC and ECB
• Hash/Message Digest algorithms supported:
– MD4, MD5, SHA-1, HMAC, SHA-256.
• X.509 Certificate operations supported:
– Open Store, Read X.509 Certificate, Store & Verify Certificate, Retrieve Public Key from Certificate
• Key exchange algorithms supported:
– RSA (up to 2048 bits)
Cryptography
Tape Encryption
Software-based Solutions
• Used in conjunction with other products
• Library Maintenance
– Tapes and CDs
• MCP TapeStack
– Make an encrypted/decrypted copy of an existing tape
– Encrypt data while stacking several tapes onto a single stacked tape
– Decrypt data while unstacking a stacked tape onto several tapes
• DMSII
– Audit and dump tapes
– Disk dumps
Data Privacy
Secure Ports
• Potential added functionality for Secure Ports:
– X.509 certificate support (can retrieve details of X.509 certificates via file API)
– Request client certificates
– EXPLICIT mode support (can toggle SSL/TLS when connection is open)
• Additional system software using this feature (those who use TCPIPNATIVESERVICE)
• Ability to define more granular privileges
• Role-based access control
• Extensions to framework
• Reports
• Use by more System Software products
• System-Level RBAC
Authorization
• Extensions to RealTime Monitor framework
– More events “into the pipe”
– Other events
– Network
– Policy changes
– Other sources
– Integration to other destinations
– 3rd party systems (e.g. ArcSight)
– Other dashboard systems
– Any new logging standards (CEE, etc.)
Audit
– Security option to control minimum level of security (AUTHENTICATE, ENCRYPTION, and new SECURECOMM)
– Keep networking protocols up to date (TLS 1.2) which support different modes of cryptography
– SSH terminals
– Support for more SFTP clients
Network & Application Security
• Tighter integration of policy with active data
– System policy
– Usercode policy (could span multiple usercodes)
• Future policy would be tied to usercode – updates in policy would be reflected in usercode(s)
– Other possible areas?
– Unsure about this – is manual better for change control?
• Easier to deploy pieces of SecurityCenter throughout organization (only allow users to do certain functions)
• Secure key storage and replication enhancements (using standards (PKCS#8, PKCS#12) where applicable)
Management & Configuration
• Keep pace with new standard (de facto) cryptography algorithms.
• New modes for AES algorithm (AES-GCM, etc.)
• Implementation of NIST replacement for SHA-1 scheduled for 2013
• Possible other algorithms (Diffie-Hellman, Suite B, etc.)
Cryptography
• Tape Encryption
– Interface to external key management stations / architectures
– Keep up with industry standard (P1619) practices and protocols
– DMSII
– Data encryption
– Increased auditing
– Disk encryption
Encryption
Possible Futures
• Security Administration Guide
• MCP Security Overview
• Security Operations Guide
• SecurityCenter Help
• Kerberos Configuration Guide
• TCPIP Distributed System Services Guide
• TCPIP Implementation Guide
• Security SDK
Documentation
Documentation
Internet Resources
• Unisys.com
– Repository for demonstrations, whitepapers, presentations, software release announcements, migration guides, catalogs, downloads, etc.
– Registration required
• Support.Unisys.com
– Technical Documentation Libraries
ClearPath Connection Newsletter
(Quarterly Newsletter)
• The latest ClearPath news
• Delivered via e-mail
• Optional PDF download
• Languages
– English
– French
– Portuguese
– Spanish
• Subscribe today
FAQ 10029414 -- Tape Encryption setup
FAQ 10029970 -- Secure FTP
FAQ 10029953 -- DMSII Encryption
FAQ 10029937 -- PWCHANGESUPPORT sample
FAQ 10030374 -- FTPS client authentication setup
FAQ 10031494 -- Locum SafeSurvey
FAQ 10031508 -- Locum SecureAudit
FAQ 10031524 -- FTPS setup (client & server)
FAQ 5847 -- SSH