• No results found

OS/390 Firewall Technology Overview

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "OS/390 Firewall Technology Overview"

Copied!
23
0
0

Loading.... (view fulltext now)

Download now ( 23 Page )

Full text

(1)

Washington System Center

OS/390 Firewall Technology

Overview

Mary Sweat

(2)

Advanced Technical Support

Agenda

Basic Firewall strategies and design

Hardware requirements

Software requirements

Components of OS/390 Firewall

(3)

Advanced Technical Support

What is a Firewall

A solution that provides controlled access between a private

(trusted) network, and an untrusted network such as the Internet

A tool for enforcing your network security policy

Trusted Network Untrusted

Network

(4)

Advanced Technical Support

Limit access by persons within the secure network

to selected resources in the non-secure network

Reduce network traffic outside the secure network

Improve performance within the secure network

Why Use a Firewall?

??????????????????????????????????

??????????????????????????????????

?

?

?

?

?

?

?

?

(5)

Advanced Technical Support

Firewall Strategies

Filtering Information Hiding Authentication allowed Encryption Security/Audit

(6)

Advanced Technical Support

Ensure physical security

Configure the firewall by disallowing everything and then proceed by enabling those services defined in the security policy

Support only required applications and remove or disable others

Security policy that defines how a firewall should function in cooperation with the security group/advisors

what type of traffic is allowed through the firewall and under what conditions

Audibility

Basic Design Decisions in a Firewall

PASS

FW Rules

(7)

Advanced Technical Support

Firewall Technologies Tools

Included with the OS/390 Security Server

Configuration Commands

Configuration Client (GUI)

Proxy FTP server

Socks Server

Logging Server

Real Audio Support

Included with the eNetwork Communications Server for OS/390

Network Address Translation (NAT) with Crypto HW

IP Filters

(8)

Advanced Technical Support

Any communication hardware interface supported by the TCP/IP protocol stack to make the network connections

OSA, 3172, CTC, XCF, etc.

At least two network interfaces;

one network interface connects the secure,

internal network that the firewall protects

the other network interface connects to the

nonsecure, outside network or internet

ICSF/MVS V2 R1.0 and Prog. Cryptographic Option

this is optional requirement as firewall can use software

encryption

Hardware

(9)

Advanced Technical Support

OS/390 Security Server (RACF)

OS/390 eNetwork Communications Server OS/390 Unix services (OpenEdition)

OS/390 C/C++ Collection Cl. Lib.

(10)

Advanced Technical Support

Software for Configuration Client

AIX

Java.rte 1.1.4 or 1.1.6

AIX 4.2 or higher (as long as Java.rte level is supported) Netscape nav.rte 3.0.0.1

Windows 95 or Windows NT

Web browser with Java and frames support Zip tool that handles long file names

(11)

Advanced Technical Support

IP Filters

Packet filtering looks at every packet coming into the IP stack, and

determines whether the filter rules allow the packet to be sent to its

destination.

Filtering checks;

-- source and destination IP address & mask -- source and destination port

-- direction of the data flow -- IP protocol

-- type of interface (secure or nonsecure) -- fragmentation

-- tunnel ID

Non-secure Net Secure Net

Interfaces TCP/IP

(12)

Advanced Technical Support 0 15 16 31 4-bit version 4-bit hdr. length TOS Type of

Service 16-bit total length in bytes

16-bit identification 3-bit frag-ment flags 13-bit fragment offset 8-bit TTL Time

to Live

8-bit Protocol

number 16-bit header checksum

32-bit Source IP Address

32-bit Destination IP Address

IP Datagram options (If any present)

DATA (If protocol is TCP, this is a TCP segment, if protocol is UDP, this is a UDP Datagram)

20 bytes

(13)

Advanced Technical Support

FTP Proxy Support

OS/390 Firewall Technologies supply an FTP proxy server (pftpd)

access controlled on a user-by-user basis

to go out of the secure network

to come in from the non-secure world

local ftp commands disabled on the firewall

Users ftp to the firewall and with valid authorizations, pftpd contacts FTP server outside the secure network

ftp client Secure Network Non-Secure Network destination ftp server pftpd ftp

(14)

Advanced Technical Support

Socks

A socks dæmon sits between the client and destination server

socks dæmon is generic

can handle traffic for multiple, different applications Socks replaces the IP address of the user with the

address of the firewall

client

socks

server

dæmon

ftp

telnet

...

(Socksified Clients) Any application protocol

(15)

Advanced Technical Support

Virtual Private Networks

Virtual Private Networking (VPN) allows secure communications between remote sites over a public network like the internet

Firewall ALPHA Firewall BETA Secure Network #2 Secure Network #1 Tunnel INTERNET

(16)

Advanced Technical Support

Network Address Translation (NAT)

Network Address Translation provides a translation from an internal (secure) IP address to an temporary external registered address

Secure Network Non-Secure Network 9.82.92.8 NAT Pool t.h.f.1 TCP/IP TCP/IP NAT t.h.5.0 RESERVE t.h.5.0 255.255.255.0 TRANSLATE 9.82.0.0. src=t.h.f.1 dest=t.h.5.9 src=t.h.f.1 dest=9.82.92.8

(17)

Advanced Technical Support

Logging/Configuration/Administration

Logging

Critical to the security of any system

Ability to reliably detect potential intrusions

implies the ability to collect and save information about transactions

GUI/Commands are used to configure and administer the firewall

technologies

define secure and non-secure adapters set logging parameters

define rules for packet filtering and socks define VPN

(18)

Advanced Technical Support

Firewall enhancements in latest release (R7)

Support multiple TCP/IP stacks Firewall daemon enhancements

GUI user interface & configuration server IPSec enhancements for VPNs

(19)

Advanced Technical Support

Multi-Stack

8 Firewalls can now run simultaneously

in prior releases, system was restricted to one utilizes TCP/IP stack (OS/390 supports 8)

Firewall configuration commands made "stack-aware"

new commands associate firewall functions with particular stack each firewall could have a potentially different configuration

(20)

Advanced Technical Support

FTP & SOCKS

Enhancements

Number of connections allowed is vastly increased

Administrator can determine number of connections

allowed

ftp client Secure Network Non-Secure Network destination ftp server pftpd ftp

client

socks

server

dæmon

(21)

Advanced Technical Support

Graphical User Interface

Graphical User Interface (GUI)

written in JAVA

installs / runs on Windows 95/NT & AIX

Configuration Server runs on OS/390

GUI Security uses Secure Sockets Layer (SSL)

SSL GUI Client

Configuration Server

(22)

Advanced Technical Support

IPSec Enhancements for VPNs

Uses upgraded IPSec that supports new standards

triple DES

replay prevention

new authentication processes

encryption standard contains ability to also authenticate

Firewall Tunnel IPSec Packet Encrypted Packet Partner's Firewall INTERNET

(23)

References

Download now ( PDF - 23 Page - 218.96 KB )

Related documents

Business Application & Policy Notice

Credit will be posted to the account when invoice copy is received and Global Organic accepts product.. For product returns after driver

Information Fusion Methodology for Enhancing Situation Awareness in Connected Cars Environment

• Situation and Threat Assessment (SA/TA): high-level information fusion using a novel fuzzy extension to multi-entity Bayesian networks that model some imper- fect aspects of data

IIPRC-08-LB-I-CB ADDITIONAL STANDARDS FOR RIDERS, ENDORSEMENTS OR AMENDMENTS USED TO EFFECT INDIVIDUAL LIFE INSURANCE POLICY CHANGES

Purpose and Scope: These standards apply to forms filed with the Interstate Insurance Product Regulation Commission (“IIPRC”) that are used to effect policy changes that have

Tuesday, June 5, 12. Mobile Device Usage

• Otherwise, personal devices not allowed on the secure network at all, only a guest

EXTENDED FILE SYSTEM FOR F-SERIES PLC

Automatic FTP upload from the PLC to an external web-server: You can program the F-series PLC to make an FTP client connection to any web server on the local network or on

The prognostic and predictive value of excision repair cross-complementation group 1 (ERCC1) protein in 1288 patients with head and neck squamous cell carcinoma treated with platinum-based therapy: a meta-analysis

Excision repair cross-complementation group 1 (ERCC1) protein has been extensively investigated as a prognostic and predictive factor for platinum-based treatment in head and

Measuring Marine Plastic Debris from Space: Initial Assessment of Observation Requirements

Keywords: remote sensing; marine plastic debris; mission requirements; hyperspectral sensors; multispectral imagers; high spatial resolution; sensors synergy; submesoscale

Modeling life stage dynamics of Pseudocalanus spp. (Copepoda: Calanoida) from Prince William Sound, Alaska

Figure 3.4.C shows the SAGE output for total Pseudocalanus abundance when the initial abundance of females was set equal to that of the first sampling day in the data set, and