Securing Enterprise Extender

Sam Reynolds, IBM z/OS Communications Server Design, samr@us.ibm.com
Tony Amies, William Data Systems, Product Architect, tony.amies@willdata.com
Ray Romney, Cisco Systems, romney@cisco.com

Session 3608, SHARE 2004 Summer Technical Conference
Agenda
- The Evolution of SNA: SNI to EE
- Security Objectives/Issues
- Security Mechanisms
- Proxy Implementation: Apias
- Summary
- References
The Evolution of SNA: SNI to EE
Traditional SNA Networking Infrastructure
[Diagram: Corporation A connected to a business partner through 3745/46 NCPs over SNI; SNA network, SNA applications, SNA application gateway, device such as ATM, IP or SNA network, SNA application gateway clients]
- SNA Applications: over a trillion lines of customer-written application code based on CICS, IMS, and DB2
- 70% of all business data still accessed via SNA applications
- Numerous market factors, including the continued convergence of enterprise networks onto IP technologies and the withdrawal of the venerable 3745 from marketing, have led to a very rapid adoption of Enterprise Extender as a key component of SNA application access strategy amongst the IBM customer set.
What is Enterprise Extender?
- Allows use of IP network for SNA sessions
- EE allows IP enablement of applications and convergence on a single network transport while preserving SNA application and client endpoint investment.
- Typically isolates SNA footprints to the "outside" of the network.
[Diagram: zSeries and S/390 Enterprise Servers attached to an IP backbone with HPR; SNA network; TN3270 or Web clients using TCP sessions/routes; Cisco SNASw, Communications Server for NT, or other SNA footprints using SNA routes for SNA sessions and EE routes for SNA sessions]
Advantages of Enterprise Extender
- SNA transport over native IP network
- Native IP routing within network maximizes router efficiency
- Enables SNA applications to take advantage of advances in IP routing
- SNA traffic can exploit OSA Gigabit Ethernet & HiperSockets
- EE can use any zSeries or S/390 IP network connection -- channel attached router, OSA, etc.
- Allows convergence of voice and data on single network
- No changes to SNA applications
- End-to-End failure protection and data prioritization
- SNA priority mapped to IP Type of Service (TOS)
EE/EBN As An SNI Alternative
[Diagram: NETA and NETB, each with an S/390 or z900 host; left side connected through DLSw over an IP backbone (traditional SNI), right side connected through EBNs over an IP backbone, intranet or Internet (EE with EBN)]
Traditional SNI
- Requires 37xx for interconnectivity
- Complex to define and reconfigure
- HPR (e.g. non-disruptive session switch) not available
Enterprise Extender with Extended Border Node (EBN)
- Configure border node in z/OS CS only
- Single hop SNA connection
- SNA apps unchanged
- Eliminates DLSw
Security Objectives
- Protect data and other resources on the system
  - System availability: protect system against unwanted access and denial of service attacks from network
  - Identification and authentication: verify identity of users
  - Access control: protect data and other system resources from unauthorized access
- Protect data in the network using cryptographic security protocols
  - Data Origin Authentication: verify that data was originated by claimed sender
  - Message Integrity: verify contents were unchanged in transit
  - Data Privacy: conceals cleartext using encryption
Security Issues/Requirements when Implementing EE
- EE is a UDP-based protocol
  - Your firewalls must allow UDP packets over ports 12000-12004, at least for specific partner EE IP addresses
- Going from private lines to public Internet use may bring new requirements for:
  - Encryption
  - Partner authentication
- Corporate policies may further restrict your options:
  - Some companies refuse to allow UDP through their firewalls
  - Some companies mandate that they will have no unsecured network segments
[Diagram: UDP traffic arriving at a firewall]
Security Mechanisms
Firewall/NAT
- A firewall is an entry/exit point to your network used to control access
  - You can filter packets based on source IP address, destination port, or protocol
  - Private IP addresses can be translated to public IP addresses using Network Address Translation (NAT)
- You probably already have a firewall in place
- You must allow UDP ports 12000-12004 through the firewall for Enterprise Extender
- At SNA network boundaries, may want to define filter rules to limit UDP traffic to the IP addresses of the EBN partners
[Diagram: UDP port 12000 traffic passing through a firewall]
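As an added example (not from the presentation), a small Python model of the boundary filter rule just described: UDP on EE ports 12000-12004 is permitted only between a local EE endpoint and the configured EBN partner addresses, and any other UDP traffic on those ports is flagged. The addresses, the flow record format and the sample records are constructed for illustration.

```python
import ipaddress

# Enterprise Extender runs over UDP ports 12000-12004 (stated on the slide).
EE_PORTS = range(12000, 12005)

# Constructed sample policy (not from the presentation): the local EE
# endpoint(s) and the EBN partner addresses allowed to exchange EE traffic.
LOCAL_EE_HOSTS = [ipaddress.ip_network("192.0.2.10/32")]
EBN_PARTNERS = [ipaddress.ip_network("198.51.100.0/28")]

def _in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def ee_decision(src, dst, proto, sport, dport,
                local=LOCAL_EE_HOSTS, partners=EBN_PARTNERS):
    """Boundary filter decision for one flow.

    'other' - not EE traffic; left to the normal firewall rule set
    'allow' - UDP to an EE port between a local EE host and an EBN partner
    'deny'  - UDP to an EE port involving any other address
    """
    if proto.lower() != "udp" or dport not in EE_PORTS:
        return "other"
    inbound = _in_any(dst, local) and _in_any(src, partners)
    outbound = _in_any(src, local) and _in_any(dst, partners)
    return "allow" if (inbound or outbound) else "deny"

def audit_flow_log(lines):
    """Parse constructed flow records 'src:sport -> dst:dport proto' and
    return those the EE boundary rule would deny (IPv4 records only)."""
    denied = []
    for line in lines:
        left, right = line.split("->")
        src, sport = left.strip().rsplit(":", 1)
        dst_port, proto = right.strip().split()[:2]
        dst, dport = dst_port.rsplit(":", 1)
        if ee_decision(src, dst, proto, int(sport), int(dport)) == "deny":
            denied.append(line)
    return denied

# Constructed sample flow records (not captured from a real network).
SAMPLE_FLOWS = [
    "198.51.100.5:12000 -> 192.0.2.10:12000 udp",  # partner to EE host: allow
    "192.0.2.10:12002 -> 198.51.100.5:12002 udp",  # EE host to partner: allow
    "203.0.113.7:12003 -> 192.0.2.10:12003 udp",   # unknown source: deny
    "198.51.100.5:44123 -> 192.0.2.10:53 udp",     # DNS, not EE: other
    "198.51.100.5:44124 -> 192.0.2.10:12000 tcp",  # TCP is never EE: other
]

if __name__ == "__main__":
    for rec in audit_flow_log(SAMPLE_FLOWS):
        print("DENY", rec)
```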
VPN/IPSec
[Diagram: trusted networks joined by encrypted tunnels across an unsecured network]
- Firewalls aren't a total solution -- addresses can be spoofed, no control beyond firewall, etc.
- VPN: a private network (tunnel) over a public network (the Internet/intranet)
- IPSec with Internet Key Exchange (IKE) secures the VPN tunnel
- Very similar to how you probably connect remotely to your corporate network
- Data encrypted/decrypted at tunnel endpoints
- Firewalls can limit access to tunnel
- Split tunneling can be done to allow traffic outside tunnel
Dedicated IPSec VPN Firewall
[Diagram: PIX Firewall with IPSec at the network edge]
Advantages
- Offloads processing
- Combines firewall and IPSec in one box
- May already exist
- Firewalls can be load balanced
Disadvantages
- Unsecured network segments in data center
- New firewall adds to cost, possible failure point
IPSec on SNASw Router
[Diagram: PIX Firewall at the data center, SNASw router with IPSec at the branch]
Advantages
- Cost effective for a small branch
- One less failure point
Disadvantages
- Router CPU intensive
- All traffic through SNASw/VPN router
- Not a good fit for large branches or data centers
PIX Firewall to SNASw Branch
IPSec in branch on separate router
[Diagram: PIX Firewall with IPSec at the data center; VPN/IPSec router and separate SNASw router at the branch]
Advantages
- Offloads processing
- May already exist
Disadvantages
- Cost of another device
- Another point of failure
IPSec on z/OS
[Diagram: z/OS with z/OS Security Server at each end of the IPSec tunnel]
Advantages
- Secure encryption even inside data center
- One less point of failure
Disadvantages
- Cost of MIPS to perform encryption
- Complexity of VPN configuration prior to V1R7
z/OS V1R7 CS will offer numerous IPSec improvements, including a new configuration GUI that should greatly simplify z/OS IPSec configuration.
SNA Session Level Encryption
[Diagram: two trusted networks connected across an unsecured network]
- Data encrypted/decrypted at each z/OS host
- Works in Subarea and APPN networks
- Can be done in addition to other security measures (VPN, IPSec, etc.)
  - There may be advantages to combining them to satisfy certain configurations and requirements
- Does have performance impact
IPSec and SNA SLE Combined Solutions for EE
[Diagram: in each case EE endpoints H1 and H2 connect through gateways G1 and G2 across intranet and Internet/intranet segments]
- Case 1: Protection over Untrusted Network Segment. IPSec SA between G1 and G2 for SNA authentication and session encryption (AH & ESP) over the untrusted segment.
- Case 2: End-to-End Security with Added Gateway Authentication (NAT). SNA Session Level Encryption end-to-end, plus an IPSec SA for gateway authentication (AH).
- Case 3: End-to-End Security with Added Gateway Authentication (NAT traversal solution at H1 and H2 / no NAT). SNA Session Level Encryption or IPSec (ESP) end-to-end, plus an IPSec SA for gateway authentication (AH).
- Case 4: End-to-End Security with Cascaded SAs (NAT/network IDS). Cascaded IPSec SAs carrying the SNA session.
What about SSL? IPSec and SSL/TLS Compared
IPSec
- Provides authentication, integrity, and data privacy at IP layer
  - AH protocol provides authentication and integrity
  - ESP protocol provides data privacy (auth/integrity optional)
  - IKE protocol includes key exchange using public key cryptography and negotiation of security parameters
  - Mgmt of crypto keys and SAs can also be manual
- IP node authentication, not user authentication
- Use of IPSec is transparent to upper layers including application
- Blanket level protection for upper layer protocols
[Diagram: IPSec protects all IP traffic that goes between two IP nodes and passes through insecure network segments; stack on each node: Applications / Sockets API / TCP/UDP / IP/ICMP / Data Link]
SSL/TLS
- Provides authentication, integrity, and data privacy above TCP layer
  - SSL handshake protocol includes key exchange using public key cryptography and negotiation of security parameters
- User authentication if client certificates used
- Applications must be changed to use SSL APIs
- UDP applications cannot be SSL-enabled: TCP only, not UDP!
[Diagram: SSL/TLS protects IP traffic for a specific TCP connection between two SSL/TLS-enabled applications on two IP nodes; stack on each node: Applications / SSL / Sockets API / TCP/UDP / IP/ICMP / Data Link]
EE is a UDP Protocol
SSL/TLS has not been applicable to EE traffic, since EE is UDP-based and SSL is a TCP-based protocol. In addition to authentication and encryption requirements, a remaining inhibitor for many enterprises considering EE is the necessity of opening up firewall ports to UDP traffic. Are there any alternatives?