This article describes a common mainframe network security exposure and how you can address it in your data center. We start by describing how VTAM works in a single computer, across different computers in your data center, and across different networks. We’ll consider how this architecture can introduce a security exposure and the tools available to close the exposure. We’ll also describe how to investigate all this in your data center, whether you’re the data security officer, the CIO, or the VTAM systems programmer.
VTAM is the system software on z/OS computers that controls the terminals and the connections between them and applications. Even TCP/IP depends on it: the z/OS TCP/IP stack cannot start until VTAM is active. VTAM works by making logical connections, called sessions, between Logical Units (LUs). An LU is an entry point to the network, usually either a terminal or a program such as CICS. A program that talks to terminals through VTAM is known to VTAM by an application identifier, or applid: the name it opens when it starts, and the name users type when they want to reach it.
When you first sit down at a terminal, VTAM controls it. You type in a request for a connection to an applid such as CICS or Time Sharing Option (TSO). If VTAM recognizes your terminal and knows an applid with that name, it passes the logon request to that application; when the application accepts it, VTAM sends a “bind” command to your terminal on the application’s behalf, creating a logical connection between your terminal and the applid.
The result of the bind is that everything you type on your terminal is sent directly to the applid. Likely the first thing you’ll type will be your userid and password (see Figure 1).
Now imagine two computers in your data center, one for test and another for production. A VTAM-controlled terminal on the test computer wants to connect to an applid (let’s say a CICS region named CICSP1) on the production computer.
VTAM on the test computer receives the request for a bind from the terminal, recognizes that it’s for an applid on a different computer, and sends the request to VTAM on the production computer. (If you’re a parent, think of the two VTAMs as parents setting up a play date for their children. Neither wants to allow the connection to happen unless it knows the other parent and the other child.)
Such a logical connection across different computers is called a “cross-domain” session. It’s permitted only if VTAM on each computer knows about the other VTAM (defined to it as a cross-domain resource manager, or CDRM) and about the resource on the other side (defined as a cross-domain resource, or CDRSC, either explicitly or dynamically where the CDRM definitions allow it) (see Figure 2).
Now let’s complicate the picture by imagining that a terminal in your data center wants to talk to an applid (again, let’s imagine a CICS region, this time named CICSP2) on a computer in a different SNA network, one whose network ID is NET1, belonging to one of your company’s trading partners. This is a “cross-network” session, and the same rule applies one level up: each VTAM must know about the other network, the other VTAM, and the applid before the bind can happen. Perhaps you’re a financial institution whose network is connected to another financial institution’s network, or you’re a manufacturer whose network is linked to your suppliers’ networks (see Figure 3).
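To make the definitions behind Figures 1, 2 and 3 concrete, here is an added example of VTAMLST definition statements. It is not from the original article and does not describe any real installation: the major node names (CICSAPPL, CDRMNODE, CDRSCNOD), the CDRM names (VTAMTEST, VTAMPROD, NET1VTAM) and the subarea numbers are assumed, and only the parameters needed to illustrate the point are shown. The gateway definitions that SNA Network Interconnection needs between your network and NET1 are omitted.

```text
* APPL major node on the production computer. CICSP1 is defined to its
* own VTAM here; a CICS region can open an ACB for this applid only if a
* matching APPL statement is active. (Example definitions, not from the
* article; node, applid and CDRM names are assumed.)
CICSAPPL VBUILD TYPE=APPL
CICSP1   APPL   ACBNAME=CICSP1,AUTH=(ACQ,PASS),EAS=500,PARSESS=YES
*
* CDRM major node on the test computer. VTAMTEST is this host's own CDRM;
* VTAMPROD is the production VTAM it is willing to talk to (Figure 2).
* CDRDYN=YES on the host CDRM lets this VTAM define cross-domain
* resources dynamically; CDRSC=OPT on the external CDRM says resources in
* that domain need not be predefined. Use CDRDYN=NO and CDRSC=REQ when
* every remote applid must be listed explicitly in a CDRSC major node.
CDRMNODE VBUILD TYPE=CDRM
VTAMTEST CDRM   SUBAREA=1,ELEMENT=1,CDRDYN=YES,ISTATUS=ACTIVE
VTAMPROD CDRM   SUBAREA=2,ELEMENT=1,CDRSC=OPT,ISTATUS=ACTIVE
*
* CDRSC major node on the test computer. CICSP1 is owned by VTAMPROD in
* our own network (Figure 2). CICSP2 lives in the trading partner's
* network NET1 (Figure 3), so it is listed under a NETWORK statement
* that names that NETID; NET1VTAM is the assumed CDRM name over there.
CDRSCNOD VBUILD TYPE=CDRSC
CICSP1   CDRSC  CDRM=VTAMPROD
NET1     NETWORK NETID=NET1
CICSP2   CDRSC  CDRM=NET1VTAM
```

To see what is actually active on one of your systems rather than what is in the VTAMLST library, use the VTAM operator commands: D NET,APPLS lists the applids, D NET,CDRMS lists the cross-domain resource managers this VTAM knows, D NET,CDRSCS lists the cross-domain resources (including any defined dynamically), and D NET,ID=CICSP1,SCOPE=ALL shows one resource with its owning CDRM and current sessions. Whether the remote applids your users can reach are an explicit list you maintain (CDRSC=REQ) or whatever the other side offers (CDRSC=OPT with CDRDYN=YES) is the first thing to establish when you investigate the exposure this article goes on to describe.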