One reason IBM mainframes are considered more secure than other platforms is the reliable architecture of their network security. Unfortunately, that security can be easily compromised if the available tools aren’t implemented effectively, which is often the result of a lack of understanding of how the security works and of what tools are available.
While many people understand IBM’s Systems Network Architecture (SNA) and many more understand TCP/IP, few understand both. Many mainframe network security exposures originate in the gray area between the two. If you haven’t conducted a systematic network security review, you’re likely to be unnecessarily exposed to security risks in your mainframe network. These risks can be controlled with available tools, but only if you first identify them.
Whether you know SNA, TCP/IP, neither, or both, this article will help you conduct your own systematic risk assessment of your entire mainframe network. We’ll show you a structured approach for systematically investigating your mainframe network, its associated security risks, and the tools (both available and implemented) you can use to manage those risks. To flesh out the details of this approach, you will likely need help from your VTAM systems programmer, your mainframe TCP/IP administrator, and your security software administrator.
The security risks to be addressed with either type of network are:
• Unauthorized reading of sensitive data (including possibly userids and passwords)
• Unauthorized connecting to a computer
• Falsely assuming the identity of a computer, program, or user when connecting to another computer.
On IBM mainframes, the VTAM software controls all telecommunications. When VTAM was first created, all communications were completely based on SNA, whether it was a terminal talking to a program such as CICS or Time Sharing Option (TSO), or two programs on different computers exchanging information.
Several years ago, IBM added TCP/IP support to VTAM. This was a smart move since UNIX, Windows, Novell, the Internet, and several other platforms all use TCP/IP to talk to each other. As IBM expanded its use of TCP/IP on the mainframe, many people believed incorrectly that SNA was on its way to extinction.