Here we’ll discuss how to get the network information needed to do your job well. This includes first, knowing what your networks consist of and then, how your network staff is configuring and maintaining them. You will likely find several opportunities for improvement by integrating the work of your TCP/IP, SNA, and security software staff.
You need only enough network details to know your technicians have the information they need to manage the networks well. If you aren’t sure of that already, ask them for a one-page map of 1) physical networks, 2) logical networks, 3) SNA, and 4) TCP/IP. Be sure they include dial-up modems and intranet and Internet connections.
Ask how changes to these items are controlled: How do the technicians know their maps are always complete and current? If you aren’t satisfied with any part of their answers, have them dig deeper until they satisfy your concerns.
Once you know your staff has complete, organized information to manage the network, you can ask them to pursue these objectives:
- Cost minimization
- Security (protection against eavesdropping and spoofing)
- Simplification and ease of administration
- Recoverability (surviving the loss of any component, link, or the whole data center)
You can’t look for cost minimization without a good map of your network components and their costs. Periodically, have your network managers review the entire network and provide a breakdown of what each component costs. They can consider the standard cost-reduction measures we’ve discussed in previous columns, such as substitution, reallocation, rescheduling, elimination, etc. Ask network suppliers how they can help reduce costs.
For security, understand the risks before deciding how to manage them. Your application risk assessments describe what data is sensitive and why. Periodically, have your network and security managers work together to ensure sensitive data (including passwords) is encrypted along every relevant path in your network.
Note that on a Local Area Network (LAN) anyone who can capture traffic can read mainframe user IDs and passwords that travel in the clear (a TN3270 logon screen or an FTP USER/PASS exchange, for example) unless you use protection such as Kerberos or Secure Sockets Layer (SSL). Reviewing your encryption can lead to cost savings as well: weigh hardware against software encryption, use of the mainframe’s cryptographic co-processor, and broader use of SSL for the sessions that carry credentials.
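The check above is the sort of thing a network and security manager can script against a packet capture or flow export. The following is an added example, not code from the original column: it looks at the first bytes a client sends on the well-known mainframe logon ports and flags sessions whose credentials would be visible on the wire. The flow records are constructed for the example; the port numbers (21/23 cleartext, 990/992 with TLS) are conventional defaults and a site may use others.

```python
"""Flag mainframe logons that cross the LAN in the clear.

Added example, not from the original column. The flow records below are
constructed; a real audit would feed them from a packet capture or flow export.
"""
from dataclasses import dataclass

# Conventional ports: TN3270/Telnet and FTP control are cleartext unless the
# server is configured for TLS (TN3270 over TLS on 992, FTPS on 990 by convention).
CLEARTEXT_PORTS = {21: "FTP", 23: "TN3270"}
TLS_PORTS = {990: "FTPS", 992: "TN3270-TLS"}

TELNET_IAC = 0xFF      # Telnet command escape; every TN3270 negotiation starts with it
TLS_HANDSHAKE = 0x16   # TLS record type for a handshake (the ClientHello)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes     # first bytes sent by the client


def ftp_credentials(payload: bytes):
    """Return (user, password) if an FTP control stream carries them in the clear."""
    user = password = None
    for line in payload.decode("ascii", "replace").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS":
            password = arg.strip()
    return user, password


def classify(flow: Flow) -> dict:
    """Describe what a flow exposes: service name, whether it is cleartext, and a finding."""
    if flow.dport in CLEARTEXT_PORTS:
        service = CLEARTEXT_PORTS[flow.dport]
        if service == "FTP":
            user, pw = ftp_credentials(flow.payload)
            if user and pw:
                return {"service": service, "cleartext": True,
                        "finding": f"FTP logon for user {user}: password visible on the wire"}
            return {"service": service, "cleartext": True,
                    "finding": "FTP control connection in the clear (no logon seen yet)"}
        # TN3270: a leading IAC byte is Telnet option negotiation, so no TLS wraps it
        if flow.payload[:1] == bytes([TELNET_IAC]):
            return {"service": service, "cleartext": True,
                    "finding": "TN3270 negotiating without TLS; the logon screen is sniffable"}
        return {"service": service, "cleartext": True,
                "finding": "unexpected data on the TN3270 port"}
    if flow.dport in TLS_PORTS:
        service = TLS_PORTS[flow.dport]
        if flow.payload[:1] == bytes([TLS_HANDSHAKE]):
            return {"service": service, "cleartext": False, "finding": "TLS handshake seen"}
        return {"service": service, "cleartext": True,
                "finding": "TLS port but the first record is not a TLS handshake; check the server"}
    return {"service": "other", "cleartext": None, "finding": "not a mainframe logon service"}


# Constructed sample flows (made up for this example)
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.1.9.1", 21, b"USER PAYROLL1\r\nPASS s3cret\r\n"),
    Flow("10.1.1.21", "10.1.9.1", 23, b"\xff\xfd\x28\xff\xfb\x18"),   # IAC DO TN3270E, IAC WILL TERMINAL-TYPE
    Flow("10.1.1.22", "10.1.9.1", 992, b"\x16\x03\x01\x00\xc8\x01"),  # TLS record header, ClientHello
    Flow("10.1.1.23", "10.1.9.1", 990, b"\x16\x03\x03\x01\x10\x01"),
    Flow("10.1.1.24", "10.1.9.1", 443, b"\x16\x03\x03"),
]


def audit(flows):
    """Return (flow, result) pairs for flows that expose a mainframe logon in the clear."""
    findings = []
    for f in flows:
        result = classify(f)
        if result["cleartext"]:
            findings.append((f, result))
    return findings


if __name__ == "__main__":
    for f, r in audit(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} [{r['service']}] {r['finding']}")
```

Run against the sample flows it reports two cleartext logons: the FTP session, with the user ID it saw, and the TN3270 session that negotiated without TLS. Anything it reports is a path on which the encryption review above has not yet been carried through.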
Save more by using your security software (RACF, ACF2, or TopSecret) as your certificate authority; RACF, for example, can generate and sign certificates with RACDCERT and keep them in key rings that the security software protects. Moving all digital certificates under your security software improves security in any case, because one product then controls who can create, sign, export, and use every certificate.
Ask how TCP ports and IP addresses are being controlled on the mainframe. Your security software can help: TCP/IP can be told to make a SAF check, against a resource in the SERVAUTH class, before an address space is allowed to bind to a reserved port. In the same way that you restrict who can create new data set high-level qualifiers, you want to control which job, running under which user ID, can use a given TCP port.
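What that looks like in practice, as an added example rather than anything from the original column, is a port reservation in the TCP/IP profile paired with a SERVAUTH profile in RACF (ACF2 and TopSecret have their equivalents). The system name SYS1, the stack name TCPIP, the job name FTPD1 and the resource names are assumptions for illustration; the resource-name pattern EZB.PORTACCESS.sysname.tcpname.safname is the one the SAF keyword on the PORT statement checks.

```text
; PROFILE.TCPIP (assumed stack name TCPIP on assumed system SYS1)
; Weak: the port is reserved for a job name only, and a job name is not authenticated.
PORT
     21 TCP FTPD1

; Corrected: the same reservation, plus a SAF check before the bind succeeds.
; The user ID of the address space must have READ access to
; EZB.PORTACCESS.SYS1.TCPIP.FTPD in the SERVAUTH class.
PORT
     21 TCP FTPD1   SAF FTPD     ; FTP control port
     23 TCP TN3270  SAF TN3270   ; TN3270 server
    992 TCP TN3270  SAF TN3270   ; TN3270 over TLS

TCPCONFIG RESTRICTLOWPORTS       ; ports below 1024 only for authorized tasks

* RACF side (TSO commands, assumed names). FTPD1 is the user ID the FTP
* started task runs under, not the job name; STARTED-class assignment is not shown.
RDEFINE SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.FTPD   UACC(NONE)
PERMIT  EZB.PORTACCESS.SYS1.TCPIP.FTPD   CLASS(SERVAUTH) ID(FTPD1)  ACCESS(READ)
RDEFINE SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.TN3270 UACC(NONE)
PERMIT  EZB.PORTACCESS.SYS1.TCPIP.TN3270 CLASS(SERVAUTH) ID(TN3270) ACCESS(READ)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
SETROPTS RACLIST(SERVAUTH) REFRESH
```

Two checks worth asking for: `NETSTAT PORTLIST` (or `D TCPIP,tcpname,NETSTAT,PORTLIST`) shows which reserved ports actually carry a SAF name, and `SEARCH CLASS(SERVAUTH) FILTER(EZB.PORTACCESS.**)` lists the profiles that back them. A port that is reserved without a SAF name, or a SERVAUTH profile with UACC other than NONE, is the same kind of gap as an unprotected high-level qualifier.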
Preventing spoofing of IP addresses or VTAM Control Points will be necessary if your security relies on this information. An IP source address or a partner CP name is a label, not a credential, unless something verifies it: on the SNA side, VTAM’s session-level verification of partner LUs, rather than trust in the name alone. This is especially valid for SNA Network Interconnect (SNI) or APPN networks, where the partner is another organization’s network.
For simplification and ease of administration, your managers should review the network maps to identify each boundary; i.e., each instance of conversion (say, from one character code, protocol, platform, encryption, or supplier to another). Evaluate ways to eliminate or simplify any conversions. One example: You may have several different platforms linked together, each decrypting payment information and re-encrypting it for the next hop, so that the data is in the clear on every intermediate platform. Replacing this with a single, end-to-end encryption can simplify administration, reduce costs, and improve security.
For recoverability, ask your managers to evaluate their ability to recover from total data center destruction or any single failing component or link. Which components and links are critical? Is there any single point of failure? Have they evaluated all the things that could go wrong and ensured they could recover in a timely fashion, coordinated with other elements of the disaster recovery plan?
Once your network managers maintain network information and manage it well for these purposes, you’ll know you have a network that is as well-managed as it can be. You’ll also be able to demonstrate this to anyone who asks.