Save time, reduce risk and secure your network
Vertali’s unique zTrust for Networks dramatically reduces the time, effort and costs involved in detecting, monitoring and optionally enforcing network access and provides a valuable tool for adhering to compliance standards and regulations.
While mainframe sites may have a reasonable view on who is using applications at the userid level, many don’t have an accurate picture of the network activity on their systems. Rarely is up-to-date and accurate information available on which network devices or segments are connecting to specific applications and whether they are correctly encrypted. Most security mechanisms focus on incoming TCP/IP connections, but few look at controlling outbound connections. Often any user can initiate an outbound connection to a remote, possibly insecure system, and hackers use outbound connections as a backdoor to mainframe services.
Differentiating between clear and encrypted network connections is the key. zTrust software identifies:
- Applications that are permanently or temporarily accepting inbound non-encrypted and/or inbound encrypted connections
- Applications that are making outbound non-encrypted and/or outbound encrypted connections
- Network segments that are accessing specific applications without encryption and/or with encryption
Micro-segmentation is a key mechanism to control network access and can often be a requirement for regulatory compliance such as PCI/DSS. Isolating card payment processing applications to specific network segments can significantly reduce the scope, time and of course the cost of compliance reviews.
zTrust is unique in using the Enterprise Security Manager (ESM), such as RACF, ACF2 or TSS, to manage network segmentation, moving the responsibility for compliance and standards to the security team – where it should be.
The software uses ESM resource definitions for applications and standard access control commands (such as PERMIT) to isolate access to an application to specific network segments, focusing your security policies and other compliance activity on only the segments required.
zTrust for Networks removes the complexity of manually creating and maintaining Policy Agent access control lists by generating them automatically from the access controls defined in the ESM. Micro-segmentation can then be managed using standard RACF|ACF2|TSS commands or fully from the Vertali browser-based user interface.
Micro-segmentation can be quickly achieved with zTrust in five stages:
- Stage 1 — Network Discovery: a unique tool to build your Network Knowledge Base
- Stage 2 — ESM Resource Generation: automatically generate ESM resource definitions and access lists
- Stage 3 — Build Security Profiles: build policy agent profiles from the ESM resources
- Stage 4 — Monitor & Manage Complexity: monitor network activity and alert on policy violations
- Stage 5 — Report for Compliance Audits: provide proof positive, including periodic reports
For more details on how zTrust for Networks can help your business, please contact us.
zTrust provides an additional layer of security in front of applications. It co-exists with the controls managed by the z/OS ESM, such as user access, multifactor authentication (MFA) and encryption, and does not replace them.
- Discover and fully understand network resources, connections, and traffic patterns
- Enforce encryption using ESM rules – block unencrypted traffic
- Create and maintain IBM Policy Agent access control rules
- Manage and monitor your implementation and ensure high performance
- Enable periodic reporting for compliance audits
Micro-segmentation is the ability to limit application access to a specific network segment or specific network device, providing you with an additional layer of security above and beyond user authentication.
- An innovative way to manage segmentation using ESM (RACF|ACF2|TSS)
- Unique Network Discovery: build a complete map of network activity
- Isolate specific aspects of your environment at network not userid level
- Better understand your network and traffic patterns
- Block unwanted or unnecessary network traffic
- Periodic reporting for compliance
- Dramatically reduce the time and costs of compliance assessments
Using zTrust for Networks, you control access by permitting network segments to access specific applications using standard SAF controls and commands, all managed by the software, rather than either blocking or enabling access to the mainframe in its entirety.
zTrust augments standard IBM components, applying additional management, implementation and monitoring controls to separate systems with different security needs, so reducing the number of systems in scope. While it may be possible to do this manually, the time and costs can make it prohibitive for large and complex organizations.
Stage 1 – Network Discovery
Various applications require compliance with specific regulations or industry standards. zTrust’s unique Network Discovery feature detects all network traffic on the LPAR and builds a Network Knowledge Base of all connections, so the software learns the current picture of who is connecting to what.
Stage 2 – ESM Resource Generation
zTrust uses the Network Knowledge Base to build a complete set of ESM resources and access lists based on current network traffic. Prior to execution, the access lists can be reviewed to ensure that only permitted network segments and devices are accessing key applications. Access controls can be extended to allow access from specific network segments only if the connections are encrypted.
Stage 3 – Build Security Profiles
zTrust analyses the ESM security profiles in RACF|ACF2|TSS and builds the IBM Policy Agent profiles required to block or permit specific network traffic based on the ESM access controls. Although Policy Agent filters are typically defined at the IP address and port level, the resources zTrust manages in the ESM are identified by name, further simplifying the network segmentation process. You continue to work with the gold standard in mainframe security, with an added layer of application security.
Stage 4 – Monitor & Manage Complexity
Monitoring proves your segmentation is working, but businesses and networks change: new applications are added and new traffic patterns emerge. zTrust lets you manage this complex requirement via standard commands or the Vertali browser interface, which makes status easy to view and simplifies operational processes. zTrust can regenerate Policy Agent filters as new network resources are detected or additional access controls are required.
Stage 5 – Report for Compliance Audits
Network micro-segmentation is a more efficient and cost-effective way to control regular audit commitments for mandatory compliance, and to address recommendations that may soon become mandatory. Audit logs are maintained, documenting all activity, and reporting is easy. Periodic reports for compliance can be generated confirming not only the network segmentation policies implemented, but also exception reports highlighting where additional segmentation policies may be required.
Segmentation can apply to both inbound and outbound connections on z/OS. You receive a full and accurate analysis of network activity on the mainframe without relying on high-volume SMF processing. You can detect new or unexpected network activity to/from the mainframe and confirm whether firewall settings are correct and working.
Inbound IP Activity Alerts
- Permanently open TCP ports (open for incoming connections)
- Permanently open UDP ports (open for incoming datagrams)
- Temporarily open TCP ports to which a connection has been made
- Open unreserved ports to which connections have succeeded
- When an IP address first attempts mainframe access
- When an IP address first establishes a clear connection to a mainframe application
- When an IP address first establishes an encrypted connection to a mainframe application
- When an IP address first establishes a connection to a VTAM application via TN3270
- When an IP address first sends a UDP packet to the mainframe
- When an IP address first sends a UDP packet to a mainframe application
- All inbound connection failures/rejects
Outbound IP Activity Alerts
- First time the mainframe attempts to connect to a remote IP address not accessed before
- First time the mainframe successfully connects to a remote IP address in clear
- First time the mainframe successfully connects to a remote IP address with encryption
- First time the mainframe successfully connects to a remote IP/Port combination not accessed before
- All outbound connection failures
- First time the mainframe sends a UDP packet to a remote IP
- First time the mainframe sends a UDP packet to a remote IP/Port combination
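The first-seen alerting that these two lists describe, as an added Python sketch (not Vertali's code; the ConnEvent record layout and the sample traffic are constructed for illustration):

```python
from collections import namedtuple

# direction: "in" (remote -> mainframe) or "out"; proto: "tcp" or "udp"; port: local port
# for inbound, remote port for outbound; app: mainframe-side application label (assumed).
ConnEvent = namedtuple("ConnEvent", "direction proto remote_ip port app encrypted ok",
                       defaults=(True,))  # ok=False: connection failed or was rejected

class FirstSeenAlerter:
    """Alert on every failure and the first time a key (IP, IP+app+clear/encrypted,
    IP+port) is seen, mirroring the inbound/outbound alert categories above."""
    def __init__(self):
        self.seen = set()
    def _first(self, *key):
        new = key not in self.seen
        self.seen.add(key)
        return new

    def process(self, e):
        alerts = []
        if self._first(e.direction, "ip", e.remote_ip):  # attempts count, even failed ones
            alerts.append(f"first {e.direction}bound contact with {e.remote_ip}")
        if not e.ok:
            alerts.append(f"{e.direction}bound {e.proto} failure {e.remote_ip}:{e.port}")
            return alerts
        crypt = "encrypted" if e.encrypted else "clear"
        if e.direction == "in":
            if e.proto == "udp":
                if self._first("in", "udp", e.remote_ip, e.app):
                    alerts.append(f"first UDP from {e.remote_ip} to {e.app}")
            elif self._first("in", "app", e.remote_ip, e.app, crypt):
                alerts.append(f"first {crypt} connection from {e.remote_ip} to {e.app}")
        else:
            if self._first("out", "port", e.proto, e.remote_ip, e.port):
                alerts.append(f"first outbound {e.proto} to {e.remote_ip}:{e.port}")
            if e.proto == "tcp" and self._first("out", "crypt", e.remote_ip, crypt):
                alerts.append(f"first {crypt} outbound connection to {e.remote_ip}")
        return alerts

def run_sample():
    """Constructed sample feed (not real traffic); returns the alerts in order."""
    feed = [
        ConnEvent("in", "tcp", "10.1.2.3", 23, "TN3270", False),
        ConnEvent("in", "tcp", "10.1.2.3", 23, "TN3270", False),  # repeat: no alert
        ConnEvent("in", "tcp", "10.1.2.3", 992, "TN3270", True),
        ConnEvent("in", "tcp", "10.9.9.9", 8080, "CICSWEB", False, ok=False),
        ConnEvent("out", "tcp", "192.0.2.10", 443, "BATCH01", True),
        ConnEvent("out", "udp", "192.0.2.10", 514, "SYSLOGD", False),
    ]
    alerter = FirstSeenAlerter()
    return [a for e in feed for a in alerter.process(e)]
```

The six sample records produce nine alerts; the repeated clear TN3270 connection is silent, while the later encrypted one to the same application is reported as a new category.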
Get in touch
Get in touch to find out more about these and our other fully supported bespoke mainframe software solutions. Vertali is an IBM PartnerWorld member.