with Tags: system_z X
Here it is, my z/Journal article on the web.
At 17:00 UK time yesterday I jouned over 1500 people across the globe to hear the long-awaited announcement of the next generation System z server, formerly known as z11 or zNext and now revealed as zEnterprise. Its full name is the IBM zEnterprise System, and it was launched with the strapline "A New Dimension in Computing" and a degree of excitement that felt more like the recent iPad launch than a mainframe press conference. The session is still online here if you missed it but here are the highlights...
Tom Rosamilia, General Manager System z introduced Karl Freund, VP z marketing who revealed the zEnterprises key features:-
The stats are impressive, 50 BIPS, 3TB of memory, internal bandwidth of 288GB/sec (that's Gigabytes per second folks!) giving an ideal server for heterogeneous workloads, therefore perfect for data center consolidation or a private cloud.
That's the news, and you can read more all over the web, here, here and here for example, and here you can find the IBM announcement page here, for more information. But today I'm just going to look at a couple of things. Firstly the Security implications (as this is the zSecurity blog). And then I'll ask: "does this change everything"?
zEnterprise "Reduces risk by extending the reach of System z qualities of service". With a new Blade Center controlled by the System-Director-derived Unified Resource Manager and managed by the zEnterprise hardware console, your distributed systems should get a level of Resilience, Availability and Security approaching that enjoyed by System z for decades. The Unified Resource Manager will discover new components in the zBX and perform auto disaster recovery. And z/VM guests and blades will monitor themselves and log errors or call out an SSR.
Because your zBX is linked to the z196 by a short, enclosed, dedicated 10Gb/s network, there are no network cables to tap or sniff. And with capacity for 112 blades (which can be virtualised to many thousands of servers of course, plus you can have tens of thousands of Linux on z inside your z196, remember) you won't need servers all around your facility which need to be clustered, mirrored and locked down. Everything's in two boxes in your secure room being managed by the URM.
Data integrity is improved, with RAIM memory, yes RAID-style RAM with auto-correction of errors, and you can have CryptoExpress3 with up to 8 PCIe cards (like the z10EC) and some new SSL acceleration features, but of course URM makes all of this available to your AIX or Linux on System z blades too. So If your organisation runs highly available, highly secure applications on mixed architecture at the moment, then nothing else comes close to delivering zEnterprises levels of service.
Does this change everything?
It should. The old Mainframe versus Distributed war of words looks a lot like Microsoft versus Apple from a distance. Both camps have supporters with strong, entrenched, almost religious devotion to the platform and resistance to the alternative viewpoint. Some highly-paid analysts' ignorance of the recent development of System z borders on negligence, as I have blogged before. But this time feels different. Partly because this is no ordinary product upgrade. zEnterprise was developed over 3 years, costing USD5bn, and performed in concert with several large clients in Insurance, Retail, Finance and Healthcare, and Citigroup are an early adopter
And mostly because the obligation to choose between System z and Distributed architecture - between z* and Unix-like operating systems, between a monolithic mainframe and a collection of distinct, disparate systems each designed for a specific purpose and fulfilling a business need - has been eliminated at a stroke. Get zEnterprise and you get the lot, whatever you need. Traditional objections fall away, including the cost of porting apps to z from native *nix systems and the cost of z skills.
Joe Clabby was the 3rd speaker yesterday, an analyst and mainframe supporter (zPhile?) from Clabby Analytics and he suggested that the zEnterprise can jump you in front of your competitors by "at least five years". That's quite a statement, but clearly zEnterprise is not your father's mainframe. I've been suggesting for a while that we should perhaps stop using the term mainframe, and I tweeted a question a few weeks back asking for alternative terms for the latest System z machines. "Super Server" was suggested. But I think in time the generic term will become "Enterprise Server".
The announcement of the next generation mainframe, the "system of systems" is tomorrow. In IBM's recent 2nd Quarter results press release, under prepared remarks there were some more clues.
"This week IBM will announce the next generation of System z, the fastest and most scalable enterprise server in the industry. This server provides 40 percent more performance on a mix of workloads than the equivalent z10. Some workloads can achieve greater performance improvements such as Linux which has 60 percent better performance and 35 percent lower cost. This announcement is the foundation for IBM’s first System of Systems, which provides the capability to manage 10 times the virtual machines of VMWare by extending mainframe governance to our other industry leading technologies." - Mark Loughridge, Chief Financial Officer.
This is the first evidence yet that IBM are specifically going up against VMWare with zNext, positioning it as virtualisation technology but with the resilience of mainframe hardware. If it's half as good as the hype, the Wintel/VMWare model is in trouble.
alan.harrison 270002QUNN Tags:  threats vulnerabilities wiki system_z racf 1 Comment 2,719 Visits
Should we share mainframe vulnerabilities? I've been involved in an interesting discussion on LinkedIn recently and I've come to the conclusion that we should. But first let's discuss where we are and how I came to this decision. Security features built into the mainframe are second to none, leading many to claim that it is "unhackable" or at least has "never been hacked". This may be true if we take the term hack to mean externally-originating attacks which exploit code integrity issues in the operating system or infrastructure software. This is traditional hacking, seen very commonly on Windows and requiring strong perimeter defences, regular code patches and malware protection software unknown in the mainframe environment.
However this virtual immunity of the mainframe to external attacks on the code base might have led us into a false sense of security. There is more to security than malware attacks. Increasingly I find on my travels, when auditing mainframes with zSecure, that organisations don't know how to securely configure mainframe security and infrastructure software.
A typical System z security audit reveals a large number of vulnerabilities caused by poor configuration, management or maintenance practices. Excessive privileges, unprotected sensitive libraries or unmanaged "New Workloads" are par for the course. What's most surprising is that these errors could and should have been avoided, as mostly they are against common wisdom; in most cases best practice guidelines, or straightforward configuration instructions in the software have been ignored.
Often these issues could be exploited only by "staff" but we must remember that term is increasingly likely to include contractors, temps and workers for outsourced service providers. Factor in the high likelihood of being able to escalate your own privileges through Social Engineering in most organisations and it's clear that any complacency towards attacks on the mainframe is misplaced.
So what to do? If we limit ourselves to configuration errors - and by that I mean technical weaknesses such as RACF SETROPTS NOPROTECTALL, APF libraries with UACC(UPDATE) or privileged users who execute TSOPROCs from libraries with weak protection - and then we have a straightforward option open to us. Publically document correct configuration for optimum security, of operating system and common infrastructure software. One could reasonably object to this action on the grounds that putting such information in the public domain would be dangerous; that it would assist hackers at least as much as security professionals. However, this would be to assume that the hackers don't already know this stuff or that it is currently hard to find out. In fact as I noted before, I'm talking about common wisdom here, stuff that has already been revealed in IBM's and ISV's documentation, discussed on IBM-MAIN and RACF-L or published in white papers, best practice websites and IBM redbooks. A person with enough skill to mount an attack on one of these vulnerabilities would already know enough or be able to do the research now. Nobody need fear a public collection of vulnerabilities except those who trust deeply in Security through Obscurity, trust which is generally misplaced.
The benefits of enabling System z Security professionals to document, share and discuss common vulnerabilities can only lead to more secure software, while enabling Administrators and Auditors to self-audit and fix their own systems against an authoritative list of common configuration weaknesses can only lead to more secure systems. In turn this will help protect the reputation of System z, cement its position as the most securable platform, and bring us up to speed with other platforms with which System z is increasingly competitive.
And talking of other platforms, shouldn't we take a look at them? What happens in the Windows world, by far the most fertile ground for hackers any time in the last 20 years. Well Microsoft has a huge Security TechCenter which includes a link to "Threats and Countermeasures Guide" for Server 2008 and Vista - a 280-page doorstop that is both a Security Admin's Bible and a Hacker's 101. A new document is published for each new version of Windows, plus software tools to automatically analyse and fix insecure settings. Discussion is welcomed and continues on many forums including some hosted by Microsoft, and new vulnerabilities are published and discussed in places such as the SANS Internet Storm Center.
So we're not breaking new ground here. I feel that a culture of open discussion of mainframe vulnerabilities and countermeasures will be beneficial and is absolutely necessary as the platform becomes more interconnected, the perimeter of System z becomes more blurred and the threats once confined to remote distributed systems creep ever closer.
I propose a Wiki, which unsurprisingly forms the basis of Wikipedia, which could be edited by multiple persons. My favoured location is here on developerWorks, which is an IBM-hosted collaboration platform running on Lotus Connections. It is a rich-content fully-featured platform that gives us all we need to make this a success. To that end I have set up a "zSecurity" wiki here, as a placeholder for now. I welcome your comments.
While I prepare a longer post on documenting vulnerabilities on System z, here are some links I find useful in my day job.
I'm also working on PCIDSS compliance, for which I've read cover to cover this piece from @sec which has been causing a bit of a stir on LinkedIn
Keep watching for a post on this also, and lots more besides.
From Practically Secure, July 1st.
The hype is building for zNext, the next generation of IBM System z servers. z10 brought unprecedented power, resilience and versatility to the large server market. But the next generation - first dubbed z11 and more recently zNext - is rumoured to be a step change in architecture that some are suggesting will change the datacenter game completely.
We know some stuff already, that the processers will be down from 65nm to 45nm junctions and run around 5GHz giving up to 43000 MIPS [PDF] which represents about a 25% improvement on the z10. So far so impressive, but not earth-shattering.
But more recent rumours from Poughkeepsie have suggested something bigger is happening. The word "Hybrid" has been used in connection with POWER systems, suggesting that the new architecture will cross traditional platform boundaries. And one source told me that Teradata will be in the frame. A System z that also runs native AIX and Teradata right out of the box? Wouldn't that be groundbreaking?
IBM have now announced the reveal will be in a July 22 webcast to partners. If you can't make it, come back soon, I'll be blogging about it here shortly after. Follow me on Twitter, LinkedIn or by RSS feed to get the news first. Might this be the game-changer, the killer blow to IBM's high-end server opposition, and then some?
alan.harrison 270002QUNN Tags:  z11 blog zfuture znext racf zsecure zenterprise system_z 1 Comment 1,642 Visits
Greetings and welcome to zSecurity, my blog about all things System z with a focus on Enterprise Security. Here you will find out what I'm up to in the field including things like the zSecure beta program, Tivoli Security software for z/OS and for Linux on z, and of course all things RACF. You may know me from my Blogger output, notably my Practically Secure blog on the wider security landscape. Or you may have come here from LinkedIn, where I participate in Security and System z groups.
I'll be contributing my System z and IBM-related work to this blog on developerWorks, while continuing to write about InfoSec matters on Practically Secure. You can subscribe to either blog by RSS or you can follow me, @alanjharrison on Twitter to receive a tweet when my blogs are updated, and also to keep in touch. I try to follow the System z and InfoSec worlds and regularly tweet about what I'm reading and my own thoughts on the matter.
Thanks for coming and I hope you stay!
Alan Harrison, CISSP, System z Technical Specialist, System z Software "Top Gun".
Pirean Ltd, IBM Premier Business Partners.