Networking on z/OS
Previous topic | Next topic | Contents | Glossary | Contact z/OS | PDF

Data protection in a mainframe network

Networking on z/OS

Data protection not only includes privacy, but also integrity. For example, a financial transaction should be kept confidential no matter where it exists on a network. But, just as importantly, there must be controls in place to ensure that the data has not been altered.

A side issue of data protection is non-repudiation: there must be a mechanism in place to ensure that a sender cannot deny having sent a packet. Conversely, non-repudiation requires a mechanism such that a receiver cannot deny having received a packet (a packet is a string of data characters). Again, it is paramount for a financial institution to be able to confirm that a transaction has genuinely been sent by who we believe sent it, and that it has been received by who we expect to receive it.

The networking protocols such as TCP have built-in services which guarantee that data sent from an application arrives at its destination in the same sequence as it was transmitted and is error-free. By error-free, we mean that the same bit sequence that was transmitted is delivered to the destination node. The lower two layers in the networking architecture have the responsibility for the bit sequence and the transport layer has the responsibility for the correct sequence.

To implement these network design goals, z/OS® and affiliated products provide these services:

  • z/OS system and resource security is provided by both the IBM® Security Server and the z/OS Communications Server components. IBM Security Server includes Resource Access Control Facility (RACF®) for authentication, authorization, and restriction.
  • The z/OS Communications Server components (VTAM® and TCP/IP) each include parameters to encrypt network traffic. For example, TCP/IP includes firewall filtering, Virtual Private Network (VPN), and Transport Layer Security (TLS) capabilities as part of the protocol stack itself.
  • Each of the major IBM subsystems used for deploying business applications, such as Customer Information Control System (CICS®), DB2® for z/OS, Information Management System (IMS™), WebSphere® Application Server, HTTP Server, Message Queuing Series (MQSeries®), and so forth, in conjunction with RACF and other mainframe components, have security mechanisms available that provide additional levels of security.

Each of the available tools for securing resources and data can be used independently or together to accomplish security objectives.

Copyright IBM Corporation 1990, 2010