Networking on z/OS


Network security

Security is never far from the mind of any administrator of a network. Although security is covered extensively in a z/OS context in the section on network security, it is useful to clarify some security terminology here.

Firewalls and gateways

Firewalls are so common that a definition is hardly needed; however, in a large organization the term should be formally defined.

A firewall is an implementation (or extension) of an organization's security policies. Any large organization has (or should have) a formal document explaining the classification of company data, as well as the classification of company networks.

A firewall controls and limits access between networks of different security classifications, and sometimes even within a network that is already protected by a firewall. Firewalls can filter based upon port numbers and IP addresses (or networks).
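To make the port- and address-based filtering described above concrete, here is an added example (not code from this page or from z/OS) of a first-match packet filter with a default-deny policy. The network ranges (10.0.0.0/8 as the internal network, 192.0.2.0/24 as a DMZ) and the sample packets are constructed for illustration; a malformed address fails closed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dst_port: Optional[int]  # None means any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int

# Constructed policy: internal hosts may initiate anywhere; anyone may reach
# the DMZ on port 443; everything else falls through to the default deny.
RULES: List[Rule] = [
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 443),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's addresses and port fall inside the rule."""
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return src_ok and dst_ok and port_ok

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match (or an unparsable address) is denied."""
    try:
        for rule in rules:
            if matches(rule, pkt):
                return rule.action
    except ValueError:       # malformed IP address: fail closed
        return "deny"
    return "deny"            # default deny

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "192.0.2.10", 443),   # external -> DMZ https
              Packet("198.51.100.7", "10.1.2.3", 22),      # external -> internal ssh
              Packet("10.1.2.3", "198.51.100.7", 80)):     # internal -> external http
        print(p, "->", decide(RULES, p))
```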

Firewalls also often function as endpoints for secure communications across a non-secure network. Data travelling from the secure network outward will be secured as it crosses the non-secure network (a requirement of the organization's security policy, no doubt). Data travelling into this firewall would likewise be secured.

Generally, a firewall acting in this fashion is running an IPsec protocol (RFC 2401 through RFC 2409) in the form of a virtual private network (VPN). We discuss this topic in more detail in the section on network security.

A firewall that acts as a VPN endpoint and allows data to continue on through the secure network to destination hosts is often called a security gateway. The term gateway is traditionally used to describe a host that connects networks using different protocols.

Security protocols

The IPsec protocol is implemented at the network layer. An alternative form of security for data on the network is the Secure Sockets Layer (SSL), which is implemented at the transport layer. The successor standard to SSL is called Transport Layer Security (TLS); it is also discussed further in the section on network security.

Intrusion detection

A host such as z/OS includes intrusion detection services (IDS) that allow the host to detect and react to malicious activities coming from the network. Some IDS functions are built into TCP/IP on z/OS itself, while other aspects of IDS are configurable. IDS can be an integral part of host availability.

Copyright IBM Corporation 1990, 2010