Networking on z/OS


SNA security


SNA can be roughly divided into two types of implementation: subarea and APPN. The security considerations are slightly different between them.

Subarea security

The networks that contain genuine SNA traffic are generally not public, or at least are considered to be secure networks, again reducing the security requirements of SNA traffic.

In the event that security measures are considered appropriate for SNA traffic, the following features can be used:
LU authentication
When an encrypted session is used, LU authentication can be performed to certify that the key used by each endpoint is the same. If authentication is not requested, a mismatch between the session keys prevents any data from being decrypted at either end.
Note: SNA uses symmetric encryption for LU-LU sessions. This means that the key at each endpoint is the same. The keys must be shared prior to establishing the LU-LU session.
Message authentication
An additional code can be sent with all SNA data messages. This code can be used to verify that the message has not been altered in transit.
Data encryption
Data between LUs can be encrypted to ensure confidentiality between sessions.

APPN security

It is reasonable to state that the majority of APPN traffic is now encapsulated in UDP/IP when it is on the network (that is, using Enterprise Extender). In other words, SNA has evolved away from being a network architecture and into a set of protocols that define the architecture for interapplication communications. From an IP standpoint, APPN is an application architecture, not a networking architecture.

When APPN traffic is carried over UDP/IP, standard IP-based security methods can be used, such as VPN tunnels.

For APPN traffic that is not traveling over an IP network, or if IP-based security measures are not considered appropriate or adequate, APPN has the following features available:
Authentication
The identity of a session partner can be confirmed by VTAM session level services or at the application program level (user identification).
Encryption
An APPN session can be defined to require that data be encrypted between LUs.
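The following script is an added illustration of the three session protections listed above for subarea sessions (LU authentication against a pre-shared symmetric key, a message authentication code on each data message, and data encryption between LUs), which are the same mechanisms the APPN list names as session-partner authentication and encryption. It is constructed teaching code, not VTAM or z/OS Communications Server code, and it uses only the Python standard library: HMAC-SHA256 stands in for both the authentication code and the cipher keystream, and the keys and messages are made-up values. It shows the behaviour the text describes: with authentication, a key mismatch is detected before any data flows; without it, the mismatch only surfaces as undecryptable data; and an altered message fails its authentication code.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length, appended to every data message


def subkey(session_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key from the pre-shared session key so the
    authentication, MAC and encryption steps do not reuse one key directly."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def auth_challenge() -> bytes:
    """Random nonce one LU sends to its session partner at session start."""
    return os.urandom(16)


def auth_response(session_key: bytes, challenge: bytes) -> bytes:
    """The partner's proof that it holds the same session key."""
    return hmac.new(subkey(session_key, b"lu-auth"), challenge, hashlib.sha256).digest()


def lu_authenticate(session_key: bytes, challenge: bytes, response: bytes) -> bool:
    """LU authentication: True only if the response was computed with the same key."""
    return hmac.compare_digest(auth_response(session_key, challenge), response)


def keystream(session_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (a teaching stand-in for a real
    cipher). The message sequence number keeps each message's keystream distinct."""
    k = subkey(session_key, b"data-enc")
    out, block = b"", 0
    while len(out) < length:
        ctr = seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(k, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(session_key: bytes, seq: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts, so a wrong key yields garbage."""
    return bytes(p ^ s for p, s in zip(data, keystream(session_key, seq, len(data))))


decrypt = encrypt  # XOR is its own inverse


def mac(session_key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Message authentication code over sequence number and ciphertext."""
    body = seq.to_bytes(4, "big") + ciphertext
    return hmac.new(subkey(session_key, b"data-mac"), body, hashlib.sha256).digest()


def protect(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt, then append the authentication code (encrypt-then-MAC)."""
    ct = encrypt(session_key, seq, plaintext)
    return ct + mac(session_key, seq, ct)


def unprotect(session_key: bytes, seq: int, message: bytes):
    """Return the plaintext, or None if the message was altered in transit or
    was produced with a different session key."""
    if len(message) < TAG_LEN:
        return None
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(mac(session_key, seq, ct), tag):
        return None
    return decrypt(session_key, seq, ct)


def session_exchange(key_a: bytes, key_b: bytes, plaintext: bytes) -> dict:
    """Model an LU-LU session: LU A authenticates LU B, then sends one protected
    message. Each side uses only its own (supposedly pre-shared) key."""
    challenge = auth_challenge()
    auth_ok = lu_authenticate(key_a, challenge, auth_response(key_b, challenge))
    if not auth_ok:
        return {"auth_ok": False, "recovered": None}  # session never established
    return {"auth_ok": True, "recovered": unprotect(key_b, 1, protect(key_a, 1, plaintext))}


# Constructed keys: a correctly shared key, and one endpoint holding the wrong key.
SHARED_KEY = b"\x01" * 32
WRONG_KEY = b"\x02" * 32

if __name__ == "__main__":
    print(session_exchange(SHARED_KEY, SHARED_KEY, b"RU: hello partner"))
    print(session_exchange(SHARED_KEY, WRONG_KEY, b"RU: hello partner"))
    # Without LU authentication the mismatch shows up only as unreadable data:
    print(decrypt(WRONG_KEY, 1, encrypt(SHARED_KEY, 1, b"RU: hello partner")))
```

Run as a script to see the three cases: a matching key recovers the message, a mismatched key is rejected at authentication, and decrypting with the wrong key without authentication produces bytes that bear no relation to the original.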




Copyright IBM Corporation 1990, 2010