Networking on z/OS

TCP/IP security

The security features relating to TCP/IP on z/OS are extensive. When combined with all the security capabilities of the System Authorization Facility (SAF) interface, the amount of control that can be exercised is phenomenal.

Reminder: The SAF interface is a standardized function call available to all applications running on z/OS. The interface call is used to provide quick and controlled authorization, authentication, and logging services. The SAF call is forwarded to an external security manager such as the Resource Access Control Facility (RACF).

Note that the term "external" refers to the fact that the security management is an independent entity outside of the currently executing application's environment. The external security manager manages a secure database that is used to verify the security information as it relates to the user ID that is active when the SAF request is made.

It would not be hard to configure a system that was a paragon of security. However, such a system could also become unmanageable. There is a cost in terms of usability and manageability with every security feature activated. So, the fact that a security feature exists is great, but it certainly does not mean it needs to be put into effect. Remember, "it all depends."

Keep in mind that the security options discussed here do not represent a complete list. Some features that are seemingly unrelated to security may inadvertently enhance it. For example, z/OS clustering represents an availability improvement.

Availability improvements are very much a form of improved security. If a successful attack is made against an individual host in a cluster of computers, the presumption is that one of the other hosts in the cluster can make up for the missing host.

Some security features have somewhat overlapping effects. IP filtering and network access can both be used to prevent certain packets from reaching their destination. SSL and IPSec both result in improved confidentiality and integrity of data.





Copyright IBM Corporation 1990, 2010