Todd Havekost - 11 February 2020

With all the focus on securing customer data in today’s enterprises, one of the most challenging jobs is that of the network administrator who is responsible for ensuring that all data being transmitted (especially outside the data center) is encrypted as prescribed by corporate security standards.

With the tools previously available, I imagine that this could be an overwhelming responsibility – like trying to plug a never-ending series of plumbing leaks while working with almost no light.

However, beginning with z/OS 2.3, IBM provides data that makes possible an entirely new level of visibility into the encryption status of all network traffic in your environment. This is enabled through z/OS Encryption Readiness Technology (zERT), which makes this data available through SMF 119.12 records.

zERT leverages the fact that the TCP/IP stack serves as a central collection point and repository for cryptographic protection attributes. Think of it as giving parents the capability of being plugged in to all their child’s smartphone and social media feeds 24×7, and thus always being aware of any detrimental influences in their lives.

As you can imagine, the information provided by zERT is very helpful to network administrators responsible for managing the encryption levels and protocols in place for network data sent to various IP addresses inside and outside the enterprise.

Perhaps most importantly, zERT identifies what network traffic is not being protected (either at all, or with a recognized protocol). It also captures how the traffic is being protected, who the traffic belongs to, and if follow up is needed. Thus, zERT data can enable network administrators to both evaluate ongoing adherence to security policies and programmatically provide data for required reporting to auditors and compliance officers.

zERT Data Logistics

The initial zERT capability was delivered with z/OS 2.3 and generated “Detail” data – one SMF 119.11 record for every session. But this resulted in extremely high data volumes, so the new function APAR PI83362 delivered the capability to generate zERT “Summary” data – one SMF 119.12 record per SMF interval for each unique session type between client/server pairs. These Summary records are well-designed and more than sufficient for typical analysis. They are activated by the TCP/IP profile statements GLOBALCONFIG ZERT AGGREGATION and SMFCONFIG ZERTSUM.

When activated, the TCP/IP stack will create a zERT entry for each unique session type between client/server pairs during each SMF interval. It may know in detail about the session protocol through an interface with the cryptographic protocol provider (such as System SSL, OpenSSH or IPsec), or it may obtain information by observing the stream for TLS, SSH or SSL, in which case fewer details tend to be available.

Based on this information, the zERT software will classify the protection of a session as either:

  • None (which means no protection was recognized)
  • TLS
  • SSH
  • IPsec

zERT also identifies a few ‘special’ cases, such as Enterprise Extender sessions, as well as output [IPv4] sessions from an FTP server.

The zERT Summary data contains a wealth of information. Along with the protocol, zERT records other protection attributes including:

  • protocol version
  • cryptographic algorithm being used
  • key lengths

zERT also collects identifying attributes to track connections between each pair of Client and Server IP addresses, including:

  • port number
  • job
  • user ID

Here is an example of the data provided from a zERT Summary record for data encrypted with the TLS protocol (with data from a single record broken into 2 lines for readability).

Figure: TLS Specific Protocol Information from a zERT Summary record

The zERT Summary records also contain connection and throughput counters. These include:

  • the total number of connections
  • the number of partially protected connections (where encryption was not applied during the entire session)
  • the number of short (<10 second) connections

Short connections are especially interesting for TLS, where establishing the session is expensive in terms of CPU.

It is very important to note that zERT does not collect or record the values of keys, initialization vectors, or any other secret values that are exchanged or negotiated during the session.

Interpreting and Gaining Value from zERT Data

As with most SMF data sources, the zERT records are a rich source of great data, but a significant analysis effort is required to derive value from that data. IntelliMagic Vision helps facilitate this analysis through several important capabilities.

Intuitive GUI with Context-sensitive Drilldowns

Analysis of zERT data is facilitated through an intuitive GUI combined with context-sensitive drilldown functionality. This enables the analyst to focus quickly and easily on the subset of data that is of interest.

In the following example, the dialog box in the middle lists many options for further investigation of any of the server IP (previously selected via product navigation and reflected in the report heading) and client IP (listed across the X-axis at the bottom) pairs.

Figure: Connections for public traffic class

Network Traffic Categorized

Another capability provided by IntelliMagic Vision that greatly enhances the analysis of zERT data allows network traffic to be classified based on IP address ranges. Traffic can be categorized into these groupings:

  1. Sysplex – network traffic between mainframes
  2. Local – traffic to other platforms within the data center
  3. Partner – external traffic with special “partners”
  4. Public – all other external traffic

For each connection (consisting of a Server and Client IP), the most public value of the traffic class will be assigned to the pair. For example, a connection between “Sysplex” and “Public” IP addresses would be classified as “Public”. (Note that a free-form “IP Label” can also be assigned to further describe and differentiate between IP ranges throughout this reporting.)

These classifications can be very helpful because different classes of network traffic are likely to have differing security requirements.
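
The classification rule described above, combined with a check for unprotected traffic, as an added Python example (not IntelliMagic Vision's code and not part of the original article). The address ranges, the record field names, and the policy that Partner and Public traffic must be encrypted are all assumptions; the sample rows are constructed and stand in for already-decoded zERT Summary data.

```python
import ipaddress
from collections import Counter

# Traffic classes ordered from least to most public, as listed in the article.
CLASSES = ["Sysplex", "Local", "Partner", "Public"]

# Constructed address plan (assumption): replace with your site's real ranges.
RANGES = {
    "Sysplex": ["10.1.0.0/16"],
    "Local": ["10.0.0.0/8"],
    "Partner": ["198.51.100.0/24"],
}

def classify_ip(addr):
    """Return the first class (checked in CLASSES order) containing addr, else Public."""
    ip = ipaddress.ip_address(addr)
    for cls in CLASSES[:-1]:
        if any(ip in ipaddress.ip_network(net) for net in RANGES[cls]):
            return cls
    return "Public"

def classify_pair(server_ip, client_ip):
    """A connection takes the most public class of its two endpoints."""
    return max(classify_ip(server_ip), classify_ip(client_ip), key=CLASSES.index)

# Constructed sample rows; field names are hypothetical, not the SMF 119.12 layout.
SAMPLE = [
    {"server": "10.1.0.5", "client": "10.1.0.9", "protocol": "None", "connections": 400},
    {"server": "10.1.0.5", "client": "10.20.3.7", "protocol": "TLS", "connections": 120},
    {"server": "10.1.0.5", "client": "10.20.3.8", "protocol": "None", "connections": 35},
    {"server": "10.1.0.5", "client": "198.51.100.20", "protocol": "IPsec", "connections": 12},
    {"server": "10.1.0.5", "client": "203.0.113.44", "protocol": "None", "connections": 3},
    {"server": "10.1.0.6", "client": "203.0.113.80", "protocol": "SSH", "connections": 7},
]

def unprotected_by_class(rows):
    """Count connections with no recognized protection, per traffic class."""
    totals = Counter()
    for r in rows:
        if r["protocol"] == "None":
            totals[classify_pair(r["server"], r["client"])] += r["connections"]
    return dict(totals)

def findings(rows, must_encrypt=("Partner", "Public")):
    """List unprotected pairs in classes the assumed policy requires to be encrypted."""
    return [(r["server"], r["client"]) for r in rows
            if r["protocol"] == "None"
            and classify_pair(r["server"], r["client"]) in must_encrypt]
```

In the sample, the large unprotected Sysplex count is reported but not raised as a finding, while the three unprotected Public connections are.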

Understanding Captured Traffic Data

When you start to investigate the zERT data, you may quickly learn that most of the captured traffic occurs inside your organization, not even leaving your mainframes in many cases. This traffic within z/OS sysplexes occurs because today TCP/IP is more frequently used as the protocol of choice for applications to talk to each other (rather than more native z/OS protocols like XCF).

In some cases, this traffic may never even cross a network interface, as when it is handled by HiperSockets, which leverages processor memory to handle TCP/IP traffic between LPARs residing on the same processor. If the traffic never leaves the mainframe, encrypting it may not be your top priority.

You are likely to also find a high volume of traffic for applications that interact between the mainframe and other platforms within your data center, such as Linux & Windows servers. This traffic will never cross corporate firewalls, and hence may also be subject to lower security requirements than traffic to the public internet.

Traffic that does leave the corporate intranet can be considered one big pool, but your organization may have some special partners that handle important high-volume traffic, e.g., connections to credit card companies.

And finally, you are likely to have a large pool of public IP addresses to manage. Having easy visibility to differentiate between these different classes of network traffic can be very helpful as you administer the potentially varying security requirements.

The following chart shows throughput by traffic class (Intra-Sysplex, Local, Public), for each protocol type (as they appear in the legend on the right). In this example, most of the data is Local (between mainframe and other platforms within the data center). And most of that Local throughput is either not encrypted (blue bar) or encrypted with TLS v1.2 (yellow bar).

Figure: Throughput for all TCP zERT Summary Data by Traffic Class

SMF Record Fields Decoded

A third capability provided by IntelliMagic Vision that enhances analysis is that all 600+ binary and EBCDIC codes that appear in the SMF 119.12 records are translated into readable text. This is illustrated in the “TLS Specific Protocol Information” example that appeared earlier in this blog, where coded fields including cipher suite, encryption algorithms, and message authentication types have all been translated into readable text.

Ensuring Encryption Deployment in Your Environment

IBM’s introduction of z/OS Encryption Readiness Technology is a game-changing advance for network administrators responsible for ensuring the deployment of encryption in their environments.

But zERT alone won’t ensure your data is encrypted properly. Taking full advantage of zERT’s great potential requires both vigilance on the part of administrators and tooling like IntelliMagic Vision that facilitates effective analysis of zERT data.

I am aware of one such team that has scheduled regular time on their calendars to leverage zERT data and IntelliMagic Vision to investigate and drill down into unencrypted traffic in their environment, generating action items to resolve any gaps that are found.

If you are interested in learning more about zERT and how IntelliMagic Vision can enable you to unleash the great potential available from this data, please reference this whitepaper on “How to get the most out of IBM’s zERT for tracking mainframe network traffic.”

This article's author

Todd Havekost
Senior z/OS Performance Consultant