How to track your mainframe network traffic with IBM’s zERT
As the mainframe assumes its role as the data hub in your network, it is important to make sure that the data it holds, its most valuable asset, is well protected. Enter IBM zERT.
With the z14, IBM invested significantly in making pervasive encryption a realistic goal. Pervasive encryption is IBM's term for the principle that all data should always be encrypted: at rest (on disk), in flight (on the network links), and in the cloud.
Implementing this fully is expensive and complex, and not all sites will want or need to go all the way. Nearly everybody will agree, however, that network traffic between the outside world and the mainframe must be encrypted so that it cannot be eavesdropped on.
z Encryption Readiness Technology (zERT)
As part of its pervasive encryption program, IBM provides z Encryption Readiness Technology (zERT). This feature of the z/OS Communications Server TCP/IP stack is designed to give you full visibility into all network traffic handled by that stack, whether or not it leaves the mainframe. zERT records the cryptographic protection (or the lack of it) negotiated for each and every connection managed by the TCP/IP address space.
SMF 119 Records
IBM provides two flavors of SMF records: the extremely voluminous SMF 119 subtype 11 (zERT connection detail), which writes a record for each connection, and the more practical subtype 12 (zERT summary), which writes one record per unique combination of client/server pair and security attributes per SMF interval.
Both the subtype 11 and 12 records are very detailed. They provide the settings negotiated for the key exchange and for the traffic itself for the four ways z/OS can protect data on the network: direct TLS/SSL use by the application, Application Transparent TLS (AT-TLS), virtual private networks using IPSec and IKE, and Secure Shell using z/OS OpenSSH. The level of detail depends on the kind of session; for a VPN, for example, the information describes the tunnel. In the zERT records (and in this article) all the flavors of TLS and SSL, including AT-TLS, are grouped under "TLS/SSL".
The zERT records let you find out which traffic is protected and, for protected traffic, which security protocol and version were negotiated. Unprotected traffic to the public internet is clearly undesirable, but so is a connection still negotiating a deprecated protocol version such as SSLv3, TLS 1.0 or TLS 1.1. So the details in these records matter.
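To show what the triage described above looks like in practice, here is an added example (not IBM's or IntelliMagic's code) that classifies zERT summary data by encryption posture: cleartext to external addresses first, then deprecated TLS versions, then cleartext that stays inside the private network. It works on a simplified, already-decoded view of subtype 12 records; the `ZertSummary` field names, the internal address ranges and the sample records are all constructed assumptions for illustration, not the real SMF record layout.

```python
"""Triage zERT summary data for unprotected and weakly protected traffic.

Added example (not IBM's or IntelliMagic's code). It operates on a
simplified, already-decoded view of zERT summary (SMF 119 subtype 12)
records: the ZertSummary field names are an assumption for illustration,
not the SMF record layout, and the sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the site's internal address space is RFC 1918 plus loopback.
# Anything outside it is treated as "external" (potentially the public internet).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# SSLv2/SSLv3 and TLS 1.0/1.1 are formally deprecated (RFC 6176, 7568, 8996).
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}

# Lower number = more urgent; used to order findings.
SEVERITY = {"UNPROTECTED_EXTERNAL": 0, "DEPRECATED_TLS": 1, "UNKNOWN": 2,
            "UNPROTECTED_INTERNAL": 3, "OK": 4}


@dataclass(frozen=True)
class ZertSummary:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    protocol: str      # "TLS" (incl. AT-TLS), "IPSec", "SSH", or "NONE"
    version: str       # negotiated protocol version, "" when unprotected
    connections: int   # connections for this client/server pair in the interval


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: ZertSummary) -> str:
    """Map one summary record to a posture category."""
    if rec.protocol == "NONE":
        return "UNPROTECTED_INTERNAL" if is_internal(rec.remote_ip) else "UNPROTECTED_EXTERNAL"
    if rec.protocol == "TLS":
        if rec.version in DEPRECATED_TLS:
            return "DEPRECATED_TLS"
        return "OK" if rec.version in ACCEPTABLE_TLS else "UNKNOWN"
    if rec.protocol in ("IPSec", "SSH"):
        # Tunnel and SSH details (IKE version, ciphers) exist in the real record
        # but are not modelled here; presence of the protocol counts as OK.
        return "OK"
    return "UNKNOWN"


def summarize(records):
    """Total connections per category, so volume (not record count) drives attention."""
    totals = {}
    for rec in records:
        cat = classify(rec)
        totals[cat] = totals.get(cat, 0) + rec.connections
    return totals


def findings(records):
    """Records that are not OK, most urgent first, then by connection volume."""
    bad = [(classify(r), r) for r in records if classify(r) != "OK"]
    return sorted(bad, key=lambda cr: (SEVERITY[cr[0]], -cr[1].connections))


# Constructed sample: one SMF interval of summaries for a single z/OS host.
SAMPLE = [
    ZertSummary("10.1.1.10", 443, "10.1.2.20", 51234, "TLS", "TLSv1.2", 120),
    ZertSummary("10.1.1.10", 443, "203.0.113.5", 40000, "TLS", "TLSv1.0", 7),
    ZertSummary("10.1.1.10", 21, "203.0.113.9", 50002, "NONE", "", 3),
    ZertSummary("10.1.1.10", 1414, "10.1.3.30", 60000, "NONE", "", 400),
    ZertSummary("10.1.1.10", 22, "10.1.4.40", 55000, "SSH", "SSH-2.0", 15),
    ZertSummary("10.1.1.10", 500, "10.1.5.50", 500, "IPSec", "IKEv2", 1),
]

if __name__ == "__main__":
    for cat, rec in findings(SAMPLE):
        print(f"{cat:22} {rec.local_ip}:{rec.local_port} <- {rec.remote_ip}:{rec.remote_port} "
              f"{rec.protocol} {rec.version} ({rec.connections} connections)")
    print(summarize(SAMPLE))
```

Totals are counted in connections rather than records because one subtype 12 record can stand for hundreds of connections in the interval; a single cleartext FTP record from an external address still outranks a busy internal cleartext flow, which is why ordering uses severity first and volume second.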
We expect that zERT will be used widely within the enterprise: by the security staff to track the implementation of encryption across the company, and by the auditors to verify that the IT department meets the regulatory and company security requirements.
How to get the Most Out of IBM’s zERT for Tracking Mainframe Network Traffic
Like with most SMF data sources, out of the box all the good data is there, but to get useful information a significant analysis effort is required.
Our white paper, How to get the most out of IBM's zERT for tracking mainframe network traffic, details how you can effectively process the SMF 119 subtype 12 records and produce reporting tailored to your environment and reporting needs. Doing so gives you greater visibility into your encryption data and lets you monitor and track it more effectively, which is crucial to your network security.