TCP/IP 201: The Beauty of PAGENT
Project and Program: Enterprise Data Center, Security and Compliance, SHARE Pittsburgh 2019
In the presentation preceding this one, “TCP/IP 101: The Ins, The Outs of PORTS”, the integrity and security controls applied were tightly bound to a specific named TCP/IP control point, i.e., a PORT and/or a PORT user and/or JOB. While such configuration constructs, when applied correctly, are a valuable security control, on their own they are inherently viewed as too “rigid” to fully satisfy the integrity and security requirements of today’s fast-paced z/OS environment. Today, as new DevOps-created applications (mobile), services (wireless), and resources (cloud) are added or removed, new network requirements follow, placing incremental demands on existing TCP/IP infrastructures. As a result, network managers are drowning in a confusing, often excessive set of control detail. Policy-Based Management (PBM) of TCP/IP offers an additional layer of control that leverages existing network-specific configurations and, at the same time, adds control abstractions that can be used to enhance network flexibility, adaptability, integrity and security.
Best known as “PAGENT”, the Policy Management Agent, a “free” component of the IBM z/OS Communications Server, is sufficiently flexible to support single or multiple TCP/IP stacks acting as either a policy server and/or a policy agent. Alternatively, an agent may receive certain policy types from a Lightweight Directory Access Protocol (LDAP) server. These policies control network security (IP Security), identify anomalous behavior (Intrusion Detection), prioritize and route traffic (Policy-Based Routing), balance bandwidth and resources (Quality of Service) and provide Application Transparent TLS (AT-TLS) to qualified z/OS applications. The policy agent reads “flat files” containing these configurations, parses out their policy definitions, and installs them in the TCP/IP stack, where they are enforced.
All policies are typically supported and maintained as UNIX files and/or MVS data sets, either through the functions of the Communication Assistant (a workstation-based tool) or more directly and manually using TSO/ISPF edit functions. Access to these files, their backups (if any), any audit or change log, and any related PAGENT command (pasearch) must be controlled and secured in order to maintain network integrity and security.
Following this presentation, you will be able to identify and explain the different types of PAGENT installations, each installation’s major configuration elements, and the services each such element offers to the TCP/IP stack for enforcement; differentiate between the methods used to maintain and update the configuration; and recognize common configuration problems. Finally, you will understand the need for active SERVAUTH profiles and the authorization of individual PAGENT users.
Complete the survey for this session towards earning the Security Warrior digital badge: http://bit.ly/SHARE24904
Paul Robichaux, NewEra Software, Inc.