Vanguard Enforcer™: Intrusion Management for the z/OS Mainframe
A proven state-of-the-art
intrusion management solution that is the only intrusion detection
solution for the Mainframe to be awarded Common Criteria
certification (EAL 3+). The 2009 and 2010 winner of Government
Security News Magazine’s Homeland Security Award for the Best
Intrusion Detection/Intrusion Protection systems, Vanguard Enforcer
protects critical data and other resources by ensuring that the
standards, policies, rules and settings defined by an organization's
security and compliance experts are in force and stay that way.
With Enforcer, organizations can be confident that their security
management implementation is effectively protecting their critical
resources and continuously adhering to "Best Practices" standards.
With TCP/IP, the Mainframe sits on your network like any other
computing device. The critical differences? The Mainframe system
typically processes about 90% of the mission-critical data and
applications of an organization, and it has a unique attribute: when
your Mainframe system is under attack, it does not respond like other
platforms by slowing down and stopping production; it just keeps on
going with no overt sign of attack. Your network requires intrusion
management on other, less critical systems that may inherently alert
you to attacks: shouldn't you have intrusion management on the
critical Mainframe system as well?
Like all intrusion detection solutions, Enforcer continuously
monitors and analyzes security-relevant events and activities,
looking for potential intrusion scenarios. Enforcer, however, goes
beyond event monitoring. Enforcer also finds vulnerabilities and
actually prevents intrusions by continuously inspecting the
underlying security implementation itself, with emphasis on the
protection of critical information assets and system resources.
Enforcer compares the security measures currently in place to
authorized security configuration baselines that are themselves
based on the security policies of the organization. Enforcer
also analyzes current security against "best practice" security
rules. When a violation of any of these rules or the security
configuration baseline is detected, Enforcer issues an alert via
email to key security personnel. For more critical violations,
Enforcer gives the option of automatically restoring the active
security settings to the protection defined in the baseline.
This automated surveillance of the security implementation separates
Enforcer entirely from other intrusion detection solutions and
establishes Enforcer as an intrusion management solution as well.
Space Age Technology
Vanguard Enforcer is the ideal solution for security management on
today's zSeries server. Enforcer technology has been actively
protecting systems and data critical to maintaining life in manned
space programs for over a decade. The technology was
originally developed in response to system intrusions related to the
National Aeronautics and Space Administration (NASA) space program,
to protect systems and data critical to human life in the
unforgiving and inhospitable environment of space.
Today, Enforcer is instrumental in maintaining NASA's highest level
of security. Vanguard is very excited to have transformed this
well-proven software system into a breakthrough security management
product available to corporate users.
The Importance of EAL3+ Certification
Enforcer earned Common Criteria certification. Common Criteria
certification is already a procurement standard for many government
and military organizations, but is just becoming familiar to
corporate IT security organizations. The Common Criteria (CC)
for IT Security Evaluations, also known as ISO standard 15408, was
developed by the national security organizations of the United
States, Canada, the United Kingdom, France, Germany and The
Netherlands. It defines evaluation criteria and methods for a
wide range of commercial and nationally sensitive government-use IT
security products.
An international team of software security experts closely examined
and tested Enforcer to make sure it performs the security functions
claimed and can be fully secured against attacks by hackers--and
much, much more. The evaluation was validated by Bundesamt für
Sicherheit in der Informationstechnik (BSI), the German CC
certifying body that also certified z/OS 1.6.
The certification of Enforcer has strong significance to all
organizations using Mainframes in their critical computing
infrastructure. It establishes Enforcer as a validated security and
integrity assurance measure that defines a new best practice standard
for Mainframe security. CC certifying bodies will not undertake an
evaluation until they are convinced that the target of evaluation
provides significant security functionality.
Because Enforcer is the first of a new breed of security products,
this validation is extremely important both to Vanguard and to
organizations that are intent on providing the strongest security
possible for their Mainframes, where the lion's share of critical and
sensitive data resides today just as it has for the past three
decades.
Of course, the Common Criteria and EAL3+ certification also means
that Enforcer actually performs all of the security functions it
claims.
Quickly Identifying Risk
A critical part of risk management on Mainframe systems and the IBM
Security Server (RACF) is monitoring and analyzing events. Failure to
identify an attempted break-in, misuse of a resource or unauthorized
change in protection can cause catastrophic results, costing an
organization millions of dollars. The ability to identify existing or
new security exposures is only the beginning. To avoid catastrophe,
you must also have the ability to clarify and eliminate the true
cause of a problem.
Vanguard Enforcer guides an organization in creating a security
policy baseline that details access rules for critical data, user,
and change administration policies. It then continuously and
automatically monitors the system, instantly comparing current
system settings against policy baselines and Best Practices security
standards, identifying critical security-related exceptions, and
managing program changes to the security database. Enforcer
detects and identifies policy variances and violations in real time,
logs them, issues Email notices to designated personnel and, where
appropriate, takes corrective action. These proactive
facilities are supported by analytic tools that gather all required
information, identify problems and issues, recognize their
importance, explain their significance, and guide the user to
eliminate identified exposures.
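The baseline comparison described above (and in the earlier paragraph on authorized security configuration baselines) reduces to three steps: diff the live settings against an authorized baseline, alert on every variance, and restore only the settings classed as critical, then check the result against independent best-practice rules. The following Python is an added example written for this page, not Vanguard's code; the setting names, the baseline values and the "live" snapshot are constructed stand-ins modelled loosely on RACF-style options and data set access rules, and the restore step simply writes the baseline value back into the snapshot.

```python
"""Baseline comparison with alerting and selective automatic restore.

Added example: hypothetical setting names modelled loosely on RACF-style
options and data set access rules; none of this is Vanguard's code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed baseline: the authorized value for each security setting.
BASELINE: Dict[str, str] = {
    "SETROPTS.PASSWORD.MINLEN": "8",
    "SETROPTS.PROTECTALL": "FAILURES",
    "DATASET.PROD.PAYROLL.**.UACC": "NONE",
    "DATASET.SYS1.PARMLIB.UACC": "READ",
    "USER.IBMUSER.REVOKED": "YES",
}

# Settings whose drift is serious enough to be restored automatically;
# everything else is only reported.
CRITICAL: Set[str] = {
    "SETROPTS.PROTECTALL",
    "DATASET.PROD.PAYROLL.**.UACC",
    "USER.IBMUSER.REVOKED",
}

# Constructed snapshot of the live system, with four settings drifted.
SAMPLE_CURRENT: Dict[str, str] = {
    "SETROPTS.PASSWORD.MINLEN": "6",
    "SETROPTS.PROTECTALL": "WARNING",
    "DATASET.PROD.PAYROLL.**.UACC": "READ",
    "DATASET.SYS1.PARMLIB.UACC": "UPDATE",
    "USER.IBMUSER.REVOKED": "YES",
}


# "Best practice" rules are evaluated against the live settings on their
# own, independent of the site baseline. Each returns a message or None.
def min_password_length(current: Dict[str, str]) -> Optional[str]:
    if int(current.get("SETROPTS.PASSWORD.MINLEN", "0")) < 8:
        return "password minimum length is below 8"
    return None


def no_public_update_on_system_datasets(current: Dict[str, str]) -> Optional[str]:
    for key, value in current.items():
        if key.startswith("DATASET.SYS1.") and value in ("UPDATE", "CONTROL", "ALTER"):
            return f"{key} grants {value} to every user"
    return None


BEST_PRACTICE_RULES = [min_password_length, no_public_update_on_system_datasets]


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: str
    critical: bool
    restored: bool


def enforce(
    current: Dict[str, str],
    baseline: Dict[str, str] = BASELINE,
    critical: Set[str] = CRITICAL,
    alert: Callable[[str], None] = print,
) -> Tuple[List[Finding], List[str]]:
    """One monitoring pass.

    Compares every baselined setting with the live value, alerts on each
    variance, restores critical settings in place, then runs the
    best-practice rules over the (possibly repaired) live settings.
    """
    findings: List[Finding] = []
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")
        if actual == expected:
            continue
        is_critical = key in critical
        if is_critical:
            current[key] = expected  # stand-in for re-issuing the authorized setting
        findings.append(Finding(key, expected, actual, is_critical, is_critical))
        level = "CRITICAL" if is_critical else "WARNING"
        suffix = " (restored to baseline)" if is_critical else ""
        alert(f"{level}: {key} expected {expected!r}, found {actual!r}{suffix}")
    violations: List[str] = []
    for rule in BEST_PRACTICE_RULES:
        message = rule(current)
        if message:
            violations.append(message)
            alert(f"BEST PRACTICE: {message}")
    return findings, violations


if __name__ == "__main__":
    live = dict(SAMPLE_CURRENT)
    found, broken = enforce(live)
    print(f"{len(found)} variances, {sum(f.restored for f in found)} restored, "
          f"{len(broken)} best-practice violations")
```

Run against the constructed snapshot, the pass reports four variances, restores the two critical ones (PROTECTALL and the payroll UACC) and leaves the other two as warnings; the best-practice rules then still fire on the short password length and the public UPDATE on the SYS1 data set, because neither was a critical baseline entry. Keeping the restore set separate from the alert set is the point: an automatic rollback of the wrong setting is itself an outage, so only entries whose correct value is unambiguous belong in it.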
Best Practices
To achieve Best Practices compliance, IT professionals must find
ways to improve security and manage increased risk without
increasing workload. Ideally, this is done by automating previously
labour-intensive tasks. It is no longer enough to manage access and
security functions the way they have been done in the past.
Environments have grown too complex and are changing too rapidly.
The number of transactions and users has grown to levels too high for
traditional periodic point-in-time assessment and control measures to
work effectively. Dynamic, proactive, automated solutions are
required.
A corporation's IT security expertise is best employed developing
and improving security policies and seeking ways to reduce
vulnerabilities. Therefore, any task that can be done via
automation, such as system integrity and security monitoring, frees
scarce technical resources and budget dollars for other purposes.
Vanguard Enforcer is designed to solve the problems associated with
monitoring and ensuring the integrity of your enterprise's security.
Enforcer continuously meets the challenge of Best Practices that
measure your organization's security and vulnerability.
The Nature of Intrusion Detection
According to the Purdue University Computer Science Laboratory, an
intrusion can be defined simply as someone attempting to break into
or misuse a system. An intrusion detection system (IDS) attempts to
detect an intruder breaking into a system, or a legitimate user
misusing system resources. The IDS runs constantly on a system,
working in the background, and only issues a notification when it
detects something it considers suspicious or illegal. An IDS
consistently identifies any set of actions or changes that, generally
speaking, can compromise the integrity of a system, erode its
confidentiality, and/or interfere with the availability of resources.
Intrusion Detection systems are classified in one of two ways:
1. Host-Based - Detecting intrusions through audit data from a single
   or multiple host computers (i.e. Mainframes).
2. Network-Based - Detecting intrusions through network traffic data
   and audit data from other host(s).
The detection methodology used by the IDS is characterized as:
1. Anomaly Based - Identification of intrusion through activity that
   differs from a user's or system's normal behaviour.
2. Misuse Based - Identification of intrusion through activity that
   corresponds to known intrusion techniques, signatures or
   vulnerabilities.
Almost all of the intrusion detection programs available today are
anomaly-based or limited misuse-based. Only one solution, Vanguard
Enforcer, is host-based and fully utilizes misuse detection.
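The anomaly-based and misuse-based methodologies above are easiest to compare when both are run over the same host audit trail. The Python below is an added example written for this page, not Vanguard's code and not a description of how Enforcer works internally: the audit event layout, the user names, the history used to learn "normal" behaviour and the failed-logon threshold are all constructed, and a real host-based IDS would read its events from the system's audit records rather than from a list.

```python
"""Misuse-based versus anomaly-based detection over constructed audit events.

Added example, not Vanguard's code. The event layout, user names and
thresholds are hypothetical stand-ins for what a host-based IDS would read
from the audit trail.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AuditEvent:
    user: str
    action: str     # LOGON, ACCESS or ALTER
    resource: str
    result: str     # SUCCESS or FAIL
    hour: int       # hour of day, 0-23


# Constructed "normal" history used to build per-user behaviour profiles.
HISTORY = [
    AuditEvent("ALICE", "LOGON", "TSO", "SUCCESS", 9),
    AuditEvent("ALICE", "ACCESS", "PROD.PAYROLL.MASTER", "SUCCESS", 10),
    AuditEvent("ALICE", "ACCESS", "PROD.PAYROLL.MASTER", "SUCCESS", 14),
    AuditEvent("BOB", "LOGON", "TSO", "SUCCESS", 8),
    AuditEvent("BOB", "ACCESS", "DEV.SOURCE.COBOL", "SUCCESS", 11),
]

# Constructed events for the window under analysis.
TODAY = [
    AuditEvent("BOB", "LOGON", "TSO", "FAIL", 8),
    AuditEvent("BOB", "LOGON", "TSO", "FAIL", 8),
    AuditEvent("BOB", "LOGON", "TSO", "FAIL", 8),
    AuditEvent("BOB", "LOGON", "TSO", "SUCCESS", 8),
    AuditEvent("BOB", "ACCESS", "PROD.PAYROLL.MASTER", "SUCCESS", 8),
    AuditEvent("ALICE", "ALTER", "SYS1.PARMLIB", "SUCCESS", 3),
    AuditEvent("MALLORY", "LOGON", "TSO", "SUCCESS", 12),
]

FAILED_LOGON_THRESHOLD = 3  # hypothetical signature threshold


def misuse_detect(events: List[AuditEvent]) -> List[str]:
    """Misuse-based: match events against fixed signatures of known bad activity."""
    alerts: List[str] = []
    failed_logons: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.action == "LOGON" and e.result == "FAIL":
            failed_logons[e.user] += 1
            if failed_logons[e.user] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"misuse: {FAILED_LOGON_THRESHOLD} failed logons for {e.user}")
        if e.action == "ALTER" and e.result == "SUCCESS" and e.resource.startswith("SYS1."):
            alerts.append(f"misuse: {e.user} altered system data set {e.resource}")
    return alerts


def build_profiles(history: List[AuditEvent]) -> Dict[str, Dict[str, Set]]:
    """Learn each user's usual hours and resources from a known-good window."""
    profiles: Dict[str, Dict[str, Set]] = {}
    for e in history:
        p = profiles.setdefault(e.user, {"hours": set(), "resources": set()})
        p["hours"].add(e.hour)
        p["resources"].add(e.resource)
    return profiles


def anomaly_detect(profiles: Dict[str, Dict[str, Set]], events: List[AuditEvent]) -> List[str]:
    """Anomaly-based: flag activity that departs from the user's learned pattern."""
    alerts: List[str] = []
    for e in events:
        p = profiles.get(e.user)
        if p is None:
            alerts.append(f"anomaly: activity by unprofiled user {e.user}")
            continue
        if e.hour not in p["hours"]:
            alerts.append(f"anomaly: {e.user} active at hour {e.hour}, outside usual hours")
        if e.resource not in p["resources"]:
            alerts.append(f"anomaly: {e.user} touched {e.resource}, not in usual resources")
    return alerts


if __name__ == "__main__":
    for line in misuse_detect(TODAY) + anomaly_detect(build_profiles(HISTORY), TODAY):
        print(line)
```

The two detectors disagree in an instructive way on the constructed data: the three failed logons for BOB match a misuse signature but are not anomalous (same hour, same resource as always), while BOB reading the payroll master file matches no signature yet stands out against his profile. ALICE altering SYS1.PARMLIB at 3 a.m. is caught by both, and the unprofiled user MALLORY only by the anomaly side. That complementarity is why the page's distinction matters when evaluating any host-based product.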
Understanding the Difference
Vanguard Enforcer as an Intrusion Management Solution
Vanguard Enforcer represents the next level of protection
against system intruders. It is a true and unique
Intrusion Management solution. Only Vanguard Enforcer can
do all of the following:
■ Continuously monitor and manage security on a Mainframe system.
■ Automatically protect critical data and other resources on a
  Mainframe on a 24x7x365 basis.
■ Guide client companies in creating a security policy baseline that
  details access rules for critical data, user and change
  administration policies.
■ Compare current system settings against policy baselines and Best
  Practices security.
■ Identify critical security-related exceptions.
■ Issue notice on variances and violations.
■ Take corrective action, automatically returning the system to its
  original baseline settings within moments of detecting and
  recording an intrusion.
Vanguard Enforcer provides the ability to:
■ Automatically and continuously protect the most valuable data
  resources as defined by management.
■ Allow security administration to better focus resources on
  supporting individual users, groups, and departments to achieve
  better levels of response and customer support.
■ Respond effectively to the reality of diminished security awareness
  in a distributed and open environment.
■ Manage and control the change process inherent in complex security
  access administration.
■ Detect potential unauthorized system libraries, preventing
  unsanctioned code execution or bypass methods.
Meeting Objective Tests of Intrusion Management
Independent research, conducted at Purdue University into the
nature, purpose and requirements for intrusion detection and
management, has determined that an intrusion system should
address eight specific issues:
1. The program must run continually without human supervision. The
   system must be reliable enough to allow the program to run in the
   background of the system being observed. However, it must not be
   a "black box", and its internal working should be examinable from
   the outside.
2. It should be fault tolerant in the sense that it must be able to
   survive a system crash and not require rebuilding of its knowledge
   base or baseline at restart.
3. It must resist subversion and be able to monitor itself to ensure
   that it has not been subverted.
4. Its software should impose only minimal overhead on the system,
   and not slow the operation of the computer.
5. It must observe deviations from normal behaviour.
6. It must be able to be easily tailored to the system in question.
   Every Mainframe system has a different usage pattern, and the
   defense mechanisms should adapt easily to these patterns.
7. The solution must cope with changing system behaviour over time,
   as new applications are added. The system profile will change over
   time, and the intrusion solution must be able to adapt.
8. The intrusion system must be difficult to circumvent.
An analysis of each of these eight
characteristics as applied to Vanguard Enforcer reveals that
Vanguard's Intrusion Management solution is the most
comprehensive product offering in the marketplace.
Intrusion Management - Or a Firewall?
If a company has a strong firewall in place on its network,
should it also implement the Vanguard Enforcer Intrusion
Management solution? Without doubt, the answer is "yes".
A firewall is the security equivalent of a chain-link fence
around a piece of property and a guard post at the front gate.
While it can effectively keep outsiders on the outside for the
most part, it cannot detect or report on what is going on
inside.
Unfortunately, it is estimated that over half (and almost as
high as 70 percent) of unauthorized accesses now come from
inside the firewall. Therefore, the firewall is
ineffective as a defense mechanism in the second most common
security breach, unauthorized internal intrusions. The
Vanguard Enforcer Intrusion Management solution effectively
protects against both internal and external security issues. As
such, it is an indispensable partner to firewall technology.
Enforcer & The Concept of Inheritance
In the world of information technology, "compatibility" is
sometimes an issue. New software releases often do not work with
earlier versions or with similar product offerings.
Evidence of Vanguard's commitment to customer care can be seen
in the Vanguard Concept of Inheritance. Most Vanguard
security solutions work together. Because many of the
solutions are fully integrated, each product automatically
inherits the benefits of its "lineage".
Though powerful in its own right, Vanguard Enforcer also serves as a
critical part of the complete Vanguard Security Solution. This
software solution fully integrates the formerly independent functions
of security administration, reporting, assessment and monitoring into
a single solution: a concept unprecedented in Mainframe security.