IBM Systems Magazine, Mainframe Edition - November/December 2010 - 39

Figure 2: zEnterprise Network Access Control

switch. In the case where servers aren’t part of the ensemble, the administrator must enable the Media Access Control (MAC) addresses for access to zBX system resources. zManager assigns a MAC address prefix to all hypervisors and virtual switches, thus controlling all of the dynamic MAC address generation. This central-configuration approach eliminates MAC address conflicts and unauthorized generation of virtual MAC addresses.

Integrating a Software Firewall
If regulatory compliance, for example the Payment Card Industry Data Security Standard (PCI-DSS), is the driving reason for a firewall requirement, there are options. A stateful packet-filtering firewall is required as part of this kind of end-to-end solution. In this case, a basic firewall that meets these requirements can be deployed using built-in Linux functionality. It could be a purpose-built firewall image that’s tightly secured and controlled and provides no other service to the ensemble. Linux distributions available for the blade offerings in the zBX or for System z servers can be used to insert an iptables-based firewall into the IEDN flows. This option can be used to create one or more virtual firewall appliances that can be used throughout the ensemble. The firewall server has two legs or network connections to handle traffic: one leg reaching into one security zone and the other leg in the second security zone. The only way for traffic to get from one security zone to the other is to be routed through the Linux firewall.

Exploiting External Firewalls
In some environments, regulatory, audit, policy requirements, etc. mandate a physical firewall or a certain brand of firewall above and beyond a software firewall option or the expanded security the IEDN provides. In these cases, an external firewall can still be inserted into the end-to-end solution. The virtual servers must route the firewalled traffic out of the IEDN. In such cases, the administrator creates a static default route, where the next hop is the address of the firewall router.

Capabilities Abound
We’ve introduced basic network firewall considerations and possible requirements for deploying a firewall on a zEnterprise System internal network. The vision and capabilities of this new internal network have also been explored at a high level, describing the enhanced physical and logical security that’s now available. In many cases, this may eliminate the need for a network firewall when a solution with multiple security zones is deployed in the new zEnterprise environment. However, if a regulatory or security policy requires a firewall, it’s possible to configure the zEnterprise networking environment to satisfy these needs. For a more detailed look into this topic, see the downloadable whitepaper “IBM zEnterprise System—Network Security” (http://bit.ly/zenterprisesecure).

Jerry Stevens is a senior technical staff member with IBM Software Group and works in AIM Enterprise Networking Solutions Architecture Strategy and Design with a focus on communications hardware architecture. He has more than 25 years of experience with z/OS network communications.

Peter Spera is a senior software engineer with IBM. He’s focused on security for Linux on System z, but is also involved with other areas such as system integrity and vulnerability reporting.
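
The two-legged Linux firewall described under "Integrating a Software Firewall", shown as an added example (not from the article or from IBM): a default-deny, connection-tracking iptables ruleset that forwards a single flow between the two security zones. The interface names, subnet, server address and port passed to it are constructed placeholders, and `build_ruleset` and `apply_ruleset` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: a two-legged stateful firewall between two security zones,
# emitted in iptables-restore format. Interface names, addresses and the
# port are constructed placeholders, not values from the article.

# build_ruleset ZONE_A_IF ZONE_B_IF ZONE_A_NET ZONE_B_SERVER TCP_PORT
build_ruleset() {
    [ "$#" -eq 5 ] || { echo "usage: build_ruleset A_IF B_IF A_NET B_SRV PORT" >&2; return 2; }
    a_if=$1 b_if=$2 a_net=$3 b_srv=$4 port=$5
    # One leg per zone: a single shared interface would not separate them.
    [ "$a_if" != "$b_if" ] || { echo "legs must be different interfaces" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "port out of range" >&2; return 1; }
    cat <<EOF
*filter
# Default deny: nothing is forwarded or accepted unless a rule allows it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The appliance offers no service of its own: loopback and replies only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Stateful filtering: discard packets that belong to no tracked connection,
# pass packets of connections that were already allowed.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The single permitted flow: new TCP connections from zone A to one zone B server.
-A FORWARD -i $a_if -o $b_if -s $a_net -d $b_srv -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of everything about to fall through to the DROP policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "zonefw-drop: "
COMMIT
EOF
}

# apply_ruleset takes the same arguments; needs root on the firewall guest.
apply_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    # --test parses the ruleset without committing it.
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    # Routing between the two legs is off by default on most distributions.
    sysctl -w net.ipv4.ip_forward=1
}

# Preview the ruleset without touching the system when given five arguments.
if [ "$#" -eq 5 ]; then build_ruleset "$@"; fi
```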
