How the ClearPath MCP Integrates into your Enterprise Security Policy
Mike Kain, Consulting Engineer & Security Architect
MCP Session 3025 – Tuesday, April 14th, 2012, 9:15am


Page 1: 2012-MCP3025 Enterprise Security Policy · How the ClearPath MCP Integrates into your Enterprise Security Policy Mike Kain, Consulting Engineer & Security Architect MCP Session 3025

How the ClearPath MCP Integrates into your Enterprise Security Policy

Mike Kain, Consulting Engineer & Security Architect
MCP Session 3025 – Tuesday, April 14th, 2012, 9:15am

Page 2:

© 2012 Unisys Corporation. All rights reserved. 2

Abstract: Goal of presentation

• To show how the ClearPath MCP integrates into the security frameworks that already exist in most datacenters:
  – Interoperability
  – Security
  – Management

• How ClearPath MCP security can help datacenters become more secure

• To look at security as the whole datacenter and how ClearPath MCP fits into and helps define security policy.

• There will also be a survey throughout the talk about how you define security policy on ClearPath MCP.

Page 3:

ClearPath Security: Interoperable and Secure

• The ClearPath MCP environment cooperates in the security of your datacenter by interoperating in many areas:
  – Network Security
    • File Transfer
    • Client access (terminals)
    • Firewall configuration
  – Security policy management
  – User policy management
  – Identity management
  – Data security
    • Access control

• ClearPath MCP provides a secure environment for your mission-critical data

Page 4:

Network Security: File Transfer

• ClearPath MCP can transfer files securely over many file transfer protocols:
  – FTP using SSL/TLS for security (FTPS)
    • Implicit and Explicit Mode supported
    • Client X.509 Certificates supported
    • All deprecated SSL/TLS cipher suites have been removed (all remaining suites are 128-bit or higher)
  – SFTP (using SSH)
    • Always secure (no unsecure version)
    • ssh-rsa keys supported (de-facto standard)
    • Can restrict to only public key authentication (through SECOPT)
    • Editor's note: "ssh-rsa" here names the RSA key type. Newer SSH clients reject the legacy ssh-rsa (SHA-1) signature algorithm by default, so confirm which signature algorithms the MCP SFTP server actually negotiates with your clients.
  – SAN Datamover
    • Allows offloaded file transfers over the FTPS and SFTP protocols.

Page 5:

Network Security: Secure Terminals

• ClearPath MCP can provide secure access with standard secure protocols:
  – Secure TELNET (TELNET over TLS, port 992)
    • Can be controlled to offer only secure terminals (no insecure)
  – Web-based secure terminals (WebEnabler)
    • Use browser-based security (HTTPS)

Page 6:

Network Security: Secure Administration

• ClearPath MCP provides secure access to administrative tools:
  – SecurityCenter
  – WebTS for ClearPath MCP (ATLASADMIN)
• All over SSL/TLS

Page 7:

Network Security: TCP/IP Firewall (TCPIPSECURITY Rules)

• Allows restriction of network access to the ClearPath MCP on the following criteria:
  – Source and destination IP address
  – Source and destination port ranges
  – Usercodes
  – Codefile names
  – Time of day and day of week
  – TCP/IP authorized applications (ports below 1024 must be marked)
  – Transport protocol (TCP or UDP)

• SecurityCenter has wizards to help with testing before deployment.

• Client Access Services (MCP 14.0) also has more access control on what usercodes can access ClearPath MCP.
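The following evaluator is an added example, not MCP TCPIPSECURITY syntax or any Unisys code. It models a rule with the criteria the slide lists (addresses, port ranges, usercode, codefile, time of day and day of week, transport protocol), evaluates a connection attempt first-match-wins with a default deny, and runs a small lint pass of the kind you would want before deploying a ruleset. The addresses, usercodes and the ruleset itself are constructed for illustration.

```python
"""Rule evaluator for a TCP/IP firewall of the kind described on this slide.

Added example: the rule representation and the sample ruleset are hypothetical
and are not MCP TCPIPSECURITY syntax. It shows first-match evaluation over the
criteria the slide lists and a pre-deployment lint pass.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: Optional[str] = None          # "tcp" or "udp"; None matches either
    src: Optional[str] = None            # CIDR, e.g. "10.1.0.0/24"; None = any
    dst: Optional[str] = None
    sport: Tuple[int, int] = (1, 65535)  # inclusive source port range
    dport: Tuple[int, int] = (1, 65535)  # inclusive destination port range
    usercode: Optional[str] = None       # MCP usercode; None = any
    codefile: Optional[str] = None       # program codefile name; None = any
    days: Set[int] = field(default_factory=lambda: set(range(7)))  # 0=Mon .. 6=Sun
    start: time = time(0, 0)             # time-of-day window, inclusive
    end: time = time(23, 59, 59)


@dataclass
class Attempt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    usercode: str
    codefile: str
    when: datetime


def _in_window(start: time, end: time, t: time) -> bool:
    # Handles windows that wrap past midnight (e.g. 22:00-06:00).
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def matches(rule: Rule, a: Attempt) -> bool:
    """True when every criterion of the rule accepts the attempt."""
    if rule.proto and rule.proto != a.proto:
        return False
    if rule.src and ip_address(a.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(a.dst) not in ip_network(rule.dst):
        return False
    if not (rule.sport[0] <= a.sport <= rule.sport[1]):
        return False
    if not (rule.dport[0] <= a.dport <= rule.dport[1]):
        return False
    if rule.usercode and rule.usercode != a.usercode:
        return False
    if rule.codefile and rule.codefile != a.codefile:
        return False
    if a.when.weekday() not in rule.days:
        return False
    return _in_window(rule.start, rule.end, a.when.time())


def evaluate(rules: List[Rule], a: Attempt) -> Tuple[str, Optional[int]]:
    """First matching rule decides; no match at all is treated as deny."""
    for i, r in enumerate(rules):
        if matches(r, a):
            return r.action, i
    return "deny", None


def lint(rules: List[Rule]) -> List[str]:
    """Pre-deployment checks, in the spirit of testing rules before deploying them."""
    warnings = []
    last = rules[-1]
    if not (last.action == "deny" and last.proto is None and last.src is None
            and last.dst is None and last.usercode is None and last.codefile is None):
        warnings.append("last rule is not a catch-all deny")
    for i, r in enumerate(rules):
        if r.action == "permit" and r.src is None and r.usercode is None:
            warnings.append(f"rule {i}: permit with neither source nor usercode restriction")
    return warnings


# Constructed sample ruleset (hypothetical addresses and usercodes).
RULES = [
    # Admin subnet may reach SFTP (22/tcp) as SECADMIN on weekdays, 07:00-19:00.
    Rule("permit", "tcp", src="10.1.0.0/24", dport=(22, 22), usercode="SECADMIN",
         days=set(range(5)), start=time(7, 0), end=time(19, 0)),
    # A single batch host may use implicit FTPS (990/tcp) at any time.
    Rule("permit", "tcp", src="10.2.0.5/32", dport=(990, 990)),
    # Everything else is dropped.
    Rule("deny"),
]


def decide(proto, src, dst, sport, dport, usercode, codefile, when):
    return evaluate(RULES, Attempt(proto, src, dst, sport, dport, usercode, codefile, when))


def sample_decisions() -> dict:
    """Runs a handful of constructed attempts through RULES."""
    admin = ("tcp", "10.1.0.7", "10.0.0.1", 51000, 22, "SECADMIN", "")
    batch = ("tcp", "10.2.0.5", "10.0.0.1", 40000, 990, "BATCH", "")
    tue_0915 = datetime(2012, 4, 17, 9, 15)   # a Tuesday
    sun_0915 = datetime(2012, 4, 15, 9, 15)   # a Sunday
    return {
        "admin_weekday_hours": decide(*admin, tue_0915),
        "admin_sunday": decide(*admin, sun_0915),
        "admin_late": decide(*admin, datetime(2012, 4, 17, 22, 0)),
        "admin_wrong_usercode": decide(*admin[:5], "JSMITH", "", tue_0915),
        "admin_udp": decide("udp", *admin[1:], tue_0915),
        "batch_ftps_sunday": decide(*batch, sun_0915),
        "batch_plain_ftp": decide(*batch[:4], 21, "BATCH", "", sun_0915),
    }


if __name__ == "__main__":
    print(lint(RULES))
    for name, verdict in sample_decisions().items():
        print(f"{name:22} {verdict}")
```

The lint pass mirrors what the slide's "test before deployment" wizards are for: a ruleset without an explicit catch-all deny relies on whatever the implicit default is, and a permit with no source or usercode restriction is almost always an oversight.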

Page 8:

Network Security: MCP features

• MCP Networking has other features which limit network access and reduce exposure to Denial of Service from the rest of the network:

• Dynamic Port Filtering (DPF)
  – Connection requests are only accepted for listening services; all others are dropped
  – On by default in MCP 53.1 (MCP 12.0 networking)
  – Presents a lower attack surface

• Broadcast Filtering
  – Defines the low and high water mark for broadcast levels
  – Reduces the impact of broadcasts on ClearPath MCP cycles
  – Introduced in MCP 52.1 (MCP 11.1 networking)

Page 9:

Network Security: IPsec (IPv6)

• Can protect all network traffic according to a defined IPsec policy.

• IPsec (IPv6 only)
  – Supports AH (RFC 4302) and ESP (RFC 4303)
  – Transport mode only (no tunnel mode)
  – 3DES and AES encryption supported
  – Can protect any IPv6 traffic (TCP/UDP/BIP)
  – ICMP not recommended to be protected with IPsec

Page 10:

Policy Management: SecurityCenter

• The Security Policy Management module of SecurityCenter allows security administrators to define policy for the system in the areas of:
  – System Policy
  – User Policy
  – COMS User Policy
  – Network Policy (already covered)
    • TCP/IP Firewall
    • IPsec

Page 11:

Security Center: System Policy Management

• System Policy Management allows security administrators to define system policy. Includes:
  – Security Options (SECOPT)
  – Logging Options

• Ability to apply system policy across multiple MCP systems from the security administrator's workstation

• Can create system policy from a working system
• Can use the defined system policy as input to SafeSurvey's System Policy report to see if any changes have occurred.
  – The System Policy report can be scheduled to run periodically and imported into the SafeSurvey client for analysis.
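The comparison that a scheduled System Policy report enables, as an added example and not SecurityCenter or SafeSurvey code: a baseline written as constraints (exact values or bounds, which is how a site policy usually reads), a report of the running values, and a drift pass that reports settings that violate the baseline, settings the baseline requires but the report lacks, and settings present on the system that nobody has put under policy. The option names, the "OPTION op VALUE" text format and both samples are constructed for illustration; they are not real SECOPT option names.

```python
"""Baseline-versus-running comparison of system policy settings.

Added example, not SecurityCenter or SafeSurvey code: option names, the
'OPTION op VALUE' text format and the sample data are constructed.
"""
import re
from typing import Dict, List, Tuple

# One setting per line; '%' starts a comment (as it does in WFL).
_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*(>=|<=|=)\s*(\S+)\s*$")


def _lines(text: str):
    for raw in text.splitlines():
        ln = raw.split("%", 1)[0]
        if ln.strip():
            yield ln


def parse_policy(text: str) -> Dict[str, Tuple[str, str]]:
    """Baseline: option -> (operator, expected value)."""
    out = {}
    for ln in _lines(text):
        m = _LINE.match(ln)
        if not m:
            raise ValueError(f"unparseable policy line: {ln.strip()!r}")
        out[m.group(1)] = (m.group(2), m.group(3))
    return out


def parse_report(text: str) -> Dict[str, str]:
    """Running settings: option -> value. Only '=' is meaningful in a report."""
    out = {}
    for ln in _lines(text):
        m = _LINE.match(ln)
        if not m or m.group(2) != "=":
            raise ValueError(f"unparseable report line: {ln.strip()!r}")
        out[m.group(1)] = m.group(3)
    return out


def _satisfies(op: str, expected: str, actual: str) -> bool:
    if op == "=":
        return expected.upper() == actual.upper()
    try:
        e, a = int(expected), int(actual)
    except ValueError:
        return False  # a bound against a non-numeric value is a finding, not a pass
    return a >= e if op == ">=" else a <= e


def drift(policy: Dict[str, Tuple[str, str]], report: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(option, kind, detail) for every deviation; kind is drift, missing or unmanaged."""
    findings = []
    for opt, (op, exp) in sorted(policy.items()):
        if opt not in report:
            findings.append((opt, "missing", f"expected {op} {exp}, not in report"))
        elif not _satisfies(op, exp, report[opt]):
            findings.append((opt, "drift", f"expected {op} {exp}, running {report[opt]}"))
    for opt in sorted(set(report) - set(policy)):
        findings.append((opt, "unmanaged", f"running {report[opt]}, not in baseline"))
    return findings


# Constructed baseline and report; option names are illustrative, not real SECOPT names.
BASELINE = """
% site baseline derived from an S1-class sample policy
PWMINLENGTH         >= 8
PWMAXAGEDAYS        <= 90
MAXLOGONFAILURES    <= 5
REQUIREPWCHANGE     = TRUE
ALLOWINSECURETELNET = FALSE
"""

REPORT = """
% scheduled System Policy report from the running system
PWMINLENGTH         = 6
PWMAXAGEDAYS        = 60
MAXLOGONFAILURES    = 5
ALLOWINSECURETELNET = TRUE
AUDITPWCHANGES      = TRUE
"""


def check_sample() -> List[Tuple[str, str, str]]:
    return drift(parse_policy(BASELINE), parse_report(REPORT))


if __name__ == "__main__":
    for opt, kind, detail in check_sample():
        print(f"{kind:9} {opt:20} {detail}")
```

Treating "unmanaged" settings as findings is deliberate: a setting that exists on the system but not in the baseline is one that can change without anyone noticing, which is exactly what a periodic report is supposed to catch.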

Page 12:

Security Center: System Policy Management (continued)

• Sample system policies are released with SecurityCenter adhering to the 4 classes of security:
  – S2
  – S1
  – S0
  – U

• No sample for MINIMAL (not recommended). Does anyone use this?

• Can start from one of these and modify, or start from your current running settings and make changes

Page 13:

Security Center: User Account Management

• User Policy Management allows security administrators to define user account policy. Includes:
  – All user attributes, including password / accesscode aging

• Can define templates for different classes of users (multiple user policies are allowed)

• A template defines:
  – What attributes are shown in User Account Management
  – Default values if usercodes are created with this template
  – Some values can be hidden and not shown in the window

• Allows the security administrator to apply site policy to user access by defining privileges.

Page 14:

Security Center: User Policy Management

• 14 sample user policies are released with SecurityCenter
  – High security usercodes (PU / SECADMIN)
  – Medium security usercodes
  – JBOSSADMIN sample

• Can start from one of these or create your own from scratch.

Page 15:

Security Center: User Account Management (continued)

• User attributes are divided into categories:
  – Account Validity
  – Accesscode / Password Policy
  – CANDE Use Policy
  – Logon History
  – Job Attributes
  – Password Policy
  – POSIX Policy
  – Resource Control (system resources)
  – Transaction Server & Transaction Server Policy
  – User Rights
  – User History Profile
  – Other Attributes

• Allows the user management problem to be broken down into several areas

• Attributes can also be moved from any category to another category

Page 16:

Site Policy: PCI Data Security Standard

• White paper available on which user attributes / system settings on the ClearPath MCP system will best help with PCI DSS compliance:
  – http://www.unisys.com/unisys/common/download.jsp?d_id=1120000970004710127

Page 17:

Identity Management: Kerberos

• For shared identity management, ClearPath MCP can participate in a Kerberos domain
  – Windows Server 2003 or 2008 domain controller

• Credentials are mapped to MCP usercodes
• Can do "single sign-on" when passwords are synchronized
• ClearPath MCP is a client and "joins" the Kerberos domain
• Can use SecurityCenter's Kerberos Management module or MARC to manage Kerberos on ClearPath MCP.

Page 18:

Access Control: Guardfiles

• MCP term for Access Control Lists (ACLs)
• Can restrict access to any file by usercode or group
• Can be reused for multiple objects (for a set of files)
• Can be applied to permanent directories
• Special verbs available for DMSII database use

Page 19:

Security Policy: Auditors

• Locum SafeSurvey (ASSESS)
  – Allows assessment of the MCP environment, for example the password strength of all users

• Locum SecureAudit (ANALYZE)
  – Allows easy analysis of sumlog data for any security-worthy event
  – Correlation report allows forensic analysis of log data

• Locum RealTime Monitor (MONITOR)
  – Allows real-time insight into one or more ClearPath MCP systems

• Timed evaluation keys available at Unisys.com

Page 20:

Locum RealTime Monitor: Syslog feed

• If corporate security policy requires continuous monitoring of system events for any abnormalities, Locum RealTime Monitor can be used to push MCP events to a syslog collector.

• MCP 13.1 IC required
• Can select events on:
  – Functional areas (Security Violations, etc.)
  – Major/Minor log types

• Further selection on security relevance is also available.
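What such a feed has to do, as an added example that is not Locum RealTime Monitor code: select events by functional area or by (major, minor) log type, the two criteria the slide names, render each selected event as an RFC 5424 syslog line with the MCP fields carried in structured data, and push the lines to a UDP collector. The event records, functional-area names, type numbers and the hostname are constructed for illustration; the structured-data ID uses enterprise number 32473, which RFC 5612 reserves for documentation.

```python
"""Selecting MCP log events and pushing them to a syslog collector.

Added example, not Locum RealTime Monitor code: the event records, the
functional-area names and the major/minor type numbers are constructed.
"""
import socket
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

FACILITY_AUTHPRIV = 10          # RFC 5424 facility for security/authorization messages
SEVERITY = {                    # RFC 5424 severity per functional area (constructed mapping)
    "Security Violations": 4,   # warning
    "User Logon": 6,            # informational
}
SD_ID = "mcp@32473"             # 32473: enterprise number reserved for documentation (RFC 5612)


def select(events: Iterable[Dict], areas: Set[str], types: Set[Tuple[int, int]]) -> List[Dict]:
    """Keep an event if its functional area or its (major, minor) type is selected."""
    return [e for e in events if e["area"] in areas or (e["major"], e["minor"]) in types]


def sd_escape(value) -> str:
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']' inside PARAM-VALUE.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(ev: Dict, hostname: str = "MCPSYS1", app: str = "MCPLOG") -> str:
    """One RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
    sev = SEVERITY.get(ev["area"], 6)
    pri = FACILITY_AUTHPRIV * 8 + sev
    ts = ev["ts"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    msgid = f"L{ev['major']}-{ev['minor']}"
    sd = (f"[{SD_ID} major=\"{ev['major']}\" minor=\"{ev['minor']}\""
          f" area=\"{sd_escape(ev['area'])}\" usercode=\"{sd_escape(ev['usercode'])}\"]")
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} {sd} {ev['text']}"


def feed(events: Iterable[Dict], areas: Set[str], types: Set[Tuple[int, int]]) -> List[str]:
    return [to_syslog(e) for e in select(events, areas, types)]


def send_udp(lines: Iterable[str], collector: str, port: int = 514) -> int:
    """Pushes lines to a UDP syslog collector; returns the count sent. Not called offline."""
    n = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for ln in lines:
            s.sendto(ln.encode("utf-8"), (collector, port))
            n += 1
    return n


# Constructed sumlog-style events; the type numbers are illustrative.
T = datetime(2012, 4, 17, 9, 15, 3, tzinfo=timezone.utc)
EVENTS = [
    {"ts": T, "major": 4, "minor": 2, "area": "Security Violations", "usercode": "JSMITH",
     "text": "Invalid password"},
    {"ts": T, "major": 2, "minor": 1, "area": "User Logon", "usercode": "BATCH",
     "text": "Logon from 10.2.0.5"},
    {"ts": T, "major": 3, "minor": 7, "area": "File Access", "usercode": "BATCH",
     "text": "Opened (BATCH)DATA/PAYROLL"},
    {"ts": T, "major": 4, "minor": 5, "area": "Security Violations", "usercode": "O\"BRIEN]",
     "text": "Guardfile denied access to (USR)OBJECT/PAYROLL"},
]


def sample_feed() -> List[str]:
    # Security violations by area, plus successful logons by their (major, minor) type.
    return feed(EVENTS, areas={"Security Violations"}, types={(2, 1)})


if __name__ == "__main__":
    print("\n".join(sample_feed()))
```

The escaping in sd_escape is the part most home-grown forwarders get wrong: a usercode or text containing `]` or `"` otherwise terminates the structured-data element early and the collector mis-parses every field after it. UDP syslog is also unreliable and unauthenticated; if the collector supports TLS syslog (RFC 5425), prefer it for a feed that policy depends on.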

Page 21:

ClearPath MCP Security

• As we've seen, ClearPath MCP integrates into the defined security policy:
  – Secure data repository
  – Access control: access from internal and external (network) resources can be limited
  – Errors are logged to the system sumlog

Page 22:

ClearPath MCP Specialty Engines

• Specialty Engines also allow deployment of secure, mission-critical applications with MCP security protection

• Allow data to reside on ClearPath MCP and be accessed from inside the ClearPath complex rather than from external sources

• Two specialty engines:
  – JProcessor
  – ePortal

Page 23:

ClearPath MCP JProcessor Specialty Engine

• JProcessor allows you to host Java applications and use MCP data with MCP access control.

• Allows you to extend the ClearPath MCP security model to new applications over the same data.

Page 24:

ClearPath MCP ePortal Specialty Engine

• Allows extension of ClearPath MCP security models to external environments

• Data stays on ClearPath MCP
• Security via connectors
• But rendered in new and exciting ways

Page 25:

ClearPath MCP Security Policy: Summary

• ClearPath MCP allows integration into site security policy through many mechanisms

• Allows access to enterprise mission-critical data without worry.

Page 26:

ClearPath MCP: Your Security Policy

• What challenges do you have at your site with regard to site security policy and the ClearPath MCP?
  – System settings
  – User settings
  – Analysis
  – Network settings
  – Access control
  – Data analysis & visibility
  – Others?

Page 27:

Thank you