To detect and prevent attacks on your system, you need to use firewalls, intrusion detection tools, and anti-virus tools.
Firewalls block certain traffic from entering your environment and examine network traffic. Intrusion detection tools examine network behavior behind the firewall for abnormal patterns. Anti-virus tools examine data content for suspicious modifications and virus signatures.
8.5.1 Firewall considerations for Linux on the mainframe
One of the threats you need to assess in any environment, including a Linux-on-the-mainframe environment, is the denial-of-service attack. One part of the defense against denial-of-service attacks is using firewall techniques.
A firewall is a secure and trusted system that acts as a barrier between private and public networks. A firewall, when combined with a VPN, can provide secure, encrypted communications with sites outside the firewall.
Firewall techniques include:
Where does your Web server reside within the infrastructure? Traditionally, a Web server is located between filtering devices, such as firewalls and routers. This places it in a "demilitarized" zone (DMZ), which offers some protection from Internet intrusions, as illustrated in Figure 8-8.
This arrangement protects the internal network from the Web server itself. The outward-facing filtering devices permit, for example, only ports 80 and 443 to reach the Web server and block other, potentially dangerous traffic. The inside filtering device is important, because the Web server itself should not be trusted by, or rely on, other hosts within the secure LAN. Although you must allow potentially dangerous parties access to your Web server, careful measures should be taken to prevent them from getting any further. (Many reference books address the different DMZ methods in more detail, such as Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky and Linux Firewalls by Robert L. Ziegler.)
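The two-stage filtering just described, modelled as an added example (not from the book): an outer device that admits only tcp/80 and tcp/443 from the Internet to the Web server, and an inner device that refuses anything the DMZ tries to originate into the secure LAN. The address ranges, the Web server address and the rule that LAN-originated administration traffic is allowed are assumptions constructed for the example.

```python
"""Model of the two-stage DMZ filtering described in the text: an outer
device admits only HTTP/HTTPS from the Internet to the Web server, an inner
device keeps the Web server from originating traffic into the secure LAN.
Addresses, zones and the LAN policy are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")        # constructed: Web server segment
LAN = ip_network("10.0.0.0/8")          # constructed: secure internal network
WEB_SERVER = ip_address("192.0.2.10")   # constructed: the only exposed host
WEB_PORTS = {80, 443}                   # the ports the text permits inbound

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def zone(addr):
    """Classify an address as 'lan', 'dmz' or 'internet'."""
    ip = ip_address(addr)
    if ip in LAN:
        return "lan"
    if ip in DMZ:
        return "dmz"
    return "internet"

def evaluate(flow):
    """Run a new connection through both filtering devices and return
    (permitted, device, reason); device names the filter that decided."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    if src_zone == "internet":
        # Outer device: nothing from the Internet reaches the LAN directly,
        # and only tcp/80 and tcp/443 to the Web server reaches the DMZ.
        if (dst_zone == "dmz" and ip_address(flow.dst) == WEB_SERVER
                and flow.proto == "tcp" and flow.dport in WEB_PORTS):
            return (True, "outer", "http/https to the web server")
        return (False, "outer", "only tcp/80 and tcp/443 to the web server")
    if src_zone == "dmz" and dst_zone == "lan":
        # Inner device: a compromised Web server must not reach LAN hosts.
        return (False, "inner", "dmz hosts may not originate traffic into the lan")
    # Constructed assumption: LAN-originated administration traffic is allowed.
    return (True, "inner", "permitted")

if __name__ == "__main__":
    for f in (Flow("203.0.113.7", "192.0.2.10", 443),
              Flow("203.0.113.7", "192.0.2.10", 22),
              Flow("192.0.2.10", "10.1.2.3", 3306)):
        print(f, evaluate(f))
```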
A DMZ is needed, for example, to separate Web applications from the Web server, as StoreCompany does for its Web catalog.
With Linux on the mainframe, it is possible to consolidate firewalls on the mainframe. The network firewall can be outside the mainframe to save mainframe resources, and the other DMZ firewall can be on a separate image. A firewall can be implemented either on an LPAR or under z/VM (Figure 8-9). This consolidation makes administration of the firewall easier and eliminates the need for separate hardware.
Figure 8-9. Using a firewall in a Linux-on-the-mainframe environment
Linux firewall capabilities
Some firewall capabilities have been integrated into the Linux kernel. These include:
Using only these capabilities and Open Source tools, you can implement firewalls on Linux. Most distributions deliver some sort of firewall support.
You can also turn to commercial firewalls. For information about firewalls for Linux on the mainframe, refer to IBM's ISV support for mainframe servers Web site: http://www.ibm.com/servers/eserver/zseries/solutions/s390da/.
While a firewall blocks certain traffic from entering the company network, intrusion detection recognizes strange behavior within the network.
8.5.2 Intrusion detection
The goal of intrusion detection is to detect malicious attacks on your infrastructure, such as denial-of-service attacks.
Denial-of-service attacks can occur in different ways. For example, a compromised image could try to use all the CPU resources or all the network resources. Although the damage that a compromised Linux image can cause could be limited by z/VM definitions, the better solution is to detect an intrusion before damage is caused.
Intrusion detection systems (IDS) can be network-based or host-based.
Sites should install both network-based and host-based detection systems. Network analyzers should be available to help determine the nature of an incident and to help formulate possible filtering and rate-limiting responses in the event of an actual denial-of-service attack.
The Linux community and ISVs have developed some sophisticated, useful tools for Linux that work on Linux on the mainframe as well. The leading Open Source intrusion detection solutions include Tripwire and Snort. It is important to note, however, that IDSs come in different flavors. For instance, Snort (available with SuSE SLES8) is more of a network IDS, while the Linux Intrusion Detection System (LIDS) is targeted more at protecting, and detecting intrusions in, the Linux image itself.
Tripwire detects and reports file and directory modifications. This can help to detect Trojan horses and modified software (for example, a program altered to sniff passwords).
IBM offers a Tivoli IDS solution. Tivoli Risk Manager is a network-based IDS that can recognize basic attacks and prevent denial-of-service incidents.
8.5.3 Anti-virus protection
With access control in place and the separation of privilege between root and ordinary users, Linux is not very susceptible to common viruses. (A virus is a program that actively operates, independently of a user, to attack various system resources.) It is reportedly unusual for UNIX-based operating systems to suffer system-level damage from a virus, because most viral code cannot get access to low-level system functions. However, it is possible for a Linux server to host an infected file or e-mail and pass it on to a Windows user. For this reason, it is still a good idea to routinely check incoming e-mail and downloaded files for viruses.
It is important to note that the commercial definition of "anti-virus" includes not only viruses, but also Trojan horses, worms, and other similar threats. Although it is not technically or semantically accurate, this discussion includes these other threats as part of the "virus" context. The threat of virus can be broken down into three basic areas:
Careful use of standard Linux features can reduce the risk of virus attacks. If a system serves only static files that never need to be written, the file system holding them can be mounted read-only.
When considering anti-virus protection on a server platform, you need to identify the work that is going to be done and what needs to be protected. If the customer is running a mail server on Linux on zSeries, the customer's definition of anti-virus protection is likely to be a mail-scanning anti-virus tool that can be integrated with the chosen mail server. The mail clients are likely to be PC-based, so the security manager should check the customer's stored mail for viruses prior to distribution or delivery. This is necessary to prevent the zSeries server from spreading a virus.
Commercial anti-virus tools are available for Linux on the mainframe. For information about anti-virus tools, refer to IBM's ISV support for mainframe servers Web site: http://www.ibm.com/servers/eserver/zseries/solutions/s390da/.