 |
Updated: 07 Jan. 2008
Keep apprised on security related to z/VM. This page
includes news, news archive,
pertinent presentations, papers, Redbooks, and publications,
links to press articles and pointers to online discussions.
|
Feb. 06, 2007
|
Statement of Direction (*) for z/VM V5.3
Common Criteria Certification:
IBM intends to evaluate z/VM V5.3 with the RACF Security Server optional
feature for conformance to the Controlled Access Protection Profile
(CAPP) and Labeled Security Protection Profile (LSPP) of the Common
Criteria standard for IT security, ISO/IEC 15408, at Evaluation
Assurance Level 4 (EAL4).
This represents a modification to IBM's previously expressed Statement of
Direction of July 27, 2005, which stated IBM's intent to evaluate z/VM V5.2 at
EAL4. Based on additional assessment of requirements, IBM no longer intends to
evaluate z/VM V5.2.
|
|
Feb. 06, 2007
|
New security-related enhancements for z/VM V5.3
- Delivery of LDAP server and client
- Enhanced system security with longer passwords
- z/VM V5.3 adds Secure Sockets Layer/Transport Layer Security
(SSL/TLS) support for industry-standard secure
FTP (RFC 4217), Telnet (draft specification #6), and SMTP (RFC 3207)
sessions.
- SSL server enhancements
- Support of drive-based data encryption with the IBM System Storage
TS1120 Tape Drive (machine type
2 3592, model E05).
|
|
Dec. 16, 2005
|
New for z/VM V5.2
The z/VM V5.2 SSL server has been enhanced to provide support for a wider
range of Linux for IBM zSeries and System z9 distributions:
-
Novell SUSE Linux Enterprise Server 8
-
Novell SUSE Linux Enterprise Server 9
-
Red Hat Enterprise Linux AS Version 3
-
Red Hat Enterprise Linux AS Version 4
Support is provided for both 31-bit and 64-bit kernels.
|
|
Dec. 16, 2005
|
New for z/VM V5.2
z/VM V5.2 introduces the ability for a guest to trace (sniff) all traffic
flowing within a Guest LAN or Virtual Switch (VSWITCH) to which it is
coupled. This is a privileged function requiring special authorization.
Authorization can be provided by the SET LAN or SET VSWITCH commands,
the MODIFY LAN or MODIFY VSWITCH statements in the CP system
configuration file, or in your external security manager. For RACF/VM,
authorization is granted by giving the user UPDATE authority to the
VMLAN profile protecting the Guest LAN or VSWITCH.
|
|
Dec. 16, 2005
|
New for z/VM V5.2
The Directory Maintenance (DirMaint) feature of z/VM V5.2 has been
updated to more easily integrate it with RACF/VM. Many of the functions
that previously required a separate RACF command (such as when adding or
deleting minidisks) now issue the needed RACF commands for you. This
reduces both the time it takes to manage user resources and the
opportunity for errors. This capability is also available for use on
z/VM V5.1.
|
Read more about z/VM Security in the
z/VM Security News archive
Papers, Redbooks, and Publications
Redbook:
Introduction to the New Mainframe: Security
(04-2007)
Redbook:
IBM Tivoli Security and System z
(01-2008)
Redpaper:
Monitoring System z Cryptographic Services
(12-2007)
Redpaper:
Security on z/VM
(12-2007)
z/VM Security and Integrity
04-2005
Linux on IBM eServer
zSeries: Best Security Practices
Linux on zSeries Security White Paper
Exploring Open Source Security for a
Linux Server Environment
Presentations
z/VM Security and Integrity (Alan Altmark, Aug.2005)
Press articles
Understanding z/VM Integrity and Security,
by Alan Altmark
(eServer Magazine Mainframe Edition, 11/2002)
Discussions
Fora and Listserv discussions
with the VM and Linux community
Note: *
All statements regarding IBM's plans, directions, and intent are subject to
change or withdrawal without notice. Any reliance on this Statement of
Direction is at the relying party's sole risk and will not create any liability
or obligation for IBM.
|
