2007 Linux on System z Security Customer - IBM z/VM · Linux on System z Security Building Blocks...
Transcript of 2007 Linux on System z Security Customer - IBM z/VM · Linux on System z Security Building Blocks...
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux on System zLinux on System zSecuritySecurity
Security, here today, ready for tomorrow!
2
Linux on System z and Virtualization
© 2007 IBM Corporation
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
The following are trademarks or registered trademarks of other companies.
* Registered trademarks of IBM Corporation
* All other products may be trademarks or registered trademarks of their respective companies.
Intel is a registered trademark of the Intel Corporation in the United States, other countries or both.Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.Java and all Java-related trademarks and logos are trademarks of Sun Microsystems, Inc., in the United States and other countries.UNIX is a registered trademark of The Open Group in the United States and other countries.Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.SET and Secure Electronic Transaction are trademarks owned by SET Secure Electronic Transaction LLC.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
DB2*DB2 ConnectDB2 Universal Databasee-business logoGDPS*Geographically Dispersed Parallel SysplexHyperSwapIBM*IBM eServerIBM logo*Parallel Sysplex*
TrademarksTrademarks
HAforLinux_TM1
System zTivoli*VM/ESA*WebSphere*z/OS*z/VM*zSeries*RACF*Lotus*Domino*developerWorks*
3
Linux on System z and Virtualization
© 2007 IBM Corporation
SpeakerSpeaker
Peter SperaLinux for System z Security Architecture/Design
IBM System Integrity Competency Center
CERT Focal Point for System z
4
Linux on System z and Virtualization
© 2007 IBM Corporation
AgendaAgenda
� Key Security Technologies� Isolation and Certification� Cryptography� Platform Synergy� DMZ� Utility Services� References
5
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux® for System z is not z/OS®
Linux for System z is not RACF®
Linux for System z is not ICSF
Linux for System z is not Linux for System z is not ……
6
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux for System z has security-rich features.
Linux for System z is open, no security through obscurity, anyone can see flaws and fix them.
Linux has a large active developer base enabling a thorough code review.
Linux has a worldwide user base which allows testing on a wide range of hardware and diverse scenarios.
Linux benefits from almost immediate response tosecurity advisories and rapid implementation of new technologies.
Linux is Linux is ……
7
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux Security ObjectivesLinux Security Objectives
� Ensure the System Integrity of the Linux for System z Kernel.
� Allow the Linux for System z offering to take advantage of and not be excluded from current security offerings available on other Linux platforms. These offerings may be available in the open source community, requiring little or no modification to run on Linux for System z or may need to be developed internally.
� Ensure that the Linux for System z offering to take advantage ofSystem z cryptographic offerings.
� Provide security solutions as needed to enable Linux for System z to take advantage of or complement the overall System z Security Strategy and Architecture.
9
Linux on System z and Virtualization
© 2007 IBM Corporation
Key Technologies Available on LinuxKey Technologies Available on Linux
10
Linux on System z and Virtualization
© 2007 IBM Corporation
Vendor ProductOpen Source Product
Linux on System z Security Building BlocksLinux on System z Security Building Blocks
Snort, Snare, PortSentry, TripWire, LIDS, IPLog,IBM Tivoli Risk Manager (->Tivoli Security Operations Manager), PredatorWatch, SafeZoneNet
Intrusion Detection
IPTables/NetFilter, zGuard, StoneGate, webApp.SecureFirewall
Freeware PKI, z/OS PKI ServicesDigital Certificates
Open LDAP, NIS/NIS+, IBM Directory, CA's eTrustDirectory, PADL’s XAD, Quest’s VAS
Directory Services
ClamAV, OpenAntiVirus, AmaViS, MIMEDefrag, TrendMicro’s ServerProtect & ScanMail, Network Associates, Roaring Penguin’s CanIt
Anti-Virus/Anti-Spam
SELinux, AppArmor, sudo, IBM Tivoli® Access Manager & WebSeal, CA's eTrust Access Control & Web Access
Access Control Lists
11
Linux on System z and Virtualization
© 2007 IBM Corporation
Vendor ProductOpen Source Product
Linux on System z Security Building BlocksLinux on System z Security Building Blocks
Proxy Suite from SuSE, IBM Edge ServerProxy Server
IBM Tivoli Access Manager, CA's eTrust DirectoryDistributed Policy Management
dm-crypt, ppdd, CFS, Network Associates' e-Business Server
Secure Data
Bastille, Tiger, DistributionsSystem Hardening
OpenSSL, PKCS#11, GSKITSecure Socket Layer (SSL)
OpenSSH, PGP, GNU PGP, USAGI IPv6, FreeS/WAN, CA's eTrust VPN, StoneSoft's StoneGate VPN, SecureAgent Software
Secure Network Communications
12
Linux on System z and Virtualization
© 2007 IBM Corporation
Vendor EnablementVendor Enablement
� Software Developer Products for Linux for System z� ibm.com/zseries/solutions/s390da/linuxproduct.html � Over 1600 Vendor Applications
• Almost 900 with keyword “security”
� Data Encryption� Network Associates' E-Business Server offers PGP encryption and
compression for data transfer and storage
� Patch Management� BMC Software’s SystemCheck
� User Management� Blockade Systems’ Syncserv� IBM Tivoli Identity Management
13
Linux on System z and Virtualization
© 2007 IBM Corporation
Distributions Embracing SecurityDistributions Embracing Security
� Hardening
� Secure shell
� Virtual Private Network
� Enhanced Audit Capability
� Enhanced Authentication Options
� Enhanced Firewall Management
� Intrusion Detection Systems
� Cryptographic Libraries and Access to Hardware
� Host and Network Scanning Tools
� Certifications
15
Linux on System z and Virtualization
© 2007 IBM Corporation
Logical Partition (LPAR) CertificationLogical Partition (LPAR) Certification
� IBM eServer zSeries 900 (z900)� 12/02 Common Criteria EAL4/EAL5
� IBM eServer zSeries 800 (z800)� 5/03 Common Criteria EAL4/EAL5
� IBM eServer zSeries 990 (z990)� 10/04 Common Criteria EAL4/EAL5
� IBM eServer zSeries 890 (z890)� 6/05 Common Criteria EAL4/EAL5
� IBM System z9 109� 3/06 Common Criteria EAL5
� IBM System z9 EC & BC� 8/06 Common Criteria EAL 5
16
Linux on System z and Virtualization
© 2007 IBM Corporation
z/VM Certificationz/VM Certification
� Statement of System Integrity
� Common Criteria
� z/VM 5.1 certified 2Q 2005• EAL 3+ for LSPP & CAPP
� z/VM 5.3 in evaluation
17
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux on System z CertificationLinux on System z Certification� Common Criteria
� CAPP• Controlled Access Protection Profile• Created by NSA• Audit, Access Control, etc.
� LSPP• Labeled Security Protection Profile• Mandatory Access Control• Multilevel Security (MLS)
� Evaluation Assurance Level• EAL 3 = methodically tested and checked• EAL 4 = methodically designed, tested and reviewed• + = Maintenance (Flaw Reporting Procedures)
� FIPS� OpenSSL – FIPS 140-2 Level 1 Validated� CP Assist
• SHA-1 validated for FIPS 180-1• DES & TDES validated for FIPS 46-3
18
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux for System zLinux for System zCertifications by DistributionCertifications by Distribution
StatusCertification LevelVersion
CompleteCAPP – EAL 3 +RHEL 3
CompleteCAPP / LSPP – EAL 4 +RHEL 5
CompleteCAPP – EAL 4 +RHEL 4
RedHat
In evaluationCAPP – EAL 4 +SLES 10
CompleteCAPP – EAL 4 +SLES 9
CompleteCAPP – EAL 3 +SLES 8
Novell SUSE
20
Linux on System z and Virtualization
© 2007 IBM Corporation
Crypto Hardware AvailabilityCrypto Hardware Availability
AES-128, SHA- 256, PRNGYesSystem z9 EC/BCCP Assist Instructions
DES, TDES, SHA-1Yesz990, z890CP Assist Instructions
Replaced by CP Assist in z990NoG5, G6, z900, z800CCF
RemarksLinux SupportSupported HWName
RemarksLinux SupportSupported HWName
2 cards per book, each card can have a 2A or 2C personality
Clear key SSL + secure key
System z9 EC,System z9 BC
CEX2 (Coprocessor & Accelerator)
2 cards per adapter (cards same as PCIXCC)
Clear Key SSL only
z990 GA 4, System z9CEX2C
1 card per adapterClear Key SSL only
z990 GA 2, z890PCIXCC
5 processors/cardYesz900 GA 2, z800, z990PCICA
1 processor/cardClear Key SSL only
G5, G6, z900, (not z800)PCICC
PCI Cards
Instructions
New
21
Linux on System z and Virtualization
© 2007 IBM Corporation
Cryptography Cryptography –– Clear KeyClear Key§ Hardware Acceleration
§Asymmetric§Acceleration of RSA handshake
§PCICC§PCICA§PCIXCC§CEX2
§Crypto Express2 Coprocessor and Accelerator (CEX2C CEX2A)
§Symmetric§DES, TDES, AES, SHA-1 and SHA-256
§PRNG
§ Software Libraries for crypto access§Kernel APIs§OpenSSL§PKCS#11 §GSKit
22
Linux on System z and Virtualization
© 2007 IBM Corporation
Clear Key Performance Clear Key Performance (Approximate)(Approximate)
Handshakes / SecondCard Name
3000 per card6000 per feature
CEX2A (Accelerator mode)
1200 per cardCEX2C (Coprocessor mode)
1000 per cardPCIXCC
1000 per card2000 per feature
PCICA
200 per cardPCICC
Cryptographic Performance Report and Technical Overview & Test
ibm.com/systems/z/security/cryptography.html (See “Learn more” in the right-hand column)
ibm.com/developerworks/linux/linux390/perf/tuning_res_security_crypto.html
“per feature” = 2 cards
23
Linux on System z and Virtualization
© 2007 IBM Corporation
Clear Key CryptoClear Key Crypto SolutionSolution
WAS
GSKit
Apache OpenSSL engine
PKCS#11Library
(OpenCryptoki)libICA
/dev
PCI
Java™
CP Assist
TAMe
mod_SSL
DES, TDES, SHA-1, AES-128, SHA-256, PRNG
SSL
PCICC, PCICA, PCIXCC, CEX2C, CEX2A
IHS
Kernel APIs
Key:HardwareSoftware
API
cryptoFS
24
Linux on System z and Virtualization
© 2007 IBM Corporation
Java Crypto ResourcesJava Crypto Resources� Java Security Page:
� ibm.com/developerworks/java/jdk/security
� How to use the IBM Java Hardware Crypto Providers:� ibm.com/developerworks/java/jdk/security/142/HardwareCryptoHow-to.html
� The IBMPKCS11Impl Provider Guide:� ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMJavaPKCS11Implem
entationProvider.html
� IBM Java PKCS#11 Supported Devices� ibm.com/developerworks/java/jdk/security/50/secguides/pkcs11implDocs/IBMPKCS11SupportList.
html
25
Linux on System z and Virtualization
© 2007 IBM Corporation
Cryptography Cryptography –– Secure keySecure key
§ Hardware Acceleration§Asymmetric and Symmetric
§CEX2C
§ Software Libraries for crypto access§CCA – Common Cryptographic Architecture§PKCS#11 – Limited
§key generation/encrypt/decrypt for TDES & RSA§Java/JCE – Limited as above
§ Card Management§Trusted Key Entry (TKE)§Linux CCA utility§Configure via z/OS then re-assign to Linux
26
Linux on System z and Virtualization
© 2007 IBM Corporation
Secure Key CryptoSecure Key Crypto SolutionSolution
/dev
PCI
CEX2C
PKCS#11Library
CCA Library
Customer Application
Secure Key
Java/JCE
Limited Support
TKE
Key:HardwareSoftware
API
Limited Support
Linux Utility
See Reference section for more details about this support.
27
Linux on System z and Virtualization
© 2007 IBM Corporation
Secure Key Crypto Secure Key Crypto -- Information & DownloadInformation & Download� Crypto Cards – select “PCI-X Cryptographic Coprocessor”
� ibm.com/security/cryptocards/
� Hardware Overview• ibm.com/security/cryptocards/pcixcc/overview.shtml
� Hardware Summary• ibm.com/security/cryptocards/pcixcc/overproduct.shtml
� CCA Overview• ibm.com/security/cryptocards/pcixcc/overcca.shtml
� Programmer's Guide• ibm.com/security/cryptocards/pcixcc/library.shtml
� CCA Library Download• ibm.com/security/cryptocards/pcixcc/ordersoftware.shtml
� Hardware Order Information• ibm.com/security/cryptocards/pcixcc/order.shtml
� Crypto Support• ibm.com/security/cryptocards/pcixcc/support.shtml
28
Linux on System z and Virtualization
© 2007 IBM Corporation
Shameless PlugShameless Plug
Cutting-Edge Cryptography
IBM Systems Magazine: Mainframe editionMay/June 2007
http://ibmsystemsmag.com/ & search on “Spera”
30
Linux on System z and Virtualization
© 2007 IBM Corporation
Synergy OutlookSynergy Outlook
� Public Key Infrastructure
� Centralization with z/OS and z/VM� Authentication – available today� Audit – coming soon� Authorization – possible next step
� Über Testing
31
Linux on System z and Virtualization
© 2007 IBM Corporation
LPAR
Public Key Infrastructure (PKI)Public Key Infrastructure (PKI)
� Public/Private Key Pair� Confidentiality and Data Integrity
� RACF’s Digital Certificate Support� Life Cycle Management (create, manage,
store, distribute, verify)� z/OS as Certificate Authority (trusted
third party)� SSL Support
Windows
Browser
Linux:CA/PKI
Administration
Linux:Web Server
Linux
Linux:End User
RACF DB
RACF
PKI Services
Browser
Sign for data integrity
Encrypt for confidentiality
z/OS z/VM
CA Server
HTTPD
Workstation
Browser
System z
Management of PKI Services
HW Crypto
32
Linux on System z and Virtualization
© 2007 IBM Corporation
RACF
ITDS(LDAP)
or
z/OS
Centralized Authentication & User ManagementCentralized Authentication & User Management
� Common Client – PAM� Integrated LDAP Server on z/OS and
coming on z/VM� LDAP backed by RACF or DB2®
Linux
PAM
Linux
PAM
Linux
PAM
Linux
PAM
Linux
PAM
Distributed
z/VM
System z
ITDS(LDAP)
or
z/VM
DB2
BFS RACF
Linux
PAM
Linux
PAM
LPAR
33
Linux on System z and Virtualization
© 2007 IBM Corporation
Centralized AuditCentralized Audit
� Common Client – auditD with plug-in� Integrated LDAP Server on z/OS
and z/VM� LDAP backed by RACF
Plug-in
Distributed
RACF
ITDS(LDAP)
z/OS or z/VMz/VM
System z
auditD
Linux
Plug-in
auditD
Linux
Plug-in
auditD
Linux
Plug-in
auditD
Linux
Plug-in
auditD
Linux
LPAR
34
Linux on System z and Virtualization
© 2007 IBM Corporation
LPAR
Ethical HackingEthical HackingSystem z
DMZ
Internet
SSLSSL
MailServer
DBServer
SSL over Virtual LAN
Firewall
Firewall
Firewall
SSL
WebSphere®
WebServer
z/OS
HWCrypto
z/VM
Workload Generator
Ethical Hacker
SSL over HyperSockets
� Setup end-to-end solutions � Ethical hacking� Technical whitepaper available
WebSphere®
For details see:•Linux Security: Exploring Open Source Security for a Linux Server Environment (GM13-0636-00)•zSeries Platform Test Report for z/OS and Linux Virtual Servers
36
Linux on System z and Virtualization
© 2007 IBM Corporation
Demilitarized Zone (DMZ)Demilitarized Zone (DMZ)
Definition:A DMZ is a perimeter network, between an external
network and a private or protected network, that provides isolation for a publicly available service, with the ultimate goal of protecting the private network and private services in the enterprise. The DMZ is most often bounded by two firewalls.
Scenario:A web server that is available to the Internet would
need to be isolated, via DMZ, from the enterprise’s internal network and/or transaction and data services.
37
Linux on System z and Virtualization
© 2007 IBM Corporation
z/OS
Anatomy of a DMZ on System zAnatomy of a DMZ on System z
� Isolation with LPAR� Common Criteria Certified EAL 4/5
� z/VM� Common Criteria Certified EAL 3� Integrity Statement� RACF
� Linux� Common Criteria Certified EAL 4
� Networking� HiperSockets� Virtual LANs
� Demilitarized Zone � Bastion & Choke Firewalls� Hot -> Caution -> Safe
� Application or public service� Auditability
LinuxDMZ
Firewall
Firewall
Internet
ApplicationApplication
z/VM
LPAR
Ext
erna
l
Net
wor
k
Pro
tect
ed
Net
wor
k
Protected
Network
38
Linux on System z and Virtualization
© 2007 IBM Corporation
Shameless PlugShameless Plug
Living Next Door to the DMZ
IBM Systems Magazine: Mainframe editionJanuary/February 2007
http://ibmsystemsmag.com/& search on “Spera”
40
Linux on System z and Virtualization
© 2007 IBM Corporation
Utility ServicesUtility Services
� Software Appliances
� Tools to build DMZ� Firewall� Application Firewall� Centralized User Authentication
� Today� Demonstration of value for z/OS� Documentation� Testing� Marketing messages
� Future� Automation of Utilities� Integration with IBM Director� Addition of new Utilities
For more information on Linux Utilities for IBM System z
ibm.com/systems/z/os/linux/utilities/
41
Linux on System z and Virtualization
© 2007 IBM Corporation
from StoneSoft
� Compatible with and complimentary to z/OS, IPSec and IDS
� Full function firewall - simple IP filtering to complex packet interrogation
� Includes a VPN for management and secure communication
� Centralized enforcement and management of diverse security policies across all deployed firewall instances
� Provides real time surveillance of firewall traffic with IPS (Intrusion Prevention System) capability
� Includes support for HiperSockets, QDIO and CTC, providing physically secure communications to z/OS
� Workload balanced Firewall Farm can meet load peeks and high availability requirements without additional hardware
StoneGate Utility ServiceStoneGate Utility Service
42
Linux on System z and Virtualization
© 2007 IBM Corporation
Basic Distributed DMZBasic Distributed DMZ
Linux
DMZ
StoneGate
StoneGate
Internet
Application
z/OS
IDSIPS
z/VM
LPAR
43
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux
Diverse DMZ (various policies)Diverse DMZ (various policies)
DMZ
StoneGate
StoneGate
Internet
z/OS
IDSIPS
Intranet
StoneGate
Application
z/VM
LPAR
StoneGateManagement
Console
VPN
VPNVPN
44
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux
High Availability DMZHigh Availability DMZ
DMZ
StoneGate
Internet
z/OS
IDSIPS
Application
StoneGate
z/VM
LPAR
45
Linux on System z and Virtualization
© 2007 IBM Corporation
webApp.secure Utility ServicewebApp.secure Utility Service
from WebScurity
� Network security in some cases is not enough, webApp.secure protects web applications from attack
� Application Firewalls are a strategic
� Should be used in conjunction with traditional firewall/perimeter security
� webApp.secure in conjunction with z/OS ensures that transaction content is validated
� Inserted in the DMZ, before the web server, protecting z/OS from the growing threat of application attacks
� Ensures that web site guidelines, policies and rules are enforced and auditable
For more information on the webApp.secure Linux Utility
ibm.com/developerworks/linux/linux390/perf/tuning_pap_security_webApp.html
46
Linux on System z and Virtualization
© 2007 IBM Corporation
webApp.securewebApp.secure
DMZFirewall
Firewall
Internet
z/OS
webApp.secure
WebServer
Linux
z/VM
LPAR
47
Linux on System z and Virtualization
© 2007 IBM Corporation
from IBM
� WebSeal, together with Tivoli Access Manager and WebSphereresiding on z/OS provide end-to-end, centralized authentication and single sign on capability for secure transactions
� z/OS remains safely isolated from Internet traffic and threats
� A client would be authenticated by WebSeal via user ID and password, and a token would be assigned and associated to the transaction for the remainder of the communication
� There is no WebSeal offering for z/OS
� Can take advantage of hardware crypto acceleration for SSL
WebSeal Utility ServiceWebSeal Utility Service
For more information on the WebSeal Linux Utility
ibm.com/developerworks/linux/linux390/perf/tuning_pap_security_TivoliWebSEAL.html
48
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux
WebSealWebSeal
DMZFirewall
Firewall
Internet z/OS
WebSeal
TAMe
WebSphere
z/VM
LPAR
UID
Password
Token
50
Linux on System z and Virtualization
© 2007 IBM Corporation
System z Advantage SummarySystem z Advantage Summary� Image Isolation and Certification
� LPAR� z/VM�
� Common Criteria Certification
� Hardware Encryption� Asymmetric Algorithm provides SSL performance enhancements� Symmetric Instructions - DES, TDES, AES-128, SHA-1 and SHA-256� Secure key cryptography
� HiperSockets™ Provide Physical Security
� Qualities of Service
� Integration with IBM Software• IBM Director• Tivoli Access Manager and AM-OS provide enforcement and management of security policy across
platforms• Tivoli MQSeries�
• Tivoli Risk Manager provides Host, Network and Web IDS• Tivoli Identity Manager• Tivoli Federated Identity Manager
51
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux for System z General InformationLinux for System z General Information
publib-b.boulder.ibm.com/cgi-bin/searchsite.cgi?query=Linux+AND+zSeriesLinux for System z Redbooks
ibm.com/zseries/vm/linux/z/VM and Linux on System z Resources
ibm.com/zseries/linux/Linux for System z
52
Linux on System z and Virtualization
© 2007 IBM Corporation
Linux for System z Security ResourcesLinux for System z Security Resources
� Linux on zSeries Security (White paper)
� GM13-0488, ibm.com/zseries/library/techpapers/pdf/gm130488.pdf� Linux on zSeries Security (Presentation)
� ftp://ftp.software.ibm.com/systems/z/linux/pdf/linux_on_z_security.pdf� Linux Security: Exploring Open Source Security for a Linux Server Environment (White paper)
� GM13-0636, ftp://ftp.software.ibm.com/eserver/zseries/misc/literature/pdf/whitepapers/gm130636.pdf
� z/VM Security and Integrity (White paper)
� GM13-0145, ibm.com/zseries/library/techpapers/pdf/gm130145.pdf� Linux on IBM eServer zSeries and S/390: Best Security Practices (Redbook)
� SG24-7023, publib-b.boulder.ibm.com/abstracts/sg247023.html?Open
� Security Web pages for Linux on zSeries� ibm.com/systems/z/os/linux/security/
� Platform Test Reports� ibm.com/servers/eserver/zseries/zos/integtst/
53
Linux on System z and Virtualization
© 2007 IBM Corporation
General Security SitesGeneral Security Sites
� Security Vendors�www.trendmicro.com�www.stonesoft.com�www.webscurity.com�ca.com/solutions/linux
� Secure Distribution Info�novell.com/linux/security�redhat.com/security�nsa.gov/selinux�www.rsbac.org
� General Security� www.linuxsecurity.com� www.securityportal.com� www.ibm.com/developerworks
� Security Related Tools� www.apache-ssl.org� www.bastille-linux.org� www.openssl.org� www.tripwire.org� www.tripwiresecurity.com� linux-firewall-tools.com/linux
54
Linux on System z and Virtualization
© 2007 IBM Corporation
� Questions?
� Comments!
� Suggestions?
Peter [email protected] 435 1088