
3270 IDS overview

The z/OS® Communications Server VTAM® 3270 Intrusion Detection Services (IDS) function can alert you to 3270 protocol violations as they occur, in real time. This helps identify potential intrusions that manipulate 3270 protocol flows with the goal of compromising 3270 SNA applications and data that are deployed on your z/OS systems. In particular, the function detects an attempt by a malicious 3270 client emulator to modify protected fields on a 3270 screen. By modifying protected fields, the emulator might be trying to subvert the normal processing of the 3270 server application. The effect of such an attempt depends on how well the application guards itself against unexpected changes to protected fields: in the best case, the modification is ignored by the application; in the worst case, it causes a harmful change in the application's behavior.

Well-behaved 3270 client emulator software prevents users from entering input into protected parts of the screen. The concern is malicious users who use 3270 client emulators that do not honor the 3270 protocol and allow changes to protected fields. The 3270 IDS function can detect these types of protocol violations. Note, however, that SNA 3270 protocol violations can also occur without malicious intent, as a result of race conditions or lax adherence to the SNA 3270 protocol by software such as 3270 client emulators, the TN3270 client, session managers, or other SNA-based 3270 protocol software. These anomalies might even occur with regular frequency in your environment and most often go unnoticed, because they have no impact that is visible to administrators, applications, or users. In some cases they cause a temporary error condition on the 3270 client's screen from which the user can easily recover. The 3270 IDS function can flag every protocol violation it detects, but it cannot determine whether a violation is a malicious attack or an inadvertent anomaly in the 3270 protocol. Nor can it provide any insight into how a server-side 3270 application handles these anomalies; in other words, it cannot tell whether an application is vulnerable to a 3270 protocol-based attack. The 3270 IDS function simply detects protocol anomalies and notifies system administrators of them, which is useful as an audit log of potentially suspicious events. In addition to notification, the 3270 IDS function can be configured to take action on the SNA session when a protocol violation is detected, such as terminating the session.
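As an added illustration (not z/OS Communications Server code, and not a description of how VTAM implements the function), the following Python models the check at the heart of a 3270 IDS: replay the outbound Write data stream to learn where the field attributes sit and which fields are protected, then walk the inbound Read Modified data stream and flag any Set Buffer Address (SBA) order whose data lands in a protected field, on an attribute byte, or runs past the end of its field into the next attribute. The screen layout, the function names, and the two inbound streams are constructed for this example; the order codes, the protected attribute bit, the AID values and the 12-bit address code table are the standard 3270 data stream values. Only 12-bit addressing and the handful of orders the sample needs are parsed.

```python
# Added illustration, not z/OS Communications Server code: the protected-field
# check a 3270 IDS has to make. Remember the field layout the host sent outbound,
# then verify that every field the client claims to have modified was unprotected.

SBA, SF, IC = 0x11, 0x1D, 0x13        # Set Buffer Address, Start Field, Insert Cursor
ERASE_WRITE = 0xF5                    # outbound command byte
AID_ENTER, AID_CLEAR = 0x7D, 0x6D     # inbound attention identifiers
SHORT_READ_AIDS = {0x6D, 0x6C, 0x6E, 0x6B}  # CLEAR, PA1, PA2, PA3: AID byte only
ATTR_PROTECTED = 0x20                 # protected bit in a field attribute byte

# Standard 12-bit buffer-address code table; the 6-bit value is the low six bits
# of each coded byte, so decoding needs only a mask.
_ADDR_TABLE = bytes([
    0x40, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xC8, 0xC9, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F,
    0x50, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F,
    0x60, 0x61, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F,
    0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F,
])

def encode_address(addr):
    return bytes([_ADDR_TABLE[(addr >> 6) & 0x3F], _ADDR_TABLE[addr & 0x3F]])

def decode_address(b0, b1):
    return ((b0 & 0x3F) << 6) | (b1 & 0x3F)

def screen_fields(outbound, size=24 * 80):
    """Replay an outbound Erase/Write stream; return the field attributes it placed
    on the screen as a sorted list of (attribute_address, protected)."""
    fields, addr, i = [], 0, 2        # skip the command byte and the WCC
    while i < len(outbound):
        b = outbound[i]
        if b == SBA:
            addr = decode_address(outbound[i + 1], outbound[i + 2])
            i += 3
        elif b == SF:
            fields.append((addr, bool(outbound[i + 1] & ATTR_PROTECTED)))
            addr, i = (addr + 1) % size, i + 2
        elif b == IC:
            i += 1
        elif b < 0x40:
            raise ValueError("unsupported order 0x%02X" % b)
        else:                         # ordinary EBCDIC character occupies one position
            addr, i = (addr + 1) % size, i + 1
    return sorted(fields)

def owning_field(fields, addr):
    """Index of the attribute governing position addr; the last field wraps around."""
    idx = len(fields) - 1
    for n, (start, _) in enumerate(fields):
        if start >= addr:
            break
        idx = n
    return idx

def check_inbound(fields, inbound, size=24 * 80):
    """Parse a Read Modified inbound stream (AID, cursor, then SBA + data for each
    modified field) and return the protocol violations found; empty means clean."""
    violations = []
    if not inbound or inbound[0] in SHORT_READ_AIDS:
        return violations             # CLEAR and PA keys carry no field data
    starts = {start for start, _ in fields}
    i = 3                             # AID byte + 2-byte cursor address
    while i < len(inbound):
        if inbound[i] != SBA:
            raise ValueError("expected SBA at offset %d" % i)
        addr = decode_address(inbound[i + 1], inbound[i + 2])
        i += 3
        data_len = 0
        while i < len(inbound) and inbound[i] != SBA:
            data_len, i = data_len + 1, i + 1
        if not fields:
            continue                  # unformatted screen: nothing is protected
        if addr in starts:
            violations.append("write to attribute byte at %d" % addr)
            continue
        n = owning_field(fields, addr)
        start, protected = fields[n]
        if protected:
            violations.append("modified protected field at %d (attribute at %d)" % (addr, start))
        nxt = fields[(n + 1) % len(fields)][0]
        if data_len > (nxt - addr) % size:   # room left before the next attribute
            violations.append("data at %d overruns field into attribute at %d" % (addr, nxt))
    return violations

def sample_screen():
    """Constructed host screen: protected label, 8-position unprotected input, protected footer."""
    return (bytes([ERASE_WRITE, 0xC3])                                   # WCC: reset MDT, restore keyboard
            + bytes([SBA]) + encode_address(0) + bytes([SF, 0x60]) + "Acct no:".encode("cp037")
            + bytes([SBA]) + encode_address(10) + bytes([SF, 0x40, IC])  # input field at 11..18
            + bytes([SBA]) + encode_address(19) + bytes([SF, 0x60]) + "PF3=Exit".encode("cp037"))

def sample_clean_input():
    """Constructed inbound stream from a well-behaved emulator: only the input field modified."""
    return bytes([AID_ENTER]) + encode_address(16) + bytes([SBA]) + encode_address(11) + "12345".encode("cp037")

def sample_rogue_input():
    """Constructed inbound stream from an emulator that ignores protection: it rewrites
    the label and sends nine bytes into the eight-position input field."""
    return (bytes([AID_ENTER]) + encode_address(16)
            + bytes([SBA]) + encode_address(1) + "ROOT    ".encode("cp037")
            + bytes([SBA]) + encode_address(11) + "123456789".encode("cp037"))

if __name__ == "__main__":
    layout = screen_fields(sample_screen())
    for name, stream in (("clean", sample_clean_input()), ("rogue", sample_rogue_input())):
        print(name, check_inbound(layout, stream) or "no violations")
```

Run stand-alone, the clean stream produces no violations and the rogue stream produces two: a write into the protected label and an overrun of the input field. As the text above notes, the check reports only that the protocol was violated; it cannot know whether the server application would have ignored the write, and a lenient emulator, TN3270 client or session manager can produce the same pattern without malicious intent, so the output is audit evidence rather than proof of an attack.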

Figure 1. 3270 IDS protection overview
The diagram shows an overview of the 3270 data stream protocol validation solutions, including CICS basic mapping support (BMS), IMS Message Formatting Service (MFS) support, and VTAM 3270 IDS support.
Note: The z/OS Communications Server VTAM 3270 IDS solution is one of several solutions that can provide detection and protection from malicious 3270 attacks.
Figure 1 provides an overview of the following 3270 data stream protocol validation solutions:
CICS® basic mapping support (BMS)
CICS provides 3270 IDS detection and protection for applications that use CICS basic mapping support (BMS) interfaces to create and parse their 3270 screens. When this support is activated, CICS monitors the 3270 data streams to detect any attempted modification to protected fields on the screen. CICS can then issue warnings (a log entry and an error message) or prevent the application from processing the data by abending the transaction. See the CICS product documentation through the IBM® Knowledge Center: http://www-01.ibm.com/support/knowledgecenter/ for more information on the CICS BMS IDS solution.
IMS™ Message Format Service (MFS) support
Similar to CICS BMS, IMS provides 3270 IDS support for IMS applications that use the IMS Message Format Service (MFS) to format and parse their 3270 messages. When this function is enabled, IMS prevents modifications to protected fields from being passed on to IMS server applications. See the IMS product documentation through the IBM Knowledge Center: http://www-01.ibm.com/support/knowledgecenter/ for more information on the IMS MFS IDS solution.
VTAM 3270 IDS support
The VTAM 3270 IDS support is described in this topic.

ISPF also provides built-in IDS support; it is one of the other subsystems shown in Figure 1. Applications that use ISPF services to display their 3270 panels are automatically protected: ISPF detects and prevents any modification to protected areas of the panels.

The list of 3270 data stream protocol validation solutions is not intended to be exhaustive. The other subsystems or other middleware category shown in Figure 1 stands for any other application-layer 3270 IDS support that might exist but is not identified here.

Note:
  • The 3270 client emulators used by 3270 users can attach natively over SNA directly to VTAM or over IP through TN3270. The VTAM and middleware 3270 IDS support shown in Figure 1 covers both kinds of 3270 users.
  • The terminology in this topic refers to general 3270 validation support, which is different from the specific terminology, such as CICS BMS, IMS MFS, or VTAM 3270 IDS, which refers to validation support within specific products that support the 3270 protocol.