Modernization Hub

ISS - Internet Security Systems

Enhanced Definition

Internet Security Systems (ISS) was a prominent cybersecurity company acquired by IBM in 2006. While its products were not native z/OS components, ISS solutions provided critical network and host-based security capabilities often deployed to protect the perimeter and network access points for IBM mainframe environments and their associated applications.

Key Characteristics

    • External Security Focus: Primarily offered network-level and host-based security products (e.g., intrusion detection/prevention systems, vulnerability management, firewall technologies) rather than being an intrinsic z/OS operating system component.
    • Acquired by IBM: Post-acquisition, ISS technologies were integrated into IBM's broader security portfolio, enhancing IBM's enterprise security offerings that often included mainframe protection.
    • Threat Detection and Prevention: Products like RealSecure and Proventia were designed to identify and block network-based attacks, including those potentially targeting TN3270 sessions, FTP servers, or WebSphere applications running on z/OS.
    • Vulnerability Management: Provided tools for scanning networks and systems to identify security weaknesses, which could include infrastructure components connecting to or supporting mainframe operations.

Use Cases

    • Perimeter Defense for Mainframe Access: Deploying ISS Proventia appliances at network entry points to monitor and protect against external threats attempting to access z/OS systems via TCP/IP services.
    • Intrusion Detection for Mainframe Applications: Using ISS solutions to detect suspicious network traffic patterns or known attack signatures targeting CICS, IMS, or DB2 applications exposed over the network.
    • Securing TN3270 Traffic: Monitoring TN3270 sessions for unauthorized access attempts or unusual activity that could indicate a compromise of mainframe terminal access.
    • Vulnerability Assessment of Supporting Infrastructure: Employing ISS vulnerability scanners to assess the security posture of network devices, LPAR network interfaces, and other infrastructure components that facilitate connectivity to z/OS.

Related Concepts

ISS products complemented native z/OS security features like RACF (Resource Access Control Facility) or ACF2/Top Secret by providing an external, network-centric layer of defense. While RACF manages internal access control, authorization, and auditing within z/OS, ISS focused on detecting and preventing attacks before they could reach or exploit vulnerabilities in the mainframe's network services, acting as a crucial front-line defense.

Best Practices

    • Layered Security Approach: Integrate ISS solutions as part of a comprehensive, multi-layered security strategy, complementing z/OS's robust internal security controls and RACF policies.
    • Regular Signature Updates: Ensure that ISS intrusion detection/prevention signatures and software are regularly updated to protect against the latest known threats and attack vectors targeting enterprise systems, including those that interact with mainframes.
    • Event Correlation: Integrate security alerts and logs from ISS products with SMF records, RACF audit logs, and other z/OS security events into a centralized SIEM (Security Information and Event Management) system for holistic threat analysis.
    • Network Segmentation: Utilize ISS capabilities in conjunction with network segmentation strategies to isolate mainframe environments, limiting the attack surface and containing potential breaches.
