ClearPath MCP Encryption

Steve Koss, Distinguished Engineer and Chief Architect

The What and Why of Encryption

  • Terminology

    • Symmetric Key Encryption

    • Public Key Encryption (PKE)

    • Certificates

    • SSL/TLS - Combines all three

  • Why Encrypt

    • Reduces the chance of data exposure

    • Makes Auditors Happy 

Data Privacy Capabilities: Overview

  • Encryption of data across networks

    • File transfer via FTP/SFTP/NFT/DMV

    • Terminal emulator sessions

    • Transport Layer Security/Secure Sockets Layer (TLS/SSL)

    • IPsec – packet layer encryption

  • Encryption of data at rest

    • Tape encryption

    • Disk encryption

  • Security Center – Key Management

  • Stealth

Network Security: File Transfer Protocols/Products

  • Many different methods to transfer and protect files between MCP and other systems.

    • FTP/FTPS

    • SFTP (SSH) – introduced in MCP 14.0

    • Secure File Transfer (NFT)

    • SAN DataMover

  • File transfer capabilities on remote systems determine most suitable product.

  • Security is configurable on all but SFTP (SFTP has no unsecured variant).

  • To use any of these on ClearPath MCP, MCP Cryptographic Services must be available.

Network Security: File Transfer Protocol (FTP)

  • File Transfer Protocol (RFC 959) supported by most systems

  • Transfers can be secured via SSL/TLS

    • IMPLICIT model – two sets of ports (one secure, one insecure)

    • EXPLICIT model – one set of ports (usually 21/20) and there are commands to turn SSL/TLS on/off

  • AUTHMODE controls where SSL/TLS is used


  • New features introduced in MCP 13.1

    • Client Certificates – ability to specify an X.509 certificate for additional validation

    • Can allow acceptance of self-signed server certificates

    • Can secure data port when control port is not secured.
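The EXPLICIT model above (AUTH TLS on the plaintext control connection, then PBSZ and PROT to protect the data port) and the two server-validation choices from MCP 13.1, shown as an added example in Go. This is not MCP FTPSUPPORT code and does not use AUTHMODE; the option names, the host name mcphost.example and the certificate file paths are this example's own assumptions, and the commands follow RFC 4217.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/textproto"
	"os"
)

// FTPSOptions mirrors the slide's choices: validate the server, optionally
// accept a self-signed server certificate, optionally present a client
// certificate. The field names are this example's own, not MCP settings.
type FTPSOptions struct {
	ServerName      string // name expected in the server certificate
	CAFile          string // PEM trust bundle; empty means the system roots
	AllowSelfSigned bool   // accept any server certificate (weak setting)
	ClientCertFile  string // X.509 client certificate (PEM), optional
	ClientKeyFile   string
}

// BuildTLSConfig returns the tls.Config used for control and data connections.
// The default verifies chain and hostname; AllowSelfSigned turns that off and
// leaves only confidentiality against passive observers.
func BuildTLSConfig(o FTPSOptions) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: o.ServerName, MinVersion: tls.VersionTLS12}
	if o.CAFile != "" {
		pemBytes, err := os.ReadFile(o.CAFile)
		if err != nil {
			return nil, err
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("%s contains no certificates", o.CAFile)
		}
		cfg.RootCAs = pool
	}
	if o.AllowSelfSigned {
		cfg.InsecureSkipVerify = true // an on-path attacker can now impersonate the server
	}
	if o.ClientCertFile != "" {
		cert, err := tls.LoadX509KeyPair(o.ClientCertFile, o.ClientKeyFile)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// RequestAuthTLS is the EXPLICIT-model upgrade (RFC 4217): "AUTH TLS" goes over
// the plaintext control connection and the server must answer 234 before the
// client starts the TLS handshake on the same socket.
func RequestAuthTLS(ctl *textproto.Conn) error {
	if err := ctl.PrintfLine("AUTH TLS"); err != nil {
		return err
	}
	if _, _, err := ctl.ReadResponse(234); err != nil {
		return fmt.Errorf("AUTH TLS refused: %w", err)
	}
	return nil
}

// ProtectDataChannel asks for private (encrypted) data connections. PBSZ 0 must
// precede PROT. Without "PROT P" the control channel is encrypted but directory
// listings and file contents still travel in clear.
func ProtectDataChannel(ctl *textproto.Conn) error {
	for _, cmd := range []string{"PBSZ 0", "PROT P"} {
		if err := ctl.PrintfLine(cmd); err != nil {
			return err
		}
		if _, _, err := ctl.ReadResponse(200); err != nil {
			return fmt.Errorf("%s refused: %w", cmd, err)
		}
	}
	return nil
}

// ExplicitFTPS dials the single port of the explicit model (usually 21),
// upgrades the control connection and protects the data channel.
func ExplicitFTPS(addr string, o FTPSOptions) (*textproto.Conn, error) {
	cfg, err := BuildTLSConfig(o)
	if err != nil {
		return nil, err
	}
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return nil, err
	}
	ctl := textproto.NewConn(raw)
	if _, _, err := ctl.ReadResponse(220); err != nil { // server greeting
		raw.Close()
		return nil, err
	}
	if err := RequestAuthTLS(ctl); err != nil {
		raw.Close()
		return nil, err
	}
	tlsConn := tls.Client(raw, cfg)
	if err := tlsConn.Handshake(); err != nil {
		raw.Close()
		return nil, err
	}
	ctl = textproto.NewConn(tlsConn) // from here on every command is encrypted
	if err := ProtectDataChannel(ctl); err != nil {
		tlsConn.Close()
		return nil, err
	}
	return ctl, nil
}

func main() {
	// Hypothetical host; running this needs a real explicit-FTPS server.
	ctl, err := ExplicitFTPS("mcphost.example:21", FTPSOptions{ServerName: "mcphost.example"})
	if err != nil {
		fmt.Println("connect failed:", err)
		return
	}
	defer ctl.Close()
	fmt.Println("control channel upgraded, data channel set to PROT P")
}
```

The order matters: a client that skips PROT P after AUTH TLS gets exactly the "control port secured, data port not" situation the slide warns about, and a client with AllowSelfSigned set has no way to tell the MCP host from an impostor that terminates TLS in the middle.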

Network Security: Secure File Transfer Protocol (SFTP)

  • SFTP (the SSH File Transfer Protocol) runs over the SSH protocol suite

    • Defined by <draft-ietf-secsh-filexfer-02.txt>

  • MCP implementation supports version 3 (but does NOT support all of the commands yet)

  • Interoperable with implementations that use the OpenSSH toolkit (most flavors of Linux) and psftp (part of PuTTY).

  • Full list at:


SFTP Configuration

  • Support for SFTP has been integrated into the FTPSUPPORT product and can be accessed from:

    • Batch FTP Client (COPY)

    • Interactive FTP Client (U FTP)

  • SFTP configuration is through FTPSUPPORT configuration file (*SYSTEM/FTP/SUPPORT/CONFIGURATION)

  • Keys and trust are configured through SecurityCenter

    • Server public keys (management and trust)

    • Usercode public keys (management)
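The trust half of the configuration above (server public keys) comes down to checking the key a server offers against one the administrator recorded out of band. The following added example, written for this page and not part of SecurityCenter or FTPSUPPORT, parses an OpenSSH-format public key line, computes the SHA256 fingerprint that ssh-keygen -lf and the OpenSSH connection prompt show, and refuses a key whose fingerprint does not match the pinned value. The key material (32 bytes of 0x42) and the host name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// HostKey is one "type base64-blob [comment]" line as OpenSSH prints it
// (a known_hosts entry without the host column, or ssh-keyscan output).
type HostKey struct {
	Type string
	Blob []byte
}

// sshString encodes an SSH wire-format string: uint32 length then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// ParseHostKey decodes the line and checks that the key type announced in the
// first field matches the type string embedded in the blob. A mismatch means
// the line was edited or mis-pasted and must not be trusted.
func ParseHostKey(line string) (HostKey, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return HostKey{}, errors.New("expected '<type> <base64>' fields")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return HostKey{}, fmt.Errorf("bad base64: %w", err)
	}
	if len(blob) < 4 {
		return HostKey{}, errors.New("blob too short")
	}
	n := binary.BigEndian.Uint32(blob)
	if uint32(len(blob)-4) < n {
		return HostKey{}, errors.New("truncated blob")
	}
	if string(blob[4:4+n]) != f[0] {
		return HostKey{}, fmt.Errorf("type field %q disagrees with blob type %q", f[0], blob[4:4+n])
	}
	return HostKey{Type: f[0], Blob: blob}, nil
}

// Fingerprint is SHA256 over the raw blob, base64 without padding, which is
// what OpenSSH displays.
func (k HostKey) Fingerprint() string {
	sum := sha256.Sum256(k.Blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// VerifyPinned compares a key offered by a server against the fingerprint
// recorded out of band (the administrator's trust decision).
func VerifyPinned(line, pinned string) error {
	k, err := ParseHostKey(line)
	if err != nil {
		return err
	}
	got := k.Fingerprint()
	if subtle.ConstantTimeCompare([]byte(got), []byte(pinned)) != 1 {
		return fmt.Errorf("host key %s does not match pinned %s; refusing to connect", got, pinned)
	}
	return nil
}

// MakeKeyLine builds a syntactically valid line from a key type and raw key
// bytes. Used only to construct sample data for this example.
func MakeKeyLine(typ string, raw []byte, comment string) string {
	blob := append(sshString([]byte(typ)), sshString(raw)...)
	return typ + " " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

func main() {
	// Constructed sample: 32 bytes of 0x42 standing in for an Ed25519 public key.
	sample := MakeKeyLine("ssh-ed25519", bytes.Repeat([]byte{0x42}, 32), "mcphost.example")
	k, _ := ParseHostKey(sample)
	fmt.Println("server offered:", k.Fingerprint())
	fmt.Println("pinned key accepted:", VerifyPinned(sample, k.Fingerprint()) == nil)
	tampered := MakeKeyLine("ssh-ed25519", bytes.Repeat([]byte{0x43}, 32), "mcphost.example")
	fmt.Println("substituted key rejected:", VerifyPinned(tampered, k.Fingerprint()) != nil)
}
```

The point for SFTP deployments is that the first connection is where trust is established: if the fingerprint is not compared against a value obtained from the MCP administrator by another channel, an attacker who intercepts that first session owns every later one.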

SFTP Copy – Example #1

Batch Client

Interactive Client

  • U FTP

  • OPEN (using GUEST/GUEST credentials)

SFTP Copy – Example #2

Remote username defaults to the calling usercode, but can be overridden

Batch Client

Interactive Client

  • U FTP

  • OPEN

    FTP will prompt for the remote username during the OPEN

SFTP Server Configuration

  • To configure the MCP software as an SSH Server:

    • Create a key pair for the server's identity (the default key name is SSH_SSHKEY)




  • Detailed information can be found in FAQ 5847 on the Product Support Website and in standard MCP 14.0 documentation.

    • FAQ 5847 also contains the list of software (Interim Corrections) which must be downloaded.

SFTP Enhancements in MCP 15.0

  • Server support for Windows SFTP clients.

    The ClearPath SFTP Server transfers files with the following Windows SFTP clients.

    • WinSCP

    • Attachmate Reflection FTP Client

    • FileZilla FTP Client

  • We’ll update the compatibility matrix on the support website.

  • Server support to append to ClearPath files.

    SFTP clients can append data to the end of existing ClearPath files.

    Example using WinSCP

    put -append TransactionHistory

    Network Security: Secure File Transfer (NFT)

    • Secure File Transfer for ClearPath MCP allows data transfer between two MCP hosts

    • New Feature introduced in MCP 13.1

      • Does NOT require BNA network connectivity

      • MCP file attributes of source file are retained across the transfer

      • Can also be secured with SSL/TLS (cryptography support required)

      • Hazardous files controlled with the RESTRICTUNWRAP system security option

      • Transfers initiated with COPY [FTP] command or FTP Interactive and Batch clients

    Secure File Transfer (NFT): Securing Hazardous Files

    Hazardous files (codefiles, for example) arrive marked RESTRICTED unless one of the following holds:

    • The RESTRICTUNWRAP system security option at the destination host is reset

    – or –

    • All three of the following:

      • The Library RESTRICTED option has been reset by the FTP Administrator at the destination host

      • The RESTRICTED option is reset in the COPY command

      • The usercode at the destination host is a security administrator

    Secure File Transfer (NFT): New MCPDATA Transfer Type

    • Transfers use data transfer type “MCPDATA”


    • Copies all files under the TEST/CASE_1 directory on the remote MCP host to the local host

    • All attributes, including FILEKIND, are retained at the destination host.

    • No BNA network is required.

    Secure File Transfer (NFT): Copying of Codefiles


    The codefile (SYSTEST)OBJECT/TESTFILE on TESTPACK is copied to USERPACK at the remote MCP host, MCPEAST

    Resetting the RESTRICTED option prevents the codefile from being marked restricted, but only if user ABC is a security administrator at MCPEAST

    Secure File Transfer (NFT): Network Security

    Data transmission can be secured by Secure Sockets Layer (SSL/TLS)

    Specify the level of security required for the file transfer (using the SSLMODE attribute)



    Command and data path are secured, different control ports are used.



    After logon command path can be optionally unsecured

    Data path security is independently selected


    Secure File Transfer (NFT): Other Issues

    MCPDATA transfers are incompatible with older levels of FTPSUPPORT

    Unencrypted NFT transfers run at speeds similar to ordinary FTP transfers

    Encrypted transfers are slower than non-encrypted transfers

    Non-MCP hosts running FTP can be used as store and forward hosts for MCPDATA transfers

    Documented in the TCP/IP Distributed System Services Operations Guide

    Network Security: SAN DataMover (DMV)

    • SAN DataMover provides an efficient way to move large amounts of disk data (local Windows environment required).

      • Between MCP and local Windows environment,

      • Between MCP and remote Windows, Linux or UNIX environment (by way of a local Windows environment)

    • Offloads data transfer to Windows environment (freeing ClearPath MCP MIPS)

    • Security Features (introduced in MCP 13.0)

      • SSL Support – Secure communication between Windows and MCP SAN DataMover components (requires MCP Cryptographic Services)

      • FTPS & SFTP Support – Secure Remote File Transfer

      • Both require MCP Cryptographic Services and configuration to enable and configure secure transfers.

    Network Security: Securing Terminal Emulator Sessions

    • Protect data in terminal emulator sessions to MCP servers

    • Many options available:

      • WebEnabler for ClearPath MCP – supports a 2-tier model – direct SSL connections from WebEnabler to ClearPath MCP

      • Secure TELNET – MCP Telnet can offer secure and/or unsecure sessions. Controlled via system security option (SECURECOMM)

      • Attachmate INFOConnect and MCP Telnet can also use a custom encryption protocol

    • SSH terminals are not supported at this time.

    Network Security: Securing Print Data

    • Secure data between MCP and Print Server

    • Use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to protect data

    • MCPPRT Server (introduced in MCP 13.1)

      • Specify SSL in the IOHandler parameter

      • See PrintS Guide (8600 1039–514)

    • EOM (Depcon) Server (introduced in MCP 13.1)

      • Specify SSL in PC and MCP Configuration Files

      • See EOM Documentation

    IP Security (IPsec): Security for the IPv6 Network

    • Can authenticate and/or encrypt each IP packet in a data stream

    • Uses policies to define security at the MCP-to-network boundary. IP packets can be:

      • Forbidden from being transmitted unencrypted (DISCARD)

      • Allowed to be transmitted unencrypted (BYPASS)

      • Authenticated or encrypted prior to transmission (PROTECT)

    • Subject to US Government export control

      • Packaged in the operating environment encryption option

    • Supports 3DES and AES algorithms for packet encryption (prefer AES; NIST has deprecated 3DES, so avoid it in new policies)

    • IPv6 ONLY (no IPv4 support)

    Tape / DVD Encryption Enhancements

    • Provides Enhanced Security for Encrypted Tapes/CDs/DVDs

      • AESGCM encryption, the standard algorithm for tape encryption as specified by the IEEE (IEEE 1619.1)

      • The ESSIV scheme is used with CBC mode: the IV is derived by encrypting a per-tape/per-file identifier under a hash of the data key, so each tape and each file on a tape gets its own unpredictable Initialization Vector (IV)

      • Additional data integrity checking added to encrypted data

    • Enhancements are known as Version 2 Media Encryption

      • Format of Version 2 encrypted media is different from the original, Version 1, tape encryption format

    Tape / DVD Encryption Enhancements

    • Examples


        • Specifying ENCRYPT=AESGCM by definition creates a Version 2 Encrypted Tape


        • Specifying ENCRYPTVERSION=V2 forces the use of ESSIV when doing AES with CBC-mode encryption
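To make the two settings concrete, here is an added example in Go (not Unisys code; the real Version 2 media format, its identifiers and its key handling are not on the slides and are assumed here) showing why ESSIV matters for CBC and what AES-GCM adds: the IV is derived by encrypting a tape/file identifier under a hash of the data key, so two files holding the same data no longer produce the same ciphertext, and a GCM-sealed block fails to open after a single bit flip. The key, identifiers and record contents are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// mediaBlock packs the identifiers that make an IV unique. Tape serial plus
// file index is this example's assumption, not the Version 2 format.
func mediaBlock(tapeID, fileIndex uint64) []byte {
	b := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(b[:8], tapeID)
	binary.BigEndian.PutUint64(b[8:], fileIndex)
	return b
}

// EssivIV derives the CBC IV the ESSIV way: encrypt the identifier block under
// a key that is the hash of the data key. Unique identifiers give unique IVs,
// and without the key the IV is not predictable.
func EssivIV(key []byte, tapeID, fileIndex uint64) ([]byte, error) {
	ivKey := sha256.Sum256(key) // 32 bytes, so AES-256 for the IV cipher
	c, err := aes.NewCipher(ivKey[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	c.Encrypt(iv, mediaBlock(tapeID, fileIndex))
	return iv, nil
}

// EncryptCBC is AES-CBC with PKCS#7 padding and no integrity check: a flipped
// ciphertext bit decrypts to garbage silently.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(c, iv).CryptBlocks(out, padded)
	return out, nil
}

// gcmNonce is 96 bits: tape serial and file index. A GCM nonce must never
// repeat under one key; assumes fewer than 2^32 files per tape.
func gcmNonce(tapeID, fileIndex uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[:8], tapeID)
	binary.BigEndian.PutUint32(n[8:], uint32(fileIndex))
	return n
}

// SealGCM returns ciphertext plus a 16-byte tag; header is authenticated but
// not encrypted (a file label, for instance).
func SealGCM(key []byte, tapeID, fileIndex uint64, plaintext, header []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, gcmNonce(tapeID, fileIndex), plaintext, header), nil
}

// OpenGCM fails on any modification of ciphertext, tag or header.
func OpenGCM(key []byte, tapeID, fileIndex uint64, sealed, header []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, gcmNonce(tapeID, fileIndex), sealed, header)
	if err != nil {
		return nil, errors.New("integrity check failed: media modified or wrong key")
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed 256-bit key, not a real tape key
	record := []byte("ACCOUNT=0001;BALANCE=100.00;")
	iv1, _ := EssivIV(key, 7, 1)
	iv2, _ := EssivIV(key, 7, 2)
	c1, _ := EncryptCBC(key, iv1, record)
	c2, _ := EncryptCBC(key, iv2, record)
	fmt.Println("same record in two files, identical ciphertext:", bytes.Equal(c1, c2))
	sealed, _ := SealGCM(key, 7, 1, record, []byte("file 1"))
	sealed[5] ^= 0x80
	_, err := OpenGCM(key, 7, 1, sealed, []byte("file 1"))
	fmt.Println("tampered GCM block rejected:", err != nil)
}
```

Two operational consequences follow: the ESSIV IV is reproducible from the identifiers and the key, so nothing extra has to be stored on the tape to decrypt, and with AESGCM the nonce derivation must guarantee uniqueness per key, because a repeated nonce under GCM leaks both plaintext and the authentication key.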

    Tape / DVD Encryption Enhancements

    • Migration and Compatibility

      • Version 1 is used by default but Version 2 is recommended

      • A tape/CD/DVD created using Version 2 Media Encryption cannot be read on a system that only supports Version 1 tape encryption

      • Systems that support Version 2 Media Encryption can read and write both Version 1 and Version 2 tapes/CDs/DVDs

      • Library Maintenance will not support encryption using Version 1 in software released after October 2015 but decryption of media created using Version 1 will continue to be supported

      • Only Library Maintenance supports the new Media Encryption Version 2 enhancements – TapeStack and DMUTILITY do not

    Tape / DVD Encryption Enhancements

    • Operator Controls

      • The existing LMENCRYPT SYSOP can now be set to AESGCM

        • Thus all tape/CD/DVD copies would be encrypted using AESGCM unless overridden in the COPY statement itself, and would be in Media Encryption Version 2 format

      • A new LMDEFENCRYPT SYSOP can be set to “V1” or “V2”

        • LMDEFENCRYPT defaults to “V1”

        • LMDEFENCRYPT set to “V2” and LMENCRYPT set to “AES256” causes ESSIV to be used along with AES256 in CBC-mode and creates the encrypted media in Version 2 format

        • LMDEFENCRYPT set to “V1” and LMENCRYPT set to “AES256” uses AES256 in CBC-mode and creates the media in Version 1 format

    Disk Encryption Options

    • Encryption Capable SANs

      • EMC VMAX: newer versions

      • EMC VNX: newer versions

      • Must be done at setup time. Can’t change a disk to be encrypted

    • BitLocker

      • FS1760 Internal Disk

      • Can be turned on and off

    • DMSII field level “obfuscation”

      • Not true encryption

      • Can’t search, sort, index, or replicate data with Databridge

    • What disk encryption is really for:

      • Data protection at the time of disk disposal or theft; it does not protect data from users or processes on the running system, which see it decrypted

    Security Administration: SecurityCenter

    • Security Center

      • Preferred security administration tool

      • PC-based GUI and wizards

      • Enables security administrators to define, manage, and test/assess MCP security.

      • Replaces command line/batch tools such as MAKEUSER and SYSTEM/GUARDFILE.

    • Microsoft Management Console “snap-ins”

      • Security Policy Management

      • File Access Management

      • Cryptographic Services Management

      • Kerberos Configuration Management

      • User Account Management

      • Locum SafeSurvey

      • Locum SecureAudit

      • Locum RealTime Config

    SecurityCenter: Cryptographic Services Manager

    • Used by security administrators to perform key management (create / import / export / renew)

      • SSL keys and certificates (used by WebTS, FTP, Sockets programs, User Programs)

      • Tape encryption keys (introduced in MCP 13.1)

      • IPsec keys (symmetric)

      • SSH Keys (introduced in MCP 14.0)

    • Also used for Certificate Management (SSL clients)

      • Certificate Stores

      • JAVA Certificate Stores

    SecurityCenter: Tape Encryption - Compromised Key Sets

    • MCP-based software tape encryption can now mark a set of tape encryption keys as invalid for writing, and generate a replacement keyset

    • This may be done because:

      • A key of the set is thought to be compromised

      • The keyset’s lifetime (according to corporate policy) has been reached

    • Compromised keysets can still be used for decryption (retained indefinitely). Note that marking a keyset compromised does not protect media already written with it: anyone holding the old key can still read that media, so if the compromise is real, re-copy it under the new keyset.

    • Only one active keyset per system / MCP mark release.

    SecurityCenter: Tape Encryption - Managing Key Sets

    To manage sets: under MCP Cryptographic Services, Trusted Keys, select the node Tape Encryption Keys

    Sets are uniquely identified by:

    • Host name

    • Release level

    • Set number

    SecurityCenter: Tape Encryption - Managing Key Sets

    Icon shows state of set:



    Only the Active set for the local host is used to encrypt

    All sets are used for decryption. If a tape was encrypted with a key of that set, it will be automatically decrypted

    SecurityCenter: Tape Encryption - Managing Key Sets

    • Create a set:

      • Right-click the Tape Encryption Keys node and select "Create New Keyset"

      • The current (highest-numbered) set is disabled and a new set is created

    • Mark a set compromised:

      • Right-click the local host's Active set and click "Mark as Compromised"

      • The selected set is disabled and a new set is created

    SecurityCenter: Tape Encryption - Best Practices

    • When a new keyset is generated, you must back up the keyset (via Export) and transport it to any systems that will need to decrypt tapes created on this host

    • Ensure that keys are stored securely

    • Ensure that keys are transported between systems securely

    Stealth Solution Suite: You Can't Hack What You Can't See (Changing the Security Paradigm)

    Imagine a World…

    Where your sensitive data is … and is only visible to users you select

    Unisys Stealth Solution Suite

    An NSA-certified, enterprise-wide security innovation, incrementally and non-disruptively implemented, that makes data communication end points invisible on a network and therefore removes them as a target for hackers.

    Stealth can reduce costs through consolidation and virtualization of a network and adds unprecedented protection to enterprise information.

    Stealth Solution Key Elements

    Stealth consists of four important elements:

    • Cryptographic Service Module

      • Provides FIPS 140-2 certified AES-256 encryption.

    • Information Dispersal Algorithm & Data Reconstitution

      • Stealth-formatted messages can only be reassembled by Stealth.

    • Virtual Communities of Interest (COI)

      • Hides users, data and servers from non-COI members.

    • Executes very low in the protocol stack

      • Protects the device from attack. No changes required to applications.

    (Slide figure: the OSI layers, 7 Application down to 1 Physical, showing where Stealth executes.)

    Unisys Stealth Solution Suite

    Enterprise wide – Consistent Security Approach

    (Slide diagram: corporate site, regional site, external network and cloud data center, each with A and B virtual web, app and DB servers, an app server and a protected database.)

    • Stealth Secure Remote Access

      Stealth protects data communication for teleworkers across the Internet, superior to traditional VPN, using the Stealth driver loaded on a laptop or SSVT.

    • Stealth Regional Isolation

      Stealth secures information exchanged over public or private networks from many geographic locations.

    • Stealth Data Center Segmentation

      Stealth cloaks the servers running sensitive applications or storing private information; these servers are not visible to anyone without the required Stealth crypto keys.

    • Stealth Solution for Cloud

      In a cloud, Stealth hides virtual workloads from unauthorized access in single or multi-tenant environments.

    Data Center Segmentation

    • "Compartmentalize" the data center using Communities of Interest (COI) instead of physical infrastructure

    • Mitigate Threats

      • Theft or Misuse of IP

      • Compliance Penalties

      • Minimizes scope of attacks

    • Benefits

      • Fosters Availability while ensuring Confidentiality and Data Integrity

      • Enhances application security by enforcing "Least Privilege"

      • Uses existing infrastructure

      • Security is not port based

      • Facilitates regulatory compliance

    • Cost Savings potential 20%-50%

      • Reduce data center complexity; reduce VLANs and physical segmentation

      • Re-segment the data center using Active Directory

      • Simplified management

    (Slide diagram: enterprise network with an app server and a protected database server, physical or VM.)

    Value: Protect high-impact systems from intrusions on the intranet

    Regional Isolation

    • Regional Isolation prevents unauthorized access to information in the local region and on the corporate intranet

    • Mitigate Threats

      • Data communication eavesdropping by regional telecommunication providers and governments

      • Intrusions to corporate intranet

      • Intrusions to local site from within the region itself

    • Benefits

      • Assures only authorized access to corporate intranet

      • Protect regional assets from rogue endpoints

      • Segregate regional assets based on "need to know"

      • Segregate corporate assets based on "need to know"

    (Slide diagram: enterprise network in a trusted country, Stealth gateway, Stealth-cloaked geographic region.)

    Value: Protect corporate data assets in a global topology

    Stealth in the Cloud

    (Slide diagram: cloud data center with A and B virtual web, app and DB servers.)

    • Stealth in the Public or Private Cloud secures and isolates communication between virtual resources in a multi-tenant environment

    • Mitigates Threats

      • Theft or Misuse of IP within a tenant and between tenants

      • Workloads are vulnerable to unauthorized access from inside or outside the cloud

    • Benefits

      • Protection follows the workload, regardless of where it is physically executing

      • Provides secure resource sharing within Communities of Interest

      • Isolates workloads between different COI

      • Integrated with Unisys Secure Private Cloud Solution for seamless deployment

    Value: Bring Stealth security to the Cloud

    Stealth Solution for Secure Virtual Terminal (SSVT)

    • SSVT secures and controls transmission over the Internet “from anywhere,” locking the communications channel to targeted endpoints.

  • SSVT is deployed via a locked down SecureUSB-based device running Stealth network security software. This virus-free, trusted environment is verified at each boot.

  • SSVT requires no change to your web enabled applications

  • SSVT enables workers to securely access

    • Their own desktop located in the enterprise, via an RDP session

    • Microsoft Remote Desktop Services or other VDI

    • Web enabled applications

    Stealth Organizational Value

    Business Benefits & Priorities

    • Clients that want to increase security for their "crown jewel" applications and servers.

    • Clients that need to protect corporate assets from regional facilities that may reside in hostile territories.

    Cost Savings

    • Clients that want the simplicity of deployment and cost structure of public or flat networks but cannot sacrifice security; equally ideal for clients with multi-tier networks that need to contain costs while increasing security.

    • Clients that want to simplify data / resource access management

    Target clients: commercial organizations and the public sector

    Stealth Extreme Security

    Certifications, evaluations and exercises shown on the slide timeline:

    • DIACAP MAC-1 Certification

    • Network Risk Assessment

    • AF Comm Agency

    • CWID 05, CWID 08, CWID 09, CWID 10

    • R&D Prototype

    • Testbed IO Range

    • National Center for Counter-terrorism and Cybercrime, SOCOM

    • FIPS 140-2 Certification

    • NSA EAL4+

    • Export License, Dept of Commerce

    • Warrior '12

    • Combined Endeavour, EUCOM

    • "Large Integrator" tests and fails to break Stealth

    • JUICE 09

    • DJC2 PMO

    • Private Lab: SSVT validation, failed to compromise

    Acronyms:

    DIACAP: DoD Information Assurance Certification and Accreditation Process

    MAC: Mission Assurance Category (Level 1 is highest)

    DISA: Defense Information Systems Agency

    EUCOM: European Command

    SOCOM: Special Operations Command

    JFCOM: Joint Forces Command

    JIL: Joint Intelligence Laboratory

    CWID: Coalition Warrior Interoperability Demonstration

    JUICE: Joint User Interoperability Communications Exercise

    CECOM: Communications Electronics Command (US Army)

    GTRI: Georgia Tech Research Institute

    DJC2: Deployable Joint Command and Control

    NIST: National Institute of Standards and Technology

    NIAP: National Information Assurance Partnership

    Where is Stealth Deployed?

    Hertz, NZ uses Stealth to facilitate PCI DSS compliance

    The US Coast Guard uses SSVT for secure telecommuting

    We do use our own product! Unisys uses Stealth to secure and protect our high value application and database servers, and for secure remote telecommuting

    An Australian Military agency uses Stealth in a secure VDI Solution

    A large Midwestern Healthcare Agency is piloting Stealth to protect servers with sensitive data

    Many Commercial and Government pilots in progress

    Stealth at Unisys

    Unisys not only sells Stealth to clients, we use it internally too.

    Data Center Segmentation:

    • At Unisys, Stealth has been deployed to secure some of our critical multi-tier applications.

    • With the web server, application logic and database on separate COIs, users cannot ping or even discover the existence of the application and database servers, so those tiers cannot be tampered with or attacked directly from the user network. Users can only access the web server.

    Secure Remote Access:

    • More than 200 Unisys employees use Stealth on their laptops (with dual factor authentication) in order to securely access the corporate network when working from home or when travelling.

    • Unisys is deploying Stealth incrementally with our existing commercial VPN solution.

    Regional Isolation:

    • Currently in test!

    Stealth in the Cloud:

    • Unisys executes Stealth in our outsourcing Cloud environment to service our cloud clients.

    Value-based Pricing Model

    Client pays relative to the differentiated value they receive from Stealth

    Example: Regional Isolation

    Example: Data Center Segmentation

    Example: Secure Remote Access

    Unisys Stealth Solution Value

    Unprecedented Security and Value

    • Protection of private corporate data

    • Facilitates regulatory compliance

    • Significant cost reduction

    • Easy, quick deployment

    • Incremental implementation

    • Identity-based management

    • No application changes

    • Highest security performance

    Why Unisys Security?

    We have a 6,000-person strong global field force (> 1,700 cleared)

    Our security solutions can be found worldwide in 600+ airports, 1,500 government agencies, and in use by 200+ airlines

    Positive: Gartner’s MarketScope on Data Center Outsourcing rated Unisys as “Positive”, 2010.

    World’s largest RFID network (U.S. Army)

    More than 8.1 million service events managed per year

    100 million people use Unisys secure ID’s

    Strong Performer: The Forrester Wave™ – Managed Security Services, 2010

    To know more, visit us at:

    YouTube: Stealth Solution

    YouTube: Overview of How Stealth Works