StoneSoft Readies Updated Firewall/VPN Software for Mainframes
Published: March 14, 2006
by Timothy Prickett Morgan
Security appliance and software developer Stonesoft is previewing an update of its StoneGate firewall and virtual private networking appliance software for IBM mainframes. The updated software takes advantage of z/VM features that hook into the network stack at Layer 2, below TCP/IP, allowing instances of the StoneGate firewall and VPN software to be clustered for load balancing and high availability.
According to Mark Boltz, senior security consultant for Stonesoft, which is based in Helsinki, Finland, and has offices in Atlanta, Georgia, many companies have firewalls on the perimeter of their networks but not in front of their servers. This practice, which he characterizes as "crunchy on the outside, but chewy on the inside," is not the kind of mainframe-class security that big enterprises have come to expect. With the mainframe being positioned as a server consolidation platform running IBM's own mainframe operating systems as well as Unix applications in z/OS UNIX System Services and in Linux instances running in z/VM guest partitions and on Integrated Facility for Linux (IFL) processors, mainframe shops are interested in having their firewall integrated right at the server level.
Stonesoft launched the first StoneGate for Linux on the mainframe back in January 2003, and has been selling the product on x86 servers since 2001. The StoneGate appliance is based on the stock Linux kernel from kernel.org, to which Stonesoft adds OpenSSL, OpenSSH, and other open source projects, which it then hardens and locks down. When you buy the product and pay for support, you are paying for upgrades--like the one that is coming some time in the second quarter for the mainframe--as well as for having Stonesoft continually monitor and patch the code inside the security appliance software.
Stonesoft's firewall uses a multi-layered approach to understanding and blocking Internet traffic, combining packet filtering, stateful connection tracking, and application-level inspection (what Stonesoft calls protocol agents). According to Stonesoft, this combination of techniques (configurable rules-based protocol agents, in particular) provides the highest level of protection, especially given the array of different protocols in use by applications today. The VPN component of StoneGate, which provides IPsec VPNs including site-to-site tunnels, runs directly on the mainframe (as does the version of this software for IBM's iSeries midrange servers). That means traffic is decrypted inside the mainframe itself rather than on a separate VPN box, so there is no network segment between the VPN endpoint and the server on which the data travels in the clear, and correspondingly less chance of exposing it.
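To make the three layers concrete, here is an added toy pipeline, written for this article and not Stonesoft's code: a static packet filter, a connection-tracking table in front of it, and an HTTP protocol agent that inspects application data on port 80. All addresses, ports, rules and packets are constructed for the illustration. It shows two things the paragraph only states: why stateful tracking lets reply traffic through without a standing "allow anything from port 80" rule (which would also admit unsolicited packets), and why an allowed port is not the same as an allowed protocol (a CONNECT request or an SSH banner on port 80 is dropped by the agent even though the packet filter permitted the connection).

```python
"""Toy three-layer firewall: packet filter -> connection tracking -> protocol agent.
Constructed illustration for this article; not StoneGate's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a TCP connection
    payload: bytes = b""     # application data carried by this packet


# Layer 1: static rule base (constructed). First match wins; default deny.
RULES = [
    {"src": "10.0.0.0/8", "dst": "192.0.2.10/32", "dport": 80, "action": "allow"},
]


def packet_filter(pkt: Packet) -> bool:
    """Stateless check: does the packet match an explicit allow rule?"""
    for r in RULES:
        if (ip_address(pkt.src) in ip_network(r["src"])
                and ip_address(pkt.dst) in ip_network(r["dst"])
                and pkt.dport == r["dport"]):
            return r["action"] == "allow"
    return False


# What a purely stateless design would need to let web replies back in: a standing
# rule for anything from the server's port 80 into the inside network. Such a rule
# also admits packets nobody asked for, which is the weakness state tracking removes.
def stateless_reply_rule(pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network("192.0.2.10/32") and pkt.sport == 80
            and ip_address(pkt.dst) in ip_network("10.0.0.0/8"))


# Layer 3: protocol agent for HTTP (constructed policy: only GET and HEAD).
def http_agent(payload: bytes) -> Tuple[bool, str]:
    """Allow only well-formed HTTP/1.x GET or HEAD request lines on port 80."""
    if not payload:
        return True, "no application data yet"
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return False, "not HTTP on an HTTP port"
    if parts[0] not in (b"GET", b"HEAD"):
        return False, "method %s not permitted" % parts[0].decode(errors="replace")
    return True, "http request ok"


AGENTS: Dict[int, object] = {80: http_agent}


class Firewall:
    """Layer 2: a table of established connections keyed by (src, sport, dst, dport)."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> Tuple[bool, str]:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Reply traffic for a tracked connection needs no explicit rule.
        if rev in self.connections:
            return True, "reply on established connection"
        if fwd in self.connections:
            agent = AGENTS.get(pkt.dport)
            if agent is not None:
                ok, why = agent(pkt.payload)
                if not ok:
                    self.connections.discard(fwd)   # tear the connection down on a violation
                    return False, "protocol agent: " + why
            return True, "established connection"
        # A new connection is created only by a SYN that the static rule base allows.
        if not pkt.syn:
            return False, "no matching state and not a connection start"
        if not packet_filter(pkt):
            return False, "packet filter: no allow rule"
        self.connections.add(fwd)
        return True, "new connection allowed, state created"


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed packet sequence exercising all three layers."""
    fw = Firewall()
    client, server = "10.0.0.5", "192.0.2.10"
    pkts = [
        Packet(client, 40000, server, 80, syn=True),                                # 1 SYN
        Packet(server, 80, client, 40000),                                          # 2 SYN/ACK back
        Packet(client, 40000, server, 80, payload=b"GET / HTTP/1.1\r\nHost: h\r\n\r\n"),  # 3 ok
        Packet(client, 40000, server, 80, payload=b"CONNECT x:443 HTTP/1.1\r\n\r\n"),     # 4 agent denies
        Packet(server, 80, client, 40001),                                          # 5 unsolicited "reply"
        Packet(client, 40002, server, 22, syn=True),                                # 6 no rule
        Packet(client, 40003, server, 80, syn=True),                                # 7 SYN
        Packet(client, 40003, server, 80, payload=b"SSH-2.0-OpenSSH_7.9\r\n"),      # 8 not HTTP
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    for i, (ok, why) in enumerate(run_scenario(), 1):
        print(i, "ALLOW" if ok else "DENY ", why)
```

Packet 5 is the instructive case: the stateful table denies it because no inside host opened a connection to that port, whereas the stateless reply rule would pass it. Packets 4 and 8 show the protocol agent catching traffic that the port-based layers had already accepted.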
While x86 platforms have had clustering and load balancing capabilities--and Stonesoft has even sold hardware appliances based on StoneGate with this functionality--new features in z/VM 5.1 and 5.2 now allow StoneGate instances running within two z/VM partitions, or across two physical mainframes, to be clustered together in an active-active manner so that each firewall and VPN server takes a portion of the load. If one instance crashes, which is unlikely, or has to be taken offline for an update, which is more likely, users accessing resources on the mainframes see no network downtime. Being able to use the Layer 2 networking functionality embedded in z/VM also allows for disaster recovery, since the clustered machines can sit on an IP network that spreads across town or around the globe.
The version of StoneGate that provides this clustering and load balancing function is 2.2.11, and customers who want to use it cannot be on z/VM releases earlier than z/VM 5.1. A single, unclustered instance of the StoneGate security software will, however, run on z/VM 4.3 or later. While pricing and packaging are still being sorted out, Boltz says that Stonesoft will probably put together a base package with the StoneGate Management Center management software and two instances of the firewall for a base price. The pricing model for the software will not be tied to MSUs or MIPS, nor to the CP or IFL processor counts, for that matter. Users will have to pay an incremental fee for each instance of the StoneGate appliance they want to add, and they will also have to pay for support. And because patching any Linux--even a homegrown one like the one Stonesoft is using--requires deep mainframe expertise, Stonesoft works closely with IBM's System z team to keep it all in sync.