Quest Defender Mainframe Edition

Affordable, Achievable Security

Token-based Authentication

Whether you require security for your entire System z mainframe network, or a single business transaction, Defender ME network security managers provide a wide range of user authentication and access controls. Defender ME gives you the ability to authenticate users via any of the leading dynamic password tokens at three levels:

Resource control systems do not protect your mainframe network. Anyone can enter a network, roam around at will and probe for weaknesses. Defender ME products extend security defenses from the kernel of the individual mainframe systems to the network periphery so users are validated before they enter the network.

Defender ME encompasses the latest cryptographic developments in hardware technology and includes support for multiple token types from multiple vendors. 

Now, Defender ME has been further extended to include support for the Defender Go-3 token. The Go-3 token represents an ultra-portable, strong authentication solution for maximum convenience and user acceptability. 

User acceptance of security tools is a crucial factor in guaranteeing the success of any security solution. As an alternative to the risks posed by static passwords, the Go-3 token is an elegantly designed, affordable user-friendly device that is quick and efficient to roll-out to users.

Defender ME also supports the latest RSA SecurID® AES token with 9-Digit Serial numbers. Quest's Defender ME is the only two-factor authentication solution available on System z itself that has fully integrated support for 128bit AES tokens. With Defender ME users with AES tokens do not need to be authenticated by connecting to a Unix or Windows installation of RSA ACE® Server. This allows your organization to take full advantage of Defender authentication within your existing mainframe environment providing you with security and reliability while reducing your overall investment.

Benefits of Defender ME

• For greater flexibility, network access can be secured by user ID or terminal ID and users can be validated at network, application and transaction levels.
• Maxmium security at the most sensitive points -  network jumping prevented, traffic denied based on originating or destination network
• Authentication by user ID, terminal, application or transaction via optional dynamic password tokens provides greater security
• Message warnings can be escalated, including the raising of a NetView alert to an operator console or central host
• Effective for controlling outside contractors, EDI clients and remote dial-in users based on frequency, time of day or the severity of a security breach.

Application/transaction protection
Defender Mainframe Edition (Defender ME) Network Security Managers protect information by directing the user via user ID and password to permitted applications only. You can also force users to provide additional personal token authentication information either at the application level, the transaction level, or both.

MVS-based products
For MVS systems, three levels of Defender ME are available: Defender ME VSSE, Defender ME Secure and Defender ME Authenticator. These products incorporate the capabilities described below:

• Defender ME VSSE
  Defender ME VSSE (VTAM Session Security Exit) uses the VTAM Session Management Exit (SME) to allow only authorized connections. It controls which LU to LU sessions VTAM will allow or deny. Includes terminal to application, application to printer, peer to peer and Network Job Entry (NJE) sessions.
   
• Defender ME Secure
  Defender ME Secure provides active network security and information protection by directing the user, via user ID and password, to permitted applications only. Incorporates the features of Defender ME VSSE to allow sensitive applications to be user ID protected.
   
• Defender ME Authenticator
  Defender ME Authenticator maintains the full range of facilities including all the features of Defender ME Secure as well as incorporating three-factor authentication using personal devices. With this option, it is possible to validate a user's identity via a user ID, a user-changeable password and a personal device generated code.

Transaction Level Interface (TLI)
Defender ME gains flexibility by extending security beyond the VTAM network front end to the user's own business transaction. User authentication through the TLI can be implemented from any point in the network using the TCP/IP TLI. The TLI can also be used to protect sensitive transactions such as challenging a user attempting to raise an insurance claim payment in excess of a certain value, by requesting user ID and password validation from within the transaction.

Home node processing
In multi-node networks, Defender ME databases may be held on individual nodes supporting definitions for users and terminals assigned to that node. Users connecting to a node that is not their normal connection machine can specify the name of the machine where they want to be authenticated. Home node processing is useful on large networks where users access their system from both home and remote locations.

Also see:

Defender WebMail