Controlling Remote Access to IBM i

Transcription

1 Controlling Remote Access to IBM i White Paper from Safestone Technologies

2 Contents IBM i and Remote Access...2 An Historical Perspective...2 So, what is an Exit Point?...2 Hands on with Exit Points...3 What can Exit Programs Do?...4 Monitor Traffic...4 Securing Traffic...5 Securing Objects...5 Swapping Profiles...6 Supplemental Exit Programs...6 Summary...6 About Safestone...8 Safestone s Solutions...8 1

3 IBM i and Remote Access IBM i and remote access security is a topic that has been around for almost as long as the IBM i itself, and much has been written about it since its inception in the late 1980 s. An industry of ISV s (independent software vendors) has developed and matured which provides exit point software to many organizations. The discussion about exit point security vs. native security in the Operating System (OS) has long been debated, to the point where little new argument has emerged recently on the subject. Nevertheless, questions still remain about the exit points on IBM i issues which this white paper aims to cover and resolve. An Historical Perspective In the 1990 s IBM introduced the TCP/IP stack and the Host Servers on IBM i, or OS/400 as it was known then. This was done in order to keep the IBM i relevant, as the marketplace evolved and as servers needed to connect to the network. These new protocols were not native to the operating system and IBM ultimately recognized it had created a huge security hole. The problem was that before the stacks were introduced, menu security had been very effective at keeping users from accessing data directly. However, after their introduction, this was seriously compromised. Menu security provided excellent end-user security in the days of dumb displays and twinax cabling, but just wasn t effective after PC s began to connect using telnet over a network. Telnet wasn t the problem, but other protocols like FTP, ODBC and Remote Command were. Once users could bypass their menus and get to data using network access without any menu or program control, the security flood gates were opened. So, what is an Exit Point? Having realized they had created a problem, IBM also recognized it wasn t an easy one to solve. The native operating system on IBM i couldn t secure this new server traffic, so the exit points were born. They are nothing more than API s (Application Program Interfaces) associated with each network server. They receive and send information to their network server. The information they receive includes the server and function that has been accessed, and what IP address and user it is associated with.. It can also include information about the data that is associated with the traffic for instance, the library and file that were accessed during an FTP connection. The exit point also sends information back to the network server. The most important information sent is a yes or no, as to whether the traffic should be allowed. The key to understanding exit points is that they call a user-written program that is registered to the exit point; the program processes the information that is passed to it, and then returns a yes or no back to the exit point, as to whether the traffic should be allowed or not. IBM didn t want to write the exit programs, but preferred to provide the framework so that system programmers could write them. Exit points are the hooks into network servers that exit programs use to secure the TCP/IP and Host server traffic. 2

4 Figure 1 Figure 1 provides a graphical view of how a network server, an exit point and an exit program are designed to secure network traffic. Exit points have been described as a software firewall, and this is a reasonably good analogy. Hardware firewalls and exit points provide visibility into details about traffic on the network, and allow you to control that traffic. There are certainly differences between them and what they are capable of, but both perform similar functions, allowing the monitoring and securing of network traffic. Hands on with Exit Points There are hundreds of exit points which ship as part of the IBM i OS. They provide access and control over a number of areas, such as cryptographic support, managing profiles and commands, Mail Server Framework, and other system functions. The exit points associated with network access are those that control TCP/IP services like FTP and Telnet, and the Host Servers such as Database and Remote Command. You can view and manage the exit points by running command WRKREGINF. Option 8 will display any exit programs associated with the exit point, and you can add or remove exit programs using this option. 3

5 Figure 2 Figure 2 shows an FTP Exit Point using the WRKREGINF command. What can Exit Programs Do? The exit program functionality can help to better secure the IBM i. Indeed, there are a number of areas where exit programs can be valuable in providing an organization with better security than it would have without them. Monitor Traffic The first thing anyone who registers an exit program sees is what their network traffic looks like. This can be an eye-opening experience because the traffic is very foreign to IBM i administrators. It must be remembered that the TCP/IP stack isn t native to IBM i; there is no way to look at network traffic in the native O/S it must be captured and viewed using an exit program. Having visibility into which users are accessing network servers is good security practice, and invaluable if forensic analysis will need to be performed. Some exit points provide enough detail to the exit program to enable you to see which file the user accessed and whether it was changed or viewed. It is important to note that network traffic can be very high volume, creating many thousands of transactions an hour in busy environments. It is important to be able to filter not only the traffic which is captured, but also what is reported on. Network traffic which represents activity associated with business applications is not required to be logged or reported on. If you do log and report on daily traffic then it makes it much harder to find traffic that is outside application traffic and much more interesting from a security viewpoint. 4

6 Figure 3 Figure 3 displays network traffic Securing Traffic Another feature which exit programs can provide is the ability to secure network traffic. All the exit points return a yes or no to the network server job, as to whether that transaction should be allowed. The exit program can enforce rules about which users and IP addresses should be allowed to use the different network servers. Well-written exit programs can globalize users and IP addresses so that a few rules apply to many situations. This simplifies the initial setup and makes ongoing maintenance more manageable. An example of globalizing users is entering a group profile or supplemental group profile in a user rule to allow everyone in the group access. IP addresses can be entered as wildcards so that * allows all 255 addresses instead of 255 individual rules. There are situations where it is necessary to have network access secured at specific times and not others. An organization s security policy might allow all traffic during working hours, but restrict it after hours and on weekends. Time dependent rule enforcement is an enhanced option found in fully-featured exit programs. Securing Objects Sophisticated exit programs have the ability to specify which objects users are allowed to access. This can only apply to network servers which access data such as DDM, FTP or ODBC but nevertheless is a powerful feature. It is important to note that native IBM i security is the best way to secure file access because the file is secure regardless of how the user accesses it. The exit points can t secure a file if a user runs an SQL command from a command line or changes the file using DFU (Data File Utility) because no network connection was made. However, it is much more complex to reengineer the public access to data, especially if the applications were created by a 3 rd party software vendor. The exit points make it very easy to allow or restrict access to data 5

7 as long as that access is made using a TCP/IP or Host server connection. For instance, it is simple to secure a user to a specific file when they run an FTP file transfer if the FTP exit program supports securing objects. Swapping Profiles Another function which an exit program provides is the ability to change the identity of a user when they access a network server. This is very useful in IBM i shops, since most have a security model which allows users too much access to production data. Using a combination of native IBM i security and the swap profile api s, an exit program can swap a user to a different profile with read-only access to the data. Exit programs which allow this can make ODBC connections read-only for any chosen user, and that user will not be aware that the swap has occurred. Supplemental Exit Programs A very powerful feature that extends exit point functionality is supplemental exit programs. Exit points only allow a single exit program to be registered to them. The idea behind a supplemental exit program is that if the exit program that is registered to the exit point doesn t provide the functionality required, the registered exit program can call a second program. The second program is passed the same parameters the registered program received from the exit point, and does whatever additional processing is required. It returns the yes or no to the registered exit program which it uses to decide how to handle the traffic. This is extremely useful for those who have purchased 3 rd party exit programs which meet most of the requirements, and yet they need some additional functionality unique to the business. Summary This paper has discussed why the exit programs were created and provided a basic understanding of how they work. They can supplement native security on IBM i and make an organization more secure. Exit programs have become more sophisticated and offer a wide range of functionality which IBM probably never imagined when they created the exit points. Safestone Technologies created Network Traffic Controller (NTC) as the module in the DetectIT Security Suite which secures network access. NTC includes the features discussed in this paper, and many others, that allow you to quickly and easily make the IBM i more secure. Writing exit programs is not for the faint-hearted. They are very technical and most network servers have unique characteristics that can be complex to understand. A sophisticated system programmer can certainly write their own exit programs. IBM offers sample exit programs on its website as shown at the following link: - 6

8 The challenge a business faces is that the skills needed to write useful and efficient exit program could be better spent helping grow the core business. Most businesses find that it makes most sense to purchase exit programs that meet their requirements and create supplemental exit programs if they need additional functionality. 7

9 About Safestone Safestone is the leading supplier of security, audit and compliance solutions for IBM Power Systems (i, AIX, Linux). The module-based solutions are flexible, scalable, and easy to implement and use, and address all varying degrees of audit, compliance and security requirements. An Advanced IBM Business Partner and long-standing member of the IBM i ISV Advisory Council, Safestone helps businesses meet compliance regulations (Sarbanes-Oxley, PCI DSS, Basel II, HIPAA) and information. Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Their global network, developed over more than 21 years provides localized sales, consultancy and professional services to help organizations manage all their System i security requirements. Safestone s Solutions Security Audit and Detection Comprehensive real time intrusion detection and alerting allowing pro-active management of security events and potential breaches. Risk & Compliance Monitor Identifies policy compliance vulnerabilities by reporting against off-the-shelf policies (SOX, PCI, Basel II, ISO etc.) and in so doing helping to prepare organizations for audit. Powerful User Passport enables system administrators to limit the number of powerful users. It provides auditors and management a comprehensive audit trail of user activities. Password Self-Help enables users to reset their own passwords on System i immediately, without needing to call the Help Desk and wait for the request to be processed. The user is presented with a series of challengeresponse questions to validate their authenticity. If approved, the password reset is made instantly. Compliance Center is a powerful and flexible query-based reporting solution that simplifies the task of collecting and converting a vast array of audit, compliance and security events into compliance reports. Reports can be scheduled and automated with easily read graphics. This is multi-platform tool collects data across IBM Power Systems (i, AIX and Linux) User Profile Manager provides full identity management systems across multiple System i machines / partitions. For more information please contact: - info@safestone.com Call: (US) or +44 (0) (UK) 8