AS/400e Internet Security Principles
COMMON Europe, December 2000
Based on a presentation by Patrick Botz
Tom Grigoleit, Rochester, MN
PSBotz 1
Agenda
- The Internet security threat
- Establishing a security policy
- Protecting a public server
  - ISP security
  - Host security
  - Network security
  - Application security
- Protecting internal servers
- The role of a firewall
Internet Security Threat
- Explosive growth of the Internet: $1.3T market forecast in 2003; estimated $50B in 1998 (revised from the $32B mid-1998 estimate). This makes the Internet a desirable place to do business and an attractive place to steal from business. (IDC, March 99)
- Serious breaches occurring: of 500 firms surveyed, 32% sought help from law enforcement, up 17% from last year. (Computer Security Institute, March 99)
- Financial losses: $124 million from all security breaches, down from $137 million in 1997; losses from financial fraud and theft of data up sharply; estimated real losses in the $10s of billions. (Computer Security Institute, March 99)
- Percent whose computer systems had unauthorized use within the year: Yes 64%, No/Unknown 36%
- ... and not just once. [Chart: number of entry attempts (1 to 5, 5 to 10, >10, don't know) by percent of sites, 0 to 50%] (Computer Security Institute, March 98)
Example Internet Security Exposures
- Sniffing (diagram: user=jim pw=xl2rq captured while crossing the Internet)
- Spoofing (diagram: a packet from the Internet carrying the internal address addr=192.168.67.3, aimed at trusted hosts)
- Denial of service
[Diagram also shows: Internet, trusted hosts, user=jim pw=porsche]
Security In Your Company
- Security is a business function
- It's all a matter of risk management
[Diagram: a scale from "Open System" to "Locked Down Tight", with "Your Business" placed somewhere between; labels SmartSuite, Office]
Internet Security Issues
- Authorization: "Does this person have access to this data or application?"
- Authenticity: "Is this person who he says he is?"
- Privacy: "Is any personal information I give out being compromised?"
- Integrity of information: "Am I confident that the data I receive and send is not being tampered with?"
- Non-repudiation: "How can I ensure the data was received, signed for, and time stamped? Will it stand up in court?"
AS/400 Answers
- Authorization: OS/400 object level authorities; HTTP server protection directives
- Authenticity: encryption using SSL, certificates; hide addresses with NAT, proxy; passwords, validation lists
- Privacy: encryption using SSL
- Integrity of information: integrity checks with SSL; digital signatures with Domino; block unwanted traffic with firewalls, IP filtering
- Non-repudiation: certificates, SSL, signatures, logs
Internet Security Policies
- Corporate security, I/T security, networking security: what are your security policies?
  - What services are to be permitted (http, ftp, telnet...)?
  - What Internet sites may be accessed?
  - What may be accessed from the Internet?
- Host security and application security: access vs. security trade-offs
  - FTP access <-> PC virus introduction
  - Mail exchange <-> mail flooding
  - Web server <-> web graffiti
Internet Security Principles
- Simplicity
- Explicit authority
- Untrusted internal network
- Tested Internet
- Educated users
- Secondary defenses
- Chokepoints
Encryption
- Symmetric key
- Public key
- Digital certificates
- Secure Sockets Layer (SSL)
- Digital signatures
Symmetric Key Encryption
- Sandy and Dave share one secret key
- Sandy encrypts the plaintext "Dave, here are the specs" with the secret key, producing the ciphertext x9*hn7$fd#)gk
- Dave decrypts the ciphertext with the same secret key and recovers the plaintext
Public Key or Asymmetric Encryption
- Dave has a key pair: a public key (which Sandy holds) and a private key (which only Dave holds)
- Sandy encrypts the plaintext "Dave, here are the specs" with Dave's public key, producing the ciphertext x9*hn7$fd#)gk
- Dave decrypts the ciphertext with Dave's private key and recovers the plaintext
Digital Signatures
- Sandy encrypts the plaintext "Dave, here are the specs" with Sandy's private key; the result mj3#p%kl@4nv is the signed message
- Sandy then encrypts the signed message with Dave's public key, giving the signed and encrypted message x9*hn7$fd#)gk
- Dave decrypts with Dave's private key to recover the signed message, then decrypts that with Sandy's public key to recover the plaintext
Data Integrity
- Sender: run the message to be sent through a secure hash to get a message digest; sign the digest with the sender's private key to get the signature; send the message, the signature and the sender's digital certificate
- Receiver: run the received message through the same secure hash to get a message digest; decrypt the signature with the sender's public key (taken from the certificate) to get the sender's message digest; if the two digests match, the received message is the message that was sent
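The flows of slides 12 to 14 carried through in working code, as an added example that is not from the presentation: a toy textbook RSA on fixed Mersenne primes with no padding (illustrative only, not a usable keypair), with SHA-256 standing in for the slide's "secure hash". Sandy signs the digest with her private key and encrypts the message with Dave's public key; Dave decrypts with his private key and checks the signature with Sandy's public key.

```python
import hashlib

# Toy textbook RSA on fixed Mersenne primes: fine for illustrating the flow,
# useless as a real keypair (the factors are public and there is no padding).
E = 65537

def make_key(p, q):
    """Return ((e, n), (d, n)): public and private key for a pair of primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)

SANDY_PUB, SANDY_PRIV = make_key(2**127 - 1, 2**521 - 1)    # n about 648 bits
DAVE_PUB, DAVE_PRIV = make_key(2**607 - 1, 2**1279 - 1)     # n about 1886 bits

def rsa(x, key):
    """Modular exponentiation with either half of a key (encrypt/decrypt/sign/verify)."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("value does not fit under the modulus")
    return pow(x, exp, n)

def digest(msg):
    """Slide 14's 'secure hash': SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sandy_sends(plaintext):
    """Sign the digest with Sandy's private key (slide 14) and encrypt the
    message with Dave's public key (slide 12)."""
    signature = rsa(digest(plaintext), SANDY_PRIV)
    ciphertext = rsa(int.from_bytes(plaintext, "big"), DAVE_PUB)
    return ciphertext, signature

def dave_receives(ciphertext, signature, sender_pub=SANDY_PUB):
    """Decrypt with Dave's private key, re-hash, and compare against the digest
    recovered from the signature with the sender's public key."""
    m = rsa(ciphertext, DAVE_PRIV)
    plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return plaintext, rsa(signature, sender_pub) == digest(plaintext)

if __name__ == "__main__":
    ct, sig = sandy_sends(b"Dave, here are the specs")
    print(dave_receives(ct, sig))   # (b'Dave, here are the specs', True)
```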
Digital ID -- "Digital Certificates"
- Identifies a user or a system
- Digital document (a file) that validates the identity of the certificate's owner
- Contains the owner's public key
- Created by trusted third parties called Certificate Authorities (CAs)
- Can be distributed freely; the CA's digital signature prevents tampering
- Certificate contents (example "University of the Internet" certificate): issue date, distinguished name, public key, expiration date, digital signature of the CA
- Internet Certificate Authorities: Verisign, CyberTrust, Entrust, Equifax... many others
- Intranet Certificate Authorities: an AS/400 system can be an intranet CA; most corporations have their own Certificate Authority
Secure Sockets Layer (SSL)
- End-to-end encrypted communication session
- Uses certificates for identification; public/private keys used to prove server identity
- Optional client-side authentication
- Data privacy (encryption)
- Internet or intranet
- Supports HTTP server (https) and LDAP for V4R3; supports Client Access/400, TELNET and DDM for V4R4; more to come
- Applications must be rewritten to use SSL
- SSL version 2.0 for server and 3.0 for client authentication
[Diagram: web browser (Owner: John Doe, Issuer: Verisign) and web server (Owner: Server Corp., Issuer: Verisign) exchange certificates across the Internet; server identity authenticated, client identity authenticated]
SSL Handshake (HTTPS)
1. Client -> Server: Client Hello, with the client's encryption options
2. Server -> Client: Server Hello, the encryption option selected (OK), and the server certificate
3. Client verifies the server certificate; the server is authenticated
4. Client generates a pre-master secret key and sends it to the server encrypted under the server's public key; the master session key derived from it is used to generate the client write-key and client read-key
5. Server decrypts the pre-master secret key with its private key and uses it to generate its own key pair, the server write-key and server read-key (client write-key = server read-key; client read-key = server write-key)
6. Server -> Client: Server Verify, the Client Hello encrypted by the session key
7. Encrypted application data flows in both directions
Protecting a Public Server
- A public server must be secured even if it is isolated or if you have a firewall
- Layers of security:
  - Internet Service Provider
  - Host
  - Communications (TCP/IP)
  - TCP/IP application
[Diagram: Internet?? -> router -> firewall?? -> public server (XYZ Co. home page) and internal network]
Internet Service Provider Security
- Block incoming telnet connections
- Block finger, snmp, ...
- Provide Domain Name Services
[Diagram: Internet -> ISP packet filter and Domain Name Services -> router -> public server (XYZ Co. home page) and internal network]
AS/400 Host Security
- Enable resource security: QSECURITY >= 40
- Password attack prevention: QPWDMINLEN = 6..., QMAXSGN = 3, QMAXSGNACT = 3, QAUTOVRT = 0
- Tightly control "high-powered" profiles: QLMTSECOFR = 1; limit profiles with *ALLOBJ, *SECADM and *IOSYSCFG
- Use object security: the libraries/directories you create should be PUBLIC(*EXCLUDE)
- Verify and monitor: GO SECTOOLS or GO SECBATCH; check passwords (ANZDFTPWD); check security-relevant values (PRTSYSSEC); use the QSYSMSG message queue
[Diagram: Internet -> router -> public server]
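An added example, not part of the presentation and not PRTSYSSEC itself: a check of the slide's system-value settings (QMAXSGN is accepted at or below 3) and of the "high-powered" special authorities, run over constructed sample data in the shape of DSPSYSVAL and DSPUSRPRF output.

```python
# Constructed sample data in the shape of DSPSYSVAL and DSPUSRPRF output
# (not taken from a real system).
SYSVALS = {"QSECURITY": "30", "QPWDMINLEN": "6", "QMAXSGN": "*NOMAX",
           "QMAXSGNACT": "3", "QAUTOVRT": "9999", "QLMTSECOFR": "1"}
PROFILES = {"QSECOFR": {"*ALLOBJ", "*SECADM", "*IOSYSCFG"},
            "WEBADM": {"*IOSYSCFG"}, "QTMHHTTP": set(), "JIM": {"*ALLOBJ"}}

def _num(value):
    """Numeric system values as int; special values such as *NOMAX as None."""
    return None if value.startswith("*") else int(value)

# (system value, test on the displayed value, expected setting) following the slide.
RULES = [
    ("QSECURITY", lambda v: _num(v) is not None and _num(v) >= 40, ">= 40"),
    ("QPWDMINLEN", lambda v: _num(v) is not None and _num(v) >= 6, ">= 6"),
    ("QMAXSGN", lambda v: _num(v) is not None and _num(v) <= 3, "3 (never *NOMAX)"),
    ("QMAXSGNACT", lambda v: v == "3", "3 (disable profile and device)"),
    ("QAUTOVRT", lambda v: v == "0", "0 (no automatic virtual devices)"),
    ("QLMTSECOFR", lambda v: v == "1", "1"),
]

def audit_sysvals(sysvals):
    """Return one finding per system value that misses the slide's setting."""
    findings = []
    for name, ok, expected in RULES:
        value = sysvals.get(name)
        if value is None or not ok(value):
            findings.append(f"{name}={value}, expected {expected}")
    return findings

def powerful_profiles(profiles, watched=("*ALLOBJ", "*SECADM", "*IOSYSCFG")):
    """Profiles other than QSECOFR holding any 'high-powered' special authority;
    the slide says to keep this list as short as possible."""
    return sorted(n for n, auths in profiles.items()
                  if n != "QSECOFR" and auths & set(watched))

if __name__ == "__main__":
    for finding in audit_sysvals(SYSVALS):
        print("system value:", finding)
    print("review special authorities of:", powerful_profiles(PROFILES))
```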
TCP/IP Security
- *IOSYSCFG authority controls who can make changes
- Only start the TCP/IP applications you need (HTTP, mail, FTP, others):
  CHGCMDDFT CMD(STRTCPSVR) NEWDFT('SERVER(*HTTP)')
  CHGTELNA AUTOSTART(*NO)
  CHGWSGA AUTOSTART(*NO)
  ...
- No IP forwarding: CHGTCPA IPDTGRAMFWD(*NO)
- Don't define host names of internal systems
- Define only one route (the default)
Web Server Security
- Lots of things to consider when securing web servers and web applications!
- Server directives
- Protection directives
- Secure data transmission (encryption over the wire): Secure Sockets Layer (SSL), digital certificates, managing digital certificates
- CGI-BIN programs
- Java servlets
Web Server Configuration Directives
- Server directives control which directories can be accessed
- Example requests from the Internet:
  http://www.yourserver.com/app1/main.htm
  http://www.yourserver.com/app1/pgm/update
- Example directives:
  Exec /App1/Pgm/* /QSYS.LIB/APP1.LIB/*
  Pass /App1/* /www/html/app1/*
  DirAccess OFF
- PASS controls which files can be accessed; use MAP and PASS to provide an alias for file locations
- EXEC controls which CGI programs can be run
- Don't mix CGI programs with other programs
- Don't put any sensitive data in directories accessible by URLs
- Don't allow directories to be viewed
[Diagram: libraries (QSYS.LIB): APP1, QGPL, WEBTOOLS; directories: /www/html/App1, /www/html/App2]
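An added example (not the HTTP Server for AS/400's own code) that applies the slide's Exec, Pass and DirAccess directives to request URLs the way the slide describes: the first matching directive wins, an Exec template maps to a program, a Pass template maps to a file, and an unmatched request or a directory listing is refused. Case-insensitive template matching and the rejection of dot segments are assumptions of this example.

```python
import posixpath

# Constructed directive set copied from the slide, processed in this order.
DIRECTIVES = [
    ("Exec", "/App1/Pgm/*", "/QSYS.LIB/APP1.LIB/*"),
    ("Pass", "/App1/*", "/www/html/app1/*"),
]
DIR_ACCESS = False   # DirAccess OFF: never list a directory

def match_template(template, path):
    """Return the part of `path` covered by the template's trailing '*', or None.
    Case-insensitive matching is an assumption of this example."""
    if template.endswith("*"):
        prefix = template[:-1].lower()
        return path[len(prefix):] if path.lower().startswith(prefix) else None
    return "" if path.lower() == template.lower() else None

def resolve(url):
    """Map a request URL to ('file', path), ('cgi', program) or ('deny', reason)."""
    path = url.split("?", 1)[0]
    # Refuse paths that are not absolute or that normalise to something else
    # (dot segments, doubled slashes), so a request cannot step outside a mapping.
    if not path.startswith("/") or posixpath.normpath(path) not in (path, path.rstrip("/")):
        return ("deny", "malformed path")
    if path.endswith("/") and not DIR_ACCESS:
        return ("deny", "directory listing disabled")
    for kind, template, target in DIRECTIVES:
        rest = match_template(template, path)
        if rest is None:
            continue
        mapped = target[:-1] + rest if target.endswith("*") else target
        return ("cgi" if kind == "Exec" else "file", mapped)
    return ("deny", "no Pass/Exec directive matches")

if __name__ == "__main__":
    for u in ("/app1/main.htm", "/app1/pgm/update", "/app1/", "/app2/x.htm"):
        print(u, "->", resolve(u))
```

Order matters: with the Pass line listed first, a request under /App1/Pgm/ would be served through the file mapping instead of being run, which is the mixing of programs and files the slide warns against.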
Web Server Protection Directives
- Server PROTECTION directives control who can access data
- Example security models:
  - Application #1, public application: no userid or password required; programs and data are accessed using a default profile (e.g. QTMHHTTP)
  - Application #2, employees only: AS/400 user profile and password required (basic authentication); programs and data are accessed using the user profile
  - Application #3, limited set of Internet users only: "Internet userid" and password required (basic authentication); userids are entries in a Validation List object; programs and data are accessed using a default profile (e.g. WEBAPP3)
- Normal AS/400 object level security "backs up" the server directives
Additional Web Server Considerations
- Securing the public server is not enough
- Internet users want secure communications (e.g. passwords)
- Internet users want secure transactions (e.g. credit card numbers)
- HTTP Server for AS/400 provides encryption support for HTTP: Secure Sockets Layer (SSL), Digital Certificate Manager, US/Canada and International versions
[Diagram: HTTP Server for AS/400 with server certificate; SSL-encrypted session across the Internet]
Securing Other TCP/IP Applications
- FTP
- Mail
- Various other applications
FTP
- Only support ANONYMOUS FTP from the Internet (FTP client: user=anonymous, password=user@anysys.com)
- Don't use passwords
- Provide an exit program at the Server Logon exit point to select the user profile (e.g. ANYFTPUSR)
- Provide an exit program at the Server Request Validation exit point to determine the allowed operations (e.g. GET only)
- Strictly limit the access of the FTP user
- Don't rely on the client's IP address
[Diagram: FTP server running the session as ANYFTPUSR; "GET" -> OK; libraries (QSYS.LIB): DATALIB, QGPL, WEBTOOLS with *USE / *EXCLUDE authorities; directories /www/html/App1, /www/html/App2]
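An added example, not an actual OS/400 exit program, that models the two exit-point policies the slide recommends over constructed inputs: the logon exit accepts only ANONYMOUS and runs it as ANYFTPUSR (the client IP is deliberately not consulted), and the request-validation exit allows GET only, confined to an assumed anonymous directory /www/html.

```python
import posixpath

ANON_PROFILE = "ANYFTPUSR"   # profile named on the slide
ANON_ROOT = "/www/html"      # assumed: the only tree the anonymous user may read
ALLOWED_OPS = {"GET"}        # slide: GET only

def logon_exit(user, password, client_ip):
    """Server Logon exit point: only ANONYMOUS is accepted from the Internet, and it
    runs under ANON_PROFILE. The password is the customary e-mail address, not a
    secret. client_ip is accepted but never used: the slide says not to rely on it."""
    if user.upper() != "ANONYMOUS":
        return ("reject", "only anonymous FTP is supported")
    if "@" not in password.strip("@"):
        return ("reject", "anonymous password should be an e-mail address")
    return ("accept", ANON_PROFILE, ANON_ROOT)

def request_exit(profile, operation, path):
    """Server Request Validation exit point: GET only, and only below ANON_ROOT."""
    if profile != ANON_PROFILE:
        return ("reject", "unexpected profile for an Internet FTP session")
    if operation.upper() not in ALLOWED_OPS:
        return ("reject", f"{operation.upper()} is not permitted")
    # Resolve the client's path relative to the anonymous root and make sure the
    # normalised result still lies inside it.
    full = posixpath.normpath(posixpath.join(ANON_ROOT, path.lstrip("/")))
    if full != ANON_ROOT and not full.startswith(ANON_ROOT + "/"):
        return ("reject", "path is outside the anonymous directory")
    return ("accept", full)

if __name__ == "__main__":
    print(logon_exit("anonymous", "user@anysys.com", "203.0.113.9"))
    print(request_exit("ANYFTPUSR", "GET", "App1/index.htm"))
    print(request_exit("ANYFTPUSR", "PUT", "App1/index.htm"))
```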
Mail
- A public server should have limited or no mail support
- Don't want to store mail on a system accessible by the public
- Not for general mail delivery
- Set the auxiliary storage threshold
- No *ANY *ANY directory entry
- Directory entries: INFO YOURSYS, SUPPORT YOURSYS (e.g. SMTP mail to support@yoursys.com)
What We Haven't Talked About: Protecting Internal Servers
- Internal host names not visible from the Internet
- Internal addresses do not reach the Internet
- Sensitive data kept behind a firewall
- Private network accessed with encrypted sessions
[Diagram: Internet -> router -> firewall -> internal systems (www.mycomp.com, 192.168.5.23)]
AS/400 Internet Security Summary
- The Internet can be a reasonably safe place to do business
- Caution is advised: poor planning or mistakes could be disastrous
- Cryptography plays a major role
- Internet security is still evolving
- AS/400 security features make it a good Internet server:
  - Proven operating system integrity
  - Excellent host level security
  - Integrated communications security
  - Secure HTTP serving
Additional Resources
- SecureWay, AS/400 and the Internet, G325-6321
- Tips and Tools for Securing Your AS/400, SC41-5300
- AS/400 Internet Security: Securing Your AS/400 from HARM in the Internet, SG24-4929 (Redbook)
- Building Internet Firewalls; Chapman and Zwicky, O'Reilly and Associates 1995, ISBN 1565921240
- http://www.as400.ibm.com/techstudio: AS/400 Security, AS/400 Firewall Solution, AS/400 Host Security Advisor, Operations Navigator Security Wizard
- http://www.ibm.com/security
- http://www.ncsa.com/
- Publications now available via the web: http://as400bks.rochester.ibm.com/
Trademarks
Copyright International Business Machines Corporation 2000. References in this document to IBM products or services do not imply that IBM intends to make them available in every country.
The following terms are trademarks or registered trademarks of the IBM Corporation in the United States or other countries or both: ADSTAR, DataGuide, NetFinity, AIX, OS/2, AnyNet, Network Station, OS/400, Application Development, Information Warehouse, PowerPC, APPN, Integrated Language Environment, PowerPC AS, AS/400, Intelligent Printer Data Stream, Print Services Facility.
cc:Mail, Lotus, Lotus Notes, Lotus Domino, Domino.Action, and Domino.Merchant are trademarks or registered trademarks of Lotus Development Corporation. Microsoft, Windows, NT, and the Windows 95 logo are trademarks or registered trademarks of Microsoft Corporation. UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Java and all Java-related trademarks or logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. IBM's VisualAge products and services are not associated with or sponsored by Visual Edge Software, Ltd. Pentium is a trademark of Intel Corporation. Other company, product, and service names may be trademarks of their respective providers.
Information is provided "as is" without warranty of any kind. Mention or reference to non-IBM products is for informational purposes only and does not constitute an endorsement of such products by IBM. All statements regarding future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or authorized IBM reseller for the full text of the specific statement of direction.