Controlling Remote Access to IBM i




Controlling Remote Access to IBM i White Paper from Safestone Technologies

Contents
IBM i and Remote Access ... 2
An Historical Perspective ... 2
So, what is an Exit Point? ... 2
Hands on with Exit Points ... 3
What can Exit Programs Do? ... 4
Monitor Traffic ... 4
Securing Traffic ... 5
Securing Objects ... 5
Swapping Profiles ... 6
Supplemental Exit Programs ... 6
Summary ... 6
About Safestone ... 8
Safestone's Solutions ... 8

IBM i and Remote Access

IBM i and remote access security is a topic that has been around for almost as long as the IBM i itself, and much has been written about it since the platform's inception in the late 1980s. An industry of ISVs (independent software vendors) has developed and matured which provides exit point software to many organizations. Exit point security versus native security in the Operating System (OS) has long been debated, to the point where little new argument has emerged recently on the subject. Nevertheless, questions still remain about exit points on IBM i, and this white paper aims to cover and resolve them.

An Historical Perspective

In the 1990s IBM introduced the TCP/IP stack and the Host Servers on IBM i, or OS/400 as it was known then. This was done in order to keep the IBM i relevant, as the marketplace evolved and as servers needed to connect to the network. These new protocols were not native to the operating system, and IBM ultimately recognized it had created a huge security hole. The problem was that before the stacks were introduced, menu security had been very effective at keeping users from accessing data directly. After their introduction, this was seriously compromised. Menu security provided excellent end-user security in the days of dumb displays and twinax cabling, but just wasn't effective after PCs began to connect using telnet over a network. Telnet wasn't the problem, but other protocols like FTP, ODBC and Remote Command were. Once users could bypass their menus and get to data using network access without any menu or program control, the security flood gates were opened.

So, what is an Exit Point?

Having realized they had created a problem, IBM also recognized it wasn't an easy one to solve. The native operating system on IBM i couldn't secure this new server traffic, so the exit points were born.

They are nothing more than APIs (Application Program Interfaces) associated with each network server. They receive information from, and send information to, their network server. The information they receive includes the server and function that has been accessed, and the IP address and user associated with it. It can also include information about the data associated with the traffic, for instance the library and file that were accessed during an FTP connection. The exit point also sends information back to the network server. The most important information sent is a yes or no, as to whether the traffic should be allowed. The key to understanding exit points is that they call a user-written program that is registered to the exit point; the program processes the information passed to it, and then returns a yes or no to the exit point, as to whether the traffic should be allowed. IBM didn't want to write the exit programs, but preferred to provide the framework so that system programmers could write them. Exit points are the hooks into network servers that exit programs use to secure the TCP/IP and Host server traffic.

Figure 1

Figure 1 provides a graphical view of how a network server, an exit point and an exit program are designed to secure network traffic. Exit points have been described as a software firewall, and this is a reasonably good analogy. Hardware firewalls and exit points both provide visibility into details about traffic on the network, and allow you to control that traffic. There are certainly differences between them and what they are capable of, but both perform similar functions, allowing the monitoring and securing of network traffic.

Hands on with Exit Points

There are hundreds of exit points which ship as part of the IBM i OS. They provide access and control over a number of areas, such as cryptographic support, managing profiles and commands, Mail Server Framework, and other system functions. The exit points associated with network access are those that control TCP/IP services like FTP and Telnet, and the Host Servers such as Database and Remote Command. You can view and manage the exit points by running the command WRKREGINF. Option 8 will display any exit programs associated with the exit point, and you can add or remove exit programs using this option.

Figure 2

Figure 2 shows an FTP Exit Point using the WRKREGINF command.

What can Exit Programs Do?

The exit program functionality can help to better secure the IBM i. Indeed, there are a number of areas where exit programs can be valuable in providing an organization with better security than it would have without them.

Monitor Traffic

The first thing anyone who registers an exit program sees is what their network traffic looks like. This can be an eye-opening experience because the traffic is very foreign to IBM i administrators. It must be remembered that the TCP/IP stack isn't native to IBM i; there is no way to look at network traffic in the native OS, so it must be captured and viewed using an exit program. Having visibility into which users are accessing network servers is good security practice, and invaluable if forensic analysis needs to be performed. Some exit points provide enough detail to the exit program to enable you to see which file the user accessed and whether it was changed or viewed. It is important to note that network traffic can be very high volume, creating many thousands of transactions an hour in busy environments. It is important to be able to filter not only the traffic which is captured, but also what is reported on. Network traffic which represents activity associated with business applications does not need to be logged or reported on. If you do log and report on all daily traffic, it becomes much harder to find the traffic that lies outside application traffic and is much more interesting from a security viewpoint.

Figure 3

Figure 3 displays network traffic.

Securing Traffic

Another feature which exit programs can provide is the ability to secure network traffic. All the exit points return a yes or no to the network server job, as to whether that transaction should be allowed. The exit program can enforce rules about which users and IP addresses should be allowed to use the different network servers. Well-written exit programs can globalize users and IP addresses so that a few rules apply to many situations. This simplifies the initial setup and makes ongoing maintenance more manageable. An example of globalizing users is entering a group profile or supplemental group profile in a user rule to allow everyone in the group access. IP addresses can be entered as wildcards so that 10.1.1.* allows all 255 addresses instead of requiring 255 individual rules. There are situations where it is necessary to have network access secured at specific times and not others. An organization's security policy might allow all traffic during working hours, but restrict it after hours and on weekends. Time-dependent rule enforcement is an enhanced option found in fully-featured exit programs.

Securing Objects

Sophisticated exit programs have the ability to specify which objects users are allowed to access. This can only apply to network servers which access data, such as DDM, FTP or ODBC, but nevertheless is a powerful feature. It is important to note that native IBM i security is the best way to secure file access, because the file is secure regardless of how the user accesses it. The exit points can't secure a file if a user runs an SQL command from a command line or changes the file using DFU (Data File Utility), because no network connection was made. However, it is much more complex to reengineer the public access to data, especially if the applications were created by a third-party software vendor. The exit points make it very easy to allow or restrict access to data as long as that access is made using a TCP/IP or Host server connection. For instance, it is simple to restrict a user to a specific file when they run an FTP file transfer, if the FTP exit program supports securing objects.

Swapping Profiles

Another function which an exit program provides is the ability to change the identity of a user when they access a network server. This is very useful in IBM i shops, since most have a security model which allows users too much access to production data. Using a combination of native IBM i security and the swap profile APIs, an exit program can swap a user to a different profile with read-only access to the data. Exit programs which allow this can make ODBC connections read-only for any chosen user, and that user will not be aware that the swap has occurred.

Supplemental Exit Programs

A very powerful feature that extends exit point functionality is supplemental exit programs. Exit points only allow a single exit program to be registered to them. The idea behind a supplemental exit program is that if the exit program registered to the exit point doesn't provide the functionality required, the registered exit program can call a second program. The second program is passed the same parameters the registered program received from the exit point, and does whatever additional processing is required. It returns the yes or no to the registered exit program, which uses it to decide how to handle the traffic. This is extremely useful for those who have purchased third-party exit programs which meet most of their requirements, yet need some additional functionality unique to the business.

Summary

This paper has discussed why the exit programs were created and provided a basic understanding of how they work. They can supplement native security on IBM i and make an organization more secure. Exit programs have become more sophisticated and offer a wide range of functionality which IBM probably never imagined when they created the exit points. Safestone Technologies created Network Traffic Controller (NTC) as the module in the DetectIT Security Suite which secures network access. NTC includes the features discussed in this paper, and many others, that allow you to quickly and easily make the IBM i more secure. Writing exit programs is not for the faint-hearted. They are very technical, and most network servers have unique characteristics that can be complex to understand. A sophisticated system programmer can certainly write their own exit programs. IBM offers sample exit programs on its website at the following link: http://www-01.ibm.com/support/docview.wss?uid=nas19da47e690dc4c0368625677d0077f4cd

The challenge a business faces is that the skills needed to write useful and efficient exit programs could be better spent helping grow the core business. Most businesses find that it makes most sense to purchase exit programs that meet their requirements and create supplemental exit programs if they need additional functionality.
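The decision an exit program makes, as described under Securing Traffic and Supplemental Exit Programs, modelled in Python as an added example that is not part of the white paper and is neither IBM's nor Safestone's code: rules globalized by group profile and IP wildcard, a working-hours window, and a supplemental program that sees the same request. The field names, the rule format, the sample policy and the way the two verdicts are combined are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Callable, Iterable, Optional
# Field names are assumptions standing in for the parameters an exit point
# passes to its exit program (server, function, user, IP); not IBM's layout.
@dataclass(frozen=True)
class Request:
    server: str          # network server, e.g. "FTP" or "ODBC"
    function: str        # e.g. "GET", "PUT", "CONNECT"
    user: str
    groups: frozenset    # group profile and supplemental groups of the user
    ip: str
    when: datetime

@dataclass(frozen=True)
class Rule:
    server: str = "*"                          # "*" matches any server
    users: frozenset = frozenset({"*PUBLIC"})  # user or group profiles; *PUBLIC = anyone
    ip_pattern: str = "*"                      # globalized IP rule such as "10.1.1.*"
    hours: Optional[range] = None              # None = any time; range(8, 18) = 08:00-17:59
    allow: bool = True

    def matches(self, r: Request) -> bool:
        who = "*PUBLIC" in self.users or r.user in self.users or bool(self.users & r.groups)
        when = self.hours is None or r.when.hour in self.hours
        return fnmatchcase(r.server, self.server) and who and fnmatchcase(r.ip, self.ip_pattern) and when

def registered_exit_program(rules: Iterable[Rule], r: Request,
                            supplemental: Optional[Callable[[Request], bool]] = None) -> bool:
    """Return the yes/no the exit point expects: first matching rule wins, no match rejects.
    A supplemental program gets the same request; traffic passes only if both say yes (assumed)."""
    verdict = next((rule.allow for rule in rules if rule.matches(r)), False)
    if verdict and supplemental is not None:
        verdict = supplemental(r)
    return verdict

def block_uploads(r: Request) -> bool:
    """Supplemental program (constructed policy): FTP uploads only for the admin group."""
    return not (r.server == "FTP" and r.function == "PUT") or "GRPADMIN" in r.groups

# Constructed rules: finance may use FTP from the office LAN in office hours, the
# application server may use ODBC at any time, and everything else is rejected.
RULES = [
    Rule(server="FTP", users=frozenset({"GRPFIN"}), ip_pattern="10.1.1.*", hours=range(8, 18)),
    Rule(server="ODBC", users=frozenset({"APPSRV"}), ip_pattern="10.1.2.5"),
    Rule(allow=False),
]

# Constructed sample traffic as an exit program would see it.
SAMPLE = [
    Request("FTP", "GET", "JSMITH", frozenset({"GRPFIN"}), "10.1.1.42", datetime(2024, 3, 5, 10, 15)),
    Request("FTP", "PUT", "JSMITH", frozenset({"GRPFIN"}), "10.1.1.42", datetime(2024, 3, 5, 10, 20)),
    Request("FTP", "GET", "JSMITH", frozenset({"GRPFIN"}), "10.1.1.42", datetime(2024, 3, 5, 22, 30)),
    Request("ODBC", "CONNECT", "APPSRV", frozenset(), "10.1.2.5", datetime(2024, 3, 6, 3, 0)),
    Request("ODBC", "CONNECT", "JSMITH", frozenset({"GRPFIN"}), "192.168.5.9", datetime(2024, 3, 5, 11, 0)),
]

def decide_all(requests: Iterable[Request]) -> list:
    """Evaluate each request; returns the allow/reject verdict per request."""
    return [registered_exit_program(RULES, r, block_uploads) for r in requests]
```

The second sample request shows the value of chaining: the registered program's rules allow the finance user's FTP session, and the supplemental program then rejects the upload that the purchased rules alone would have passed.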

About Safestone

Safestone is the leading supplier of security, audit and compliance solutions for IBM Power Systems (i, AIX, Linux). The module-based solutions are flexible, scalable, and easy to implement and use, and address all varying degrees of audit, compliance and security requirements. An Advanced IBM Business Partner and long-standing member of the IBM i ISV Advisory Council, Safestone helps businesses meet compliance regulations (Sarbanes-Oxley, PCI DSS, Basel II, HIPAA) and information. Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Their global network, developed over more than 21 years, provides localized sales, consultancy and professional services to help organizations manage all their System i security requirements.

Safestone's Solutions

Security Audit and Detection: comprehensive real-time intrusion detection and alerting, allowing pro-active management of security events and potential breaches.

Risk & Compliance Monitor: identifies policy compliance vulnerabilities by reporting against off-the-shelf policies (SOX, PCI, Basel II, ISO 27002 etc.), and in so doing helps to prepare organizations for audit.

Powerful User Passport: enables system administrators to limit the number of powerful users. It provides auditors and management with a comprehensive audit trail of user activities.

Password Self-Help: enables users to reset their own passwords on System i immediately, without needing to call the Help Desk and wait for the request to be processed. The user is presented with a series of challenge-response questions to validate their authenticity. If approved, the password reset is made instantly.

Compliance Center: a powerful and flexible query-based reporting solution that simplifies the task of collecting and converting a vast array of audit, compliance and security events into compliance reports. Reports can be scheduled and automated with easily read graphics. This multi-platform tool collects data across IBM Power Systems (i, AIX and Linux).

User Profile Manager: provides full identity management across multiple System i machines / partitions.

For more information please contact info@safestone.com, or call 800 558 3544 (US) or +44 (0) 1494 442396 (UK).