WHITE PAPER
The Networthy iSeries
An effective and secure network services implementation strategy.
SG-001 REV2b, March 2005. Bytware, Inc. All Rights Reserved.
The Networthy iSeries: A Secure Network Services Strategy

Recent security studies show that financial losses due to computer system breaches have increased dramatically in the past several years. In fact, nine out of ten large businesses and government agencies acknowledge system break-ins each year, resulting in losses exceeding $200,000 per organization. Two categories, theft of proprietary information and financial fraud, are the most frequent and most damaging types of security failure. According to the studies, up to forty percent of the damage originates from the Internet, but surprisingly, about two-thirds of the attacks come from inside the firewall, by trusted insiders operating within the corporation.

The Borderless Network

One of the most dramatic challenges to enterprise security is the borderless corporate network. The rapid adoption of network services, telecommuting employees, contractors and consultants, and B2B and B2C e-commerce has eroded the once well-defined borders of corporate networks. Today's enterprises are often so interconnected that when they electronically interact with other companies, they may end up with virtual insiders.

The dilemma arises in the unintentional use of OS/400 public authority. Most iSeries sites have accumulated their corporate resources over time, propagating the default public settings that typically allow any user to read (and potentially alter) any file, or execute any program. Security was often implemented by using menu-based business applications, thus preventing users' access to a command line and limiting access to only the corporate data managed by each application. The dilemma continues when OS/400 security is implemented without considering network services (FTP, ODBC, DDM and Telnet).
As companies implement network services and desktop client applications to conduct business, menu-based applications are phased out or are bypassed, returning the enterprise to relying on its OS/400 security as its only means of defense. An additional source of risk occurs when sites install vendor-supplied software and do not have adequate control over the software's use of network services.

Virtual insiders are the people connected to the corporate network that the enterprise does not know are there. As illustrated in Figure 1.1 below, these connections are unintended and dynamic. They are difficult to include in a traditional security policy, because they often occur when one enterprise grants access to another enterprise. Ubiquitous connectivity is driving fundamental changes in the approaches to enterprise security planning and implementation.

Figure 1.1: Your iSeries operates in a borderless network. Interconnection means that you must also take into consideration virtual insiders.

The iSeries Security Dilemma

OS/400 provides excellent security features, which enterprises may (and should) use to secure their corporate data and commands, regardless of how data is accessed (via terminal sessions or network services). A properly implemented exclusion-based, object-level security policy that includes event logging may reduce or eliminate the requirement for exit-point security.
It is usually not practical or cost-effective to redesign a system to implement an exclusion-based security policy using OS/400's object-level security features. Unless you have fully implemented an exclusion-based, object-level security policy, PC users have unlimited, untraceable access to your iSeries files and programs using their 5250 user ID and password in desktop applications. Additionally, no audit logging or time constraints may be enforced, thus allowing open access to your corporate data resources without monitoring of any kind.

The dilemma is resolved by implementing exclusion-based security, phased in over time to avoid business disruptions. StandGuard implements security by focusing on your users and groups (sources), and their relationship to databases, applications, and objects (resources). StandGuard monitors each network service and command at the OS level, controlling access to your corporate data. The result is highly effective, low-maintenance, flexible security for your iSeries assets.

Figure 1.2: StandGuard's phased approach to exclusion-based security allows you to unobtrusively implement security so that there is no disruption to your daily business operations.

How StandGuard Enforces Security Policies

Exclusion-based security is conceptually simple: access that is not specifically allowed is inherently rejected. StandGuard implements a phased, exclusion-based security approach to secure resources on your iSeries: objects (files, databases and programs, for example), network services (FTP, ODBC, DDM and Telnet) and CL commands. These resources are accessed by sources: end users running client applications on your network. These include common desktop products such as Microsoft Word, Excel, and Access, IBM Client Access, and others.

StandGuard uses the concept of rules to represent sources: entities in your iSeries that identify the specific user, group or location of network service utilization and commands (user IDs, group profiles, authorization lists, and IP address ranges, for example). StandGuard uses the concept of filters to represent resources: objects in the iSeries that identify paths, objects, libraries, etc., that is, resources on the iSeries that sources (users) can gain access to. Filters are organized by rule, and allow or reject access to the network services and resources that you know are, by business practice, either permitted or prohibited.

Rules and filters are the backbone of StandGuard: they identify your corporate assets and control who may access them. You can specify levels of access, for example, granting some users create and read authority, and others delete authority. Filters also can control who may execute commands. The collective body of rules and filters you create is your security policy.

StandGuard allows you to implement your security policies in an existing operating environment, without disrupting your normal network-based business transactions and activities. To achieve this, StandGuard promotes a phased approach to implementation, beginning with an open, trust-based policy, and progressively strengthening security by securing, or turning up, network services on a service-by-service basis (see Figure 1.2, above). As your policy is implemented, tested, and fine-tuned, the result is a lower-risk, exclusion-based security policy, all accomplished without operational disruption.
StandGuard's Phased Implementation

When you first install StandGuard, it silently monitors access to services in your system and logs these events for your review. You can review these events and create filters to specifically allow or reject access to resources. Over the course of a few days or weeks, you will create rules and filters that shape your security policies to:
- control access to specific objects and services
- control access to objects and services during scheduled times
- control access for specific users, groups, and IP addresses
- reject access to objects and services that haven't been granted
- provide an audit log of ongoing activity

Monitoring Phase

During the monitor phase, StandGuard allows network service access to continue unimpeded, so users of these services are not affected in any way. In fact, users are completely unaware that their utilization of network services is even being monitored and logged. In this phase, StandGuard silently collects event records that describe who accessed what resource, what network service was employed, and when it happened. In and of itself, this has no material impact on reducing your security risk: it is at the same level as before StandGuard was installed. However, it provides the data you need to begin identifying sources and resources and the legitimate connections between them. StandGuard provides you the ability to audit the events it generates, so that you develop knowledge of the actual risks you may experience.

Trust-based Security Phase

As you begin implementing your security policies, StandGuard continues to allow network services to function normally and records all events for your analysis. Your goal in this phase is to reduce your high-risk events to a lower risk level as unobtrusively as possible. When you complete this phase of implementation, your security policy is trust-based.
A trust-based security policy identifies resources that should not be accessed by certain sources. Next, you create rules for the sources, and attach filters that reject access to the resources known to be inappropriate for that source. In short, you create a security policy that rejects inappropriate access to resources. All other activities via any network service are allowed, or trusted. In most cases, the development of the trust-based security policy is an ideal phased approach to a strong, exclusion-based policy, because it is the least intrusive method, one that, if implemented correctly, causes no interruption to normal business activity on your system.

StandGuard's phased implementation takes you from monitoring to trust-based to exclusion-based policies, allowing you to build targeted access privileges for effective yet flexible security.

Some iSeries servers are implemented in an environment or used in certain ways that may permit you to maintain a trust-based security policy indefinitely. These characteristics include an iSeries that:
- is not connected to the Internet
- is used by a small corporation
- has a small, stable set of individual users
- has a small, stable set of libraries and objects
- is accessed mostly or entirely via 5250 terminals

However, most iSeries servers operate in a borderless network. The borderless network becomes the primary source of security risk, requiring you to implement an exclusion-based policy to maintain the highest level of security for your corporate assets.

Exclusion-based Security Phase

After a trust-based security policy has been implemented (and stabilized) in StandGuard, you are ready to implement an exclusion-based security policy, again without disrupting normal network services activity. This phase is the one that most significantly reduces your risk of security breaches. Implementing exclusion-based security involves two steps:
1. Identify all sources and their legitimate resources
2. Secure network services and commands

When you identify the sources, you match them with each legitimate resource they can access. Next, create a rule for each source, and attach filters that explicitly allow access to the legitimate resources you've identified. This seems ineffective at first: since you are allowing access to a resource they already have access to, it has no material effect on your existing policy yet. Next, you'll secure each network service by changing the default access from allow to reject. Immediately, requests for network services to access resources from unknown sources, or access to unidentified resources by known sources, are rejected. Unknown sources are those that do not exist as rules in StandGuard; unidentified resources are those that are not identified in StandGuard as filters. In short, your security policy does not include them.
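The rule/filter evaluation described in the two steps above, as an added example that is not StandGuard's own code: a constructed Python model in which a rule names a source (user IDs or group profiles plus optional IP ranges), filters name resources per service with a verdict, each service carries a default of allow (still monitored) or reject (turned up), and events that no rule or filter covers are flagged as "unknown source" or "unidentified resource" for the warnings report. All names, the rule format and the sample policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed model of rules (sources) and filters (resources); the names
# and rule format are hypothetical, not StandGuard's own implementation.

@dataclass
class Rule:
    name: str
    users: set = field(default_factory=set)        # user IDs or group profiles
    ip_ranges: list = field(default_factory=list)  # CIDR strings; empty = any
    filters: list = field(default_factory=list)    # (service, LIB/OBJ glob, verdict)

    def matches(self, user, groups, ip):
        if not self.users & ({user} | set(groups)):
            return False
        addr = ipaddress.ip_address(ip)
        return not self.ip_ranges or any(
            addr in ipaddress.ip_network(r) for r in self.ip_ranges)

# Default per network service: "allow" while a service is still only
# monitored (monitor and trust-based phases), "reject" once it is turned up.
SERVICE_DEFAULT = {"FTP": "reject", "ODBC": "reject", "DDM": "allow"}

def evaluate(rules, service, user, groups, ip, resource, log):
    """Return 'allow' or 'reject' and record the event (with any warning)."""
    src = next((r for r in rules if r.matches(user, groups, ip)), None)
    verdict, warning = SERVICE_DEFAULT[service], None
    if src is None:
        warning = "unknown source"             # no rule describes this user/IP
    else:
        hit = next((f for f in src.filters
                    if f[0] in (service, "*") and fnmatch(resource, f[1])), None)
        if hit is None:
            warning = "unidentified resource"  # no filter covers this object
        else:
            verdict = hit[2]                   # first matching filter wins
    log.append({"service": service, "user": user, "ip": ip, "resource": resource,
                "verdict": verdict, "warning": warning})
    return verdict

def warnings_report(log):
    """Events the administrator should review: the policy did not cover them."""
    return [e for e in log if e["warning"]]

def sample_rules():
    # Constructed policy: the payroll group may use ODBC against PAYLIB from
    # the office LAN only, and may never touch the master file over any service.
    return [Rule("payroll", users={"PAYGRP"}, ip_ranges=["10.1.0.0/16"],
                 filters=[("*", "PAYLIB/PAYMASTER", "reject"),
                          ("ODBC", "PAYLIB/*", "allow")])]

if __name__ == "__main__":
    log = []
    evaluate(sample_rules(), "ODBC", "ALICE", ["PAYGRP"], "10.1.5.7", "PAYLIB/PAYHIST", log)
    evaluate(sample_rules(), "FTP", "BOB", [], "192.168.9.9", "PAYLIB/PAYHIST", log)
    for event in warnings_report(log):
        print(event)
```

Because DDM is left at its monitored default, the unknown-source event over DDM is still allowed but lands in the warnings report, which is exactly what makes the trust-based phase non-disruptive.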
The events that are generated as a result of these two types of activity are recorded and listed in a warnings report, where you can review them and take action. You can make minor adjustments and implement new rules and filters immediately, fine-tuning your security policy over time to adjust to changes in the environment and usage patterns. Upon completion of this phase, you have completed a strong, effective, and manageable exclusion-based implementation without disrupting normal network activity, while shielding your system from network service activity from unknown sources, and from known sources accessing improper resources.

Benefits of Using StandGuard

Complement External Firewall Security

A firewall protects your internal network from Internet access. However, it does not protect your system from internal access or provide any system audit trail. For example, firewalls cannot prevent a file from accidental or intentional deletion. StandGuard provides a complementary layer of security to your general-purpose firewall by monitoring and controlling access to specific network services and resources behind the firewall and within the corporation.

Improve System Availability and Meet Service Level Expectations

StandGuard improves service levels and system availability by significantly reducing the risk of downtime caused by accidental or intentional deletion of corporate data by unauthorized personnel.

Simplify Administration and Implementation of Your Security Policies

StandGuard reduces system administration and saves you money by simplifying security policy implementation and administration.
For example:
- group filters by group profile and location
- apply wildcards to a range of objects (all objects in a library)

Protect Corporate Assets from Unauthorized Viewing, Altering, Theft or Destruction

Two types of activity that may compromise the privacy of corporate data require significant proactive policies: unauthorized viewing and theft, and inappropriate destruction. Data destruction is usually obvious: data has been deleted, altered or corrupted. Unauthorized data alteration is more difficult to identify than data that has been deleted, particularly if only selected records have been altered. Data privacy breaches involving unauthorized viewing of private information or theft do not leave evidence in the data itself; you must look elsewhere to determine if corporate data has been compromised.
StandGuard silently monitors and logs all requests for network services. Unauthorized transactions are rejected, based on your security policies. Allowed transactions are silently monitored, recording details about each file access and each command executed. In the unlikely event of damaging activity, you'll have an audit trail to assist you in reconstructing exactly who performed the activity, how, and when it took place.

Track Authorized Data Access to Comply with Legal Requirements or Corporate Policies

Certain industries maintain public trust by closely monitoring and logging all access to certain classes of data. In the health and medical industry, for example, private data includes patient records, drug purchases, and other key hospital operational information. StandGuard can be configured to log each access to specific data files, databases and other objects, identifying the access by user ID, IP address, time of request, and activities performed. These logs can be recorded for specific time periods, and archived for permanent storage, which may help meet auditing requirements. Monitoring, logging, and archiving in this manner can be a key step in complying with Sarbanes-Oxley and similar legislation.

Log Legitimate Activity as an Audit Trail

No security policy can prevent authorized users who exercise a corporate trust from accidentally or intentionally deleting or damaging data to which they legitimately have access. StandGuard allows you to log all network service activities, including those that track legitimate, normal access to data and transactions. These event logs may help mitigate data damage by clearly identifying the source that accessed the resource that was damaged, when it occurred, and via what network service.
Protect from Insider Malicious Intent

Most corporations focus on two general types of security to prevent unauthorized use or destruction of corporate data and resources: physical security (preventing unauthorized personnel from accessing personal computers or terminals), and network security (implementing firewalls, VPNs and other electronic security measures). Both are intended to reduce unauthorized access from people who are not a legitimate part of a corporate community. However, inside jobs are perpetrated by people who are authorized employees, contractors, clients or consultants.
These security breaches are the most difficult to track, prevent and prosecute. If you are alerted by a corporate officer or security personnel to an employee who may have reason to compromise or destroy corporate data, you can use StandGuard to quickly and without notice implement specific security policies to track the individual's activity. You can set up rules that track the person's user ID, and filters that monitor and control access to all commands, objects, IFS file access and native file access. These rules and filters log all activity for potential use in corporate or legal actions.

For additional information about StandGuard, please visit bytware.com/products/standguard.html.

StandGuard's Key Features

Rules-based Security
- Create rules for users, groups, locations
- Create filters to allow or reject specific types of operations to files, programs, and IFS objects
- Specifically or generically identify sources and resources
- Perform actions when specific events occur
- Proactively monitor activity
- Interface with Messenger products for event management, escalation and notification

Monitors and Secures
- FTP
- ODBC/SQL
- Telnet
- DDM/DRDA
- NetServer (Network Neighborhood)
- Integrated File System (IFS)
- CL Command Keywords

Services Monitoring and Security
- Allow or reject requests for services from users, groups, and locations
- Apply schedules to control when iSeries resources are available for specific users, groups and locations
- Provide audit trail of service usage, such as Telnet logins

Audit Journal Monitoring
- User-configurable filtering of events from the OS/400 Security Audit Journal
- Perform actions when events are found, such as notifying administrators when system values are changed, or user profiles are disabled
- Provide audit trail of critical events

Command Monitoring
- Monitor and secure usage of CL command keywords, such as PWRDWNSYS RESTART(*NO)
- Override keywords for specific users and groups, such as RESTART(*YES) for QSYSOPR
- Reject specific keywords for users and groups
- Provide audit trail of keyword usage

Reporting
- Log events for selected users, groups, files, operations
- Service and filter usage
- Search and print events
- Automatic cleanup

Actions
- Send messages
- Run commands
- Alerts via an interface with Bytware's Messenger automated monitoring, notification, and consoling solutions

Helps with Sarbanes-Oxley Compliance
Helps meet the following COBIT objectives:
- PO9.2: Risk Assessment Approach
- AI3.7: Use and Monitoring of System Utilities
- DS5.1: Manage Security Measures
- DS5.2: Identification, Authentication, and Access
- DS5.3: Security of Online Access to Data
- DS5.5: Management Review of User Accounts
- DS5.7: Security Surveillance
- DS5.10: Violation and Security Activity Reports
- DS5.17: Protection of Security Functions
- DS5.19: Malicious Software Prevention, Detection, and Correction
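The command-keyword monitoring listed above (reject PWRDWNSYS RESTART(*NO), override to RESTART(*YES) for QSYSOPR, audit every decision), as an added example that is not StandGuard's own code: a constructed Python checker that parses a CL command string into its keyword values, applies per-user or per-group overrides before the reject list is consulted, and returns the verdict together with an audit record. The policy format, the function names and the single-level keyword parser are assumptions.

```python
import re

# Constructed example of CL command-keyword monitoring; the policy layout and
# function names are hypothetical, not Bytware's implementation.

# Matches KEYWORD(value); nested parentheses are not handled in this example.
KW_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)", re.I)

def parse_cl(cmd):
    """Split 'PWRDWNSYS OPTION(*IMMED) RESTART(*NO)' into (name, {keyword: value})."""
    name, _, rest = cmd.strip().partition(" ")
    return name.upper(), {k.upper(): v.upper() for k, v in KW_RE.findall(rest)}

# Per command: keyword values rejected for everyone, and per-user/group
# overrides that replace a keyword value before the reject list is applied.
POLICY = {
    "PWRDWNSYS": {
        "reject": [("RESTART", "*NO")],               # no power-down without restart
        "override": {"QSYSOPR": {"RESTART": "*YES"}}, # operator always restarts
    }
}

def check_command(cmd, user, groups=()):
    """Return (verdict, command to run or None, audit record)."""
    name, kw = parse_cl(cmd)
    record = {"user": user, "command": name, "keywords": dict(kw)}
    rules = POLICY.get(name)
    if rules is None:                      # command not monitored: pass through
        return "allow", cmd, record
    for who in (user, *groups):            # user-level and group-level overrides
        for k, v in rules["override"].get(who, {}).items():
            if kw.get(k) != v:
                record.setdefault("overrides", []).append((k, kw.get(k), v))
                kw[k] = v
    for k, v in rules["reject"]:           # rejected keyword values, post-override
        if kw.get(k) == v:
            record["rejected"] = (k, v)
            return "reject", None, record
    rebuilt = name + "".join(f" {k}({v})" for k, v in kw.items())
    return "allow", rebuilt, record

if __name__ == "__main__":
    for who in ("ALICE", "QSYSOPR"):
        print(who, check_command("PWRDWNSYS OPTION(*IMMED) RESTART(*NO)", who))
```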
Bytware, Inc., 9440 Double R Blvd., Suite B, Reno, NV 89521-5990. Telephone 775.851.2900, facsimile 775.851.2995, sales 800.932.5557. 2005 Bytware, Inc. All rights reserved.