Are you still debating the argument surrounding network exit points?

PowerTech began selling a network exit point solution more than 16 years ago. Since then, hundreds of customers have embraced the concept of exit points, making Network Security our best-selling solution. However, many people remain unaware of the existence of exit points while others declare that they don't need them. Why is there such a marked difference of opinion? And who's right?

What's An Exit Point?

An exit point is the stage in a process when a user-written program, known as an exit program, can be invoked in order to enhance the functionality of the original process. Some exit points only allow the exit program to perform an auxiliary function. Others return a pass/fail code that directs the original process to continue or to stop processing.

Software vendors sometimes provide exit points within their applications to enable functionality that can't be provided in the base application, and IBM i contains exit points for many system functions and for pre-processing transactions coming through network interfaces, such as FTP and ODBC.

So What's the Big Deal?

The mere presence of an exit program does not make the exit point more secure. To add value to the security infrastructure, a network exit program should perform two basic functions: 

• Access Control—The exit program should support access rules that determine whether a requested operation is allowed or rejected. Network exit points support the return of a pass/fail code, ensuring that users perform only permissible actions, regardless of how openly IBM i's object authorities are configured. 
• Auditing—Despite IBM i's comprehensive auditing facilities, moving data to and from the network isn't an auditable event. Best practices dictate that exit programs have the ability to record a user request into a tamper-proof repository. Real-time notification is also desirable as the most benefit comes when the server can proactively notify the security officer that an event has occurred.

Why Wouldn’t Everyone Want Them?

So why do some people believe that network exit programs are unnecessary? At first glance, users accessing data via network protocols appear to be utilizing a "back door" into the database. While some interfaces surprisingly do allow commands to be executed by limited-capability users, the reality is that IBM i object authorization still reigns supreme, regardless of the access methodology.

The problem is that many organizations base "security" solely on legacy techniques and ignore object-level controls. Legacy techniques work well for green-screen users but fall short against powerful desktop access tools.

I contend that a solid foundation provides the best chance of securing your server, but often circumstances prevent its full implementation. An exit program can facilitate access control and auditing, leaving the original legacy security to effectively control 5250 users.

However, even well-secured systems running without exit programs could suffer in two areas: 

• No Flexibility—IBM i supports only one object authorization setting per user. A user might require different access levels when using a legacy application versus an ODBC connection or FTP script. An exit program can provide the ability to programmatically designate separate authorities.
• No Auditing—People are often surprised that there's no auditing of data movement across the network. This contravenes every audit standard that demands a trail of events be recorded. Data breaches usually involve data being leaked from the server it resides on, so auditing and notification via exit program is critical.

Performance is a consideration when deploying an exit program, and steps should be taken to minimize the overhead. First, ensure that the exit program is coded optimally to handle large volumes of transactions. Then, consider the types of applications in use. Use an exit program that can switch off functionality so that the performance impact can be gauged before activating all features.

Build vs. Buy

Significant evidence supports the fact that well-written exit programs add value to an organization. Experts agree that commercial exit program solutions, such as PowerTech Network Security, are typically far more robust and functional than programs developed in-house.

In the 2012 "State of IBM i Security" study, 66% of audited servers had no exit programs, and nearly 10% of those that did had only one exit point covered. It's rare for internal programmers to include the necessary functionality in their exit programs. Auditors frown upon self-policing, and writing exit programs to monitor one's own activity is a conflict of interest that fails the separation-of-duties requirement of most compliance standards.

Make a Dramatic Exit

My suggested action items include: 

• Request a free Compliance Assessment to determine how much access your network users have and if you have exit programs registered to IBM i's network exit points to control and audit them.
• Evaluate the use of existing network services on your server by installing a trial of PowerTech Network Security.

For more information on PowerTech's comprehensive suite of security solutions for IBM i, visit www.powertech.com.

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached at 952.563.2768 or This email address is being protected from spambots. You need JavaScript enabled to view it..