22
Sun, Dec
3 New Articles

System Sentinel: Practical Exit Point Security

Security - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

For many years, you have been repeatedly advised that securing the exit points on a modern iSeries/i5 is critical. And for good reasons. Very few of the iSeries in use today have no need to secure at least one exit point. Because of the increases in the number of "non-5250" ways to get to the box, the authority and access rules that were adequate in the green-screen world no longer cut it.

However, as I stated in my last "System Sentinel" article, there is not always a commitment to do the right thing. The problem I find is that organizations have implemented exit point processing programs either halfheartedly or with no real thought of how to use it. This article offers a few tips on how to really use this security facility that I truly believe is critically important to you.

How We Got Here

First, a little background: In the mid-1980s, IBM introduced a couple of security exit points at the stage in the development of the OS when more and more data access methods were made available on the System 38. The need for these exit points can be simply explained. Imagine a user whose job function included changing an employee's department number in the good old days of native security. This involved signing on and navigating to the "change department number" program through menu options. Then, on executing this RPG program, the relevant files were updated in the background.

To do this, the user would normally be granted authority to update the necessary files, including the employee payroll file. Numerous authority methodologies could be in place to achieve this. But that was OK; the RPG coding was controlling the update, such as which records the user could access, what fields could be changed (only department number), and the acceptable values for department number.

But in the changed world of the newly connected System 38, this all went wrong! Using PC Support (later Client Access and now iSeries Access), that same user could transfer the whole payroll file to a PC, edit it, and send it back. There was nothing to stop the user from changing his own salary (or that of the CEO) or from changing a "Yes/No" flag to a "Z," potentially causing later problems with other data accesses.

OK, maybe this is a slight oversimplification of the problem, but it is valid nonetheless. Since IBM first recognized the exit point requirement, other types of requests that can be processed into the iSeries have been introduced--ODBC, FTP, file transfer, Telnet, DDM, remote commands, etc. You need exit points so that you can intercept the requests and either monitor what is coming through or prevent requests that would normally be acceptable in the view of the native authorities.

Whether you choose to build your own exit point programs (with instructions from IBM at iSeries Information Center; look for "iSeries Internet Security" and "FTP security" for some specific advice) or buy one from a vendor (e.g., Bytware, Kisco, NetIQ, PowerTech, or the company I work for, SafeStone) is up to you, but for most situations, something is necessary.

Collecting Data

Now, let's address what data you collect and what you do with it.

First, do not be surprised if there is a lot of data to be collected and monitored. I have seen many installations where millions of events per day are processed though the exit points. With the modern front-ends to our iSeries applications and the use of more and more PC-based tools to access the iSeries databases, this isn't surprising. In addition, application and tool vendors typically don't explain how their products work under the covers. I've seen fax software that checks data queues every fraction of a second and barcode reader software that performs ODBC-based polling over and over again. It is not my place to say whether this is good or bad application design; however, don't be surprised if you see things you don't expect when you activate your exit point monitor.

Many security administrators looking at exit points for the first time approach tools such as Microsoft Excel and Access as the computer embodiments of evil. That's unfair; applications like these are very important for business and provide powerful tools to help users. Think of them in the same way you think of power saws: Used correctly, they're perfectly safe. But if you ignore the necessary safety mechanisms, you might lose something.

Therefore, when collecting information from the exit point, you must be selective. In IT security, one of the most overused analogies is the "needle in the haystack" principle. But it does apply here. If you have many thousands of transactions to look at per day, how will you ever find the important requests?

This is particularly true for those organizations that have chosen to take the safe route; they have bought exit point software or written it themselves, but all they are doing is monitoring the requests. They are not prepared to take the next logical (and important) step, which is to reject any requests that are unknown. This is normally explained away by fear: "What if we have a 'special' transaction that occurs only once every five years and I don't have an authority rule in my exit point manager? It could stop my business processes!"

While keeping the business running smoothly is an admirable goal, it should not be used as a reason to dilute the attempt to secure your system. If you are not monitoring the exit point requests every day, you are going to either miss something or find out about it too late. The best solution is to reduce the amount of data being collected so that you have less data to audit. The first step to practical exit point security is ensuring that all of the acceptable requests that go through the exit points can be ignored.

The next step is to introduce control of the requests. Your program accepts or denies the request and passes a flag back to the exit point so that the user can be either allowed or disallowed to perform that function. Within this checking process, be as granular as possible in the authorizations you define. This will make your process more flexible as you fine-tune your authorities. By "granular" I mean...

  • Date/time processing--It may be useful to specify that an exit point is available only at certain times on certain days.
  • Function level--It may not be enough to allow a user access through an exit point; you may want to control the functionality of each exit point. For example, you may want to permit a file to be transferred from the iSeries/i5 to the user's PC but not back again to overwrite the file.
  • IP address--Sometimes, it is useful to be able to check that the user is requesting from an acceptable IP address range.
  • Object level--Some exit points lend themselves only to high-level checking (e.g., FTP logon). The user needs only "yes/no" definitions against this exit point. However, for most exit points (e.g., FTP server and client requests), the processing will be more useable if you permit user access to specific libraries, objects, folders, and documents.

Note: As a brief aside, I want to discuss the principle of inclusive/exclusive security checks. On a few occasions, I have spoken to clients who say they want to stop user access to only a couple of files, such as the payroll file and the price file. The user can FTP or file transfer everything else to their heart's desire. This is not standard security practice. We know that a high percentage of fraud is internal, and we know that most iSeries have more high-level (e.g., *ALLOBJ) profiles than the organization is comfortable with. So an unscrupulous user can simply create a copy of the payroll file or price file and then transfer it out of the iSeries. There goes your exclusive security principle.

The final aspect of practical exit point security is the necessity for continued review of the technology. This is not an area of security in which you turn it on, select the requests you want to audit, define your authority rules, and never touch it again! For a number of reasons, you need to keep on top of this technology on a regular basis. For example:

  • Sometimes, a new version of an application can process in a different way. Whether it is your 5250 access software, your business application, or a Microsoft tool, the requests may get processed through a different exit point or in a different way. For example, recent versions of iSeries Navigator process most of their functions through the "remote command/remote program" exit point. Therefore, some security administrators found that a lot of new authorities had to be granted.
  • New versions of the OS may need special actions to be performed. One example of this is the SQL packages created by products like Microsoft Excel. To avoid exit point processing problems IBM advises that "significant changes to the operating system or hardware should always be followed by the deletion of all SQL packages. If you do not perform these deletions, it is possible that your exit point monitoring software will not correctly validate SQL requests. For more details, see SQL Packages Q&A.

Don't be complacent. Repeat testing of your exit point programs whenever you make a major change to your OS level or business applications.

Security You Can Tailor

Exit point security is a great feature that tailors to your environmental needs. On numerous occasions, when demonstrating how we have expanded our iSeries security tools to other platforms in the enterprise, our clients have asked whether we can extend our exit point processing to other operating systems and databases. Unfortunately for them, the processing relies upon the fact that IBM provided the capability to invoke these programs in OS/400. Fortunately for all of us, we work on one of the most securable business systems available today.

Martin Norman is Senior Systems Engineer for SafeStone Technologies, an IBM BP specializing in compliance and identity management. As one of the original developers of SafeStone's security portfolio, Martin has performed security audits and advised on installations for clients throughout the United States and Europe. Martin can be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: