28
Sat, Dec
0 New Articles

Security Patrol: What Does Security Have to Do with High Availability and Disaster Recovery?

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

High availability (HA) and disaster recovery (DR) involve multiple systems as well as some type of data replication solution. Some people interchange the terms, but they are actually quite different and often require different security considerations. Let's look at some scenarios and discuss the security implications.

HA Scenario #1

This scenario involves two or more systems. All are "hot," and database updates on one system are propagated out to the rest of the systems. This situation often involves load-balancing software or hardware. A good example is a set of machines servicing high-volume Web sites. A request comes in and is "routed" to one of the systems. If the load-balancer does not receive a response from one of the systems for a period of time, it "knows" to not send any more "real" requests to that system until the system starts responding again to "test" requests sent by the load-balancer. In this scenario, it is critical that all systems be configured exactly the same way. System values, application profiles, application object *PUBLIC and private authorities, ownership of application objects--it's vital that you keep all of these exactly the same on all systems; otherwise, the application could start to fail.

All HA scenarios require careful consideration of application security schemes, but this particular scenario demands it. This scenario often occurs in a high-volume online retail environment in which credit card numbers and expiration dates are part of each transaction. As stated, all transactions are propagated to all of the other systems in the configuration. That means that the opportunity for a hacker, a devious employee, or a vendor to abuse a poorly designed application security scheme is the number of database files containing a credit card number times the number of systems in your configuration. You should seriously consider setting the *PUBLIC authority of these application databases to *EXCLUDE and re-working the application so that only an application profile can access these files. You may also want to consider encrypting the credit card numbers. You will also want to ensure that the profiles on these systems belong to users who have a direct business need to access these systems and the data that resides on them. All other profiles should be removed.

HA Scenario #2

This scenario typically involves two systems--one production and one backup--and it can apply to two configurations. In either configuration, "real" work occurs on the production system, and the transactions are subsequently reflected on the backup system. Real work never occurs on the backup system except in the case of a failover--that is, the production system is unavailable because of a disaster (such as a fire or flood), a failure (such as electrical or disk pack), or scheduled hardware or software maintenance. One configuration has the iSeries acting as the Web server with a Web site available on the Internet. In this case, when the systems failover, the external IP address of the Web site remains constant, but instead of being routed to the production system, it is routed to the backup system. Another configuration has the iSeries running mission-critical "back office" applications.

Once again, it is vital that system values, application profiles, application object *PUBLIC and private authorities, and ownership of application objects be kept consistent across both systems. You can usually keep these in sync with proper configuration of your replication software. For those of you who have the luxury of truly keeping one of those systems offline to use only when you have to failover to the other system, let's discuss some of the considerations you'll want to make:

Clean up your systems. All products and applications have security considerations that you should make decisions about. Replicating unused products and libraries doubles the exposures and chances for abuse. Unused profiles that can still sign on are one method that disgruntled employees or ex-employees use to breach the system--or, in this case, systems.

Systems running OS/400 typically hold vital corporate data. Replicating garbage (unused objects) and having a poorly implemented security scheme double your chances for a breach. You should carefully examine your security scheme to ensure it meets your corporate requirements for ensuring data integrity, confidentiality, and privacy. "This is one of the biggest concerns we have for our customers," says Ken Zaiken, VP of Research and Development of MIMIX at Lakeview Technology, one of the recognized leaders in HA solutions. "Our products can make sure that a security scheme is implemented on the backup system so that it exactly matches the production system. That's great in the case where they have locked down their confidential data, given appropriate authorities and capabilities to users, and set the security systems values to reasonable (secure) settings. However, if they haven't implemented a solid security scheme, they are now doubling their exposures."

Isolate the backup system. If the backup system is truly used only for backup purposes, what measures have you put in place to ensure that users can't get to the backup system and change the data? There are a couple of ways to accomplish this. You can turn off all of the communication and TCP/IP services except those required by your HA vendor software. Or you can use packet filtering rules to limit where incoming requests originate from. In other words, allow incoming requests only from the production system. You can further limit access by using an exit program to allow requests only when they're made by the vendor's application profile.

The more sophisticated HA solutions, such as Lakeview's MIMIX, have a configuration option to set profiles created on the target system to status *DISABLED and then to re-set them to status *ENABLED when a failover occurs. This ensures that users cannot access the system except in the case of a failover. If your HA software doesn't do this for you, you may want to consider writing a program that performs this function.

Examine the use of exit program software. If you are using an exit program solution to protect your network interfaces, you have a decision to make. Either you can purchase another license and protect your backup system with a totally separate set of rules or you can replicate the rules database to the backup system and only implement the rules in the failover condition. As noted above, you can use exit program software to help isolate the backup system from being accessed, but if this is not a concern, it may be sufficient to only replicate the rules database. In either case, you will want to talk to your exit program vendor to understand which databases need to be replicated and what procedures to follow in the case of a failover to ensure that the software is enforcing the proper set of rules.

HA Scenario #3

Scenario #3 looks much the same as Scenario #2, but the backup system is used for other purposes. This may include running queries against real-time production data without incurring the overhead on the production system and running additional, but typically less vital, applications. "This is the HA scenario we see most often," says Zaiken. "It is rare that you see a system used solely as a backup machine. Using backup systems to run non-production tasks (such as queries) boosts productivity in addition to providing protection."

Since users are allowed to access the backup system to perform legitimate job functions, how do you keep production data from being updated, especially if these users are allowed to update the data when running in production mode? Let's examine the options.

Application objects are *PUBLIC(*EXCLUDE). Users are allowed to run other applications. If your application objects are excluded from use except through use of the application (that is, the application uses adopted authority to access application objects), all you have to do is prohibit users from accessing the application. While this might sound easy, it will be a bit of a challenge if the profiles being replicated have an initial program that automatically brings the user directly into the application. If you set this program to *PUBLIC(*EXCLUDE), users will not be able to sign on to the system. In this case, you will have to find another program or programs to secure so that users can sign on but not run the application. Then, in the event of failover, you will have to set these programs back to be accessible.

Application data is allowed to be queried. This is the scenario I have seen most often. While there may be additional applications a user can run, users' access to the backup system is usually to allow for querying of real-time production data. So how do you easily switch between restricting users to only allow querying (that is, having *USE authority to the data) and having sufficient authority to update data (that is, having *CHANGE authority to the data) when in a failover situation? A solution I architected for one client uses authorization lists. This method can be applied whether the *PUBLIC authority needs to be changed, a private authority needs to be changed, or the owner's authority needs to be changed. How does it work? All of the objects that can be updated during an application's normal processing--database files and data areas, for example--are secured with an authorization list. Then, whatever method is used for users to gain authority to update these application objects is managed via the authorization list. For example, if the application requires a user to have *CHANGE authority to the application database files to run the application, you can enable this requirement by granting the user or the user's group profile authority to the authorization list. While the system is in backup mode, you grant the user or group *USE authority. This enables them to query the production files residing on the backup system but not to update them. When a failover situation occurs, the only authority you have to update is to change the user's or group's authority to the authorization list from *USE to *CHANGE. One quick and simple change enables updates to production data on the backup system.

If the application's security scheme relies on objects' *PUBLIC authority, you change the authorization list's *PUBLIC authority from *USE to *CHANGE. To make this work, when you secure the objects with the authorization list, you will need to set the objects' *PUBLIC authority to the value *AUTL, which indicates to OS/400 that the object's *PUBLIC authority is to come from the authorization lists' *PUBLIC authority setting.

If the application uses adopted authority and the profile that is being adopted has private authority to the application's database files (rather than owning them), simply secure the objects with the authorization list. Grant the application profile *USE authority to the authorization list when in backup mode. When in failover mode, change the application profile's authority to *CHANGE.

If the application uses adopted authority and the profile being adopted owns both the programs and the database files, you will have to remove the owner's authority to each object, secure the objects with the authorization list, and grant the application's owning profile either *USE or *CHANGE to the authorization list, depending on the mode in which the system is currently operating. Removing the owner's authority from each object is a bit strange, I'll admit, but unless you do, the authority OS/400 recognizes and uses will be the owner's authority to the object, not the owner's authority to the authorization list.

Disaster Recovery Scenario

In this scenario, you must recover your system after a disaster. Suppose you have systems that have not been kept in sync, and one system is lost through either a natural disaster or a catastrophic hardware failure. What do you do? Hopefully, you've done some--better yet, a lot--of planning for this scenario. If you have planned, then your backups are current and are recoverable from wherever you store them. Your system has been repaired or you are at a hot site, and now you have to bring up a system, configure it, and restore everything so that you can continue to do business.

The most time-saving step you can make is to ensure that you restore your objects in the order and method described in IBM's OS/400 Backup and Recovery manual, SC41-5304. After restoring OS/400, you must restore your user profiles (RSTUSRPRF *ALL), then your objects (e.g., applications, user libraries, device descriptions, etc.), and then the private authorities (RSTAUT). When restoring objects before user profiles, most profiles that own the objects won't yet exist on the system. Therefore, OS/400 has to set all objects owned by non-IBM profiles to be owned by the IBM-supplied profile QDFTOWN. This can have disastrous affects on application authorization schemes. Worse than that, this scenario is basically unrecoverable. Even if you restore the user profiles and then restore all of the objects again, the objects will remain owned by QDFTOWN. That's because, when an object already resides on the system and is restored again, OS/400 takes the ownership from the existing object, not from the owner of the object on the media. The only way to recover from this scenario is to start all over--that is, remove all the objects from the system and then do the restore process in the correct order.

Properly Managed, It's a Good Thing!

HA technology has provided the capability to keep businesses running when a system becomes unavailable. But it is not without its security challenges. Just because a sound and robust security configuration is replicated from a source system to a target system does not ensure that the target system will stay securely configured. I have been to sites that have implemented HA and data replication software where the target system has different--typically less secure--settings than the source system. Has the vendor product failed? No. These differences are typically due to inattentive or misinformed system administrators restoring or setting back-level values. In other words, once you have your source system cleaned up and securely configured, do not assume that your target system(s) will automatically stay that way. Just as you need to monitor your source system's security scheme, you also need to watch your target systems.

Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting and services and offering the recently released software, SkyView Risk Assessor for OS/400. Carol has over 13 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol's second book, Experts' Guide to OS/400 Security, to be released soon. Carol can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: