As concerns about cyber security grow, even the reliable IBM i can use some protection help against myriad threats. Here are more than 50 products that can help you.
The start of a new year is always a good time to review and refresh our longstanding outlooks on a variety of topics, and computer security is certainly a deserving one. IBM's Power Systems (called here the System i) have a solid reputation for reliability and security, but each passing year sees growth in threats to systems and data. That makes any time a good time for reviewing the System i market's spectrum of products that can help avoid security problems.
Examples of Problems
A denial-of-service (DoS) attack is a fairly well-known example of a security threat. In this scenario, excessive external requests for communications can overwhelm a server and cause it to fail.
Other types of threats are less well-known but also potent.
Authorized system users can use the File Transfer Protocol (FTP) to copy documents and data to outside systems if there's no safeguard to stop them. Remote exploits occur when a remote user takes advantage of a software glitch to, in some cases, extend the system privileges of an account.
SQL injection attacks involve inserting escape characters and other crafted input into SQL statements to subvert database security.
Buffer overflow attacks, best known in conjunction with use of C or C++ (a language seeing increasing use on the System i), overwrite space in memory outside that normally reserved for a buffer and can cause security breaches.
Cross-site scripting is an attack in which malicious script code is injected into Web pages and transmitted back to, and run on, the viewer's machine.
These and similarly clever but dangerous methods of subverting computer security proliferate constantly. Systems that have seemed relatively safe for years suddenly are at risk, and the System i is no exception. Therefore, the concept of security today must take into account such diverse functions as encrypting data for transmission between systems, protecting data from unauthorized viewing, controlling user access and privileges on a system, analyzing and auditing the current state of a server's security, and protecting a system from viruses and other malware.
Generally speaking, because the products' functions overlap so heavily, it's difficult to devise a universally accepted scheme for dividing the offerings into sharply delineated slices of the security function pie, so all are presented here as one group.
Help in Meeting the Threats
Below is a quick summary of the major players and software products available in System i security software. Because of the sheer number of products, this article covers only software (there is a myriad of hardware products for protecting systems and networks to which System i machines may be connected) and focuses only on solutions for the System i OS. These descriptions also cover only products from the original companies producing them (as opposed to resellers).
In addition, please be aware that there are products with functions that overlap or are closely allied with security and are covered in other articles available from MC Press Online. For example, for an overview of system auditing and compliance tools, see "Technology Focus: Useful Shortcuts for Lengthy Audits." For an overview of user authentication and authorization tools, see "Technology Focus: Protect Your System i with Authentication and Authorization Tools."
It's also important to note that while this article surveys individual products offered by name, some named products are extremely focused on just one aspect of security, while others represent entire suites of products under a single name that provide a wide range of protections. You may need a combination of products to provide the most complete possible protection for your computing assets.
Each product entry includes the vendor name, the product name, a link to more information about the product, and a brief description. These descriptions are in no way complete information about the products; they are just summaries of major features to help you decide where to focus your own research efforts first. And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.
System Security Software Products for IBM System i
Applied Logic Corporation
Pro/Encrypt uses encryption algorithms to protect System i data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption.
AS/SURE Software
iSecure is a utility that provides end users with self-service user-profile and password-reset services, letting them bypass help desks with these common requests. Users can review password change rules and set up challenge questions to verify their identities. The product lets QSECOFR determine what functions users may access, logs all actions for later review, tracks which users have established password challenge questions, and provides an administrator-only menu.
Bsafe Information Systems, Ltd.
Bsafe/Enterprise Security is a suite of products that helps administrators control access to applications, data, and ports. It manages user profiles and object authorizations and controls IP use permissions. It also audits system, application, file, and SQL statement use. In addition, it generates online reports of security definitions, sensitive authorities, system values, and other security attributes.
Bsafe/IP Packet Lockdown includes intrusion detection, access control, and IP packet filtering. Based on IP packet filtering technology, it lets authorized users set up and manage the ports and IP addresses from which to send and receive (or block) network traffic.
Bsafe Policy Compliance Manager
Bsafe Policy Compliance Manager helps administrators create, document, and maintain security policies for an organization by creating templates embodying goals and then automatically comparing them to actual system conditions. It also helps non-technical users understand how systems implement security policy.
Security Assessment carries out automated penetration tests against System i servers and generates analysis reports on weaknesses, currently defined security policies, and deviations from recommended system values. It also details application server protections and maps system ports and their activities.
Sensitive Field Masking restricts access and display of fields the administrator defines as sensitive but without requiring any changes to applications that must use the data. Masked files reside in a special library and can be optionally synchronized with the original files. The field masking operates independently of applications using the fields.
Bug Busters Software Engineering, Inc.
A la Carte Menu and Security System (ALC)
ALC lets administrators control access to applications and objects via a menu system based on i5/OS user and group profiles, *PUBLIC authorities, and authorization lists. Users can activate menu options or system commands at the command line, and each menu can offer up to 999 options.
Busch & Partner
PCSACC400 is a database access-control application that limits potential damage PC users can do to System i data when using menu-based application controls. It provides a range of object-level security protections based on its own subset of i5/OS authorities, monitors SQL query use, and provides user interfaces in either English or German. The company currently offers a three-month free testing period for the product.
Bytware, Inc.
StandGuard Anti-Virus uses a McAfee engine to find and destroy computer viruses that may have taken up residence on a System i. The product offers automatic updates of virus examples and both green-screen and GUI interfaces. It also lets users manage multiple machines from a single console, provides native email screening, and offers a Domino protection option.
StandGuard Network Security provides network access control for System i environments. It protects all exit points, secures more than 120 server functions, and supports both public and private authorities. It also activates and deactivates all exit points without restarts, provides a phased-in implementation approach, and provides extensive auditing tools.
Centerfield Technology, Inc.
Insure/SECURITY helps security officers protect application data from unauthorized access and changes without requiring modification of enterprise applications. Officers can apply rules at the *PUBLIC or group level, set different rules for different times of the day, and restrict or lock down access methods such as FTP. The product operates independently and requires no changes to existing software applications.
Camouflage Software
Data Masking Lifecycle Management Suite (DLM)
DLM is a suite of integrated products that help users discover, analyze, subset, and mask sensitive data. It includes tools for identifying sensitive data and protecting it from unauthorized access without changing the data's characteristics.
Cilasoft
CONTROLER secures the System i from security problems involving use of Client Access, FTP, ODBC, or Telnet access to server data. It lets system managers define the commands remote users can access and limits their use in specific ways. It also audits use of SQL and other query engines.
CXL, Ltd.
AZScan is a PC-based program that can analyze midrange system security, including System i machines running i5/OS, AIX, and Linux. For i5/OS, it performs 53 tests, supports 15 OS releases, and doesn't require users to load any software on the System i.
HiT Software, Inc.
SafeConduct uses SSL and 256-bit data encryption to protect access to sensitive data being transmitted across a LAN, WAN, or VPN. It provides node-to-node authentication to ensure the recipient is valid, requires no changes to application code, and provides a Windows-based audit log.
IBM Corporation
IBM Security Server Protection
IBM Internet Security Systems' server protection service uses two products, IBM Proventia Server Intrusion Prevention System and IBM RealSecure Server Sensor, to protect any Power Systems server against denial of service, remote exploit, SQL injection, cross-site scripting, and other security attacks. The products provide a firewall, prevent intrusions, guard against buffer overflow attacks, and inspect secure Web transactions.
Identity Forge, LLC
IdF Advanced Adapter for IBM-System i5
Identity Forge (IdF) is a suite of user authorization and authentication products based on the Lightweight Directory Access Protocol (LDAP) and Microsoft's Active Directory, which supports the System i via the IBM Advanced Adapter for i5. IdF host agents complement directory services and identity- and access-management applications, monitor system events, and generate audit records of security events.
Innovatum
DataThread captures all changes to target databases and records them in an auditable database of its own. It lets one or multiple end users electronically sign changes to data to facilitate workflow environments, is scalable to any System i environment, and can combine data from multiple systems into a single report or GUI. It is also designed to meet U.S. Food and Drug Administration Part 11 requirements for auditability.
Kisco Information Systems
The iFileAudit product logs and tracks data updates and file changes to System i objects. The product records which user profiles and programs made the change and what the changes were, as well as tracking file-read operations with custom filtering. It also produces audit reports that show global or selected data for each change.
SafeNet/400 guards System i servers from unauthorized access via network connections. It logs all requests, limits access to server functions based on user profiles, and gives system managers control over exit-processing for applications. It lets managers limit use of server commands and functions and restrict Internet use to enterprise-defined IP addresses. The product is available in Lite, Basic, Advanced, and Enterprise versions.
ScreenSafer/400 is a security tool that takes control of unattended workstations during idle time, restricting access to information and functions to the user logged on to the device. In addition, the product doesn't terminate users during workstation idle time, but instead makes any displayed information illegible to passersby.
Linoma Software
Crypto Complete is a data-protection system that protects sensitive data via multiple strong encryption algorithms (e.g., AES128, AES192, AES256, TDES) at the field level and lets administrators rotate keys without having to change applications or re-encrypt data. It also provides encryption-key creation, management, and auditing features.
GoAnywhere Director is a managed file-transfer solution that automates data retrieval, translation, encryption, compression, and distribution. It automates FTP processes, exchanges data with HTTP and HTTPS servers, connects to many leading database servers, and includes a scheduler.
Although primarily a database and file editor, Surveyor/400 includes security features that protect System i databases from unauthorized access via Open Database Connectivity (ODBC). Surveyor/400 lets administrators restrict access to libraries and database files, fields, and records to prevent unauthorized or accidental changes and deletions.
NetIQ Corporation
PSAudit reports security exposures caused by user profiles, files, objects, and system values. It monitors access to sensitive data, tracks specific user access to System i machines, and analyzes changes over time to libraries, documents, program temporary fixes (PTFs), and network and device configurations.
PSDetect monitors System i servers for specific system and security events and sends alerts to the appropriate personnel. For example, it notes whether the system is running low on particular resources (such as disk space), whether someone is trying to access the system with an invalid password, and whether the auditing level of the system has been changed.
NetIQ Secure Configuration Manager
Secure Configuration Manager audits system configurations and compares them to corporate policies, previous configurations, and other systems to help identify problems, meet compliance obligations, automate some security operations, and enable the best allocation of security resources.
nuBridges, Inc.
nuBridges Exchange is a suite of products for handling secure file-transfer, connectivity, and Internet electronic data interchange (EDI) transactions for System i. It lets administrators manage file-transfer scripts and activities. The product also protects data transmissions between machines and business partners and provides error notifications and other reports.
nuBridges Protect is an encryption product for data at rest in databases, applications, and backup storage. It features centralized key management, user choice between two data-protection methods, and complete audit logging.
PowerTech Group, Inc.
Authority Broker addresses the problem of power users holding more special authorities than they need. By letting security officers reduce the number of user profiles with special authorities, enabling certain users to adopt higher authorities only in particular situations, and generating alerts if a user's authority changes, the product helps enterprises avoid excessive authority proliferation.
Network Security monitors traffic through i5/OS exit points, which enables system managers to control data access from client machines, audit end user access to network services, and close security loopholes not handled by traditional menu-based security methods.
Raz-Lee Security
Raz-Lee's iSecurity is a suite of more than 15 products that provides a broad spectrum of help for System i security concerns. Product modules identify security breaches and activate automated responses to them, provide antivirus protection, assess system security, and offer reporting and auditing facilities. Other modules control user authorities, track and monitor suspicious users, enable multiple-system monitoring from a central console, prevent intrusions, control password activity, mask sensitive data, and analyze system-log data.
Safestone
DetectIt offers individual modules for assessing risks and system security compliance, detecting intrusions, managing and auditing activities of ordinary and power users, controlling exit-point traffic, and centralizing multiple system operations. It also includes automated password self-help for end users.
Shield Advanced Solutions
FTP Security Manager fills the hole in System i security caused by a lack of monitoring tools for users accessing FTP. The product helps administrators restrict access to FTP functions and log FTP activity while providing a user-friendly GUI that lets authorized users employ FTP for legitimate purposes.
SkyView Partners, Inc.
SkyView Policy Minder for IBM i and i5/OS
Policy Minder automates security policy compliance and documents security implementation with templates. It automatically checks compliances for user profiles, objects, libraries, directories, and other system attributes and objects and then reports on discrepancies without requiring human analysis of data.
SkyView Policy Minder Real Time Add-on powered by DataThread
The Real Time Add-on product uses Innovatum's DataThread product to provide real-time administrator notification of security events.
SkyView Risk Assessor for IBM i and i5/OS
Risk Assessor automates analysis of more than 100 risk points in a system to provide a risk assessment from an objective, third-party view. It generates a report that specifies compliance shortfalls.
SoftLanding Systems, Inc.
CENTRAL for iAccess controls access to System i applications via menu systems. SoftMenu lets administrators restrict access to sensitive options, standardize management of all application menus, and use application exit points to customize menu-administration tasks. It also lets managers delegate administration of application menu systems to nontechnical personnel if desired.
SpaceTec
Fortress/400 prevents unauthorized access to data and server functions from client machines. It uses the exit program facilities of i5/OS, records activity to a separate security database, provides a GUI interface, recognizes group and *PUBLIC authorities, and records an audit trail of all remote instructions.
System Support Products, Inc.
Screen Manager II addresses the problems of signed-on workstations that are left unattended and inactive jobs that consume system resources uselessly. The product lets administrators manage inactive jobs by multiple criteria and specify actions (such as disconnection) after a specific time interval. It maintains a security log of actions for auditing.
Tango/04 Computing Group
VSS provides real-time auditing of user activity on the system and helps administrators establish and maintain control policies via wizards and analyze business effects. Available product extensions add exit-point security, monitor library and log files in real time, and protect TCP/IP services.
TIBCO
Managed File Transfer is a tool that provides secure and auditable use of FTP between System i and a wide range of other platforms. The product includes open-architecture APIs that enable integration with existing applications, can handle files of any size, and ensures compliance with all regulatory mandates.
Townsend Security
Alliance AES Encryption for System i
Alliance AES Encryption for System i is a system of strong encryption for databases, unstructured data, reports, and offline storage. It includes facilities for managing encryption keys, encrypting backup media and spooled files, and logging compliance activities.
Alliance AS-2 Integrator provides secure and automated AS1, AS2, and AS3 support for EDI over the Internet and includes all of the AS2 secure Web transfer and automation features needed for EDI data exchange. It transfers ANSI X.12 EDI data over the Internet using HTTP communications, automates EDI document exchanges, and lets users integrate automated document exchanges with existing applications.
Alliance LogAgent for IBM i collects security events and places them in a log server for consolidation with security event information from other enterprise platforms. It translates QAUDJRN and QHST entries to a common log format and can handle more than 800 log entries per second.
Alliance Secure TCP for the IBM i
Alliance Secure TCP for the IBM i offers secure TCP sockets data transfers between i servers and other internal and external platforms. It uses the native IBM i Digital Certificate Manager to create and distribute SSL certificates, provides preconfigured interfaces for passing data to other OSs, and provides an option for 128-bit SSL/TLS encryption.
Alliance Token Manager for IBM i
Alliance Token Manager for IBM i helps protect sensitive data by replacing it with a token that maintains the data's original characteristics but doesn't include data values. If the tokens are lost, the sensitive data remains safe. The product also includes a masking option for contents of data fields.
Alliance XML/400 provides secure Web services and Internet XML document transfers to IBM DB2 databases. It lets enterprises deploy XML-based Web services without changes to existing hardware or applications. It handles all XML data formats, converts XML to System i EBCDIC characters, and automates inbound and outbound processes.
The product provides a native i5/OS implementation of PGP file encryption. It protects sensitive data, automates encryption procedures, and provides encryption key-management features.
Syslog-ng was developed by BalaBit and is resold and supported in North America by Townsend Security. It collects and classifies the log messages of operating systems (e.g., Windows clients) and applications and transfers them to a high-performance log where the messages can be processed further and stored in secure, encrypted files or databases. Database storage lets users search and query the messages and interoperate with log-analyzing applications.
Valid Technologies
Valid Secure System Authentication (VSSA)
VSSA is a biometric user-authentication system that uses USB-attached sensor peripherals to validate user identities based on their fingerprints. Users undergo an enrollment process that creates a unique biometric template, which is encrypted so that no actual user fingerprints are stored on the system. Once enrolled, users can log on to any networked system without using passwords.