For a long time, the security of System i has been a byword. Indeed, it has been a core strength and one of the platform’s key selling features. But horrors, what’s this? There are newer, TCP-enabled features of the robust operating system that require enhanced protection from emerging threats.

As organisations move to use their i5s for collaboration and web-based applications, the difficulty of securing their i5s increases. Enterprises deploying i5 solutions are increasingly using the platform’s TCP/IP-enabled features. These include the bundled web (HTTP) server, POP3 email, Telnet, ODBC-compliant database services and FTP services. However, in contrast to the core security architecture, the i5’s network-enabled features are less robust. Auditing, logging and access controls are not really functional at best. For example, FTP and POP3 services leak information when coming across invalid user logins and don’t limit the number of invalid logins.

Jill Sherratt of Premier IBM Business Partner Life IT says: ‘The hacking community is not ignoring iSeries. Not many iSeries administrators have even a basic understanding of what might be the biggest security threat that faces the iSeries. The problem is vast in scope, and can render the iSeries open to attack by both internal and external hackers.

‘A major problem is network access. Unless you take specific, ultra-technical steps to secure your iSeries on the network, you are most likely leaving your system in a vulnerable state. Tools like ODBC, DDM, FTP, iSeries Access, and a myriad of others can gain access to your iSeries database. For example, a simple FTP statement like “QUOTE RCMD CLRPFM PAYROLL” can delete all records from your production payroll file.’

‘One possible solution is to write and maintain your own exit programs for each TCP/IP server,’ says Sherratt. ‘At the last count, there were more than 32 network servers, with over 180 network functions that may be monitored and controlled. That's a lot of exit programs to write and maintain.’

Sherratt believes that writing and maintaining a multitude of network exit point programs is not a realistic option for the vast majority of companies. So Life IT combines exit point software packages that provide the network exit programs and management facilities needed to customise network access permissions, along with consultancy and implementation services.

These exit point programs interface directly with OS/400 network servers to control and provide an audit trail of all network access transactions. Life IT also configures the software to provide intrusion detection capabilities to alert system administrators when unauthorised access is attempted through the network.

‘The good news is that the i5 community is not ignoring the problem either,’ says Sherratt. ‘We have monitored interest in the UK over the last 12 months and can report a steady increase since April this year to over 386 iSeries/AS/400 security searches in September.’

Founded in 1983, Bsafe Information Systems is a software company that provides security solutions for the i5, System z (mainframe) and other operating systems. Headquartered in Israel and with operations in the US and Canada, Bsafe’s flagship product is the Bsafe/Enterprise Security suite for i5. Other products in its portfolio include Bsafe/CICS for zSeries, Bsafe/DB2 for zSeries and Bsafe/Enterprise for Linux.

The Bsafe/Enterprise Security suite for i5 extends the OS/400 security architecture to better support TCP/IP-enabled services. It provides controls to analyse, manage and report on the security configuration of the i5 through seven key features.

In a Yankee Group report ‘Security’s Benefits for the IBM i5 Platform Security Solutions & Services’, authors Andrew Efstathiou and Andrew Jaquith provide an overview of the Bsafe/Enterprise Security suite for the i5 platform, which enhances the platform’s built-in security by adding access control, auditing, reporting, monitoring and anomaly detection features for TCP/IP.

Efstathiou and Jaquith argue that enterprises with i5 systems should:

* take inventory of network-enabled i5 hosts that provide TCP/IP services

* identify i5 hosts with enhanced security requirements

* determine the potential business impact of regulations, downtime, privacy violations and security breaches

* identify reporting and audit requirements for maintaining desired levels of assurance

* identify appropriate security solutions for securing high-value/high-impact networked i5 systems

‘We sell Bsafe with Quattro and have found the UK market to be very slow on the uptake – we have quite a close relationship with Bsafe and have sold more out of the UK than in it,’ says Kevin Passey of KDP Software.

‘I certainly think complacency is an issue,’ says Passey. ‘We had one instance where we quoted a company in the gaming industry for Bsafe to run on a machine that handled all the cash analysis – but the company didn't think it needed security as the machine was not connected to the internet, end of story. At the other end of the scale, we have a client in the US who has three machines -- production/backup/development -- and has Bsafe on all machines. Maybe it's a legislation issue.’

Bsafe 4.1 now has a central audit feature that will collect information from several machines and store it on a central database for comprehensive reporting. The GUI interface is now backwards compatible to which means you don't have to upgrade all your machines at once.

Bsafe also offers a field masking module. ‘We can now let users have access to the payroll files via query or other database enquiry tools and mask the information we don't want them to see – like the salary field,’ says Passey. ‘Down to a granular level, Bsafe secures information in database files now. The user may want to give access to certain information at a file level – but not individual fields.’

Carol Woodbury of SkyView Partners and all round i5 security guru says: ‘Organisations are finally realising that the security configuration with which most vendors leave their applications are no longer sufficient given the technology available on the system -- most notably TCP/IP -- and the regulatory issues that they face.’

‘The good news is that i5/OS provides the integrated features they need to secure their data,’ says Woodbury. ‘The problem is, administrators have really never been faced with using these features before and therefore are not comfortable using them. The system is perfectly “securable” if the integrated features are used -- most notably object-level security and auditing. But most administrators shudder at the thought of implementing object-level security – even though it's the most robust way to secure their sensitive, confidential and private information in their database files.’

‘Most administrators shudder because before, all they had to do was make sure users were limited capability users and put them into the right initial menu,’ she says. ‘Now they have to worry about the fact that their operators and programmers have command line access -- rightly so -- and but have no right to access the file containing credit card numbers. Yet the object-level security setting that the vendor used lets these users not only read, but also update these files.’

‘Because it used to be so easy, most administrators never took the time to learn about the security features of i5/OS and so now it appears to me that they're uncomfortable using them,’ Woodbury continues. ‘Vendors are trying to provide administrators help with the integrated security features of i5/OS. SkyView Partners provides SkyView Risk Assessor – a thorough and unbiased assessment of the security configuration across all of i5/OS – including the new technologies such as TCP/IP and WebSphere configurations and then provides guidance on how to remediate the issues discovered. Other vendors provide products that help retrieve information found in the audit journal, some provide another layer of defence that should be used in addition to and not in place of object authority, to control access to data through network interfaces (such as FTP and ODBC). In addition, we have another product – SkyView Policy Minder – that helps administrators know that their system is in compliance with their own security policy.

‘The bottom line is this – it's not that i5/OS has suddenly become “wide open” and unsecurable. The system has gotten this way because of the way applications have implemented their various security schemes. But again, the good news is that it remains a highly “securable” system. Administrators must just learn to use the features.’

Ed Blake, head of e-security at Real Solutions, says: ‘The general trend in security now is to integrate security at every level of the infrastructure providing an in-depth defence strategy. This includes the System i and its associated ecosystem of applications network services and storage, ensuring that data protection is at the forefront of any security strategy. Security consultants should use a mix of expertise, security products and policies to reach their overall goals’

Says Passey, ‘Of course there is still the internal threat to consider, be it malicious or erroneous.’ Indeed, the disgruntled employee remains the weakest link in any security chain, no matter how watertight.