When you park your car on a busy street, do you lock just the driver's door, or do you lock them all? It seems like a silly question, but it is an apt analogy to the security strategies deployed on many iSeries systems. When you lock the driver's door, you prevent someone from entering your car at its most obvious and useful opening, but you haven't really protected your car. Anyone can open one of the other doors to quickly gain access to the entire car, and from there it's a minor task to gain access to the driver's seat. iSeries security is a lot like that. Many iSeries shops lock the main door but neglect to check the security of other avenues of access.
Telnet Is the Driver's Door
If we were to map this analogy to your iSeries security, the driver's door would be your traditional iSeries menu security system. Your users log on using a Telnet (5250) interface and are immediately captured into a menu system. The menu system controls which applications a user can access by virtue of their presence or absence on the menu. And the menu system conspires with the LMTCPB parameter on the user profiles to prevent users from entering commands at a command line. In this way, the obvious method of access is controlled. And if OS/400 had only one door, security would be complete.
Secure the Other Doors
But the typical iSeries system, like the typical automobile, has multiple points of entry. Since OS/400 V3R1, the system has shipped with a variety of server programs that are ready, willing, and able to communicate with any outside computer that wants to talk. Occasionally, the conversationalists are remote hosts that send and receive files using TCP/IP, but usually they are users' PCs using some kind of client software to extract data from the iSeries. Virtually every PC comes with the ability to use FTP to send or receive files from OS/400. And if you use iSeries Access, those PCs have even more powerful tools—such as Remote Command and ODBC—that can be used to read, update, or delete iSeries data. And while your car may have just a few additional doors that need to be secured, your iSeries has as many additional doors as there are PCs that can connect to it.
A Thousand Points of Entry
When system administrators realize how glaring this exposure is, they sometimes try to prevent all the PCs from having tools that could access and damage iSeries data, like FTP and ODBC. But that task is worse than the labors of Sisyphus; you can't hope to know all the PCs on your network, let alone control what software is loaded on them. To carry our analogy a bit further, if each PC represents an open door, you might have to run around your car and individually check the security of 1000 doors before you could run into the store for milk. What you really want is a master locking switch that can lock all the doors at once.
PowerTech Exit Programs Protect Your Data
The way to protect iSeries data is by securing it on the iSeries itself, rather than on the PCs. PowerTech's NetworkSecurity software allows you to do just that. NetworkSecurity implements OS/400 network control exit programs that protect your iSeries data from users wielding ODBC, FTP, and Remote Command client software. NetworkSecurity can see inbound requests for data and, based on rules that you set up, allow or reject those requests. It also creates a permanent, irrefutable log of activity that shows who was trying to do what and when. NetworkSecurity can also alert you when someone is trying to break into your system. And it's all managed from a secure, straightforward management console.
Do Something Now, While You Still Can
Too many iSeries systems are not secure from users with tools like FTP and ODBC. While this was often overlooked in the older days of closed networks and limited-function users, the spread of PCs and other networking computers coupled with easy-to-use data access tools have put iSeries data in harm's way. For many organizations, the time to put network exit programs in place is now, while you still have control of your iSeries.
For more information or to download a trial version, visit www.powertech.com. And check out PowerTech's other offerings in the MC Showcase Buyer's Guide.
John Earl is Vice President and CTO of The PowerTech Group. He can be reached at
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online