DENVER -- The iSeries reigns as the sovereign of security and probably will for some time. Pity the poor administrator,...
however, who thinks the king of all midrange servers is invincible.
Blame it on the use of Internet Protocol (IP), the expansion of open systems and the use of multiple platforms. Upshot: the iSeries isn't as secure as it used to be.
It's not like its reign is over. Far from it. Administrators probably will never lie awake at night worrying about a possible system break-in.
Still, some of the people attending the COMMON Fall 2002 Conference & Expo, an event for iSeries (AS/400) professionals, said they know their systems have vulnerabilities. They said they are here looking for ways to secure their systems -- before they have to deal with a breach.
"We just implemented IP on our AS/400," said Stephanie Paglia, vice president and IT operations specialist for First Heritage Bank in Snohomish, Wash., "and we know we're going to need help providing that extra layer of security."
There are more than 20 educational sessions being held on security. Most have been heavily attended. Security vendors also have a large presence at the conference.
Businesses that require a high level of data security, such as banks and casinos, rely on the secure infrastructure of OS/400. However, as IBM expands applications on the server -- for example, by adding WebSphere and making way for open-source systems, such as Linux -- the number of entry points to data on the machine increases, as does the risk.
"The barn door is open," said Rich Deutsch, senior network engineer for midrange systems at Pacific Life Insurance Co. in Newport Beach, Calif. "The inherent stuff on the AS/400 is still secure. Once they opened it up to other stuff, that changed how we had to think about security."
Companies such as PowerTech Group Inc. in Kent, Wash., and PentaSafe Security Technologies Inc. in Houston, both exhibitors at the conference, have developed products that, in essence, will keep the animals in the barn.
According to consultant Carol Woodbury of SkyView Partners in Issaquah, Wash., IBM hasn't done a very good job of providing tools that help users manage security on the AS/400, although the company is working on it.
"IBM's security improvements tend to be things that insure the integrity of the OS, they're not yet providing anything in the way of security management," Woodbury said. "When users seek out security tools, they're looking for features that will help them manage security."
Security tools run between $2,000 and $20,000, and vendors say they are well worth the investment.
"IBM is a very securable machine," said John Earl, chief technology officer at PowerTech. "It doesn't mean it's secure. You've got to make it secure."
The problem, he said, is that the iSeries' reputation for being a secure system made a lot of administrators complacent about security.
"The iSeries has the best tools in the marketplace for making the server secure," he said. "The problem is that the people don't use the tools. If you don't lock your doors you can't blame anyone but yourself if your house was broken into."
PowerTech's PowerLock products are designed to provide users with ways to manage user access to files, detect intrusions and determine where the system tends to be most vulnerable.
Earl, like many users, realize that most of the security breaches come from within the company -- meaning they come from employees.
"I'm not worried about a 13-year-old hacking into my AS/400," he said. "I'm worried about Jane in accounting who has access to too many things."
According to Jack McAfee, director of iSeries security products for PentaSafe, which makes a security product called VigilEnt, what most users want to know is how can they restrict access to "exit" points. Exit points are openings in the system where users can access data. McAfee said that with employees and remote users constantly accessing the iSeries via a variety of protocols, managing security properly is a major challenge for users, especially when native security controls are weak or nonexistent.
"Our product provides the processes, the setup, the rules to ease the management of securing the system," he said.
He added that the company offers continual updates of its products to help users continue to manage remote access even as they install patches, migrate to new versions of OS/400 and begin using newly introduced protocols.
According to Woodbury, exit points are something that vendors such as PentaSafe are "hanging their hats on," even though many software companies, not only security companies, offer this feature. "This feature is almost a commodity," she said.
However, she added that both PowerTech and PentaSafe, in addition to other companies, including Bsafe Software Solutions Ltd. of Herzliya, Israel, which is also exhibiting here, offer robust security management suites with features that go beyond just managing the exit points.
FOR MORE INFORMATION:Webcast: Securing your iSeries: What to expect with V5R1 & V5R2 Featured Topic: How secure is your iSeries Best Web Links on Security SearchSecurity.com