Are all of your System i (iSeries) doors closed? - part 2


Rich Loeber
10.16.2006

In my last tip, "Are all of your System i (iSeries) doors closed?", I pondered the need to watch the doors into your system. In the old days, there was a single door in the form of a display terminal. Today, that is only one of the many doors where users can get into your system. While most users are trustworthy, there is always the opportunity for inadvertent damage to your data from someone who happens to get into your system through a door that should be closed to them. Then, there are always those lurking in the shadows who are just looking for an unlocked door to gain access and wreak havoc in the process.

Last time, I talked about the most obvious doors and the most obvious solutions for those situations. This week, we'll take a closer look at the less obvious doors and how you can deal with them.

In addition to the obvious doors to your system, such as FTP and Telnet, OS/400 (i5/OS) includes a variety of server functions that provide network access points for a wide range of host-client connectivity. These include the likes of a TCP/IP DDM server that can share data files on a record-by-record basis with a client; the iSeries NetServer that allows files in the IFS to be directly accessed from desktop applications; the Remote Execution server that allows a desktop system to issue OS commands directly from the desktop; and so on. The list is quite comprehensive and many System i managers are not even aware of all of the possibilities.

My first recommendation for you is to educate yourselves about the doors that are there. Play around with iSeries Navigator and Management Central on your system to see all of the server settings and whether or not they are running on your system.

To do this, open iSeries Navigator for your system and then open the "Network" tab. This will present you with a short list of new tabs; open the "Servers" tab next. To see what servers are actually up and running on your system, look at the tabs marked "TCP/IP" and "iSeries Access". These will each show you a list of server functions on your system with a brief description of the function being served and what its current status is on your system. It behooves you to know about all of those that are showing as started.

Once you have identified all of the server functions that are running (each of these is a door into your system), you will need to validate the use of each one on your system. Identify the application that is using it and check to make sure that security is in place to control what can be accessed through each of these doors. Also, make sure you know what user profiles are in use for each server function. If common user profiles are shared between different server functions, you could have a security risk due to contextual conflicts between uses. This kind of exposure can happen when an FTP user profile needs access to different data than an ODBC user. If the same profile is used in both contexts, you could end up with a security exposure. Also, remember that when you open a door for one application, it ends up remaining open for all of the profiles on your system. You need to have a plan in place to keep the wrong people away from doors that they should not be using.

In some instances, the only way you will be able to make sense out of what is going on will be to implement one or more exit point programs to allow you to see exactly what kind of network requests are happening. You can either write your own or get one of the several commercially available exit point solutions. This will tell you which profiles are getting into your system through each door and what they are doing when they are in there. Without knowledge at this level, you're only guessing at what's going on. Guessing at activity does not promote good security policy implementation.
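Once an exit point program is logging requests, the review described above can be automated. The following Python script is an added example, not part of the original tip: it reads a constructed log in a hypothetical CSV layout (timestamp, server function, user profile, operation, object) and reports which profiles use each door, which profiles appear on more than one door, and which uses fall outside an assumed approved list. All server labels, profile names and the `APPROVED` table are illustrative assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: one record per network request, in a hypothetical
# CSV layout an exit program might log (timestamp, server, profile, operation, object).
SAMPLE_LOG = """\
2006-10-16T08:01:12,FTP,FTPBATCH,GET,/QSYS.LIB/ORDERS.LIB/EXPORT.FILE
2006-10-16T08:03:40,ODBC,RPTUSER,SELECT,ORDERS/ORDHDR
2006-10-16T08:05:02,ODBC,FTPBATCH,SELECT,PAYROLL/EMPMAST
2006-10-16T08:07:55,DDM,APPSRV,OPEN,ORDERS/ORDDTL
2006-10-16T08:09:30,RMTCMD,RPTUSER,RUNCMD,DSPUSRPRF
2006-10-16T08:11:18,FTP,FTPBATCH,PUT,/QSYS.LIB/ORDERS.LIB/IMPORT.FILE
"""

# Assumed policy: the server functions each profile is approved to use.
APPROVED = {
    "FTPBATCH": {"FTP"},
    "RPTUSER": {"ODBC"},
    "APPSRV": {"DDM"},
}

def profiles_by_server(log_text):
    """Map each server function (door) to the set of profiles seen using it."""
    doors = defaultdict(set)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        _ts, server, profile, _op, _obj = (f.strip() for f in row)
        doors[server.upper()].add(profile.upper())
    return dict(doors)

def shared_profiles(doors):
    """Profiles seen on more than one door: the contextual-conflict case."""
    seen = defaultdict(set)
    for server, profiles in doors.items():
        for p in profiles:
            seen[p].add(server)
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}

def unapproved_use(doors, approved):
    """(profile, server) pairs not covered by the approved list."""
    return sorted((p, srv) for srv, profiles in doors.items()
                  for p in profiles if srv not in approved.get(p, set()))

if __name__ == "__main__":
    doors = profiles_by_server(SAMPLE_LOG)
    for server in sorted(doors):
        print(f"{server:7} {sorted(doors[server])}")
    print("shared:", shared_profiles(doors))
    print("unapproved:", unapproved_use(doors, APPROVED))
```

In the constructed sample, the FTP batch profile also shows up on ODBC against a payroll file, which is the kind of shared-profile exposure the tip warns about.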

If you have specific questions about this topic, email me at rich@kisco.com. All email messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

