Take control of your iSeries network security -- Part 1

Protecting your iSeries from network users can be a daunting and challenging task. This article, the first of two, will give you a few basic tips about it and hopefully get you thinking about this issue.

In the good old days, the iSeries-AS/400 was a closed system, with the only connections to other systems being dedicated telephone lines running IBM's SNA protocol. Control over access from remote users was pretty easy given this environment. Then along came networks and the Internet, and that all changed. Soon every iSeries on the block came with an Ethernet card and was TCP/IP-enabled. PCs running PC Support (now known as iSeries Access) replaced dumb terminals and emulation cards, and the iSeries became a much more open system.

Now, many users with iSeries Access can use upload and download utilities to access data on your system and even do entry and updates directly from those utilities. In fact, many installations have embraced these technology changes and implemented solutions with these capabilities in mind.

• Connect the dots: Get your iSeries servers talking to one another


• Controlling remote command processing


• Improve old iSeries communication methods

With the opening up of the system, however, new security considerations come into play. Consider the classic situation of a payroll clerk running your company's payroll application from his trusty old green-screen application. Using secure menu design, you can implement a system that easily restricts this user's access to the payroll files. However,...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

the OS/400 security for these files will probably be *USE or *CHANGE to allow this user to process updates.

If this user were to experiment with the iSeries Access utilities for download, that level of permission would allow him to quickly and easily download the entire payroll file to his PC, make changes and then upload it back to your system. That probably isn't something you had in mind when security was first envisioned for this application.

As the security officer, what's can you do?

For starters, there are some simple network attribute settings that you can use to implement controls. You can view the network attribute settings on your system using the Display Network Attributes (DSPNETA) command and make changes using the Change Network Attributes (CHGNETA) command. The three network attributes that I want to direct you to in this series of tips are the following:

• Job action (JOBACN)
• Client request access (PCSACC)
• DDM request access (DDMACC)

The Job action setting controls how the system will process remote requests to run jobs. It has three settings: *REJECT, *FILE, and *SEARCH. The default setting is *FILE. If you are concerned about this, change the default setting to *REJECT and you're safe. When it is set to *FILE, the incoming request is queued to a network file for the designated user and the job must then be reviewed and started by the user. *SEARCH sets up a search of the network job table, but that is a topic for an entire tip by itself.

Implementing the other two network attributes will be discussed in my next iSeries security tip, so come back in a couple of weeks for more on this topic.

If you have any specific questions about this topic, you can reach me at rich@kisco.com, I'll try to answer your questions. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.