
Focus on e-biz could compromise iSeries 400 security

As IBM pushes its e-business strategy, the iSeries 400 is increasingly being used as a Web server. The midrange system has always maintained a stellar reputation as an extremely secure machine, but will that change as more and more of them are connected to the Internet? AS/400 security expert Wayne O. Evans says that as the focus shifts from back-end applications to Web server duty, some midrange systems will fall victim to hackers. But failures will likely be from security procedures, not the technology itself. Recently, Edward Hurley, Search400's assistant news editor, discussed Web security on the iSeries with Evans.

What makes the iSeries so much more secure than other platforms?
I often say that Unix was made by hackers for hackers. The designers of Unix were interested in allowing access to information. Using security to restrict or limit access to information was secondary. As a result, security was added onto Unix systems as an afterthought. I feel that the security of the iSeries is far superior to Unix implementations. The iSeries has security built into the hardware instructions. The machine instructions will not allow access to data unless the user is authorized. Applications implemented using Intel instructions must add additional code to validate user access as part of the application. Since the application is responsible for security, there is an increased possibility of the application designer missing or incorrectly checking user access in the Intel-based applications, while in the iSeries programs the hardware enforces access control and cannot be circumvented.

You say that security on the iSeries could be compromised because of an increased connection to the Internet. Why will it be affected and how?
The iSeries system architecture for security is excellent. The actual security validation is done by the hardware microcode, which prevents tampering with security checks. The change in marketing focus by IBM will have both positive and negative impacts on the system security. On the positive side, the increased focus on enabling the iSeries for e-business has added a number of features such as SSL (Secure Sockets Layer), VPN (Virtual Private Networks) and Kerberos (authentication protocol). These additional features are essential for the iSeries to be an effective player in e-business. On the negative side, these added security features have complicated the task of properly securing the iSeries and, unless properly secured, the e-business features have introduced new holes that a hacker can exploit.

Is there anything about the machine, such as its architecture or software, which makes it especially secure for Web issues? Conversely, what makes it less secure?
As I stated previously, the machine architecture where security is built into the hardware instructions makes the iSeries much better than non-iSeries solutions. Another aspect that should not be overlooked is that most hackers are not familiar with the iSeries. As a result, hackers are less likely to attempt to attack the iSeries. While lack of knowledge is not security in itself, it is an effective deterrent for many hackers. Why break into an iSeries when there are so many other systems that are easier to attack?

You don't recommend putting a production iSeries directly on the Internet? How does a firewall protect the machine, then?
A firewall is a computer and program that acts as a screener of requests, only allowing requests that you have designated through to the production system. In the case of the denial of service attack, there is provision for detection and rejection of multiple requests from the same location. In the simple example of the phone being called repeatedly, it would recognize the calling number and reject requests from that number. The denial of service attack can and will keep the firewall busy rejecting the requests. This can effectively shut down your network access, but other processing can be done on the systems on the network that are protected by the firewall.

Does setting the iSeries up for access to the Internet pose any problems?
Stated simply, the denial of service attack is possible and a production system should not be connected to the Internet. A separate Internet system (firewall or Internet Only iSeries) must be used. This multiple system configuration complicates the network design. The task of the system manager is more complex because enabling the system for e-business now means new concepts such as firewalls and encryption.

Will we hear about the iSeries being hacked as much as we do machines from other companies?
Not at the level of other platforms. I anticipate that there will be cases where security is breached because of improper or inadequate security design in an iSeries installation. You can have the best door on your house, but if you fail to close and lock the door, a thief will not have a difficult time breaking in. So it is with iSeries security.

Does this mean that administrators will be paying more attention to security?
Yes. There has been much trade and daily press about the security threats of the Internet and system. As a result, a growing number of system managers are concerned that they get security right before a system is placed on the Internet.
