Any AS/400 professional worth his weight understands the importance of securing the data on AS/400s. But security will present even more of a challenge as the AS/400 takes on a greater role on the Internet.
Search400.com News Editor Kate Evans-Correia interviewed AS/400 security expert Wayne O. Evans to get his point of view on the most prevalent security issues facing the AS/400 community today. A 27-year veteran of IBM, Evans designed many of the security features found in the AS/400. He now specializes in AS/400 security education and consulting.
SEARCH400.COM: What do you see as the future of AS/400 security?
EVANS: The AS/400 is already recognized as a very secure platform so future changes to AS/400 security will be minor. I anticipate that IBM will make passwords more difficult to guess by making passwords case sensitive. I expect new security features directly focused on Internet access. This could be the expanded use of certificates to authenticate users from a browser. I would like to see secure TELNET sessions available as part of OS/400.
SEARCH400.COM: How secure are most AS/400 shops?
EVANS: The bad news is security at most shops leaves something to be desired. The security of the average AS/400 installation would allow a determined hacker to gain access to the system. But the good news is that there are few hackers that have knowledge of the AS/400. Few AS/400s are connected directly to the Internet so it is not easy for a hacker to get access to the AS/400. The hacker must somehow get access to the company network. As a result the major security exposure is not from the outsider but from the curious or unhappy authorized user (insider). Fortunately most AS/400 users have better and more productive uses for their time.
SEARCH400.COM: What security exposures are found in AS/400 installations?
EVANS: I find that many AS/400 installations fail to take advantage of the existing security features provided by OS/400. The most common exposure that I find at AS/400 installations is poor password controls. Many profiles have trivial passwords: i.e. a password that is the same as the user profile. IBM removed the password from the IBM-provided user profiles (QPGMR, QUSER, QSRV, QSRVBAS, and QSYSOPR) but I discover too many installations where these password profiles still exist. Another common exposure is failure to remove or disable inactive profiles. There are tools in the security tools (GO SECTOOLS) from IBM that will detect and eliminate both of these password exposures. The key is to get system managers to run these tools.
I am still amazed that many installations never require users to change their password. Simply setting a system value will ensure that users change their password. I recommend passwords be changed every 90 days. Another major exposure is that users are given too much access. Too often, users have a group profile that owns production data or have *ALLOBJ special authority. This gives the user the capability to modify and even delete production data. With the increased use of PCs to attach to the AS/400, menu security is not adequate because knowledgeable users can gain access to data outside of the standard application controls.
Most installations are now running security level 40. However there are still too many AS/400 installations at security level 30 or below. If your AS/400 is not at security level 40 then you are not doing all that is required to protect your system.
SEARCH400.COM: Can there be a computer virus on the AS/400?
EVANS: Yes, but not likely. The architecture of the AS/400 stores programs in an internal executable form that cannot be modified by another program. The programs must be recompiled from source in order to introduce harmful code into a program, which makes a virus almost impossible to propagate.
Creation of a program virus is very unlikely on the AS/400. Perhaps the most likely virus would attach a validity checker program to the CL commands, which could spread to other commands. This would require access to the AS/400 and the authority to change the CL command objects. Users should be given *USE access and not *CHANGE access to commands to prevent even this minor threat.
SEARCH400.COM: How safe is it to connect an AS/400 to the Internet?
EVANS: The AS/400 is an excellent platform to put on the Internet. The built-in security of the system can make the system very secure. The system can be secured to limit what Internet users can access. However I do not recommend connecting a production AS/400 directly to the Internet. The AS/400 can be secured to prevent most of the attacks except for a denial of service attack.
The "denial of service" attack most likely will not compromise the security of the system but the attacker floods the system with requests (often invalid transactions) which keeps the system so busy rejecting the invalid requests that no useful work can be done.
The recommended strategy is to protect the AS/400 with a firewall or use a separate AS/400 for Internet transactions. Avoid attaching a production AS/400 directly to the Internet.
SEARCH400.COM: What changes would you like to see in AS/400 security?
EVANS: I have already mentioned the need for secure TELNET sessions. This is critical as more AS/400 users get access over the Internet. One area that I would like to see changed is better controls over the deletion of objects. Security at the library level can prevent users from adding new objects to a library. (*ADD authority to the library is required to insert a new object.) However, deletion of an object from a library only requires minimum access to the library and access to the object. I would like to see *DELETE authority required on the library object to remove objects from the library. This change would make securing the data from accidental deletion much simpler because the control for all objects in the library could be done once.
If you would like to share your opinion of AS/400 security issues, e-mail Search400.com news editor, Kate Evans-Correia at firstname.lastname@example.org