Protecting your iSeries from network users can be a daunting and challenging task. This article, the first of two,...
will give you a few basic tips about it and hopefully get you thinking about this issue.
In the good old days, the iSeries-AS/400 was a closed system, with the only connections to other systems being dedicated telephone lines running IBM's SNA protocol. Control over access from remote users was pretty easy given this environment. Then along came networks and the Internet, and that all changed. Soon every iSeries on the block came with an Ethernet card and was TCP/IP-enabled. PCs running PC Support (now known as iSeries Access) replaced dumb terminals and emulation cards, and the iSeries became a much more open system.
Now, many users with iSeries Access can use upload and download utilities to access data on your system and even do entry and updates directly from those utilities. In fact, many installations have embraced these technology changes and implemented solutions with these capabilities in mind.
With the opening up of the system, however, new security considerations come into play. Consider the classic situation of a payroll clerk running your company's payroll application from his trusty old green-screen application. Using secure menu design, you can implement a system that easily restricts this user's access to the payroll files. However, the OS/400 security for these files will probably be *USE or *CHANGE to allow this user to process updates.
If this user were to experiment with the iSeries Access utilities for download, that level of permission would allow him to quickly and easily download the entire payroll file to his PC, make changes and then upload it back to your system. That probably isn't something you had in mind when security was first envisioned for this application.
As the security officer, what's can you do?
For starters, there are some simple network attribute settings that you can use to implement controls. You can view the network attribute settings on your system using the Display Network Attributes (DSPNETA) command and make changes using the Change Network Attributes (CHGNETA) command. The three network attributes that I want to direct you to in this series of tips are the following:
- Job action (JOBACN)
- Client request access (PCSACC)
- DDM request access (DDMACC)
The Job action setting controls how the system will process remote requests to run jobs. It has three settings: *REJECT, *FILE, and *SEARCH. The default setting is *FILE. If you are concerned about this, change the default setting to *REJECT and you're safe. When it is set to *FILE, the incoming request is queued to a network file for the designated user and the job must then be reviewed and started by the user. *SEARCH sets up a search of the network job table, but that is a topic for an entire tip by itself.
Implementing the other two network attributes will be discussed in my next iSeries security tip, so come back in a couple of weeks for more on this topic.
If you have any specific questions about this topic, you can reach me at firstname.lastname@example.org, I'll try to answer your questions. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.