Is the AS/400 as secure as we are told? Well, let's see.
There are three immediate tests we can make: we can look at AS/400
viruses, we can look at AS/400 vulnerabilities, and we can look at
AS/400 third party security products. If we find a high number in
any of these categories, then we need to question AS/400 security a
little further.
Let's start with viruses, since they still represent the single
largest threat to computer security. In a nutshell, there are no
known AS/400 viruses. Compared to its main rivals, NT and Unix,
this is impressive. A search on the AV supplier Sophos' web site
for 'NT' reveals more than 100 separate papers. A search for 'Unix'
reveals more than three dozen papers. A search for 'AS/400' reveals
none.
What about vulnerabilities? Well, one of the most respected
information resources is that of CIAC - the Computer Incident
Advisory Capability of the US Department of Energy. A search of the
web site for 'Unix' reveals 169 files discussing Unix
vulnerabilities. A search for 'NT' reveals 54 files. And a search
for 'AS/400' finds zero matches in zero files.
This is impressive.
A cynic would counter by saying that the AS/400 does not
represent an attractive target for hackers and virus writers in
terms of volume - but not everyone would agree. According to Zona
Research (In Search Of A Secure E-Commerce Platform, 1999), there
were already more than 1 million AS/400 programmers a year ago.
This represents a sizable number of servers to attack, and a
sizable number of people with the technical knowledge to do so. And
given the strength of the AS/400 in banking and finance
institutions, one could expect the target to be attractive
enough.
So, how about our third test - the existence of third party
security applications. Since there are no known AS/400 viruses, and
no known AS/400 security breaches/vulnerabilities, there should be
little requirement for AS/400 third party security software. But
this is where our test becomes confusing - because there is a
thriving security software market for the AS/400.
A quick scan reveals, for example: Trend Micro's ScanMail for
Lotus Notes; BMC's Control-SA (a security administrator);
PentaSafe's PS PasswordManager, PS Audit, PS Secure, and PS Detect;
Alliance FTP Security; and PowerLock, Audit Master and SecMan (from
Rapport).
So we have an anomaly - a product that is almost totally secure
that still apparently needs to be bolstered by additional security
products. We obviously need to look further to understand both the
strengths and apparent weaknesses in the AS/400.
The system's security lies in its structure - it is object
rather than file based. Everything that can contain data that can
be accessed via the operating system is an object. Objects also
have attributes and an owner. The owner can grant, or revoke, other
users' access rights to owned objects. Each object comprises the
object header and the functional component (ie, the data or
instructions).
The header includes information such as the object type, owner,
date created, and the object's authority information. That
information defines what 'authority' each user has over the object
(eg, *USE, *CHANGE, *ALL, *EXCLUDE); it can be held on the object
itself or managed through an authorisation list that many objects
share. There is thus a very finely grained access control
capability built into the very heart of the system.
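The following is an added example, not code from the article or from IBM, showing how that authority model is actually administered from the OS/400 command line. The library, file, user and authorisation list names (PAYLIB, PAYROLL, CLERK1, AUDITOR1, PAYOWN, PAYAUTL) are hypothetical; the commands and authority values are standard CL. The sequence closes public access to a file, grants one user read-only access, grants a second user access through a shared authorisation list, transfers ownership, and then checks the result and the two conditions under which all of this is bypassed.

```cl
/* Added example: hypothetical names PAYLIB, PAYROLL, CLERK1, AUDITOR1,   */
/* PAYOWN and PAYAUTL. Run from a command line or CL program by a user    */
/* that owns the objects or holds *OBJMGT authority on them.              */

/* 1. Public authority first. *PUBLIC is the default every other user    */
/*    falls back to, so revoke whatever it has and set it to *EXCLUDE.    */
RVKOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*EXCLUDE)

/* 2. Read-only access for a clerk. *USE = *OBJOPR + *READ + *EXECUTE:   */
/*    the user can open and read the file but not add, update or delete  */
/*    records. The library needs *USE too, or the object cannot even be  */
/*    addressed.                                                          */
GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) USER(CLERK1) AUT(*USE)
GRTOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) USER(CLERK1) AUT(*USE)

/* 3. Access through an authorisation list (object type *AUTL). The list */
/*    is a separate object with its own public authority; the file is    */
/*    then attached to it, so one list can govern many objects.          */
CRTAUTL    AUTL(PAYAUTL) TEXT('Payroll read access') AUT(*EXCLUDE)
ADDAUTLE   AUTL(PAYAUTL) USER(AUDITOR1) AUT(*USE)
GRTOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) AUTL(PAYAUTL)

/* 4. Ownership. The owner holds *ALL (including *OBJMGT, the right to   */
/*    grant and revoke authority), so move the file to a dedicated       */
/*    application owner and revoke the previous owner's authority.       */
CHGOBJOWN  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) NEWOWN(PAYOWN) +
             CUROWNAUT(*REVOKE)

/* 5. Verify. DSPOBJAUT lists owner, attached authorisation list, the    */
/*    *PUBLIC authority and every private authority on the object.       */
DSPOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE)

/* 6. Two things that override all of the above and must be checked:     */
/*    - a user profile with the *ALLOBJ special authority bypasses       */
/*      object authority entirely;                                       */
/*    - below system security level 30 (QSECURITY 10 or 20) every user   */
/*      profile is given *ALLOBJ by default, so the object model is not  */
/*      enforced at all. Level 40 or higher is the sensible setting.     */
DSPUSRPRF  USRPRF(CLERK1)
DSPSYSVAL  SYSVAL(QSECURITY)
```

The order matters: granting private authority before closing *PUBLIC leaves a window in which everyone can still read the file, and attaching an authorisation list does not remove private authorities already on the object, which is why step 5 is worth reading rather than assuming.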
It is this structure that gives people confidence in the
security of the AS/400. 'I feel that the security implementation of
the AS/400 is one of the best (if not the best) for any
commercially available system. The security was designed into the
product not added on after the fact,' explains Wayne Evans, an
AS/400 security specialist. He uses two arguments to justify the
claim.
Firstly, the security is implemented in the system's microcode,
below the machine interface. 'Even if a hacker is familiar with an AS/400, the
system's security is built in below the machine-level interface
layer. The actual security implementation is included in the
microcode of the AS/400, down below a place where anyone can get at
it and tamper with it. A user could use service tools to get access
below the machine interface but access to these powerful service
tools should be restricted.'
Secondly, the program architecture prevents viruses. 'Program
objects on a PC are stored as file objects, which can be modified.
On the AS/400, the program objects are encapsulated or stored in an
internal form that cannot be modified. You can delete a program and
recreate it from source, but there is no interface to go in and
tamper with the internals of a program.
While IBM won't make the claim directly, because it's too strong
a statement, I consider the AS/400 virus-proof. The only virus that
could theoretically corrupt an AS/400 would be one that posed as a
validity check program and could attach itself to a command
definition object.'
This statement is, of course, consistent with the lack of
extant AS/400 viruses. Nevertheless prudence would make us heed the
advice of Sophos' Graham Cluley, one of the world's leading experts
on computer viruses. 'We should never underestimate the
inventiveness of the virus writer. There is no such thing as a
virus-proof operating system. Such an OS would be unusable for
legitimate users.'
Cluley believes that the main reason for the lack of AS/400
viruses is that the platform is not sufficiently attractive to the
virus writers. 'They have access to cheap Wintel PCs, not AS/400s.
They want to spread their viruses fast and far - and that means PCs
and Microsoft, not AS/400s.'
Nevertheless, neither Sophos, nor any other anti-virus producer,
has seen the need to develop an anti-virus product for the AS/400.
Basically, the AS/400 is a secure system - or it is at least as
secure as you can get.
But... this is the age of telecommunications and the Internet.
The AS/400 needs to compete with NT and Unix servers, and that
means it has to serve Microsoft based PCs. Much has been made of
NT's C2 security classification (well, NT 3.5, at least). But
that's only if it stands alone and has nothing attached - which is
a poor configuration for a server. The same can be said for the
AS/400 - it's secure until you connect it to something else which
is not so secure. And in the real world, that means almost
always.
The AS/400 ceased to be the world's most secure computing
platform the day the first PC was connected to it. 'Since then the
environments in which the AS/400 operates have changed dramatically
and the security implications have risen accordingly.
The transformation of the AS/400 into a server - whether hosting
the web, Domino or NT - and the now commonplace integration of
AS/400 applications with PCs, are creating new opportunities for
security breaches that can easily be overlooked by system
administrators. The explosion in e-business simply magnifies the
problem,' explains Richard Wharton, the managing director of Rapport Software.
'The potential exists for what we might call 'high-level'
manipulation. There are many places in the OS/400 operating system
where a program can be tucked away, to run at a specified moment,
or whenever a particular event occurs, or a special signal is sent.
A programmer with sufficient knowledge or ill intent has many ways
of causing damage and disruption, even in a secure site, perhaps
rather less for actual theft or fraudulent use of data.
Also, the AS/400 obviously has no control over what happens to
data streams before they reach it. Passwords can be sniffed,
addresses altered. Hackers used to the PC world, judging from their
literature and web sites, are beginning to take an interest in the
AS/400, although from what I've seen, their understanding of the
platform is quite limited. But it is only a matter of time...' he
concludes.
This point is re-iterated by Graham Cluley. 'The real issue for
AS/400 users is if they are storing PC files on AS/400 systems (for
instance, DOC files and EXE files) and perhaps using AS/400 as a
server for Wintel-compatible client PCs.' In these circumstances,
while the AS/400 itself is not vulnerable, the network it serves
may be very vulnerable.
And it may be more vulnerable simply because of the server's
reputation for security. The weak point becomes the users and
administrators, who may well take less care than they need,
believing the system to be safe enough on its own. It is in these
two areas, protection from the outside and security administration,
that we find the majority of third party security software. So
while we can say with some confidence that the AS/400 is still a
very secure system, the network it serves may not be.