I believe that adding Secure Sockets Layer support improves AS/400 Internet security. How so, and how do I go about it? Also, given the AS/400's reputation for A1 security is there any point adding SSL support anyway?
With the dramatic way in which the internet has become a pervasive tool over the last few years, and with e-business becoming a reality both for B2B (Business to Business) and B2C (Business to Consumer), security has become an increasingly important issue, writes Nigel Adams.
So far as the AS/400 is concerned it has always had an excellent security record, and it is worth spending a little time reviewing those security characteristics which are such a strength. Firstly, AS/400 security is fully integrated into OS/400 and is used by the operating system, middleware, and applications. Very important, in that the AS/400 is an object based system.
Everything that is stored on an AS/400 is an object, and each type of object can only have certain operations carried out on it. This means for example that instructions that work on a program (eg Execute) will not operate on a file. It is thus not possible to disguise a file as a program in order to create a virus. Also Pointers cannot be created on the AS/400.
This is a popular means of attacking systems by turning an offset into a pointer and wiping out what is stored at that address. The AS/400 uses hardware tags to indicate when a pointer contains a valid address and when a user changes the contents of any pointer in memory, the hardware turns this tag off.
Another aspect of AS/400 security is that users require special authority in order to copy and restore a program from one system to another. This means that users cannot simply copy a program to another system and then run it.
The AS/400 also will stop unauthorised reboots of the system. The AS/400 security is flexible allowing administration authorisation to be given to users on an individual basis. In order to simplify the task of AS/400 administrators in setting up security on the system, the AS/400 Security Wizard makes recommendations for settings and policies based upon the intended uses of the system. This takes full advantage of the integrated security, by allowing these recommendations to be accepted or modified to fit particular circumstances, and the wizard can then implement the security automatically.
The US Government has certified V4R4 of OS/400 as compliant to their C2 Security Rating as:
- a standalone system;
- multiple AS/400s on a single Lan; and,
- multiple AS/400s with multiple Lan segments. The DB2 Universal Database is also included in this certification.
All of this shows that the AS/400 does indeed have very powerful inherent security characteristics. However, as I mentioned at the beginning, with the advent of the internet, this fundamental security needs to be even further enhanced. The capabilities of the AS/400 that address this include IP filtering, Network Address Translation (Nat), Virtual Private Networking (VPN), Proxy Server, Mail relay, DNS server, as well as Secure Sockets Layer (SSL).
Each of these will be appropriate in different circumstances. For example IP packet filtering is best used as a second level of defence protecting the AS/400 behind a secure gateway such as a firewall or a router. Use masquerade or hide Nat when the AS/400 is used as a security gateway connected directly to the public network. VPNs are appropriate when you wish to simulate the characteristics of a private network over public links.
So far as SSL goes, the recently available V4R5 supports Transport Layer Security (TLS) which is an industry standard definition of SSL. TLS standardises and clarifies SSL protocol definitions as well as adding some new security features. TLS allows AS/400 users to take advantage of the very latest capabilities in terms of internet application security. This capability is supported within standard AS/400 software with no extra charge involved. SSL is implemented in the transport layer (TCP/UDB) and only TCP/IP server and client applications, which have been written to SSL can use this protocol.
SSL should be used when you wish to provide confidentiality and server authentication in transactions over the internet. It is appropriate for web based applications when the remote client is a browser, and both client and server authentication and digital certificates can be used. SSL not only establishes secure communications but also protects the integrity of data that is transmitted.
In summary, I would say that the inherent security offered on the AS/400 is one its core strengths - and one that is becoming increasingly important as we go down the road of moving to a networked world. There are many capabilities that can be used on the AS/400 to extend this security even further. SSL is an important offering that can be used to establish secure communications over the web.
An excellent Redbook produced by IBM's International Technical Support Organisation has recently become available which addresses the subject on Internet Security in considerable detail. It is entitled AS/400 Internet Security Scenarios - A Practical Approach, SG24-5954.
This publication gives an overview of network security concepts, AS/400 network security features, Cisco router firewall features, and considerations when selecting an ISP. It then looks at connecting an AS/400 securely to the internet in a variety of scenarios. I would recommend that anyone interested further in this subject consult this publication. Another ITSO publication that may also be helpful is AS/400 Internet Security: Developing a Digital Certificate Infrastructure, SG24-5659.