The box that does it its way

The iSeries/400 is famed for its robust, secure environment, and apparent invincibility to hacking, but will that be challenged...

The iSeries/400 is famed for its robust, secure environment, and apparent invincibility to hacking, but will that be challenged in the e-biz/e-com era?

The iSeries, like its predecessor the AS/400, has an impressive reputation when it comes to security, having been designed by IBM from the ground up, with security in mind.

Of course, with these strengths also comes the risk of complacency. Jeremy Sharp, UK country manager for Seagull Software explained: "Traditional AS/400 operators and administrators are well versed in the traditional security measures, but new improvements in OS/400 bring new avenues to be exploited, and therefore new areas that must be secured."

Users have to be aware of all the latest security risks. It appears that IBM is rising to this challenge. While the recent launch of the new iSeries operating system (OS), OS/400 V5 R1, may have grabbed the headlines for Linux compatibility and partitioning, there were also significant enhancements to the system's security features.

According to the manufacturer, the latest OS offers "enhanced system integrity" with digital signature and object signing. A digital certificate is an electronic credential that you can use to establish proof of identity in an electronic transaction. This type of verification is becoming an increasingly important element of e-commerce, hence the presence of an easy to use Digital Certificate Manager (DCM) within V5R1.

DCM lets users manage applications certificates that can be obtained from any Certificate Authority (CA). It can also be used to create and operate your own CA to issue private certificates to applications and users within your organisation.
IBM executives claim that this is simply an extension to the security features that have been built into the AS/400 platform over the years.

Nigel Adams, iSeries product manager at IBM explained: "The fact that security is a fundamental part of the operating system means that it has not just been bolted on as an afterthought." He added: "It is an integral part of how the OS has been put together."

There has been a security toolkit on OS/400 dating back to version 3 release 1, comprising a set of tools to audit and manage security and users. These let users check profiles for default passwords and complete other critical processes such as security auditing.

Users, however, should not be daunted by the presence of the security toolkit. If you don't feel that there is enough technical expertise within your organisation to get the most out of it, then there are plenty of specialist companies that can help you exploit it. These could prove particularly useful if you are wrestling with the many demands of e-business.

In this way, organisations such as Quattro Consulting can undertake security healthchecks on the iSeries and AS/400 using the security toolkit, in addition to more specialised work. According to Glenn Robinson, managing director of Quattro Consulting, the security toolkit is a basic front-end to the security system, which can provide users with reports and user profiles.

He said: "The problem is that you can get reams and reams of reports, that is why it is sometimes better to use specialist products from companies like Pentasafe or SafeStone."

A number of companies are already turning to specialist consultancies such as Quattro Consulting to secure their iSeries and AS/400 servers. Robinson explained: "We don't have software to sell, we are basically techies that really know the AS/400."Moreover, the fact that the iSeries has become much more of an open system over the last few years is now presenting a number of security issues to users.

Robinson said: "Because of all the enhancements with the operating system, there are lots more ways into the box that people are not necessarily aware of." Not surprisingly, it is the exit points on the iSeries and AS/400 that users need to be most aware of when it comes to security. Exit points are effectively there to protect the system but, from a user's perspective, they are not that easy to actually code.

Robinson said: "This is one of the occasions where we would recommend third-party products, because they have built-in utilities to define rules against the exit points." Thus, there is no programming required and users can get on with running their business.

Gavin Massie of SafeStone Technologies agreed: "The exit points are the major challenge for users at the moment. Theoretically, these could allow access to the iSeries through the likes of FTP or ODBC, the database language, hence the need for specialist products.

"The iSeries is as secure as you want to make it but there are a number of applications out there to make it more secure." Wisely, IBM itself chooses not to publish all the exit points on the iSeries and AS/400. For its part, SafeStone provides a range of audit, monitoring and security software tools for the server range.

When you consider the degree of hype that has surrounded Linux on the iSeries and the changing nature of the system, security becomes of paramount importance. For its part, IBM does not see Linux as posing a massive security headache to users. Adams said: "Linux will not be a security problem, because it runs on a secondary partition." Users can essentially carve out disk space that is allocated on the Linux partition alone. Adams added: "If you want to go anywhere else on the iSeries you have to go through OS/400, where you are subject to all the usual constraints."

The simple fact is that people are often too busy to scrutinise every new release of the operating system, so it could be worthwhile taking expert advice. This is especially pertinent as data becomes increasingly mission-critical. Robinson said: "The biggest problem is that people don't know what to secure anymore, because there is literally so much to secure."

John Miles, UK business development manager at software specialist RSA Security explained: "Since AS/400 servers are commonly used as database servers, security is extremely important to keep customer information databases confidential."

This is where security needs to be present throughout your organisation. Miles said: "Passwords are a very weak form of authentication that can be easily compromised using hacker tools widely available on the internet, so for additional security it is advisable to implement a 'strong authentication' solution."

Certainly, users should spare some time to think about access. Ian Kilpatrick, managing director of Wick Hill Group explained:"Inappropriate access will be the main problem." He believes that access control is the security area most in need of attention, rather than the hacking of applications or the operating system.

With the iSeries apparently moving to a more open access environment, the potential security risks have increased. Kilpatrick advised, "One way of minimising Web threats is to not rewrite applications for the Web, but rather to Web enable existing killer applications."

This means that established application security can be employed rather than trying to bolt it into new web apps. Kilpatrick believes that this is also cheaper and easier than the process of rewriting.

Notably, the server is still one of the most secure boxes around, but that doesn't mean that users should adopt a laissez-faire approach to security. On the contrary, recent developments in the system, combined with the rigours of e-commerce mean that users need to be more aware of security than ever before.

Glenn Robinson, who acknowledges that security on the iSeries and AS/400 is "excellent" said: "In the future I think that people need to be more aware of what the machine can do, how it has opened up over the last few years, and how it has exposed the system."

Case study: Kleinwort Benson
A number of companies are turning to specialist software products in order to secure their mission-critical AS/400s and iSeries servers. One of these is offshore bank Kleinwort Benson Channel Islands, which is part of the Dresdner Private Banking organisation.

The St.Helier-based subsidiary uses two AS/400s, one of which runs Milvus, the company's standard banking and trust application. Not surprisingly, security is of paramount importance on the machine. Andre Gorvel, head of information security at Kleinwort Benson Channel Islands, explained: "Because we work as a private bank dealing with individuals in the offshore market we pay particular attention to security."

According to Gorvel, most AS/400 applications have traditionally supported applications security through the use of secure menus, something which is changing with the advent of more open systems. He said: "Obviously, this isn't the case when you move to a standard PC with standard network protocols." These include the likes of ODBC and FTP, which allow users to get directly into file systems.

The bank realised that a specialist software package was needed to cope with its stringent security needs. Gorvel said: "What we were looking for was an application to monitor and control what our users were doing. We also wanted to present this information in as logical and concise a way as possible."

The challenge for Gorvel was to effectively place the machine under full security audit, while at the same time meeting the demands of the parent company's IT security policy. He said: "We have a global IT requirement that is relatively stringent, and we needed to match this in terms of our auditing software."

Eventually, Kleinwort Benson Channel Islands opted for specialist audit software from one of the major mainland suppliers, which is already delivering significant results. Gorvel said: "We have reduced the amount of man hours needed to audit the AS/400 from one day, to effectively a few hours."

This is especially important, given that Kleinwort Benson Channel Islands is moving to 'the holy grail' of 'straight-through' transaction processing. Gorvel explained: "This requires greater levels of security than the AS/400 will natively allow, so we are using some of the modules from our software supplier to enhance the AS/400 user creation and amendment facilities within the operating system."

By doing this, Kleinwort Benson Channel Islands is effectively providing the same level of security that is found within the organisation's primary payment systems such as Swift. Gorvel commented: "As a bank we are dealing with large sums of money, so we really need to know what is going on."

Read more on Antivirus, firewall and IDS products