IBM i Security - Best Practices
Power Systems Technical Briefing – St Louis
Jeffrey Uehling
IBM i security development
[email protected]
Best Practices - Outline
Physical Security
System security levels
System value settings
Security audit journal
Resource security
Physical Security – a Necessity
• Physical Security, Server
  – Front panel
  – Power, cabling
  – Racks/Storage devices
• Physical Security, Networking
  – Firewalls, routers, switches, cabling, power
  – Prevent configuration changes and the attachment of sniffing equipment
  – Wireless poses a challenge; secured wireless networks are necessary (WPA/WPA2 rather than WEP, which is broken and offers no real protection)
• Physical Security, Peripherals
  – Tape drives/cartridges, Printers/output, Fax, etc.
  – SAN attached DASD
System Security Levels
System Value: QSECURITY
Integrity features that the system enforces only at security level 40 and above:
1. Object Domain Checking
2. Hardware storage protection
3. Parameter validation
System security level 50... Good reasons to run there.
Security levels, why run at a high security level
• At security level 30, system interfaces perform the appropriate authority checks, but security exposures exist at this level (examples will follow):
  – *USE authority is required by DSPDTAARA
  – *CHANGE authority is required by CHGDTAARA
  – Those checks are made by the command, not by the object; a user program that reaches the object without going through the command is not subject to them
Security level 30 is NOT a secure security level!
User written programs, running at security level 30, can gain "write" access to objects with minimal authority.
Program state (user state or system state) is compared against the object's HSP (hardware storage protection) attribute to determine allowable access. Every object has an HSP value.
• Security level 30 ALLOWS access regardless of the state/HSP combination
• NOTE: Some HSP violations can occur on all security levels
• Security levels 40 and 50 enforce HSP checking
Object HSP attributes:
– Allow access from any state (no protection: *USRSPC, *USRQ, *USRIDX)
– Read only in any state (*PGM, *SRVPGM)
– No access in user state (setting for most objects, 5.3 and prior)
– Enhanced storage protection (5.4 and beyond)
MI object overview
An MI object has two parts:
– The encapsulated MI object, addressable only by LIC (Licensed Internal Code). It holds:
  – Object domain (most objects are *SYSTEM domain)
  – Object owner
  – Public authority
  – Hardware storage protection setting
  – Encapsulated object data
– The associated space, a byte addressable area for use by above-MI (user and OS) programs. The associated space is used to store operating system and user data for objects, i.e. *CMD, *DTAARA, *JOBD, *USRSPC, *USRPRF, etc.
(Diagram: SYP = system pointer to the encapsulated object, SPP = space pointer into the associated space.)
Authority checking and integrity support at level 40 & 50
User written programs, running at security level 40 or 50, MUST use system interfaces (commands and APIs) to gain access to the objects.
– Authority checking is enforced by the system interface
– Parameter validation is performed
– Object domain checking is performed
– Object hardware storage protection is enforced
Direct access by user programs to system objects is not allowed at security levels 40 and 50 due to the domain and hardware storage protection attributes.
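Before raising QSECURITY from 30 to 40 or 50, a practitioner wants to know which existing programs rely on the direct access described above, because those programs stop working at the higher level. The CL below is an added example and is not part of the presentation: it uses the *PGMFAIL audit level to record, while still at level 30, the integrity violations that level 40/50 would reject. It assumes QAUDJRN already exists and QAUDCTL includes *AUDLVL; the outfile name QTEMP/AUDAF is a choice made for this example, and the violation-type letters are those defined for the AF audit entry.

```cl
/* Added example, not from the presentation. Survey for programs that will
   fail at level 40/50 before changing QSECURITY.                           */

/* Record authority failures and integrity violations. Note that CHGSYSVAL
   replaces the whole QAUDLVL list; add these values to whatever you already
   audit rather than copying this line blindly.                             */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL')

/* ... run the normal production workload for a full business cycle ...     */

/* Copy the AF (authority failure) entries into a file that has the model
   outfile format for that entry type, so the fields can be queried.        */
CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(AUDAF)
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF) OUTPUT(*OUTFILE) +
       OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDAF)

/* Violation types to look for in the AF entries:
     B = restricted MI instruction
     C = validation failure (program has been altered)
     D = unsupported interface (domain violation)
     R = hardware storage protection violation
   Each one names a program that bypasses a system interface and must be
   fixed to use the command or API instead.                                 */
RUNQRY QRY(*NONE) QRYFILE((QTEMP/AUDAF))

/* Only when the AF list is clean: raise the level. The new value takes
   effect at the next IPL, and is then locked down in SST.                  */
CHGSYSVAL SYSVAL(QSECURITY) VALUE('50')
```

The point of doing the survey at level 30 is that the violations are logged but still allowed, so production keeps running while the list of offending programs is collected; at level 40 the same events become hard failures.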
This presentation contains programming examples ("Sample Code").
IBM grants you a nonexclusive copyright license to use the Sample Code to generate similar function
tailored to your own specific needs.
The Sample Code is provided by IBM for illustrative purposes only. The Sample Code has not been
thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability,
serviceability, or function of the Sample Code.
The Sample Code contained herein is provided to you "AS IS" without any warranties of any kind. THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGMENT ARE EXPRESSLY DISCLAIMED. SOME JURISDICTIONS DO NOT ALLOW
THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO
YOU. IN NO EVENT WILL IBM BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT, SPECIAL
OR OTHER CONSEQUENTIAL DAMAGES FOR ANY USE OF THE SAMPLE CODE INCLUDING,
WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS
OR OTHER DATA ON YOUR INFORMATION HANDLING SYSTEM OR OTHERWISE, EVEN IF WE
ARE EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Example exposure at security level 30: changing the JOBD user
Sign on as a user with *ALLOBJ special authority.
Create a job description object:
• CRTJOBD JOBD(QGPL/TEST) USER(QUSER) AUT(*USE)
Display the job description object, paying attention to the user:
• DSPJOBD JOBD(QGPL/TEST)
Create the program from the source below:
• CRTBNDC PGM(TESTLIB/TESTPGM1) SRCFILE(QCSRC)
Sign on as a user without *ALLOBJ special authority (this user holds only the *USE public authority to QGPL/TEST).
Attempt to change the job description object; the command is rejected with an authority error, because CHGJOBD checks the user's authority to the *JOBD:
• CHGJOBD JOBD(QGPL/TEST) USER(FRED)
Call the program (source below):
• CALL PGM(TESTLIB/TESTPGM1)
Display the job description object, paying attention to the user:
• DSPJOBD JOBD(QGPL/TEST)

Source of TESTPGM1: change the JOBD user
#include <mih/rslvsp.h>
#include <mih/setsppfp.h>
#include <string.h>

void main()
{
    _SYSPTR jobd_sysptr;
    char *space_ptr;

    /* Resolve a system pointer to QGPL/TEST (*JOBD). _AUTH_NONE asks for
       no authority, so no authority check is made and the resolve succeeds
       for a user who has only *USE. */
    jobd_sysptr = rslvsp(WLI_JOBD, "TEST", "QGPL", _AUTH_NONE);

    /* Obtain a space pointer to the JOBD's associated space. At level 40
       or 50 the write below fails with a domain / hardware storage
       protection violation because a user-state program may not write to a
       *SYSTEM domain object; at level 30 it is allowed. */
    space_ptr = setsppfp(jobd_sysptr);

    /* The demo relies on the user name field lying 2 bytes into the
       associated space; that layout is internal and not an interface. */
    space_ptr = space_ptr + 2;

    /* Overwrite the 10-character user name field with QSECOFR. */
    memcpy(space_ptr, "QSECOFR   ", 10);
    return;
}

Change the JOBD User
After running this program, display the job description object, paying attention to the user in the JOBD.
Note the *JOBD object was changed by a user with only *USE authority, to allow jobs to run as QSECOFR.
No authority errors!!!
NOTE: Lock down system values via SST after setting them
QSECURITY - Run at level 50
QALWOBJRST - Consider value *ALWPTF
QFRCCVNRST - Consider value 6 or 7
QVFYOBJRST - Consider value 5
Altered programs are created by modifying a program object in an unsupported way.
Program alterations include:
– Using the system service tools to alter the program
– Saving the program, modifying it offline and restoring it
Several methods are available to alter a program:
– Modifying the program to run in system state
– Modifying the program instruction stream
– Modifying the program validation value
A program altered to run in system state can access system objects and change data on security levels 40 and 50. It runs with the same capabilities as OS programs.
Altered programs can:
– Deliberately cause system crashes
– Modify objects so they cannot be recognized by the OS
– Bypass authority checking for objects
– Bypass system audit record creation
When an attempt is made to restore an object onto the system, three system values work together as filters to determine if the object is allowed to be restored, or if it is converted during the restore:
1. QVFYOBJRST (Verify object restore)
2. QFRCCVNRST (Force conversion restore)
3. QALWOBJRST (Allow object restore)
• The "RST" interfaces are shipped as PUBLIC(*EXCLUDE).
• Only trusted users should be authorized to use the restore interfaces.
• Note: BRMS interfaces are PUBLIC(*USE) but call the system "RST" interfaces, which are PUBLIC(*EXCLUDE).
• Verify the list of users authorized to "SAVE" data.
• Protect the use of the system service tools (SST/DST) and service related commands (DMPxxx, TRCxxx, etc.).
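The restore-time filters above only help if they are actually set, and an altered program that is already on the system is not caught by them at all. The CL below is an added example, not from the presentation: it applies the recommended restore values, confirms the restore commands are still PUBLIC(*EXCLUDE), and runs CHKOBJITG to find programs whose domain or validation value no longer matches what the OS expects. The library names APPLIB and AUDLIB and the outfile name OBJITG are placeholders chosen for this example.

```cl
/* Added example, not from the presentation. Restore filters plus a check
   for programs that have already been altered.                             */

/* QVFYOBJRST 5 refuses to restore any unsigned object, so in-house programs
   must be signed (or a lower value chosen) before this is set, or your own
   application restores will start failing.                                 */
CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE('5')
/* QFRCCVNRST 7 converts every restored program, which discards any altered
   instruction stream and rebuilds the validation value.                    */
CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE('7')
/* *ALWPTF: objects with security-sensitive attributes (system state,
   altered validation value, etc.) may only arrive as part of a PTF.        */
CHGSYSVAL SYSVAL(QALWOBJRST) VALUE('*ALWPTF')

/* Confirm the restore interfaces are still PUBLIC(*EXCLUDE). Anything other
   than *EXCLUDE for *PUBLIC means an ordinary user could restore an altered
   program; grant the commands to the named backup operators only.          */
DSPOBJAUT OBJ(QSYS/RSTOBJ) OBJTYPE(*CMD)
DSPOBJAUT OBJ(QSYS/RSTLIB) OBJTYPE(*CMD)
DSPOBJAUT OBJ(QSYS/RST)    OBJTYPE(*CMD)

/* Look for the symptoms of the alterations listed above: programs in the
   wrong domain or whose validation value no longer matches the instruction
   stream. Results go to an outfile for review.                             */
CHKOBJITG OBJ('/QSYS.LIB/APPLIB.LIB/*') OUTFILE(AUDLIB/OBJITG) +
          CHKDMN(*YES) CHKPGMMOD(*YES)
RUNQRY QRY(*NONE) QRYFILE((AUDLIB/OBJITG))
```

Run CHKOBJITG on a schedule, not just once: the restore filters prevent altered programs from arriving by restore, but the service tools path the slide mentions is only closed by protecting SST/DST and the DMPxxx/TRCxxx commands.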
NOTE: Lock down system values via SST after setting them
QAUDCTL - Audit on/off switch
QAUDLVL and QAUDLVL2 (new in 5.3) - Which events are audited
QAUDENDACN and QAUDFRCLVL - Use default values
QCRTOBJAUD - Audit newly created objects
Create the QAUDJRN audit journal.
Set QAUDCTL to *OBJAUD, *AUDLVL and *NOQTEMP.
Set QAUDLVL to *AUDLVL2 (5.3 and later) and set the auditing values in the QAUDLVL2 system value; prior to 5.3, set the audit values in QAUDLVL.
Turn on auditing and save the audit journal receivers. You may need the audit data in the future!
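The steps above in the order they have to be done, as an added example that is not part of the presentation. The audit journal itself must be QSYS/QAUDJRN; the receiver library QGPL, the receiver name AUDRCV0001, the threshold, the tape device TAP01 and the particular QAUDLVL2 event list are choices made for this example.

```cl
/* Added example, not from the presentation. Create the security audit
   journal, switch auditing on, and keep the receivers.                     */

/* Receiver first, then the journal. MNGRCV(*SYSTEM) makes the system attach
   a fresh receiver when the threshold (in KB) is reached; DLTRCV(*NO) keeps
   the detached receivers so they can be saved before they are deleted.
   AUT(*EXCLUDE) keeps ordinary users from reading the audit trail.         */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
       DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* 5.3 and later: point QAUDLVL at QAUDLVL2 and put the event list there.
   *PGMFAIL records the domain / HSP violations discussed earlier; *SECURITY
   covers authority and profile changes; *SAVRST covers restores.           */
CHGSYSVAL SYSVAL(QAUDLVL)  VALUE('*AUDLVL2')
CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*AUTFAIL *CREATE *DELETE *OBJMGT +
                                  *PGMFAIL *SAVRST *SECURITY *SERVICE *SYSMGT')

/* Audit newly created objects, then switch auditing on last so the journal
   exists before the first entry is written.                                */
CHGSYSVAL SYSVAL(QCRTOBJAUD) VALUE('*CHANGE')
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* Keep the evidence: save the detached receivers before housekeeping
   deletes them, and check the chain with WRKJRNA.                          */
WRKJRNA JRN(QSYS/QAUDJRN)
SAVOBJ OBJ(AUDRCV*) LIB(QGPL) OBJTYPE(*JRNRCV) DEV(TAP01)
```

Because *NOQTEMP is in QAUDCTL, actions against objects in QTEMP are not audited, which keeps the volume down without losing anything security relevant; QAUDENDACN and QAUDFRCLVL can stay at their defaults as the slide recommends.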
Security audit provides who accessed what object.
A combination of security audit and "data object" journaling provides the complete audit trail.
IBM partners have great products for analyzing audit data.
Turn on journaling for *FILE and IFS *STMF sensitive objects to get the complete audit of changes, including the data itself (IMAGES(*BOTH) records the before and after image of each changed record):
CRTJRNRCV JRNRCV(MYLIB/MYRCV0001)
CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001)
STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN) IMAGES(*BOTH)
QSYS/STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE)) JRN('/QSYS.LIB/MYLIB.LIB/MYJRN.JRN')
(STRJRN requires the JRN parameter, given as an IFS path to the journal; the original slide omitted it.)
WRKSYSVAL SYSVAL(QPWD*)
Set the password composition rule system values: min/max length, required characters, etc.
Consider using enhanced password support (QPWDLVL): case sensitive long passwords (128 characters). A QPWDLVL change takes effect at the next IPL, and levels 1 and 3 remove the LAN Manager password hash that NetServer needs for older Windows clients, so check client compatibility before changing it.
Use the ANZDFTPWD command to check for default passwords (profiles whose password equals the profile name).
QALWUSRDMN - Consider value QTEMP
QINACTITV - Set to a reasonable number of minutes
QINACTMSGQ - *ENDJOB/*DSCJOB
QMAXSIGN - Consider setting to 3
QMAXSGNACN - Set to disable both the device and the profile (value 3)
Resource Security - Protecting your objects
Keep the number of security officers and security administrators to a minimum:
– *ALLOBJ, *SECADM, etc. special authority
– Service tool user IDs
Audit the actions of the powerful user:
– CHGUSRAUD CL command
– *CMD action audit value, *SECURITY, etc.
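The previous two slides (password and sign-on values, and auditing powerful users) come together in the CL below, an added example that is not part of the presentation. The profile name OPSADMIN, its reduced special-authority list and the sign-on values are placeholders chosen for this example.

```cl
/* Added example, not from the presentation. Default passwords, powerful
   profiles, and action auditing for the ones that stay powerful.          */

/* Report profiles whose password equals the profile name and expire those
   passwords. ACTION(*DISABLE) is the stronger choice once the report has
   been reviewed and no needed profile is in it.                           */
ANZDFTPWD ACTION(*PWDEXP)

/* List every profile with its special authorities. Review everyone holding
   *ALLOBJ, *SECADM, *SERVICE or *AUDIT and remove what is not needed.
   Note SPCAUT on CHGUSRPRF replaces the whole list, so state the full set
   the profile should keep.                                                 */
PRTUSRPRF TYPE(*AUTINFO)
CHGUSRPRF USRPRF(OPSADMIN) SPCAUT(*JOBCTL *SAVSYS)

/* Action auditing for the profiles that remain powerful: every command they
   run (CD entries) plus security, service and save/restore actions are
   written to QAUDJRN. OBJAUD(*ALL) additionally audits their access to any
   object whose own audit attribute is *USRPRF.                             */
CHGUSRAUD USRPRF(QSECOFR)  OBJAUD(*ALL) AUDLVL(*CMD *SECURITY *SERVICE *SAVRST)
CHGUSRAUD USRPRF(OPSADMIN) OBJAUD(*ALL) AUDLVL(*CMD *SECURITY *SERVICE *SAVRST)

/* Sign-on controls from the previous slide: three failed attempts disable
   both the device and the profile; idle interactive jobs are disconnected
   after 30 minutes.                                                        */
CHGSYSVAL SYSVAL(QMAXSIGN)   VALUE('3')
CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE('3')
CHGSYSVAL SYSVAL(QINACTITV)  VALUE('30')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*DSCJOB')
```

CHGUSRAUD only produces entries if QAUDCTL includes *AUDLVL (and *OBJAUD for the OBJAUD part), so it depends on the audit journal setup from the earlier slide being in place.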
Make sure the security officer understands:
Protecting your objects with resource security is necessary to protect your data.
– Run at security level 50
– Secure your confidential data with *EXCLUDE public authority
– Objects that are not security sensitive (public objects) should be protected with *USE public authority. This gives good performance for read operations on the object.
– Additional authority can be given to users who must change the data, but private authorities should be used sparingly for best performance.
Resource Security - protecting your objects
EDTOBJAUT: the interface to assign object level authorities
(Diagram: Owner, Public AUT, Private AUT, Authority List)
Don't rely on menu security.
Exit programs, used to control system interfaces such as FTP, are very useful but must be used in combination with object authority. A combination of a network security product and resource security is required.
Secure your sensitive objects with the appropriate level of authority at the object level!
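What "secure at the object level" looks like for one confidential file, as an added example that is not part of the presentation. The file PAYLIB/PAYROLL, the authorization list PAYAUTL and the group profile PAYGRP are placeholders chosen for this example.

```cl
/* Added example, not from the presentation. Take a confidential file from
   an exposed state to the model recommended above: *PUBLIC excluded, the
   few users who need it authorized through an authorization list, and the
   object audited so QAUDJRN records who touched it.                        */

/* Before: a *PUBLIC line showing *CHANGE or *ALL is the exposure, no matter
   what menus or FTP exit programs do, because any interface that reaches
   the object (ODBC, DDM, QSH, a CL program) is checked against this.      */
DSPOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE)

/* Authorities go on an authorization list, not as private authorities on
   the object, so they are managed in one place and the object carries only
   a reference to the list (the "private auts sparingly" advice above).    */
CRTAUTL AUTL(PAYAUTL) AUT(*EXCLUDE) TEXT('Payroll data')
ADDAUTLE AUTL(PAYAUTL) USER(PAYGRP) AUT(*CHANGE)
GRTOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* The library: *USE lets users find objects in it, which is fine because
   the object authority above still decides what they can do with the file. */
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)

/* Object auditing: with QAUDCTL *OBJAUD on, reads (ZR) and changes (ZC) of
   this file are written to QAUDJRN regardless of which interface was used. */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)

/* After: *PUBLIC should now read *AUTL and the list should be PAYAUTL.    */
DSPOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE)
```

Users who only ever read the file through an application that adopts authority do not need to be on the list at all; a member with *CHANGE on the list can modify the data from any interface, which is the reason the list should be short.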
– New set of APIs delivered in 5.3 that provide support for encrypting data in an application
– New set of APIs delivered in 5.4 that provide support to create, manage and protect the encryption keys used to encrypt data in an application
– GUI and CL interfaces in 6.1 to manage encryption keys and keystore files
– DB2 Field Procedures in 7.1 to enable column level encryption
– Protect encryption keys. Encrypting data without protecting the encryption keys does not protect the data.
– 6.1 enhancements:
  – SW encrypted backup. Provides encryption support for tape/virtual tape via BRMS and the tape management APIs (OS option 44)
  – HW encrypted backup solutions via TS11x0 & LTO4 (HW available off release)
  – Encrypted ASP. Provides disk level encryption support for all data written to disk (OS option 45)
  – HW support for disk level encryption (DS8000 and DS5000 series)
  – Encryption key management is required (master keys and data encryption keys)
Firewall – Building a Secure Network
Install and maintain a firewall configuration
– A firewall examines all network traffic and blocks those
(Diagram: Internet, firewall and intrusion monitor at the perimeter; WWW and Domino servers; development system, H/R system and the corporate network behind the firewall.)
Intrusion Monitors
Location: outside your internal company network
What Intrusion Monitors Do:
Perform "Signature Analysis" or "Pattern Matching"
– Patterns: looking for known "bad patterns" in the IP flow.
– Signature Analysis: watching for "trend deviations" in network usage.
– I.e. when someone successfully connects to a machine, packet activity is quite different from when somebody is randomly searching for open ports.
Reaction to suspected malicious behavior:
– Send e-mail or message to pager
– Shut down network or routers
DMZ - Protecting & Isolating your internal network
• External facing network containing interfaces meant to be available externally:
  – Web servers (supporting "external" applications): product information, sales, etc.
  – E-mail servers
  – Limited access to the internal "corporate" intranet
(Diagram: Internet, firewall, DMZ.)
Host Based Intrusion Detection/Prevention – 5.4 & 6.1
Enable intrusion detection support on your host system.
– Detect "internal" attacks on your systems
Real time notification enablement
– E-mail, messages, etc. (i.e., pagers, ISV solutions) in addition to the IM audit records
Numerous intrusion events audited – well-known attacks such as "Smurf", "Fraggle", ACK storms, address poisoning (both IPv4 ARP poisoning and IPv6 neighbor discovery poisoning), Ping-of-Death and many more....
"Extrusions" detected – attacks, scans and traffic regulation anomalies emanating from your host
IPv6 support
GUI – iNav
– Management of IDS policies
IBM Security Partners – Many listed on the IBM i Security site
Products that enhance the native security features available in the
operating system
Many are network based
Apply additional “security” rules
Enforcement of the rules
IBM i Security website:
http://www-03.ibm.com/systems/power/software/i/security.html
http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
For remote connections to your IBM i:
– Use a Virtual Private Network
– Use SSL enabled versions of the client connection applications (Telnet, FTP, iNavigator, etc.)
IP Packet Filtering can be used to PERMIT or DENY based on the packet characteristics:
– Source and destination IP address
– Source and destination IP port
– Protocol
– Packet direction
– Packet fragments
IP Network Address Translation (NAT) can be used to hide a private network behind a single public IP interface (address).
How Do You Use It:
iNavigator: (system) -> Network -> IP Policies -> Packet Rules
Select Rules Editor from the context menu.
The Wizards pull down has three selections.
Many other features...
Client Security
• Most common "client" workstations today are:
  – Microsoft Windows (Windows XP, Windows 7)
  – Apple
  – Some flavor of Linux (SUSE, Red Hat, and others)
  – Smart phones
Client Security – What's required
• Antivirus software & client "personal" firewall
  – Norton, McAfee, Panda, Trend Micro, lots of others, plus many versions of "free-ware"
• Spyware & adware prevention
Client Security – Antivirus and Client Firewall
• Antivirus software
  – Analyzes data files or email attachments looking for "known" attacks
  – "Live update" of the antivirus software loads the latest known attack patterns
• Personal firewall
  – Prevents both unwanted inbound and outbound activity (traffic) to/from the network
Client Security – Virtual Private Network Connection
• Many companies require a Virtual Private Network (VPN) connection to access the internal corporate network from outside
• VPN client software
  – A VPN provides a secure connection over the internet
  – Network traffic is encrypted (scrambled) so that someone who captures it cannot read, and thus steal, the data
• Two factor authentication
  – To access the internal corporate network, a company will often set up and require another form of authentication beyond the password
  – Time based key fob, smart cards, biometrics (finger print scan, etc.)
For remote connections to/from your system:
– Use SSL enabled versions of the client connection applications (Telnet, FTP, etc.)
– What is SSL?
– Similar to a VPN in that the traffic is encrypted, but implemented at the application layer. Only the SSL enabled application's flow is encrypted; a VPN encrypts all traffic between the two endpoints.
– A mixture of SSL enabled and non-SSL enabled applications can be run from the system.
Run at security level 50
Set the security related System Values and lock them down
Use the Security Audit Journal
Protect your sensitive objects with object security
Use Firewalls and intrusion monitors
This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in
other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM
offerings available in your area.
Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions
on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give
you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY
10504-1785 USA.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives
only.
The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or
guarantees either expressed or implied.
All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the
results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations
and conditions.
IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions
worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment
type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal
without notice.
IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.
All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are
dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this
document may have been made on development-level systems. There is no guarantee these measurements will be the same on
generally-available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document
should verify the applicable data for their specific environment.
Revised September 26, 2006
IBM, the IBM logo, ibm.com AIX, AIX (logo), AIX 5L, AIX 6 (logo), AS/400, BladeCenter, Blue Gene, ClusterProven, DB2, ESCON, i5/OS, i5/OS (logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries, Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, Active Memory, Balanced Warehouse, CacheFlow, Cool Blue, IBM Systems Director VMControl, pureScale, TurboCore, Chiphopper, Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Parallel File System, , GPFS, HACMP, HACMP/6000, HASM, IBM Systems Director Active Energy Manager, iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture, Power Everywhere, Power Family, POWER
Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, POWER7, System i, System p, System p5, System Storage, System z, TME 10, Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries.
A full list of U.S. trademarks owned by IBM may be found at: http://www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
AltiVec is a trademark of Freescale Semiconductor, Inc. AMD Opteron is a trademark of Advanced Micro Devices, Inc.
InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.
Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both. NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both.
SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC).
The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).
UNIX is a registered trademark of The Open Group in the United States, other countries or both.