AS/400 Internet Security Principles
Based on a Presentation by Patrick Botz
COMMON Europe
December 2000
IBM

Agenda
The Internet Security Threat
Establishing a Security Policy
Protecting a Public Server
ISP Security
Host Security
Network Security
Application Security
Protecting Internal Servers
The Role of a firewall

Explosive growth of the Internet
  $1.3T market forecast in 2003
  Estimated $50B in 1998
  Revised from $32B mid-1998 estimate
Makes the Internet...
  Desirable place to do business
  Attractive place to steal from business
Percent whose computer systems had unauthorized use within the year:
  Yes - 64%
  No/Unknown - 36%
... and not just once.
[Chart: number of entry attempts (1 to 5, 5 to 10, > 10, Don't know) against percent of sites]
(Computer Security Institute - March 98)
Serious Breaches Occurring
  500 firms surveyed
  32% sought help from law enforcement
  Up 17% from last year
  (Computer Security Institute - March 99)
Financial losses
  $124 million from all security breaches
  Down from $137 million in 1997
  Losses from financial fraud and theft of data up sharply
  Estimated real losses in $10s of billions
  (IDC - March 99)

Sniffing: user=jim pw=xl2rq
Spoofing: addr=192.168.67.3
Denial of service
Trusted hosts

Security is a business function
It's all a matter of Risk Management
[Diagram: Your Business placed on a scale between "Open System" and "Locked Down Tight"]

Authorization
"Does this person have access to this data or application?"
Authenticity
"Is this person who he says he is?"
Privacy
"Is any personal information I give out being compromised?"
Integrity of Information
"Am I confident that the data I receive and send is not being tampered with?"
Non-repudiation

Authorization
  OS/400 Object Level Authorities
  HTTP Server Protection Directives
Authenticity
  Encryption using SSL, Certificates
  Hide Addresses w/ NAT, Proxy
  Passwords, Validation Lists
Privacy
  Encryption using SSL
Integrity of Information
  Integrity Checks with SSL
  Digital Signatures with Domino
  Block Unwanted Traffic with Firewalls, IP Filtering
Non-repudiation
  Certificates, SSL, Signatures, Logs

What are your security policies?
  Corporate Security
  I/T Security
  Networking Security
Access Vs. Security
  What services are to be permitted (http, ftp, telnet...)?
  What Internet sites may be accessed?
  What may be accessed from the Internet?
  FTP access <-> PC virus introduction
  Mail exchange <-> mail flooding
  Web server <-> web graffiti
Internet Security Policies
  Host Security
  Appl Security

Secondary defenses
Chokepoints
Educated Users
Tested
Explicit Authority
Simplicity
[Diagram: Untrusted Internet, Internal Network]

Symmetric Key
Public Key
Digital Certificates
Secure Sockets Layer - SSL
Digital Signatures
Security

[Diagram: symmetric key. Sandy encrypts the plaintext "Dave, here are the specs" with the secret key; the cyphertext "x9*hn7$FD#)gk" is sent; Dave decrypts it with the same secret key.]

[Diagram: public key. Sandy encrypts the plaintext "Dave, here are the specs" with Dave's public key; the cyphertext "x9*hn7$FD#)gk" is sent; Dave decrypts it with Dave's private key.]

Digital Signatures
[Diagram: signed and encrypted message. Sandy encrypts the plaintext "Dave, here are the specs" with Sandy's private key to produce the signed message, then encrypts that with Dave's public key to produce the signed and encrypted message. Dave decrypts with Dave's private key to recover the signed message, then decrypts with Sandy's public key to recover the plaintext. Cyphertexts shown: mJ3#p%kl@4nv, x9*hn7$FD#)gk]

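Data Integrity
[Diagram: the message to be sent is run through a secure hash to give a message digest, from which the digital signature is produced. The receiver runs the received message through the secure hash to give a message digest, obtains a message digest from the signature using the sender's public key certificate, and compares the two (?).]
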
Digital document - a file that validates the identity of the certificate's owner
Contains public key
Created by trusted 3rd parties called Certificate Authorities
Can be distributed freely
Digital signature prevents tampering
Identifies a user or a system
Internet Certificate Authorities (CA)
  Verisign, CyberTrust, Entrust, Equifax, IBM ...many others
Intranet Certificate Authorities (CA)
  AS/400 system can be intranet CA
  Most corporations have their own Certificate Authority
[Diagram: Certificate, "University of the Internet": Issue Date, Distinguished Name, Public Key, Expiration Date, Digital Signature of CA]

Uses certificates for identification
  Server identity
  Public/Private keys used to prove server identity
  Optional client-side authentication
Data privacy (encryption)
  Internet or intranet
Supports HTTP server (https) and LDAP for V4R3. Supports Client Access/400, TELNET, and DDM for V4R4. More to come.
Applications must be rewritten to use SSL
SSL version 2.0 for Server and 3.0 for Client Authentication.
End-to-end encrypted communication session
[Diagram: web browser and web server across the Internet; certificates "Owner: John Doe" and "Owner: IBM Server, IBM Corp., Issuer: Verisign"]

HTTPS
Client -> Server: Client Hello (Encryption Options)
Server -> Client: Server Hello (Encryption Option OK, Server certificate)
Client verifies server certificate
Client generates a master session key which is used to generate client and server encryption keys (Client write-key, Client read-key)
Client -> Server: Client pre master secret key (master session key encrypted by server's public key)
Server decrypts pre master secret key with private key. It then uses it to generate a server key pair (Server write-key, Server read-key)
Server -> Client: Server verify (Client Hello encrypted by session key); Server authenticated
Client write-key = Server read-key
Client read-key = Server write-key
Client <-> Server: Encrypted Application Data

Layers of security
  Internet Service Provider
  Host
  Communications (TCP/IP)
  TCP/IP application
  Internal Network
Public server must be secured even if it is isolated or if you have a firewall.
[Diagram: Internet, Router, Public Server ("XYZ Co. Home Pg"), Firewall]

Block incoming telnet connections
Block finger, snmp, ...
Provide Domain Name Services
[Diagram: Internet, Router (Packet filter, Domain Name Services), Public Server ("XYZ Co. Home Pg"), Internal Network]

Enable Resource Security
  QSECURITY >= 40
Password attack prevention
  QPWDMINLEN = 6 ...
  QMAXSGN = 3
  QMAXSGNACT = 3
  QAUTOVRT = 0
Tightly control "high-powered" profiles
  QLMTSECOFR = 1
  Limit profiles with *ALLOBJ, *SECADM and *IOSYSCFG
Verify and Monitor
  GO SECTOOLS or GO SECBATCH
  Check passwords (ANZDFTPWD)
  Check security relevant values (PRTSYSSEC)
  Use QSYSMSG message queue
Use Object Security
  The libraries/directories you create should be PUBLIC(*EXCLUDE)
[Diagram: Internet, Router, Public Server]
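
An added example, not part of the original presentation: a Python check of exported system values against the baseline on the host security slide above. The "NAME VALUE" input format, the reading of QPWDMINLEN = 6 as a minimum and QMAXSGN = 3 as a maximum, and the function names are this example's assumptions.

```python
# Added example: baseline values come from the slide above; the comparison
# operators (minimum / maximum / exact) are this example's assumption.
BASELINE = {
    "QSECURITY": (">=", 40),
    "QPWDMINLEN": (">=", 6),
    "QMAXSGN": ("<=", 3),
    "QMAXSGNACT": ("==", 3),
    "QAUTOVRT": ("==", 0),
    "QLMTSECOFR": ("==", 1),
}

# Constructed sample export, one "NAME VALUE" pair per line (not real output).
SAMPLE = """\
QSECURITY 30
QPWDMINLEN 6
QMAXSGN *NOMAX
QMAXSGNACT 3
QAUTOVRT 0
"""


def parse(text):
    """Turn 'NAME VALUE' lines into a dict, ignoring malformed lines."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            values[parts[0].upper()] = parts[1].upper()
    return values


def audit(values):
    """Return (name, found, required) for every value that misses the baseline."""
    findings = []
    for name, (op, want) in BASELINE.items():
        raw = values.get(name, "missing")
        # Special values such as *NOMAX, and absent values, never satisfy a numeric rule.
        if raw.isdigit():
            got = int(raw)
            if {">=": got >= want, "<=": got <= want, "==": got == want}[op]:
                continue
        findings.append((name, raw, f"{op} {want}"))
    return findings


if __name__ == "__main__":
    for name, found, required in audit(parse(SAMPLE)):
        print(f"{name}: found {found}, baseline requires {required}")
```

The constructed sample fails on three points: a security level below 40, unlimited sign-on attempts, and a QLMTSECOFR value that was never exported.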

*IOSYSCFG authority controls who can make changes
Only start TCP/IP applications you need
  CHGCMDDFT CMD(STRTCPSVR) NEWDFT('SERVER(*HTTP)')
  CHGTELNA AUTOSTART(*NO)
  CHGWSGA AUTOSTART(*NO)
  ...
No IP forwarding
  CHGTCPA IPDTGFWD(*NO)
Don't define host name of internal systems
Define only one route (default)
[Diagram: Public Server; TCP/IP; HTTP, Mail, FTP, Others]

Lots of things to consider when securing web servers and web applications!
  Server directives
  Protection directives
  Secure data transmission (encryption over the wire)
    Secure Sockets Layer (SSL)
    Digital Certificates
    Managing digital certificates
  CGI-BIN programs
[Diagram: Public Server; TCP/IP; HTTP, Mail, FTP, Others]

Server directives control which directories can be accessed
  PASS controls which files can be accessed
  Use MAP and PASS to provide an alias for file locations
  EXEC controls which CGI programs can be run
Don't mix CGI programs with other programs
Don't put any sensitive data in directories accessible by URLs
Don't allow directories to be viewed
Requests from the Internet:
  http://www.yourserver.com/App1/Main.htm
  http://www.yourserver.com/App1/Pgm/UPDATE
Directives:
  Exec /App1/Pgm/* /QSYS.LIB/APP1.LIB/*
  Pass /App1/* /www/html/App1/*
  DirAccess OFF
[Diagram: Libraries (QSYS.LIB): APP1, QGPL, WEBTOOLS; Directories: /www, /html, /App1, /App2]
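
An added example, not part of the original presentation and not IBM's code: a simplified Python model of how the ordered Map, Pass and Exec directives above resolve the two sample requests, and a check that the narrower Exec rule is not shadowed by an earlier, broader Pass. First-match processing with rejection of unmatched requests is the model assumed here; the function names and the dot-dot refusal are this example's own.

```python
# Added example: a simplified model of ordered Map/Pass/Exec processing.
# Rules are in file order, as on the slide (Exec before the broader Pass).
RULES = [
    ("Exec", "/App1/Pgm/*", "/QSYS.LIB/APP1.LIB/*"),
    ("Pass", "/App1/*", "/www/html/App1/*"),
]

def match(template, path):
    """Return the text matched by a trailing '*', or None when there is no match."""
    if template.endswith("*"):
        prefix = template[:-1]
        return path[len(prefix):] if path.startswith(prefix) else None
    return "" if path == template else None

def resolve(rules, path):
    """Return (directive, target) for the first Pass/Exec that matches, else Deny."""
    # Model choice (assumption): refuse dot-dot segments instead of normalising them.
    if ".." in path.split("/"):
        return ("Deny", None)
    for directive, template, replacement in rules:
        tail = match(template, path)
        if tail is None:
            continue
        target = replacement.replace("*", tail, 1)
        if directive == "Map":
            path = target  # Map rewrites the request and matching continues
            continue
        return (directive, target)
    return ("Deny", None)  # nothing accepted the request

def audit_order(rules):
    """Flag Exec rules that can never fire because an earlier Pass covers them."""
    shadowed = []
    for i, (directive, template, _) in enumerate(rules):
        if directive != "Exec":
            continue
        probe = template.rstrip("*") + "X"  # any request the Exec rule would match
        for earlier, earlier_tpl, _ in rules[:i]:
            if earlier == "Pass" and match(earlier_tpl, probe) is not None:
                shadowed.append((template, earlier_tpl))
    return shadowed

if __name__ == "__main__":
    for url in ("/App1/Main.htm", "/App1/Pgm/UPDATE", "/App2/x.htm"):
        print(url, "->", resolve(RULES, url))
    print("shadowed:", audit_order(list(reversed(RULES))))
```

With the two rules swapped, the request for /App1/Pgm/UPDATE is treated as a file under /www/html/App1/ instead of a program in APP1.LIB, which is what audit_order reports.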

Server PROTECTION directives control who can access data
Example Security Models
Application #1 - public application
  No userid or password required
  Programs and data are accessed using a default profile (e.g. QTMHHTTP)
Application #2 - employees only
  AS/400 user profile and password required (basic authentication)
  Programs and data are accessed using the user profile
Application #3 - limited set of Internet users only
  "Internet userid" and password required (basic authentication)
  Userids are entries in a Validation List object
  Programs and data are accessed using a default profile (e.g. WEBAPP3)

IBM HTTP Server for AS/400
  Provides encryption support for HTTP
  Secure Sockets Layer (SSL)
  Digital Certificate Manager
  US/Canada and International versions
Internet users want secure communications (e.g. passwords)
Internet users want secure transactions (e.g. credit card numbers)
Securing the public server is not enough
[Diagram: Internet; IBM HTTP Server for AS/400; Server Certificate; SSL - encrypted session]

HTTP
FTP
Various other applications
[Diagram: Public Server; TCP/IP; FTP, Mail, Others]

Don't use passwords from the Internet
  Only support ANONYMOUS FTP
  Provide exit program to select user profile (e.g. ANYFTPUSR)
  Provide exit program to determine allowed operations (e.g. GET only)
Strictly limit access of FTP user
Don't rely on client's IP address
[Diagram: FTP client logs on with user=anonymous [email protected]; FTP Server: Server Logon Exit Point -> Exit Program -> User="ANYFTPUSR"; Server Request Validation Exit Point -> Exit Program -> "GET" -> OK; *USE and *EXCLUDE authority over Libraries (QSYS.LIB): DATALIB, QGPL, WEBTOOLS and Directories: /www, /html, /App1, /App2]

A public server should have limited or no mail support
Don't want to store mail on system accessible by the public
Not for general mail delivery
Set auxiliary storage threshold
No *ANY *ANY directory entry
Directory entries
  INFO YOURSYS
  SUPPORT YOURSYS
[Diagram: SMTP mail addressed to [email protected]]

Internal host names not visible from Internet
Internal addresses do not reach Internet
Sensitive data kept behind a firewall
Private network accessed with encrypted sessions
What we haven't talked about
  Internal systems
[Diagram: Internet, Router, Firewall; www.mycomp.com, 192.168.5.23]

AS/400 security features make it a good Internet Server
  Proven operating system integrity
  Excellent host level security
  Integrated communications security
  Secure HTTP serving
The Internet can be a reasonably safe place to do business
  Caution is advised; poor planning or mistakes could be disastrous
  Cryptography plays a major role
  Internet security is still evolving

IBM SecureWay, AS/400 and the Internet, G325-6321
Tips and Tools for Securing Your AS/400, SC41-5300
AS/400 Internet Security: Securing Your AS/400 from HARM in the Internet, SG24-4929 (Redbook)
Building Internet Firewalls; Chapman and Zwicky, O'Reilly and Associates 1995, ISBN #1565921240
http://www.as400.ibm.com/techstudio
  AS/400 Security
  AS/400 Firewall Solution
  AS/400 Host Security Advisor
  Operations Navigator Security Wizard
http://www.ibm.com/Security
http://www.ncsa.com/
IBM publications now available via the web!!!
http://as400bks.rochester.ibm.com/
Other company, product, and service names may be trademarks of their respected providers. Copyright International Business Machines Corporation 2000