The Networthy iSeries
SG-001—REV2b—MARCH 2005 © Bytware, Inc. All Rights Reserved.
www.bytware.com
Recent security studies show that financial losses due to computer system breaches have increased dramatically in the past several years. In fact, nine out of ten large businesses and government agencies acknowledge system break-ins each year, resulting in losses exceeding $200,000 per organization. Two categories—theft of proprietary information and financial fraud—are the most frequent and most damaging types of security failure. According to the studies, up to forty percent of the damage originates from the Internet, but surprisingly, about two-thirds of the attacks come from inside the firewall—by trusted insiders—operating within the corporation.
The Borderless Network
One of the most dramatic challenges to enterprise security is the borderless corporate network. The rapid adoption of network services, telecommuting employees, contractors and consultants, and B2B and B2C e-commerce has eroded the once well-defined borders of corporate networks. Today's enterprises are often so interconnected that when enterprises electronically interact with other companies, they may end up with virtual insiders.
Virtual insiders are the people connected to the corporate network that the enterprise does not know are there. As illustrated in Figure 1.1 below, these connections are unintended and dynamic. These connections are difficult to include in a traditional security policy, because they often occur when one enterprise grants access to another enterprise. Ubiquitous connectivity is driving fundamental changes in the approaches to enterprise security planning and implementation.
The iSeries Security Dilemma
OS/400 provides excellent security features, which enterprises may (and should) use to secure their corporate data and commands, regardless of how data is accessed (via terminal sessions or network services). A properly implemented exclusion-based, object-level security policy that includes event logging may reduce or eliminate the requirement for exit-point security.
The dilemma arises in the unintentional use of OS/400 public authority. Most iSeries sites have accumulated their corporate resources over time, propagating the default public settings that typically allow any user to read (and potentially alter) any file, or execute any program.
Security was often implemented by using menu-based business applications, thus preventing users access to a command line and limiting access only to corporate data managed by each application.
The dilemma continues when OS/400 security is implemented without considering network services (FTP, ODBC, DDM and Telnet). As companies implement network services and desktop client applications to conduct business, menu-based applications are phased out or are bypassed, returning the enterprise to relying on its OS/400 security as its only means of defense. An additional source of risk occurs when sites install vendor-supplied software, and do not have adequate control over the software's use of network services.
Figure 1.1—Your iSeries operates in a borderless network. Interconnection means that you must also take into consideration "virtual insiders."
It is usually not practical or cost-effective to redesign a system to implement an exclusion-based security policy using OS/400's object-level security features.
Unless you have fully implemented an exclusion-based, object-level security policy, PC users have unlimited, untraceable access to your iSeries files and programs using their 5250 user ID and password in desktop applications. Additionally, no audit logging or time constraints may be enforced, thus allowing open access to your corporate data resources without monitoring of any kind.
The dilemma is resolved by implementing exclusion-based security, phased in over time to avoid business disruptions. StandGuard implements security by focusing on your users and groups (sources), and their relationship to databases, applications, and objects (resources). StandGuard monitors each network service and command at the OS level, controlling access to your corporate data. The result is highly effective, low-maintenance, flexible security for your iSeries assets.
How StandGuard Enforces Security Policies
Exclusion-based security is conceptually simple—access that is not specifically allowed is inherently rejected. StandGuard implements a phased, exclusion-based security approach to secure resources on your iSeries: objects (files, databases and programs, for example), network services (FTP, ODBC, DDM and Telnet) and CL commands. These resources are accessed by sources—end users running client applications on your network. These include common desktop products such as Microsoft Word, Excel, and Access, IBM Client Access, and others.
StandGuard uses the concept of rules to represent sources—entities in your iSeries that identify the specific user, group or location of network service utilization and commands—user IDs, group profiles, authorization lists, and IP address ranges, for example.
StandGuard uses the concept of filters to represent resources—objects in the iSeries that identify paths, objects, libraries, etc.—resources on the iSeries that sources (users) can gain access to. Filters are organized by rule, and allow or reject access to the network services and resources that you know are by business practice either permitted or prohibited.
Rules and filters are the backbone of StandGuard—they identify your corporate assets—and control who may access them. You can specify levels of access, for example, granting some users create and read authority, and others delete authority. Filters also can control who may execute commands.
The collective body of rules and filters you create is your security policy. StandGuard allows you to implement your security policies in an existing operating environment, without disrupting your normal network-based business transactions and activities.
To achieve this, StandGuard promotes a phased approach to implementation, beginning with an open trust-based policy, and progressively strengthening security by securing or turning up network services on a service-by-service basis. (See Figure 1.2.)
As your policy is implemented, tested, and fine-tuned, the result is a lower risk, exclusion-based security policy, all accomplished without operational disruption.
Figure 1.2—StandGuard's phased approach to exclusion-based security allows you to unobtrusively implement security so that there is no disruption to your daily business operations.
StandGuard’s Phased Implementation
When you first install StandGuard, it silently monitors access to services in your system and logs these events for your review. You can review these events and create filters to specifically allow or reject access to resources.
Over the course of a few days or weeks, you will create rules and filters that shape your security policies to:
• control access to specific objects and services
• control access to objects and services during scheduled times
• control access for specific users, groups, and IP addresses
• reject access to objects and services that haven't been granted
• provide an audit log of ongoing activity
Monitoring Phase
During the monitor phase, StandGuard allows network service access to continue unimpeded, so users of these services are not affected in any way. In fact, users are completely unaware that their utilization of network services is even being monitored and logged.
In this phase, StandGuard silently collects event records that describe who accessed what resource, what network service was employed, and when it happened. In and of itself, this has no material impact on reducing your security risk: it is at the same level as before StandGuard was installed. However, it provides the data you need to begin identifying sources and resources and legitimate connections between them. StandGuard provides you the ability to audit the events it generates, so that you develop knowledge of the actual risks you may experience.
Trust-based Security Phase
As you begin implementing your security policies, StandGuard is continuing to allow network services to function normally and record all events for your analysis. Your goal in this phase is to reduce your high risk events to a lower risk level as unobtrusively as possible. When you complete this phase of implementation, your security policy is trust-based.
A trust-based security policy identifies resources that should not be accessed by certain sources. Next, you create rules for the sources, and attach filters that reject access to the resources known to be inappropriate for that source. In short, you create a security policy that rejects inappropriate access to resources. All other activities—via any network service—are allowed, or trusted.
In most cases, the development of the trust-based security policy is an ideal phased approach to a strong, exclusion-based policy, because it is the least intrusive method—one that if implemented correctly, causes no interruption to normal business activity on your system.
Some iSeries servers are implemented in an environment—or used in certain ways—that may permit you to maintain a trust-based security policy indefinitely. These characteristics include an iSeries that:
• is not connected to the Internet
• is used by a small corporation
• has a small, stable set of individual users
• has a small, stable set of libraries and objects
• has most or all access via 5250 terminals
StandGuard's phased implementation takes you from monitoring to trust-based to exclusion-based policies, allowing you to build targeted access privileges for effective yet flexible security.
However, most iSeries servers operate in a borderless network. The borderless network becomes the primary source of security risk, requiring you to implement an exclusion-based policy to maintain the highest level of security for your corporate assets.
Exclusion-based Security Phase
After a trust-based security policy has been implemented (and stabilized) in StandGuard, you are ready to implement an exclusion-based security policy, again without disrupting normal network services activity. This phase is the one that most significantly reduces your risk of security breaches. Implementing exclusion-based security involves two steps:
1. Identify all sources and their legitimate resources
2. Secure network services and commands
When you identify the sources, you match them with each legitimate resource they can access. Next, create a rule for each source, and attach filters that explicitly allow access to the legitimate resources you've identified. This seems ineffective at first—since you are allowing access (to a resource they already have access to), it has no material effect on your existing policy—yet.
Next, you'll secure each network service by changing the default access from allow to reject. Immediately, requests for network services to access resources from unknown sources—or access to unidentified resources by known sources—are rejected. Unknown sources are those that do not exist as rules in StandGuard; unidentified resources are those that are not identified in StandGuard as filters. In short, your security policy does not include them.
The events that are generated as a result of these two types of activity are recorded and listed in a warnings report, where you can review them and take action. You can make minor adjustments and implement new rules and filters immediately, fine-tuning your security policy over time to adjust to changes in the environment and usage patterns.
Upon completion of this phase, you have completed a strong, effective, and manageable exclusion-based implementation phase without disrupting normal network activity, while shielding your system from network service activity from unknown sources, and from known sources accessing improper resources.
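As an added illustration (it is not part of the original paper and not StandGuard's own code), the following Python models the rules-and-filters evaluation described under "How StandGuard Enforces Security Policies" and the three phases above. The same four requests are evaluated under a monitoring policy, a trust-based policy, and an exclusion-based policy in which the FTP and ODBC defaults have been switched from allow to reject. The class names, the ACCTG group, the PAYLIB and HRLIB objects, the IP ranges and the sample requests are constructed assumptions.

```python
"""Added example, not Bytware's code: a small model of rules (sources), filters
(resources per network service) and a per-service default that is flipped from
allow to reject to move from a trust-based to an exclusion-based policy."""
from collections import namedtuple
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# One network-service request as a monitoring log would record it (assumed shape).
Request = namedtuple("Request", "user group ip service resource")


@dataclass
class Filter:
    service: str    # network service, e.g. "FTP" or "ODBC"; "*" matches any
    resource: str   # object pattern; "PAYLIB/*" covers every object in PAYLIB
    action: str     # "allow" or "reject"

    def matches(self, service, resource):
        return fnmatchcase(service, self.service) and fnmatchcase(resource, self.resource)


@dataclass
class Rule:
    name: str
    users: set = field(default_factory=set)       # user IDs
    groups: set = field(default_factory=set)      # group profiles
    networks: list = field(default_factory=list)  # IP address ranges in CIDR form
    filters: list = field(default_factory=list)

    def matches(self, user, group, ip):
        addr = ip_address(ip)
        return (user in self.users or group in self.groups
                or any(addr in ip_network(n) for n in self.networks))


class Policy:
    """phase is "monitor" (log only, everything allowed) or "enforce"."""

    def __init__(self, phase="monitor"):
        self.phase = phase
        self.rules = []
        self.service_default = {}   # per service: "allow" (trust-based) or "reject"
        self.events = []            # audit log of every request and its outcome
        self.warnings = []          # requests rejected by a service default, for review

    def decide(self, req):
        matched = [r for r in self.rules if r.matches(req.user, req.group, req.ip)]
        hits = [f for r in matched for f in r.filters if f.matches(req.service, req.resource)]
        if any(f.action == "reject" for f in hits):
            verdict, reason = "reject", "rejected by filter"
        elif hits:
            verdict, reason = "allow", "allowed by filter"
        else:
            # Not covered by the policy: an unknown source (no rule matched) or an
            # unidentified resource (rule matched, no filter). The service default decides.
            verdict = self.service_default.get(req.service, "allow")
            reason = "unknown source" if not matched else "unidentified resource"
            reason += f", {req.service} default {verdict}"
        if self.phase == "monitor":
            reason, verdict = f"monitor only, would {verdict}: {reason}", "allow"
        self.events.append((req, verdict, reason))
        if verdict == "reject" and not hits:
            self.warnings.append((req, reason))
        return verdict, reason


# Constructed sample traffic, the kind a monitoring-phase log would show.
SAMPLE = [
    Request("CLERK1", "ACCTG", "10.1.1.20", "ODBC", "PAYLIB/PAYROLL"),
    Request("CLERK1", "ACCTG", "10.1.1.20", "FTP", "PAYLIB/PAYROLL"),
    Request("VENDOR9", "", "172.16.5.7", "FTP", "PAYLIB/PAYROLL"),
    Request("CLERK1", "ACCTG", "10.1.1.20", "ODBC", "HRLIB/SALARIES"),
]


def build_policy(phase, exclusion_services=()):
    policy = Policy(phase)
    acctg = Rule("accounting", groups={"ACCTG"}, networks=["10.1.1.0/24"])
    acctg.filters.append(Filter("FTP", "PAYLIB/*", "reject"))        # trust-based: reject known-bad
    acctg.filters.append(Filter("ODBC", "PAYLIB/PAYROLL", "allow"))  # exclusion-based: allow known-good
    policy.rules.append(acctg)
    for svc in exclusion_services:      # "securing" a service = default reject
        policy.service_default[svc] = "reject"
    return policy


def run_phases():
    """Verdicts for SAMPLE in each phase, plus the exclusion-phase warnings."""
    phases = {"monitor": build_policy("monitor"),
              "trust": build_policy("enforce"),
              "exclusion": build_policy("enforce", ("FTP", "ODBC"))}
    verdicts = {name: [p.decide(r)[0] for r in SAMPLE] for name, p in phases.items()}
    verdicts["warnings"] = [reason for _, reason in phases["exclusion"].warnings]
    return verdicts
```

Changing a service default is the only difference between the trust-based and exclusion-based runs. The requests from the unknown source and for the unidentified resource are not dropped silently: they land in warnings with the reason recorded, which is the review loop the warnings report provides for.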
Benefits of Using StandGuard
Complement External Firewall Security
A firewall protects your internal network from Internet access. However, it does not protect your system from internal access or provide any system audit trail. For example, firewalls cannot prevent a file from accidental or intentional deletion. StandGuard provides a complementary layer of security to your general-purpose firewall by monitoring and controlling access to specific network services and resources behind the firewall and within the corporation.
Improve System Availability and Meet Service Level Expectations
StandGuard improves service levels and system availability by significantly reducing the risk of downtime caused by accidental or intentional deletion of corporate data by unauthorized personnel.
Simplify Administration and Implementation of Your Security Policies
StandGuard reduces system administration and saves you money by simplifying security policy implementation and administration.
For example:
• group filters by group profile and location
• apply wildcards to a range of objects (all objects in a library)
Protect Corporate Assets from Unauthorized Viewing, Altering, Theft or Destruction
Two types of activity that may compromise the privacy of corporate data require significant proactive policies: unauthorized viewing and theft, and inappropriate destruction. Data destruction is usually obvious: data has been deleted, altered or corrupted. Unauthorized data alteration is more difficult to identify than data that has been deleted, particularly if only selected records have been altered. Data privacy breaches involving unauthorized viewing of private information or theft do not leave evidence in the data itself—you must look elsewhere to determine if corporate data has been compromised.
StandGuard silently monitors and logs all requests for network services. Unauthorized transactions are rejected, based on your security policies. Allowed transactions are silently monitored, recording details about each file access and each command executed.
In the unlikely event of damaging activity, you'll have an audit trail to assist you in reconstructing exactly who, how, and when the activity took place.
Track Authorized Data Access to Comply with Legal Requirements or Corporate Policies
Certain industries maintain public trust by closely monitoring and logging all access to certain classes of data. In the health and medical industry, for example, private data includes patient records, drug purchases, and other key hospital operational information. StandGuard can be configured to log each access to specific data files, databases and other objects, identifying the access by user ID, IP address, time of request, and activities performed.
These logs can be recorded for specific time periods, and archived for permanent storage, which may help meet auditing requirements.
Monitoring, logging, and archiving in this manner can be a key step in complying with Sarbanes-Oxley and similar legislation.
Log Legitimate Activity as an Audit Trail
No security policy can prevent authorized users who exercise a corporate trust from accidentally or intentionally deleting or damaging data to which they legitimately have access. StandGuard allows you to log all network service activities, including those that track legitimate, normal access to data and transactions. These event logs may help mitigate data damage, by clearly identifying the source that accessed the resource that was damaged, when it occurred, and via what network service.
Protect from Insider Malicious Intent
Most corporations focus on two general types of security to prevent unauthorized use or destruction of corporate data and resources: physical security (preventing unauthorized personnel from accessing personal computers or terminals), and network security (implementing firewalls, VPNs and other electronic security measures). Both are intended to reduce unauthorized access from people who are not a legitimate part of a corporate community.
However, "inside" jobs are perpetrated by people who are authorized—employees, contractors, clients or consultants. These security breaches are the most difficult to track and prevent—and prosecute.
With StandGuard you can easily and quickly react to reports of an employee who may have reason to compromise or destroy corporate data by setting up policies to track their activity.
If you are alerted by a corporate officer or security personnel to an employee who may have reason to compromise or destroy corporate data, you can use StandGuard to quickly—and without notice—implement specific security policies to track the individual's activity.
You can set up rules that track the person's user ID, and filters that monitor and control access to all commands, objects, IFS file access and native file access. These rules and filters log all activity for potential use in corporate or legal actions.
For additional information about StandGuard, please visit bytware.com/products/standguard.html.
Rules-based Security
• Create rules for users, groups, locations
• Create filters to allow or reject specific types of operations to files, programs, and IFS objects
• Specifically or generically identify sources and resources
• Perform actions when specific events occur
• Proactively monitor activity
• Interface with Messenger products for event management, escalation and notification
Monitors and Secures
• FTP
• ODBC/SQL
• Telnet
• DDM/DRDA
• NetServer (Network Neighborhood)
• Integrated File System (IFS)
• CL Command Keywords
Services Monitoring and Security
• Allow or reject requests for services from users, groups, and locations
• Apply schedules to control when iSeries resources are available for specific users, groups and locations
• Provide audit trail of service usage, such as Telnet logins
Audit Journal Monitoring
• User-configurable filtering of events from the OS/400 Security Audit Journal
• Perform actions when events are found, such as notifying administrators when system values are changed, or user profiles are disabled
• Provide audit trail of critical events
Command Monitoring
• Monitor and secure usage of CL Command keywords, such as PWRDWNSYS RESTART(*NO)
• Override keywords for specific users and groups, such as RESTART(*YES) for QSYSOPR
• Reject specific keywords for users and groups
• Provide audit trail of keyword usage
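The command monitoring features above (reject a keyword value for everyone, override it for a specific profile, and keep an audit trail of keyword usage) are shown below as an added Python example. It is not part of the original paper and not StandGuard's code. PWRDWNSYS, RESTART(*NO), RESTART(*YES) and QSYSOPR come from the feature list; the parser, the rule structure, the audit record shape and the sample command strings are constructed assumptions.

```python
"""Added example, not Bytware's code: a CL command keyword check. A rule set
rejects PWRDWNSYS RESTART(*NO) for everyone but overrides it to RESTART(*YES)
for QSYSOPR, and every decision is appended to an audit list."""
import re
from dataclasses import dataclass

# CL syntax is COMMAND KEYWORD(value) KEYWORD(value) ...; this parser handles
# values without nested parentheses, which covers the keywords checked here.
CL_KEYWORD = re.compile(r"([A-Za-z][A-Za-z0-9]*)\(([^()]*)\)")


def parse_cl(command):
    """Return (command name, {KEYWORD: value}) for a CL command string."""
    parts = command.strip().split(None, 1)
    name = parts[0].upper()
    keywords = {}
    if len(parts) > 1:
        for kw, val in CL_KEYWORD.findall(parts[1]):
            keywords[kw.upper()] = val.strip().upper()
    return name, keywords


def format_cl(name, keywords):
    return " ".join([name] + [f"{k}({v})" for k, v in keywords.items()])


@dataclass
class KeywordRule:
    command: str
    keyword: str
    value: str           # keyword value that triggers the rule, e.g. "*NO"
    action: str          # "reject" or "override"
    subjects: frozenset  # user IDs or group profiles; {"*"} means everyone
    new_value: str = ""  # replacement value when action is "override"

    def applies(self, name, keywords, user, group):
        return (self.command == name and keywords.get(self.keyword) == self.value
                and ("*" in self.subjects or user in self.subjects or group in self.subjects))


def check_command(command, user, group, rules, audit):
    """First matching rule wins, so list profile-specific overrides before the
    general reject. Every decision is appended to audit (the keyword audit trail)."""
    name, keywords = parse_cl(command)
    for rule in rules:
        if rule.applies(name, keywords, user, group):
            if rule.action == "override":
                keywords[rule.keyword] = rule.new_value
                result = ("allow", format_cl(name, keywords))
            else:
                result = ("reject", command)
            audit.append((user, command, result[0], f"{rule.keyword}({rule.value})"))
            return result
    audit.append((user, command, "allow", ""))
    return "allow", command


# Constructed rule set: QSYSOPR's RESTART(*NO) becomes RESTART(*YES); anyone else is rejected.
RULES = [
    KeywordRule("PWRDWNSYS", "RESTART", "*NO", "override", frozenset({"QSYSOPR"}), "*YES"),
    KeywordRule("PWRDWNSYS", "RESTART", "*NO", "reject", frozenset({"*"})),
]


def demo():
    """Run constructed sample commands through RULES; returns (results, audit)."""
    audit = []
    results = [
        check_command("PWRDWNSYS OPTION(*IMMED) RESTART(*NO)", "QSYSOPR", "", RULES, audit),
        check_command("PWRDWNSYS OPTION(*IMMED) RESTART(*NO)", "CLERK1", "ACCTG", RULES, audit),
        check_command("PWRDWNSYS OPTION(*CNTRLD) RESTART(*YES)", "CLERK1", "ACCTG", RULES, audit),
        check_command("DSPLIB LIB(PAYLIB)", "CLERK1", "ACCTG", RULES, audit),
    ]
    return results, audit
```

The override returns the rewritten command string rather than the original, so what actually executes is the corrected keyword value; the audit entry records which keyword and value triggered the rule so that keyword usage can be reported later.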
Reporting
• Log events for selected users, groups, files, operations
• Service and filter usage
• Search and print events
• Automatic cleanup
Actions
• Send messages
• Run commands
• Alerts via an interface with Bytware's Messenger automated monitoring, notification, and consoling solutions
Helps with Sarbanes-Oxley Compliance
Helps meet the following COBIT Objectives:
• PO9.2: Risk Assessment Approach
• AI3.7: Use and Monitoring of System Utilities
• DS5.1: Manage Security Measures
• DS5.2: Identification, Authentication, and Access
• DS5.3: Security of Online Access to Data
• DS5.5: Management Review of User Accounts
• DS5.7: Security Surveillance
• DS5.10: Violation and Security Activity Reports
• DS5.17: Protection of Security Functions
• DS5.19: Malicious Software Prevention, Detection, and Correction