IBM i Security – Best Practices
Jeffrey Uehling, IBM i security, [email protected]
Session: 500050 Agenda Key: 24FG
© 2015 International Business Machines Corporation 1
Best Practices - Outline
• Physical Security
• Staying Current on Fixes
• System security levels
• System value settings
• Security audit journal
• Resource security
• Network security
Physical Security – a Necessity
• Physical Security, Server
  • Front panel
  • Power, cabling
  • Racks/Storage devices
• Physical Security, Networking
  • Firewalls, routers, switches, cabling, power
  • Prevent configuration changes and sniffing equipment
  • Wireless poses a challenge; secure networks are necessary (WEP, WPA, WPA2, etc.)
• Physical Security, Peripherals
  • Tape drives/cartridges, Printers/output, Fax, etc.
  • SAN attached DASD
• Mobile Devices
Security Vulnerabilities
Many security vulnerabilities are being reported: Heartbleed, Bash/Shellshock, POODLE, GHOST, FREAK, Bar Mitzvah, plus many, many more!
What’s happening, and why so many?
• Numerous independent researchers
• Lots of open source, so it is easy to review code and look for issues
• Common OS in many products (Linux, Unix, Windows), so when a vulnerability is found it is likely to be everywhere
• Tools are available to exploit technology (look for holes): hacker tools, penetration testing tools, code scanners
• High-use technology, like Java, SSL and OpenSSL, is scrutinized
• Vendors are doing more penetration testing and thus finding bugs
Security Vulnerabilities – IBM i
IBM i technology areas with multiple (recent) reported vulnerabilities:
• Java (quarterly updates; you need to stay current)
• OpenSSL
• Web and Application Servers
• Samba
• Networking technology and (infrequently) cryptographic algorithms
• IBM i OS
Typically, apply the PTF/Fix/Product Update and the vulnerability is fixed, but not always: additional actions may be required.
Security Vulnerabilities – Not just the OS
Staying Current on Fixes is not just a client and server problem: the vulnerabilities affect most everything in your enterprise.
• IBM i OS, LIC and Products
• VIOS, IBM i, AIX, Linux partitions
• HMC & Firmware
• 3rd party (vendor) applications
• SAN/Storage, Tape, Printers
• Networking Switches, Firewalls & Routers
• Each and every Server, Client (including mobile) and HW component in your Enterprise
  – Nearly everything includes an OS and/or FW (where there is code, a vulnerability is a possibility)
Poodle & Bar Mitzvah – Vulnerabilities with no fix
What are the Poodle/Bar Mitzvah Vulnerabilities?
• SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, which is a man-in-the-middle attack affecting Web browsers/applications. Bar Mitzvah is similar in that it is present when the RC4 algorithm is used in SSL & TLS.
• There is NO fix for SSLv3 or for RC4. Customers must move to TLS and away from RC4.
• Applications connecting via SSLv3 to servers are exposed to the POODLE attack. As applications, servers, and browsers disable the use of SSLv3, many applications will fail because they don’t support the more secure and latest technology called TLS (Transport Layer Security), or the app is written directly to SSLv3. The same applies to RC4.
IBM Security Process - PSIRT
Product Security Incident Response Team
• Global IBM Core Team (including IBM i representatives)
• xForce (IBM-wide Security Team, vulnerability assessment)
  – CVSS (vulnerability scoring)
• Industry Affiliations – Vulnerability Reporting
  • ICASI (Industry Consortium for Advancement of Security on the Internet)
  • FIRST (Forum of Incident Response and Security Teams)
  • IT-ISAC (Information Technology - Information Sharing and Analysis Center)
  • FS-ISAC (Financial Services - Information Sharing and Analysis Center)
PSIRT Process Output:
• PTFs/Fixes
• Security Bulletin – customer notification of problem and fix
Security Fixes
• IBM i Security PTF Group
• Not all PTFs/Fixes can be added to the Security PTF Group because of installation requirements!
  • Java updates
  • iAccess
  • Web and Application Servers
  • Lotus
  • etc.
• And fixes for areas such as HMC, FW, VIOS, Networking Equipment, Peripherals, Other Platforms, etc.
Customer Awareness of Security Issues
• The “Press”
• IBM Support Center
  • Typically after a public announcement of a vulnerability
• PSIRT publication of Security Bulletin URLs
• My Notifications (Customer Subscription)
  • Security Bulletins
  • Technotes
• The support for IBM i subscription via “My Notifications” for security bulletins is available.
Security levels, why run at a high security level
System security level 50... Good reasons to run there:
1. Object Domain Checking
2. Hardware storage protection
3. Parameter validation
NOTE: System security level controlled via QSECURITY system value
Security Level 30 – Not a secure environment
Security level 30 is NOT a secure security level!
User written programs, running at security level 30, can gain “write” access to objects with minimal authority.
• System interfaces perform appropriate authority checks, but security exposures exist on this security level (examples will follow)
  • *USE required by DSPDTAARA
  • *CHANGE required by CHGDTAARA
Object Domain attributes - Object integrity
Every object (*CMD, *FILE, *PGM, etc.) has a “domain”. Every program has a “state” (*SYSTEM or *USER).
Program run state: *SYSTEM or *USER (DSPPGM/DSPSRVPGM)
Object Domain: *SYSTEM or *USER (DSPOBJD)
Program state is compared against object Domain:
• Programs running *SYSTEM state can access both *USER and *SYSTEM domain objects.
• Programs running *USER state can only access *USER domain objects.
• Security level 30 ALLOWS access regardless of state/domain combination
• Security level 40 and 50 enforce domain checking
Object Domain, Program State [diagram: program state (*SYSTEM/*USER) versus object domain (*SYSTEM/*USER)]
Hardware Storage Protection (HSP) - Object integrity
Program state is compared against object HSP to determine allowable access. Every object has an HSP value.
• Security level 30 ALLOWS access regardless of state/HSP combination
• NOTE: Some HSP violations can occur on all security levels
• Security level 40 and 50 enforce HSP checking
Object HSP attributes:
− Allow access from any state (no protection: *USRSPC, *USRQ, *USRIDX)
− Read only in any state (*PGM, *SRVPGM)
− No access in user state (setting for most objects, 5.3 and prior)
− Enhanced storage protection (5.4 and beyond)
MI object overview
Object attributes – Integrity Protection required
[Diagram of an MI object, top to bottom:]
Encapsulated MI Object header, available to LIC (LIC only):
– Object domain (most objects are *SYSTEM domain)
– Object owner
– Public authority
– Hardware storage protection setting
– Encapsulated object data
Associated space (OS & LIC): byte addressable area for use by above-MI (user and OS) programs. The associated space is used to store operating system and user data for objects, i.e. *CMD, *DTAARA, *JOBD, *USRSPC, *USRPRF, etc.
Encapsulated Data Segment (LIC only): *FILE, *STMF, etc. (sample records shown in the diagram: John Smith 111-33-5555, Jeff Uehling 222-44-6666)
Authority checking and integrity support at level 40 & 50
User written programs, running at security level 40 or 50, MUST use system interfaces (commands and APIs) to gain access to the objects.
– Authority checking is enforced by the system interface
– Parameter validation is performed
– Object Domain checking is performed
– Object Hardware storage protection is performed
Direct access by user programs to system objects is not allowed at security level 40 and 50 due to domain and hardware storage protection attributes.
Disclaimer
This presentation contains programming examples ("Sample Code").
IBM grants you a nonexclusive copyright license to use the Sample Code to generate similar function tailored to your own specific needs.
The Sample Code is provided by IBM for illustrative purposes only. The Sample Code has not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of the Sample Code.
The Sample Code contained herein is provided to you "AS IS" without any warranties of any kind. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE EXPRESSLY DISCLAIMED. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU.
IN NO EVENT WILL IBM BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES FOR ANY USE OF THE SAMPLE CODE INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER DATA ON YOUR INFORMATION HANDLING SYSTEM OR OTHERWISE, EVEN IF WE ARE EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Example exposure at security level 30: JOBD User
Signon as a user with *ALLOBJ special authority.
Create a job description object:
• CRTJOBD JOBD(QGPL/TEST) USER(QUSER) AUT(*USE)
Display the job description object, paying attention to the user:
• DSPJOBD JOBD(QGPL/TEST)
Create and call the program using the source on the following slide:
• CRTBNDC PGM(TESTLIB/TESTPGM1) SRCFILE(QCSRC)
Signon as a user without *ALLOBJ special authority.
Attempt to change the job description object:
• CHGJOBD JOBD(QGPL/TEST) USER(FRED)
  Result: “Not authorized to object” error.
Call the program (source on the next slide):
• CALL PGM(TESTLIB/TESTPGM1)
Display the job description object, paying attention to the user:
• DSPJOBD JOBD(QGPL/TEST)
Change the JOBD User

#include <mih/rslvsp.h>
#include <mih/setsppfp.h>
#include <string.h>

/* TESTPGM1: demonstrates the security level 30 exposure from the
 * previous slide. A user with only *USE authority to QGPL/TEST resolves
 * a system pointer to the *JOBD without requesting any authority, takes
 * a space pointer to its associated space and overwrites the USER field
 * directly, bypassing the authority check that CHGJOBD would perform.
 * At security level 40 or 50 the same program fails with MCH6801
 * (object domain / hardware storage protection). */
int main(void)
{
    _SYSPTR jobd_sysptr;
    char   *space_ptr;

    /* Resolve the *JOBD object, asking for no authority at all */
    jobd_sysptr = rslvsp(WLI_JOBD, "TEST", "QGPL", _AUTH_NONE);
    /* Space pointer to the object's associated space */
    space_ptr = setsppfp(jobd_sysptr);
    /* Offset of the job description's USER field in this example */
    space_ptr = space_ptr + 2;
    memcpy(space_ptr, "QSECOFR ", strlen("QSECOFR "));
    return 0;
}

After running this program, display the job description object, paying attention to the user in the JOBD.
Note the *JOBD object was changed by a user with only *USE authority, to allow jobs to run as QSECOFR.
No authority errors!!!
Example exposure at security level 30: Change DTAARA value
Signon as a user with *ALLOBJ special authority.
Create a data area object:
• CRTDTAARA DTAARA(QGPL/TEST) TYPE(*CHAR) VALUE('Test Data') AUT(*USE)
Display the data area object, paying attention to the data area value:
• DSPDTAARA DTAARA(QGPL/TEST)
Create and call the program using the source on the following slide:
• CRTBNDC PGM(TESTLIB/TESTPGM2) SRCFILE(QCSRC)
Signon as a user without *ALLOBJ special authority.
Attempt to change the data area object:
• CHGDTAARA DTAARA(QGPL/TEST) VALUE('JUNK DATA')
  Result: “Not authorized to object” error.
Call the program (source on the next slide):
• CALL PGM(TESTLIB/TESTPGM2)
Display the data area object, paying attention to the data area value:
• DSPDTAARA DTAARA(QGPL/TEST)
Change the DTAARA value

#include <mih/rslvsp.h>
#include <mih/setsppfp.h>
#include <string.h>

/* TESTPGM2: the same level 30 exposure against a *DTAARA. With only
 * *USE authority the program writes into the data area's associated
 * space directly, bypassing the *CHANGE authority CHGDTAARA requires.
 * At security level 40 or 50 this fails with MCH6801. */
int main(void)
{
    _SYSPTR dtaara_sysptr;
    char   *space_ptr;

    /* Resolve the *DTAARA object, asking for no authority at all */
    dtaara_sysptr = rslvsp(WLI_DTAARA, "TEST", "QGPL", _AUTH_NONE);
    /* Space pointer to the object's associated space */
    space_ptr = setsppfp(dtaara_sysptr);
    /* Offset of the data area VALUE in this example */
    space_ptr = space_ptr + 3;
    memcpy(space_ptr, "NEW DATA ", strlen("NEW DATA "));
    return 0;
}

After running this program, display the data area object, paying attention to the data area value.
Note the *DTAARA object was changed by a user with only *USE authority, to a new “string” for the VALUE parameter.
No authority errors!!!
NOTE: The previous two programs, running on security level 40 or 50, will result in an MCH6801 exception being signaled during the running of the program.
The object access, on 40 & 50, is denied due to the Object Domain and Hardware Storage Protection attributes of the JOBD and DTAARA objects!
System Value Settings
NOTE: Lock down system values via SST after setting
Altered program description
Altered programs are created by modifying a program object in an unsupported way.
Several methods are available to alter a program:
• Using the system service tools to alter the program
• Save the program and modify it offline
Program alterations include:
• Modifying the program to run in system state
• Modifying the program instruction stream
• Modifying the program validation value
System state "user" programs, why they are a threat
A program altered to run system state can access system objects and change data on security level 40 and 50. They run with the same capabilities as OS programs.
Altered programs can:
– Deliberately cause system crashes
– Modify objects so they cannot be recognized by the OS
– Bypass authority checking for objects
– Bypass system audit record creation
– Attack other aspects of system integrity
Integrity related system values
Set these system values on your production machine outside the maintenance window to control the restore of programs:
• QALWOBJRST - Consider value *NONE
• QFRCCVNRST - Consider value 6 or 7
  • 6 – for executables without valid digital signatures, recreate the instruction stream, thus removing any patch
  • 7 – for all executables, recreate the instruction stream, thus removing any patch (would also remove the digital signature)
• QVFYOBJRST - Consider value 5
  • Only allow the restore of programs that are digitally signed
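An added CL example (not from the presentation) that applies the three settings above, changing a value only when the current one is weaker so the program can be re-run at any time. It assumes the caller holds *ALLOBJ and *SECADM special authority and that the SST system-value lock has not yet been set; the choice of 7 for QFRCCVNRST, the variable names and the message texts are the example's own.

```cl
/* Added example, not from the presentation: tighten the restore-      */
/* integrity system values, changing a value only when the current one */
/* is weaker than the target. Assumes the caller holds *ALLOBJ and     */
/* *SECADM and that security system values are not yet locked in SST.  */
PGM
   DCL VAR(&ALWRST) TYPE(*CHAR) LEN(150)  /* QALWOBJRST list value   */
   DCL VAR(&FRCCVN) TYPE(*CHAR) LEN(1)    /* QFRCCVNRST '0'..'7'     */
   DCL VAR(&VFYRST) TYPE(*CHAR) LEN(1)    /* QVFYOBJRST '1'..'5'     */
   DCL VAR(&TGTCVN) TYPE(*CHAR) LEN(1) VALUE('7') /* 6 or 7 per slide */
   DCL VAR(&TEXT)   TYPE(*CHAR) LEN(80)

   /* QALWOBJRST *NONE blocks the restore of system-state programs,  */
   /* adopting programs and objects that fail validation; any other  */
   /* setting is a list of allowances, so anything but *NONE is weaker */
   RTVSYSVAL SYSVAL(QALWOBJRST) RTNVAR(&ALWRST)
   IF COND(%SST(&ALWRST 1 5) *NE '*NONE') THEN(DO)
      CHGSYSVAL SYSVAL(QALWOBJRST) VALUE('*NONE')
      CHGVAR VAR(&TEXT) VALUE('QALWOBJRST was ' *CAT +
                              %SST(&ALWRST 1 40) *TCAT ', now *NONE')
      SNDPGMMSG MSG(&TEXT)
   ENDDO

   /* QFRCCVNRST: a higher value re-creates the instruction stream of */
   /* more restored programs, removing any patch. Never lower it.     */
   RTVSYSVAL SYSVAL(QFRCCVNRST) RTNVAR(&FRCCVN)
   IF COND(&FRCCVN *LT &TGTCVN) THEN(DO)
      CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE(&TGTCVN)
      CHGVAR VAR(&TEXT) VALUE('QFRCCVNRST was ' *CAT &FRCCVN *CAT +
                              ', now ' *CAT &TGTCVN)
      SNDPGMMSG MSG(&TEXT)
   ENDDO

   /* QVFYOBJRST 5: only programs with a valid digital signature may  */
   /* be restored.                                                    */
   RTVSYSVAL SYSVAL(QVFYOBJRST) RTNVAR(&VFYRST)
   IF COND(&VFYRST *LT '5') THEN(DO)
      CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE('5')
      CHGVAR VAR(&TEXT) VALUE('QVFYOBJRST was ' *CAT &VFYRST *CAT +
                              ', now 5')
      SNDPGMMSG MSG(&TEXT)
   ENDDO

   /* Run this before locking system values in SST (slide note); once */
   /* locked, CHGSYSVAL on security system values is refused.         */
ENDPGM
```

Relax these values only for the duration of a maintenance window that needs to restore unsigned or system-state objects, then run the program again.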
Controlling system interfaces
• The "RST" interfaces are shipped as PUBLIC(*EXCLUDE).
  • Only trusted users should be authorized to use the restore interfaces.
  • Note: BRMS interfaces are PUBLIC(*USE) but call the system "RST" interfaces, which are PUBLIC(*EXCLUDE)
• Verify the list of users authorized to “SAVE” data
• Protect the use of the system service tools (SST/DST) and service related commands (DMPxxx, TRCxxx, etc.)
System Value Settings continued
NOTE: Lock down system values via SST after setting
Auditing related system values
• QAUDCTL - Audit on/off switch
• QAUDLVL and QAUDLVL2
• QAUDENDACN and QAUDFRCLVL - Use default values
• QCRTOBJAUD - Audit newly created objects
NOTE: See chapter 9 and appendix E & F of the security reference .pdf for audit documentation
Auditing continued
• Create the QAUDJRN audit journal
• Set QAUDCTL to *OBJAUD, *AUDLVL and *NOQTEMP
• Set QAUDLVL to *AUDLVL2
• Set auditing values in the QAUDLVL2 system value
• Audit sensitive objects via CHGOBJAUD
Turn on audit and save the audit journal receivers. You may need the audit data in the future!
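The auditing steps above, together with the CHGUSRAUD action auditing for powerful profiles covered later under Resource Security, as one added CL program that is not part of the presentation. It assumes *ALLOBJ and *AUDIT special authority; the receiver QGPL/AUDRCV0001, the file PAYLIB/EMPLOYEE and the QAUDLVL2 event list are the example's own placeholders, and the "already exists" message id CPF7010 is monitored so the program can be re-run.

```cl
/* Added example, not from the presentation: enable security auditing  */
/* in the order the slide lists it. Receiver library/name, the sample  */
/* file PAYLIB/EMPLOYEE and the event list are placeholders to adapt.  */
PGM
   /* 1. Receiver first, then the journal. MNGRCV(*SYSTEM) lets the    */
   /*    system swap receivers at the threshold; DLTRCV(*NO) keeps    */
   /*    detached receivers until they have been saved. AUT(*EXCLUDE) */
   /*    stops the audit trail itself from being readable by everyone. */
   CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(1000000) +
             AUT(*EXCLUDE) TEXT('Security audit journal receiver')
   MONMSG MSGID(CPF7010)   /* already exists: reuse it */
   CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
          TEXT('Security audit journal')
   MONMSG MSGID(CPF7010)   /* already exists: reuse it */

   /* 2. Event classes live in QAUDLVL2; QAUDLVL just points at it.   */
   /*    *AUTFAIL and *PGMFAIL are the entries that record the      */
   /*    authority and domain/HSP failures shown earlier in the deck. */
   CHGSYSVAL SYSVAL(QAUDLVL2) +
             VALUE('*AUTFAIL *SECURITY *SAVRST *SERVICE *PGMFAIL +
                    *SYSMGT *CREATE *DELETE')
   CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUDLVL2')

   /* 3. Master switch last, once the journal and levels exist.       */
   /*    *NOQTEMP drops the noise from objects in QTEMP.              */
   CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*OBJAUD *AUDLVL *NOQTEMP')

   /* 4. Object auditing on a sensitive file: every change is logged. */
   CHGOBJAUD OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE) OBJAUD(*CHANGE)

   /* 5. Action auditing for a powerful profile, on top of the system */
   /*    values: every command it runs and every object it touches.   */
   CHGUSRAUD USRPRF(QSECOFR) OBJAUD(*ALL) +
             AUDLVL(*CMD *SECURITY *SERVICE *SAVRST)
ENDPGM
```

Save each detached receiver before deleting it; with DLTRCV(*NO) nothing is removed automatically, so the retention of audit data is a deliberate operator decision.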
Auditing continued – Data Objects
• Security Audit provides who accesses what object
• A combination of security audit and “data object” journaling provides the complete audit trail
• Turn on journaling for *FILE and IFS *STMF sensitive objects to get the complete audit of changes, including changes to data
  • CRTJRNRCV JRNRCV(MYLIB/MYRCV0001)
  • CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001)
  • STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN) IMAGES(*BOTH)
  • QSYS/STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE)) JRN('/qsys.lib/mylib.lib/myjrn.jrn')
Password composition system values
• WRKSYSVAL SYSVAL(QPWD*)
• Set password composition rule system values
  • Min/Max length, required characters, etc.
• Consider using enhanced password support (QPWDLVL)
  • Case sensitive long passwords (128 characters)
• Use the ANZDFTPWD command to check for default passwords
Additional security related system values
• QALWUSRDMN - Consider value QTEMP
• QINACTITV - Set to a reasonable number of minutes
• QINACTMSGQ - *ENDJOB/*DSCJOB
• QMAXSIGN - Consider setting to 3
• QMAXSGNACN - Set to disable device and profile
• QSSL* - Control system SSL parameters
WRKSYSVAL SYSVAL(*SEC) for the entire list
Resource Security
Resource Security - Protecting your objects
Resource Security – A layered approach
• Secure sensitive data (*FILE, *STMF, etc.)
  • Object level authority
• Encrypt “confidential” data
  • DB2 field procedures, OS encryption interfaces, etc.
• Audit sensitive objects
  • CHGOBJAUD (see chapter 9 of the security reference .pdf)
• Deploy a Network Security product
  • Products built on exit programs, available from business partners
  • Products enable “locking down” interfaces (FTP, Telnet, DRDA, etc.)
  • http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
• Secure your sensitive objects with the appropriate level of authority at the object level!
Resource Security - protecting your objects
EDTOBJAUT: interface to assign object level authorities
[Diagram: Owner, Public AUT, Private AUT and Authority List attached to an object]
Resource Security – Restrict Powerful Users
• Keep the number of security officers and security administrators to a minimum
  • *ALLOBJ, *SECADM, etc. special authority
  • Service tool user IDs
• Audit the actions of the powerful user
  • CHGUSRAUD CL command
  • *CMD action audit value, *SECURITY, etc.
• Make sure the security officer understands, procedurally, that audit cannot be turned OFF!
Resource Security - protecting your objects
Protecting your objects with resource security is necessary to protect your data.
– Run at security level 50
– Secure your confidential data with *EXCLUDE public authority
– Objects that are not security sensitive (public objects) should be protected with *USE public authority. This gives good performance for read operations on the object.
– Additional authority can be given to users who must change the data, but private authorities should be used sparingly for best performance.
Resource Security – Row and Column Access Control
New in release 7.2
– Provides the ability to further control data in a DB2 table (*FILE object)
– Control access at the Row (record) or COLUMN (field) level

Column mask: payroll sees the full SSN, managers see the last four digits, everyone else sees NULL.

CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1)
        THEN SSN
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1)
        THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
      ELSE NULL
    END
  ENABLE;
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

Row permission: patients see their own row, primary care physicians see their patients, accounting and drug research see all rows.

CREATE PERMISSION NETHMO.ROW_ACCESS ON HOSPITAL.PATIENT
  FOR ROWS WHERE
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'PATIENT') = 1 AND
     HOSPITAL.PATIENT.USERID = SESSION_USER) OR
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
     HOSPITAL.PATIENT.PCP_ID = SESSION_USER) OR
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'DRUG_RSRCH') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;
ALTER TABLE HOSPITAL.PATIENT ACTIVATE ROW ACCESS CONTROL;

http://www.redbooks.ibm.com/redbooks.nsf/RedpieceAbstracts/redp5110.html?Open
Encrypt sensitive data
– Encrypt security sensitive data
  – 7.1, DB2 Field Procedures to enable Column Level Encryption
  – Several vendors have products
    – Enforcive, Linoma and Townsend Security
– Manage & secure the encryption keys
  – Protect via Master Key support
– Protect encryption keys. Encrypting data without protecting the encryption keys does not protect the data
  – Protect encryption keys with a master key
Encryption of data at “Rest”
– Encryption of data on tape & disk
  – SW Encrypted backup. Provides encryption support for tape/virtual tape via BRMS and tape management APIs (OS option 44)
  – HW encrypted backup solutions via TS11x0 & LTO4/5
  – SW Encrypted ASP. Provides disk level encryption support for all data written to disk (OS option 45)
  – HW support for Disk level encryption (DS8000 and DS5000 series)
– Encryption key management is required (master keys and data encryption keys)
http://www.redbooks.ibm.com/abstracts/sg247320.html
http://www.redbooks.ibm.com/redpapers/pdfs/redp4500.pdf
http://www.redbooks.ibm.com/redbooks/pdfs/sg247977.pdf
Securing Service Tools
Controlling access to the Service Tools is necessary for a secure system.
• Create as few Service Tools User IDs as possible
• Create a Service Tool user with the same privileges as QSECOFR (QSECOFR can become disabled)
• Never use the QSECOFR Service Tool user ID (save the password in a secure location)
• DSPSSTUSR (Display Service Tool User CL command)
Firewall – Building a Secure Network
• Install and maintain a firewall configuration
– A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
Network-Based Intrusion Detection
Firewalls and Intrusion Monitors
[Diagram: Internet, Firewall, Intrusion Monitor and Corporate Network, with the WWW, Mail, Domino, Development system and H/R System servers behind the firewall]
Location:
• Outside your internal company network
• Makes sense to let the firewall filter what it can.
Network-Based Intrusion Detection
What Intrusion Monitors Do:
• Perform "Signature Analysis" or "Pattern Matching"
  • Patterns: Looking for known "bad patterns" in the IP flow.
  • Signature Analysis: Watch for "Trend Deviations" in network usage.
    • e.g., when someone successfully connects to a machine, packet activity is quite different from that of somebody randomly searching for open ports.
• Reaction to suspected malicious behavior:
  • Send e-mail or message to pager
  • Shut down network or routers
Network-Based Security Appliances
IBM Network Security Protection
• IBM division that produces network security HW & SW
• Network Security HW
  • Firewall
  • Intrusion Detection and Prevention
  • Anti-Virus
  • Web Content Filtering
  • VPN
  • Monitoring/Reporting
  • Network Configuration
http://www-03.ibm.com/software/products/en/network-protection/
What is a Demilitarized Zone (DMZ)?
• External facing network containing interfaces meant to be available externally:
  • Web servers (supporting “external” applications)
    • Product information, Sales, etc.
  • E-mail servers
• Limited access to the internal “corporate” intranet
DMZ - Protecting & Isolating your internal network
[Diagram: Internet, firewall, DMZ, firewall, internal network]
Host Based Intrusion Detection/Prevention
• Enable Intrusion detection support on your host system.
  – Detect “internal” attacks on your systems
• Real time notification enablement
  – E-mail, messages, etc. (i.e., pagers, ISV solutions) in addition to IM records
• Numerous intrusion events audited – well-known attacks such as “Smurf”, “Fraggle”, ACK storms, Address Poisoning (both IPv4 ARP poisoning and IPv6 neighbor discovery poisoning), Ping-Of-Death and many more….
• “Extrusions” detected – attacks, scans, traffic regulation anomalies emanating from your host
• IPv6 support
• GUI – iNav
  – Management of IDS policies
  – Display of intrusion events as an alternative to viewing the audit journal
IBM Partner Network Security Products
IBM Security Partners – Many listed on the IBM i Security site
• Products that enhance the native security features available in the operating system
• Many are network based
  • Apply additional “security” rules
  • Enforcement of the rules
IBM i Security website:
http://www-03.ibm.com/systems/power/software/i/security.html
http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
TLS/SSL/VPN connection
• For remote connections to your IBM i:
  • Use Virtual Private Network
  • Use TLS/SSL enabled versions of the client connection applications (Telnet, FTP, iNavigator, etc.)
Secure Socket Layer (SSL) connection & Transport Layer Security (TLS)
• For remote connections to/from your system:
  • Use TLS/SSL enabled versions of the client connection applications (Telnet, FTP, etc.)
• What is TLS/SSL?
  • Similar to a VPN but implemented at the application layer. Only the TLS/SSL enabled application flow will be encrypted.
  • A mixture of TLS/SSL enabled and non-TLS/SSL enabled applications can be run from the system
General TCP/IP Security Tips
• Only start TCP/IP servers that are needed
• Use secure encryption algorithms
• Prevent applications from using well-known ports
• Turn IP Source Routing off
• Allow IP Datagram Forwarding only when needed
• Don't leave PPP or SLIP lines waiting in answer state
IBM i Packet Security
IP Packet Filtering can be used to PERMIT or DENY based on the packet characteristics:
• Source and Destination IP Address
• Source and Destination IP Port
• Protocol
• Packet Direction
• Packet Fragments
IP Network Address Translation (NAT)
• Can be used to hide a private network behind a single public IP interface (address)
IP filtering and network address translation...
How Do You Use It:
• iNavigator:
  • (system)->network->IP Policies->Packet Rules
  • Select Rules Editor from the context menu.
  • Wizards pull-down has three selections.
  • Many other features...
Client Security
• Most common “client” devices today are:
  • Microsoft Windows
    • Windows XP
    • Windows 7
  • Apple
  • Some flavor of LINUX
    • SUSE, Redhat, and others
  • Smart Phones / Mobile
Client Security – What’s required
• Antivirus Software & Client “personal” Firewall
  • Norton
  • McAfee
  • Panda
  • Trendmicro
  • Lots of others
  • Plus many versions of “free-ware”
• Spyware & Adware prevention
Client Security – Antivirus and Client Firewall
• Antivirus Software & Client “personal” Firewall
  • Antivirus Software
    • Analyze data files or email attachments looking for “known” attacks
    • “Live update” of Antivirus SW loads the latest known attack patterns
  • Personal firewall
    • Prevents both unwanted inbound and outbound activity (traffic) to/from the network
    • Most firewalls provide warnings when detected
Client Security – Virtual Private Network Connection
• Many companies require a Virtual Private Network (VPN) connection to access the internal corporate network from outside
• VPN Client Software
  • A VPN provides a secure connection over the internet
  • Network traffic is encrypted (scrambled) to prevent someone from viewing, and thus stealing, the data
• Two factor authentication
  • To access the internal corporate network, a company will often set up and require another form of authentication beyond the password
  • Time based keyfob, smartcards, biometrics (finger print scan, etc.)
IBM i Security tools
• Many security reporting tools exist for the IBM i
  • Run "GO SECTOOLS" from command entry
  • Run the report generation security tools
• Security tool commands produce reports that can be used to manage security and look for security holes
IBM i Partners
• Numerous IBM i partners provide additional tools
  – Reporting & Monitoring
  – Security Configuration
  – Encryption
  – Network Security
  – Authentication/Biometrics
IBM i Security website:
http://www-03.ibm.com/systems/power/software/i/security.html
http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
Summary
• Run at security level 50
• Set the security related System Values and lock them down
• Use the Security Audit Journal
• Protect your sensitive objects with object security
• Use Firewalls and intrusion monitors
Special notices
This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM offerings available in your area.
Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY 10504-1785 USA.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or guarantees either expressed or implied.
All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions.
IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice.
IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.
All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document should verify the applicable data for their specific environment.
Special notices (cont.)
IBM, the IBM logo, ibm.com, AIX, AIX (logo), AIX 6 (logo), AS/400, BladeCenter, Blue Gene, ClusterProven, DB2, ESCON, i5/OS, i5/OS (logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries, Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, AIX 5L, Chiphopper, Chipkill, Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Purpose File System, GPFS, HACMP, HACMP/6000, HASM, IBM Systems Director Active Energy Manager, iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture, Power Everywhere, Power Family, POWER Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, System i, System p, System p5, System Storage, System z, Tivoli Enterprise, TME 10, Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml
The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org.
UNIX is a registered trademark of The Open Group in the United States, other countries or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.
Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both.
Intel, Itanium, Pentium are registered trademarks and Xeon is a trademark of Intel Corporation or its subsidiaries in the United States, other countries or both.
AMD Opteron is a trademark of Advanced Micro Devices, Inc.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.
TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).
SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC).
NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both.
AltiVec is a trademark of Freescale Semiconductor, Inc.
Cell Broadband Engine is a trademark of Sony Computer Entertainment Inc.
InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association.
Other company, product and service names may be trademarks or service marks of others.