Can you get viruses on your IBM i Server?

Posted in Other, Security on July 28th, 2010 by Robin

Hi everyone!

It’s interesting to talk to the IBM i community about the topic of anti-virus (AV) software. The subject comes up frequently during my travels, as I often include it as a remediation item that every enterprise should evaluate. When I do this, people seem to segregate into one of two groups: Either AV is seen as a pointless exercise due to what they have heard about the IBM i operating system, or they are completely onboard with the idea and are already running it on their systems.

Perhaps we should start with a definition of a virus. According to Wikipedia, a virus is a form of malware that can copy itself from one computer to another. There are many types of malware, including Trojan horses, worms, adware and spyware, and while most of us are (oh-too) familiar with most of these, I usually give my own definition as any unauthorized code—active or dormant—that is designed to perform a function that is not part of a company’s official application initiative.

While there is the possibility of operating system objects being tampered with, IBM i has long been touted as impermeable to viruses. This is due in part to a native object structure that prevents executable code being embedded inside non-executable objects, for example, hiding program code inside of a database file type object. While I have heard some reports of a virus being technically possible in the IBM i operating system, it is far from a prevalent issue, and one that gets dismissed quickly by most security officers.

However (and this is a very important distinction), while the traditional library and object structures might be nowhere near as susceptible to viruses as a Windows server, there are other structures that are. If you are currently providing users or applications with access to the Integrated File System (IFS), these folders can easily contain an infected file. Access is often provided for client-server type applications, such as Lotus Domino, WebSphere, and Navigator for i, or simply to enable users to use an IBM i disk as a shared network repository. Unfortunately, the presence of a virus in the IFS presents a significant threat as, during a viral outbreak, most IBM i servers remain connected to the network and can cause recurring infection—remember Wikipedia’s definition of a virus?

While some companies choose to scan IBM i network drives from another network server, this is not normally advised. With many systems housing hundreds of thousands of IFS objects to be scanned, remote scanning carries significant challenges. These challenges include the likelihood of poor scanning performance and a significant increase in network bandwidth utilization. This may also cause a corresponding degradation in other communications or applications as files are brought into the scanning server’s memory. There is also an increased risk from the requirement of a read/write share, and the common use of a profile that has *ALLOBJ special authority.

Bytware is the only supplier of a native IBM i anti-virus solution powered by a commercial grade scan engine and, as PowerTech’s sister company, makes the following observations about viruses on IBM i:

  • The IBM i is not free from virus threats
  • The IBM i can host and spread viruses
  • Viruses can sit undetected on IBM i
  • The IFS is the perfect host
  • Viruses on IBM i can attack other systems
  • Undetected viruses can pass through IBM i mail

Fortunately, IBM has provided exit points to allow a program to perform scanning functions similar to those found on other platforms. The StandGuard Anti-Virus (SGAV) solution from Bytware is a comprehensive anti-virus solution, and its features include:

  • Designed from the ground up for IBM i, System p, AIX, Linux on x86, and Domino servers
  • Powered by McAfee commercial scanning engine
  • Can’t be disabled by viruses
  • Green screen and GUI interfaces
  • Uses IBM i scanning enablement for on-demand and open/close scanning
  • Object integrity scanning protects IBM digital signatures

So my advice is to look closely at how you are using your system’s file structures. If there is a possibility of any file being written or read from the IFS, then AV is an absolute must. If you are not sure if you are, give the folks at Bytware a call and they will be happy to help you. And, if you still haven’t seen enough of a reason to use this very cost-effective solution, you should also note that an anti-virus solution is sometimes required for compliance with certain regulations—such as requirement 5 of the Payment Card Industry’s PCI-DSS standards.

You should also consider other types of malicious code. Imagine a start up program that performs a PWRDWNSYS! Although this might not be considered a true virus, it would certainly be extremely disruptive to a production application environment. Or, perhaps, an unauthorized program that is registered as a password change validation program; one that illegally records user passwords as they are set. Monitoring and reporting changes to system values, such as QSTRUPPGM or QPWDVLDPGM, is one way to prevent these types of threats from affecting your run-time environment. You can make short work of all of these threats with SGAV, ideally in conjunction with PowerTech’s comprehensive Compliance Monitor reporting solution, and the Interact real-time alerting module.
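One way to do the system value monitoring described above, as an added example that is not from the original post or from PowerTech's products. It assumes system value changes have been exported from the audit journal to CSV; the column names, the sample rows and the approved values in `BASELINE` are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Approved values for the two system values named in the post. These are
# assumptions for this example; replace them with your site's baseline.
BASELINE = {
    "QSTRUPPGM": {"QSTRUP QSYS"},   # start-up program, as "program library"
    "QPWDVLDPGM": {"*NONE"},        # no password validation program
}

# Constructed sample export. The column names are hypothetical.
SAMPLE_EXPORT = """\
timestamp,user,sysval,old_value,new_value
2010-07-26T02:14:07,OPSMGR,QMAXSIGN,000005,000003
2010-07-26T23:51:40,DEVUSER1,QPWDVLDPGM,*NONE,PWDLOG    TOOLSLIB
2010-07-27T00:03:12,DEVUSER1,QSTRUPPGM,QSTRUP    QSYS,STARTX    TOOLSLIB
2010-07-27T09:30:00,QSECOFR,QPWDVLDPGM,PWDLOG    TOOLSLIB,*NONE
"""


def normalize(value):
    """Collapse padding so 'QSTRUP    QSYS' equals 'QSTRUP QSYS'."""
    return " ".join(value.upper().split())


def review_changes(export_text, baseline=BASELINE):
    """Return (findings, windows) for the watched system values.

    findings: each change, marked UNAPPROVED when the new value is outside
              the baseline and APPROVED otherwise.
    windows:  (sysval, start, end) periods spent off baseline. start is None
              when the export begins mid-window; end is None when the value
              is still off baseline at the end of the export.
    """
    findings, windows, open_since = [], [], {}
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    for row in rows:
        name = row["sysval"].strip().upper()
        if name not in baseline:
            continue  # not a watched system value
        old, new = normalize(row["old_value"]), normalize(row["new_value"])
        if old == new:
            continue  # value re-applied unchanged
        approved = new in baseline[name]
        findings.append({
            "when": row["timestamp"], "user": row["user"], "sysval": name,
            "old": old, "new": new,
            "status": "APPROVED" if approved else "UNAPPROVED",
        })
        if approved:
            # Close the window, including one that opened before the export.
            if name in open_since or old not in baseline[name]:
                windows.append((name, open_since.pop(name, None),
                                row["timestamp"]))
        elif name not in open_since:
            open_since[name] = row["timestamp"]
    windows.extend((name, start, None) for name, start in open_since.items())
    return findings, windows


if __name__ == "__main__":
    found, off_baseline = review_changes(SAMPLE_EXPORT)
    for f in found:
        print(f["status"], f["when"], f["user"], f["sysval"],
              f["old"], "->", f["new"])
    for name, start, end in off_baseline:
        print("off baseline:", name, start, "to", end or "still open")
```

For QPWDVLDPGM, a closed window marks the period in which any password set on the system should be treated as exposed and reset.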

Drop me a line at robin.tatam@powertech.com for more information about AV or about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Best of the Best

Posted in Other, Security on July 21st, 2010 by Robin

Hi everyone!

A few days ago, I celebrated a summer weekend up in Duluth, Minnesota, on the shores of beautiful Lake Superior. While Minneapolis was being pounded by torrential rain and thunderstorms, I enjoyed my first visit to this area, camping “old school” with my family in tents and sleeping bags, and roasting hot dogs and S’mores over an open fire. I would offer up that it doesn’t get much better than that! We also spent time skipping rocks across this unbelievably immense body of water, walking through the gorgeous Duluth rose gardens, and taking a fun ride on the recently-opened alpine roller coaster.

One of the main reasons for our travel north was to attend the exciting Duluth Airshow. I took my photo of two of the U.S. Air Force “Thunderbirds” during their awe-inspiring demonstration, and although it is hard to believe, it was edited ONLY for contrast! Witness the total faith that these pilots have in their equipment, their flight support crew, and their fellow airmen. This is a good analogy of the security of your IBM i data. It takes a combination of rock-solid hardware, quality software, competent technical support, and a parent organization that backs its solutions to ensure success. Failure of any of these critical “systems” could result in a security catastrophe, so make sure that you put your faith in “the best of the best.”

Back in the office, I am starting the wind-up for a post-summer event schedule that includes customer visits and security training workshops around the country. We will be posting information about these events as they become scheduled, both on www.powertech.com as well as in Power News, so make sure that you are signed up to receive this free monthly electronic newsletter.

As part of PowerTech’s ongoing commitment to IBM i security education, I will be presenting four security sessions at the COMMON Fall Conference and Expo in San Antonio, Texas, in early October. I am also booked to be at a couple of other regional events: ISACA’s Information Security and Risk Management conference in Las Vegas, Nevada in mid September and Optimum Solutions’ User Group conference in Nashville, Tennessee in late October.

It’s a good thing that I really love to travel, as tomorrow I am flying out to Nashville for the remainder of this week. I will be working with a large customer to discuss the deployment of our security suite to more than 100 of their IBM i systems—an exciting project to be involved in!

I mentioned in last week’s blog that we have a new Authority Broker e-training course in the works. This generated a lot of emails from customers who are happy that we are providing another educational resource for them. I can now reveal the online class schedule, as well as announce the next iteration of our popular Network Security e-training:

  • Authority Broker: September 2
  • Network Security – The Basics: September 23
  • Network Security – Advanced (Part 1): September 28
  • Network Security – Advanced (Part 2): September 30

If you are new to Authority Broker or Network Security, or would simply like to brush up on your existing skills, sign up today as seats are limited!

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Using Authority Broker to Audit Yourself

Posted in Auditing, Other, Security on July 14th, 2010 by Robin

I had a customer ask me recently if you could audit yourself in PowerTech’s Authority Broker tool. I responded, “Of course!” It seems that the auditors within this particular company wanted to ensure that all the powerful profiles were audited, but the I.T. department was resisting. Their main concern was that they didn’t have a good way to deal with finding and deciphering all of the raw audit records that the operating system places into the audit journal when performing profile auditing.

Fortunately, this customer was already making extensive use of Authority Broker to handle elevation of authority for “break-glass” type emergency situations. In their shop, there were also certain functions that had to be run using specific profiles like QSECOFR, not just a profile running under the guise of QSECOFR. The solution was very simple: Install an Authority Broker PTF to enhance the base product, and permit the ability for a profile to switch to itself, thereby creating the audit and reporting environment that they were already familiar with when using normal profile switching.

We occasionally get notes about creative ways that customers wish to use one of our products—sometimes in ways that our development team never originally anticipated. While the base functionality of the products satisfies the vast majority of auditors’ requirements for regulatory compliance, we welcome “wish lists” and suggestions of how we can enhance any of our solutions. Simply send a note about your idea to support@powertech.com to get your idea added into an enhancement list database. In this particular case, we already had this little trick up our sleeve, but we love to get ideas from those of you who have found requirements to use the tool in ways outside of the original scope. Another suggestion that was turned into reality was the ability to invoke exit programs as part of an Authority Broker swap. What? You didn’t know about that capability either? Well, check out the administrator’s guide, and the sample exit programs found on the PowerTech website.

If you are new to Authority Broker, or would simply like to brush up on your skills, we are in the process of putting together a product eTraining class that will be rolled out at the beginning of September.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Network Security 6 Adds Object Rule Support

Posted in Other, Security on July 8th, 2010 by Robin

Last week I made some comments about Network Security Version 6 and the updated online training we recently offered. I got several questions about the “hook” of the new version, so I thought that I would give everyone a quick overview.

Before I get into the new features, let me provide some background for those of you that might not be familiar with what Network Security does for an organization. If you are already comfortable with the concept of network access, exit points and exit programs, then you may skip the italicized text below.

Back in the early days of the AS/400, the only way to access data was via a 5250 (green screen) application. This meant that we could easily secure the application data using only simple menus and command line restrictions. In the early 90’s, IBM responded to customer demand and enhanced the operating system to enable open access through network interfaces such as ODBC, FTP, and remote command. This had the effect of opening the database without the control of the menus. IBM also enabled a facility called exit points that allow the specification of programs to determine if a request should be honored or denied. Network Security is a suite of exit programs that are designed to provide two critical security functions—auditing and access control—for these requests.

If you would like to learn more, check out the Network Security product page on the PowerTech website.

One of the first visual indications of the new version is found in the installation process. Gone are the days of having to manually upload a save file, restore the objects, and then run an installation routine. Instead, there is a great new installation wizard. This runs on a Windows PC to streamline the unpacking, uploading, and installation of the product from beginning to end. As one of the folks who installs this product countless times a year, I want to personally thank the person behind this enhancement! The wizard even removes itself from the PC upon completion, leaving only the new product administration guide as a lasting footprint.

Once the product is installed, there is a brand new activation process. As before, it is designed to register Network Security’s exit programs to the IBM exit points, but now the activation can be totally selective. This means that you may optionally choose to not monitor all of the exit points from day 1. Make a second pass (or more) through the activation process if you wish to activate any of the remaining exit programs subsequently.

When pulling up Network Security’s main menu, the first thing that you will notice is that the options have been better streamlined with less nesting of menus inside menus. The interface is clean, concise, and intuitive. Some additional options have been added to support the new object rules, but most of the existing option numbers have remained the same to help with the transition.

Network Security continues to lead by its ability to control access at multiple different levels. We can set rules for users and locations that pertain to all functions within a service. We can further define rules that only apply to a specific function within a service, such as remote commands in FTP. Lastly, we can set rules for very specific requests, such as allowing the FTP download of file MYFILE from library MYLIB. Naturally, auditing and messaging from any of these transactions was one of Network Security’s most sought after features.

The newest addition to the access control functionality comes with the ability to define “object rules.” In scenarios where you might not know the specific request being made (perhaps it can come in a different “flavor” every time), Network Security supports the ability to create and secure using an object list. This list is simply a definition of which objects are being secured by the list. Once defined, the security administrator can set rules that control the access to both data (if applicable) as well as the object itself. Imagine being able to prevent a file from being updated through an ODBC connection, regardless of the SQL statement being issued. Or perhaps you would like to audit any change requests for those particular objects, but not the entire application. While it is recommended to use transaction level rules first (as they are specific to a request), object rules introduce a new era in the capabilities of an already powerful exit program solution.

Behind the scenes, there are some other changes you will want to be aware of. We have standardized the names of the installation library, authorization lists, and user profiles used by the application. If you are an existing customer, the installation wizard handles most of the upgrade process, and we have created a migration process for copying the rules from a prior version. Updated documentation has been created to guide you, and help is always just an e-mail or a phone call away.

If you are new to Network Security, or would simply like to get a “refresher,” then keep an eye out for the next round of online training. Alternatively, drop me a line and I will be happy to help you.

Our summer Webinar schedule is now in effect, and next week we will be talking to you about the 2010 State of IBM i Security study.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Sarbanes-Oxley News; Network Security 6 Training

Posted in News, Other, Security on July 1st, 2010 by Robin

Well, it was tough to do, but I am back at work after spending last week in Deerfield Beach, Florida. Our trip started in Orlando with a visit to the Kennedy Space Center. We were able to see several launch pads, including ones being reconfigured for futuristic launch vehicles, as well as ride the new Shuttle Launch Experience, which was a “blast” (sorry, I couldn’t resist that). As a boy, I was obsessed with Space exploration; I remember spending countless hours working on a model of the 363-foot tall Saturn V rocket used for most of the Apollo and Skylab missions in the late ‘60s and early ‘70s. Being up-close and personal with one of these behemoth rockets was very humbling. I tell people that I work in a technology field, but that is technology at its finest!

White sands and the sound of crashing ocean waves accompanied beautiful sunsets and the sun-kissed warmth of the Atlantic Ocean. If you have never been to this part of the world then I thoroughly recommend it, although be sure to pack your sunscreen as it is pretty hot and humid. I just hope that this side of the coast line remains unaffected by the environmental disaster that is happening on the gulf coast side.

Anyway, I am glad to be back in Minnesota now. (Did that sound at all convincing?)

In my absence, there was fevered discussion about the possible abolition of the Sarbanes-Oxley Act by the U.S. Supreme Court due to the challenge on a section of the law. But before you start cheering with delight that your complex reporting requirements are over, Monday saw the court give unanimous support to the section that could have caused the entire act to be thrown out due to the fact that the government did not build “severability” into the law. Severability allows a law to remain standing even if parts are discarded as being unconstitutional, so if this one section was ruled unconstitutional, the whole law would have been eliminated.

To add to the requirement of having good reporting practices in place, new laws are also currently being pushed through Congress, although some may actually reduce the reporting burden on smaller companies.

From the PowerTech corner, Network Security Version 6 has been extremely well-received in the marketplace. We recently updated and executed the first online training sessions to include Version 6 enhancements, and will be scheduling another class for next quarter. We are also preparing for a similar class on Authority Broker, so watch out for that announcement. If you are interested in any type of custom training (onsite or remote), then contact Nancy Berg, our services coordinator.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Help/Systems Hosts Midrange Mixer

Posted in Company News, Events, Other, Security on June 15th, 2010 by Robin

Hi everyone!

Visiting with customers is one of my favorite activities, so I was excited that last week’s Midrange Mixer in Rochester, MN brought in a lot of IBM i users. This time, the event was hosted at the famous Michael’s restaurant (as designated by the hundreds of celebrity photos hanging in the main hallway) in downtown Rochester. We welcomed a large number of customers and prospective customers for cocktails, hors d’oeuvres, and Jeopardy-style games. I must say, it’s amazing how much easier those questions are to answer when you are NOT sitting in the hot seat!

The evening’s table conversations were very stimulating, with numerous companies seeking assistance with their security projects. PowerTech’s recent introduction of Network Security Version 6 and other enhancement projects in the works were a topic of discussion, as was our great no-charge compliance assessment solution. I know Tom Huntington encountered a similar response regarding multi-platform scheduling, and other Help/Systems specialties. I must say, it’s good to hear about healthy business initiatives again.

Thanks must go to our own Heath Kath, Technical Sales Consultant for SEQUEL Software, for his willingness to don the (in)famous Robot suit, and stand out on the streets of Rochester to welcome everyone to the party! (Thanks also go to my over-six-feet tall parents for ensuring that the suit does not fit me!)

If you are also embarking on a new security project, drop me a line to find out how PowerTech can put our resources to work for you. With skilled security engineers, and our well-known security software solutions, we have the tools to get the job done right—regardless of your security or compliance objectives.

As part of summer, we are slowing our weekly Webinar schedule to approximately two per month. Look for our security workshops and Webinars to resume their normal schedule in September. As always, the PowerTech Website and PowerNews electronic newsletter are a great source of information, and both sources have the upcoming event schedule for June, July and August.

Speaking of summer, I am taking time off work next week to take my kids on a highly anticipated vacation to the southern climes of Boca Raton, Florida. Following my visit to Orlando for COMMON last month, I saw what a fabulous place this would be for a family trip to the beach. Thanks to my foreign exchange student “brother” for his hospitality at the beautiful ocean-front resort he manages in Deerfield Beach.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt