Securing AS/400s
More and more AS/400 owners are exploring their options for linking their
systems to the Internet. The first question they ask is usually, "How do I
do it?" The second question is, "What about security?" This booklet
attempts to answer the second question for AS/400 on the Internet: "What
about security?"
Note: For answers to the first question, "How do I do it?", see
"Where to Get More Information and Assistance". It lists
publication and service offerings that are available to help you. In
particular, see the new redbook, Cool Title About the AS/400 and the
Internet, SG24-4815, and the TCP/IP Configuration and Reference.
AS/400 Security Strengths: The simple answer to "What about
security?" is that AS/400 has very strong security characteristics, which
include the following:
- AS/400 integrated security is extremely difficult to circumvent compared
to security offerings on other systems that are add-on software packages.
- AS/400 object-based architecture makes it technically difficult to
create and propagate a virus. On AS/400, a program cannot modify another
program.
- AS/400 object-based architecture requires you to use system-provided
interfaces to access objects. You cannot access an object directly by its
address in the system. You cannot manipulate the pointer for one object to
make it point to another object. (Pointer manipulation is a popular
technique for hackers on other system architectures.)
- AS/400 flexibility lets you set up your system security to meet your
requirements.
Your Security Policy and Needs: The long answer to "What about
security?" starts with "It depends." Your definition of security might
differ from someone else's. The appropriate security setup depends both on
how you connect to the Internet and what Internet functions you want to use.
Do you want to be a client or a read-only server? Or do you want to take
the first steps toward electronic commerce?
Ultimately, the long answer is that security depends on you. AS/400 provides
a strong set of security tools, but you must take the time to learn about
the tools and to use them. You also need to learn about network security -
both the exposures and the possible solutions.
If you have a security policy today, you probably need to revise it to
address your plans for an Internet connection. If you do not have a
security policy today, now is the time to develop one. When you extend your
organization onto the Internet, a security policy provides a critical
cornerstone for your planning.
The rest of this booklet provides examples of Internet connections, some of
the security risks that are associated with them, and considerations to help
you reduce those risks. The examples build on each other. Read through
them and develop a combination that more closely fits your requirements.
A Change in Security Thinking
If you are thinking about linking your AS/400 business computer system to
the Internet, you probably need to begin by revising some of your thinking
about security. The typical AS/400 system exists in a friendly environment
with a well-defined set of potential users. It provides a secured entrance
(sign-on and password) and fairly open access once you are inside. Most
files are available for viewing by any user who can sign on to the system
(public authority is USE). A few confidential and sensitive files, such as
the payroll files, should be available only to a few users (public authority
is EXCLUDE).
From a security perspective, the typical AS/400 resembles a building. The
doors (and windows) are locked. Users need a key (password)
to enter. Inside the building, most of the rooms have doors that are not
locked. A few rooms, or file drawers within rooms, have locks that require
keys (authorization).
When you provide access to your system through the Internet, you might be
letting many strangers from all around the world enter your system, or at
least browse documents that are on your system. Viewing your system as a
house might make you feel uncomfortable, and it should.
You need to move to a need-to-know approach to security thinking. Decide
what the Internet visitor needs to know, and prevent access to anything else.
How you set up a need-to-know environment depends on the kind of Internet
server that you want to provide.
In addition to taking a stricter, more rigorous look at security on your
own system, you need to expand your view. As your network grows, both
internally with LANs, for example, and externally with the Internet, you
need to consider both system security and network security.
Proceed with Caution
Right now, you need to take the important first step of becoming a more
rigorous security thinker. Switch to a "need-to-know" and a "need-to-do"
mentality. Whenever you want to make a new application available on the
Internet, begin by asking the following questions:
- What does the Internet user need to know and do?
- How do we prevent the Internet user from seeing or doing anything else?
- What access does your program or application give to the Internet user,
either directly or indirectly?
TCP/IP and the Internet are designed for openness and interoperability so
that Internet clients and Internet servers from many different providers can
communicate and exchange information successfully. This openness makes it
difficult to build in network security capabilities. First, the various
providers must agree on security standards. For example, when you send
encrypted passwords, both sides must use the same method for generating
encryption keys and the same algorithms for encrypting and decrypting. Many
groups are working to develop network security standards, but much work
remains to be done.
In the past, with a limited, private network, you could equate security with
system security. By using the strong security capabilities of AS/400, you
could feel confident that your information was protected. Now, when you
connect to the Internet, or provide dial-up access to your system, you need
to think also about network security, which is a primary focus of this
booklet.
Very few Internet users are malicious. Most are simply seeking information
and more efficient ways of doing business. But the hackers are out there,
and you need to be prepared. AS/400 provides more integrated security
capabilities than many Internet servers. However, because your current
environment is more friendly than the Internet, you might not be using all
of the AS/400 security capabilities that are available. For this reason,
the examples later in this booklet take a step-by-step approach to
connecting to the Internet. You start with the Internet side of your system
locked up as tightly as possible, like the building described earlier. You
open doors (new Internet applications or new TCP/IP servers) gradually, one
at a time, after carefully evaluating your security exposures and precautions.
Security - A Definition
The topics that follow provide examples of how you might link your AS/400
business computing system to the Internet. Each example includes tips and
considerations for ensuring security. But first, let’s define what we mean
by "security."
A security policy
Defining what you want to protect and what you expect of your system users.
A security policy defines the importance of the business assets that are on
your system. It provides a basis for security planning when you either
design new applications or expand your network. It describes user
responsibilities, such as protecting confidential information and creating
non-trivial passwords.
User authentication
Ensuring that only authorized individuals (or jobs) can enter your system.
When you link your system to a public network like the Internet, user
authentication takes on new dimensions. An important difference between the
Internet and your Intranet is your ability to trust the identity of a user
who signs on.
Resource protection
Ensuring that only authorized users can access objects on the system. The
ability to secure all types of systems resources is an AS/400 strength.
However, you might find that you do not use the full capabilities of AS/400
resource security, particularly if you rely primarily on menu access control.
You might also find that connecting to the Internet forces you to change
your definition of a "public" user on your system.
System integrity
System integrity is your system’s ability to provide consistent, expected
results with expected performance. For AS/400, system integrity is the most
commonly overlooked component of security because system integrity is a
fundamental part of AS/400 architecture. AS/400 architecture, for example,
makes it extremely difficult for a mischief-maker to imitate or modify an
operating system program (when you use security level 40 or 50).
When you think about connecting to the Internet, you need to think about
your system’s integrity and how a hacker might try to assault it. A hacker
can threaten your system’s integrity without ever succeeding in signing on
to your system. A hacker can, for example, compromise your system’s ability
to service user requests by flooding your system. Your disk storage can be
flooded, for example, with unwanted mail or with printed output. Your
processor can be overwhelmed, for example, by error requests.
This is commonly called denial of service. Your legitimate users either
cannot log on or they receive poor performance because your system is
spending resources dealing with unauthorized requests.
Data integrity
Ensuring the reliability of data that enters your system. When data that
enters your system comes from a public network, you might need several
security protections:
- Protect the data from being "sniffed" and interpreted, usually by
encrypting it.
- Ensure that the transmission has not been altered (data integrity).
- Prove that the transmission occurred (non-repudiation). In the future, you
might need the electronic equivalent of registered or certified mail.
Security auditing
Monitoring security-relevant events to provide a log of both successful and
unsuccessful (denied) access. Successful accesses tell you who is doing
what. Unsuccessful accesses tell you either that someone is attempting to
break your security or that someone is having difficulty accessing your
system. (For example, you might not have your Web page set up correctly.)
Minimum AS/400 Security
The topics that follow assume that you are starting with an AS/400 system
that is basically secure. At a minimum, your system should meet the
following security guidelines:
A few comments about the examples:
The examples that follow provide typical options for connecting your system
to the Internet. They discuss security risks and possible solutions. These
are not the only options available, nor are they necessarily the most secure
options.
A firewall that is properly configured and administered is almost always the
most secure method for connecting your system to the outside world. By
using a firewall, you are both limiting your points of exposure and hiding
your network configuration from others. The need to consider a firewall
when connecting your AS/400 server to the Internet is no different than when
you connect other servers to the Internet.
As organizations expand their use of the Internet and provide Internet
access to more and more information, firewalls are rapidly becoming an
industry standard in certain situations. Although a firewall might be in
your future, it might be more than you either need or can afford today.
Several of the following examples do not have firewalls. Most of the
security considerations are valid with or without a firewall.
These examples follow a typical progression of expanding Internet usage.
They start with the assumption that you are not currently using TCP/IP to
communicate with other systems in your own network.
Example 1 - Connecting Your Users to the Internet
Your first venture into the Internet might be to provide your users with
access to the Internet. Both your AS/400 and your PCs are already on a
LAN (local area network). Instead of putting a modem on every PC, you want
to provide a central point of access to the Internet. Each PC will have Web
browser software.
What the Configuration Looks Like
Figure 1 shows a common way to connect your LAN users to the Internet. Your
PC users can go directly to the Internet through the router. They can also
continue to access your AS/400 via the LAN by using AS/400 Client Access,
for example.
Security Considerations for This Example
Following are some of the security risks for Example 1 and alternatives for
dealing with the risks. This example assumes that you do not want anyone
from outside your network to access your AS/400. The particular focus is on
protecting your AS/400 and its data.
Note: Unless you use packet filtering on your router, your
PCs in this configuration are more vulnerable to attack than they
are with a dial-up connection. When a router is attached to the
same LAN as your PCs, a potential intruder can attempt to access
your PCs whenever they are powered on.
Risk 1 - Published IP Addresses:
Usually with this type of
connection (LAN to router to Internet), every system (PC) that connects to
the Internet must have an IP address. Having an IP address is similar to
having a published telephone number. Whenever a user in your network sends
an Internet request, the packet contains the IP address of the user’s PC.
Any host on the Internet that a PC contacts knows the PC’s IP address. A
potential intruder might be able to access that information and attempt to
access the PC by using the IP address.
Security Solutions
Ensure that your AS/400 does not have an IP address. This protects your
AS/400 from direct assaults, including denial-of-service assaults.
Educate your PC users about the need to protect their PCs from attempted
intrusions. Their PCs should not, for example, be configured to start
TCP/IP servers (such as TELNET or FTP).
Ensure that an outsider who successfully breaks into one PC cannot go beyond
that PC into the network. This protection can be difficult, and it depends
to some extent on the security practices of your PC users. An intruder will
look on the PC for information, such as system names or communications
start-up programs, that might help the intruder break into another system in
the network. The intruder will also look for stored user IDs and passwords
on the PC.
Your AS/400 is vulnerable both to the weakest link (PC with poor security
practices) and to the most trivial password. Use AS/400 object authority to
protect your critical data. Use system values to protect against repeated
sign-on attempts. Use security auditing to detect unauthorized attempts to
access both your system and objects on your system.
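The two checks just described (catching repeated sign-on attempts and reviewing audit records) can be illustrated over a handful of audit lines. The following is an added example, not code from the booklet or from IBM; it reads a constructed, simplified log layout (timestamp, result, user profile, source address) that is not the real OS/400 audit journal format, and the sample addresses, profiles and times are invented.

```python
"""Detect repeated failed sign-on attempts and off-hours sign-ons.

Added example, not from the IBM booklet. The log lines below are constructed
and use a simplified layout (timestamp, result, user profile, source address);
this is NOT the real OS/400 audit journal (QAUDJRN) record format, so in
practice you would first extract password-failure entries with the audit
journal tools and map their fields to this shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: four rapid failures against QSECOFR from an
# outside address, one typo by an internal user, and a late-night success.
SAMPLE_LOG = """\
1997-06-02T22:01:05 FAIL QSECOFR 203.0.113.7
1997-06-02T22:01:09 FAIL QSECOFR 203.0.113.7
1997-06-02T22:01:14 FAIL QSECOFR 203.0.113.7
1997-06-02T22:01:20 FAIL QSECOFR 203.0.113.7
1997-06-02T08:15:00 FAIL JSMITH 10.1.1.25
1997-06-02T08:15:40 OK JSMITH 10.1.1.25
1997-06-02T23:30:00 OK QSECOFR 10.1.1.2
"""


def parse_line(line):
    """Split one constructed log line into a dict."""
    ts, result, user, addr = line.split()
    return {"time": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user, "addr": addr}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def repeated_failures(entries, max_attempts=3, window=timedelta(minutes=10)):
    """Return sorted (user, addr) pairs with max_attempts or more consecutive
    failures inside `window`. A successful sign-on resets that pair's streak.
    This is the same idea as the QMAXSIGN system value, applied here to the
    audit trail after the fact rather than at sign-on time."""
    streaks = defaultdict(list)
    flagged = set()
    for e in sorted(entries, key=lambda e: e["time"]):
        key = (e["user"], e["addr"])
        if e["ok"]:
            streaks[key] = []
            continue
        # keep only the failures that are still inside the window
        streaks[key] = [t for t in streaks[key] if e["time"] - t <= window]
        streaks[key].append(e["time"])
        if len(streaks[key]) >= max_attempts:
            flagged.add(key)
    return sorted(flagged)


def off_hours_successes(entries, start_hour=8, end_hour=18):
    """Successful sign-ons outside business hours. These deserve a second look
    for powerful profiles, since attacks tend to cluster outside office hours."""
    return [e for e in entries
            if e["ok"] and not start_hour <= e["time"].hour < end_hour]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("repeated failures:", repeated_failures(log))
    for e in off_hours_successes(log):
        print("off-hours sign-on:", e["user"], "from", e["addr"], "at", e["time"])
```

On the sample data the four QSECOFR failures from the outside address are flagged, JSMITH's single typo is not, and the 23:30 QSECOFR sign-on is listed for review even though it succeeded.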
Make sure that no one starts any TCP/IP servers on your system. Hackers are
typically more familiar with TCP/IP applications (such as FTP and TELNET)
than they are with AS/400 Client Access. If a hacker finds your AS/400
system name when browsing a PC, the hacker will probably try to use TELNET
or FTP to access your AS/400 instead of trying AS/400 Client Access.
Control IOSYSCFG special authority to restrict who can configure TCP/IP.
Restrict who has authority to use the STRTCP (Start TCP/IP) command.
If your router has packet filtering capabilities, set up the router to reject
TCP/IP sessions with an origin IP address that is outside your network.
Risk 2 - Downloading Viruses:
A virus is a program that can change other programs to include a copy of
itself. The virus program usually performs operations that can take up
system resources or destroy data. When your users connect to the Internet,
they might unintentionally download a program with a virus. They might
store the infected program in a shared folder or in the integrated file
system on your AS/400. That virus might then be copied accidentally to
other PCs in your network.
Security Solutions
On your AS/400, use object authority to control where PC users can create new
objects. If your PC users use shared folders, use the authority to DLOs
(document library objects) to limit them to creating new documents in
specific folders. If your PC users use the integrated file system, use the
authority to directories to control where they can place new objects.
Ensure that most users do not have authority to create objects in the root
directory, for example by changing the public authority of the root directory
from RWX to RX.
Regularly run virus scan programs against the directories or folders where
your PC users place new objects. (To run a virus-scan program, you probably
need to sign on from a PC and link to the folder or directory that contains
new programs.)
Install virus-scan software on all PCs and require PC users to run it
regularly. Consider including the virus-scan program in every PC’s startup
routine.
Consider staging the movement of new objects from private PC drives to a
shared environment. Move them to a temporary drive (shared folder or
directory) first. Then have a system administrator move them to a shared
environment after running a virus-scan program.
Educate your users both about viruses and about the risks of downloading
programs from untrusted sources.
Example 2 - Providing E-Mail
Now that your users are connected, they want to exchange e-mail
(electronic notes and messages) with the outside world.
What the Configuration Looks Like
Physically, the connection can still look like the example in Figure 1. You
either need to add e-mail software, or you can use software that you already
have. Following are two possible software options. Many more options are
available.
- If you already use either OfficeVision or JustMail for OS/400, you can
make changes to your configuration to be able to send and receive e-mail
across the Internet. You need to start both TCP/IP and the SMTP (Simple
Mail Transfer Protocol) server. You need to make changes to your system
distribution directory so that it works correctly with SMTP. Both the
TCP/IP Configuration and Reference and the Cool Title About the AS/400 and
Internet book describe how to set up both SMTP and OfficeVision or JustMail
for OS/400 for external e-mail.
- You can install e-mail software, such as UltiMail Lite, on your PCs.
PC-based e-mail software provides the capability to upload and download
mail. You connect your PC to a store-and-forward mail server. AS/400
provides this capability with the Post Office Protocol (POP) server. Or,
your PCs can use an outside store-and-forward mail service from a service
provider.
Security Considerations for This Example
When you add e-mail, your security planning must be more specific. You can
no longer simply configure a router to exclude all sessions whose origin is
outside your network. Nor can you assume that your AS/400 will not
participate. AS/400 users who do not have Web-browser capability can still
send and receive e-mail if you choose to allow it. Following are both
security risks when you add e-mail to the example that is shown in Figure 1
and alternatives for dealing with the risks. This example assumes
that you do not want anyone from outside your network to access any system
within your network, with the exception of sending e-mail to users on your
network. The particular focus is on protecting your AS/400 and its data.
Risk 3 - Published AS/400 Address:
If you want your AS/400 to provide e-mail services to your users, you need
to register your AS/400 on the Internet with an IP address. Your AS/400 now
becomes visible to the outside world and subject to attempted intrusion.
Security Solution
Risk 4 - Flooding:
One game that hackers play is to flood a system with unwanted mail. This
can adversely affect system performance. The mail can also take so much
space on your disk storage that your system stops running.
Security Solutions:
Following are suggestions for limiting the impact of attempts to flood your
system.
- If possible, avoid using an *ANY*ANY entry in your system distribution
directory. This makes it more difficult for someone to flood your system
with unwanted mail that is being routed through your system to another
system. Without an *ANY*ANY entry, your system will reject mail that is
not addressed to a valid user in your network.
- Set an auxiliary storage threshold limit. This prevents unwanted
objects from flooding your system to the point where it cannot operate. (The
Backup and Recovery - Advanced book describes how to set an auxiliary storage
threshold limit.)
Risk 5 - Exploring Your Network
You may have done a good job of securing your AS/400 so that hackers cannot
sign on. However, you might find that your AS/400 provides a path to get to
other systems in your network. Because those systems are not directly
connected to the Internet and they do not expect attempted intrusion, their
security protection might be less rigorous than yours. (They live in a safe
neighborhood and do not need double locks or a burglar alarm.)
Security Solutions
- If you use SLIP (Serial Line Internet Protocol) in your network, use
the Work with TCP/IP Point-to-Point (WRKTCPPTP) command to set up SLIP *ANS
(answer) profiles to prevent IP datagram forwarding. This prevents someone
who finds out about your system from dialing in and using your system to
access another connected system (either a PC or an AS/400) that might have
an active TCP/IP server.
- If you have a LAN-router connection, set the attributes not to allow IP
datagram forwarding. (You need to understand how this might affect other
traffic in your network.)
- If your AS/400 is part of an APPN network, use the new APPN filtering
support. It provides firewall-type protection within your APPN network by
allowing you to specify which location pairs can communicate. The APPN
chapter in Tips and Tools for Securing Your AS/400 describes how to use APPN
filtering support.
Risk 6 - Receiving Viruses via E-Mail
Incoming mail is a potential source for PC viruses. Someone can attach a
program to a note. Or someone can send a program to a user on your system.
Perhaps neither the sender nor the receiver realized that the seemingly
harmless program is spreading a virus.
Security Solutions
- Because of AS/400’s architecture, incoming mail is unlikely to infect
AS/400 itself with a virus. An AS/400 program cannot arrive disguised as
something else. However, PC viruses can arrive in the mail. Follow the
same virus-protection practices that are described in "Risk 2-Downloading
Viruses".
- Educate your users about the possibility of receiving virus programs
through e-mail, possibly from their friends and colleagues.
Risk 7 - Misdirected E-Mail
When your internal e-mail system is connected to the Internet, you have the
possibility that a user will send confidential information to the outside
world. This might happen accidentally, and perhaps even without the user’s
knowledge, if your e-mail connection is not configured correctly.
Security Solutions
- When you configure your e-mail connections, test what happens to mail
that is addressed incorrectly. Does either an incorrect user ID or an
incorrect system name (one that is not in your network) cause the mail to be
sent across your Internet mail link?
- If possible, set up your e-mail system to require confirmation from the
user before e-mail is sent outside your network.
- Educate your users about your policies for sending confidential
information via e-mail.
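Both the *ANY*ANY exposure under Risk 4 and the misdirected-mail test under Risk 7 come down to how the gateway routes an address it cannot match exactly. The following is an added example, not code from the booklet and not OS/400 code: a small routing table stands in for the system distribution directory, the any_any_entry flag models the *ANY*ANY entry, and the users, system names and addresses are constructed.

```python
"""Model of mail routing through a gateway with and without a catch-all entry.

Added example, not from the booklet and not OS/400 code. A small routing
table stands in for the system distribution directory; any_any_entry=True
models the *ANY*ANY entry that the booklet warns about. Users, system names
and addresses are constructed.
"""

# Constructed directory of users on systems inside your own network
LOCAL_USERS = {("JSMITH", "HQSYS"), ("AKUMAR", "WHSE01")}


def route(user, system, any_any_entry):
    """Decide what the gateway does with a user/system pair.

    Returns 'local' (deliver here), 'internet' (hand to SMTP and send out) or
    'reject' (bounce). With any_any_entry=True every address that is not
    matched explicitly is routed out to the Internet."""
    if (user, system) in LOCAL_USERS:
        return "local"
    if "." in system:
        # An Internet host name (e.g. mail.example.org): meant to go outside
        return "internet"
    # An unknown user ID, or a system name that is not in your network
    return "internet" if any_any_entry else "reject"


def accept_incoming(user, system, any_any_entry):
    """Risk 4: should the SMTP server accept mail arriving from outside for
    this recipient? Without *ANY*ANY only mail for someone here is accepted.
    With *ANY*ANY the gateway also relays mail for anyone else, which is what
    lets an outsider flood you with traffic that merely passes through."""
    outcome = route(user, system, any_any_entry)
    return outcome == "local" or (any_any_entry and outcome == "internet")


def misdirected_mail_test(any_any_entry):
    """Risk 7: the two checks the booklet asks you to run on a new e-mail
    connection. Returns {case: outcome} for an internal sender who mistypes
    either the user ID or the system name of a colleague."""
    return {
        "incorrect user ID": route("JSMTIH", "HQSYS", any_any_entry),
        "incorrect system name": route("JSMITH", "HQSYX", any_any_entry),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("*ANY*ANY entry present:", flag)
        print("  relays mail for an unknown recipient:",
              accept_incoming("NOBODY", "HQSYS", flag))
        for case, outcome in misdirected_mail_test(flag).items():
            print(f"  {case}: {outcome}")
```

The point the model makes is that the same catch-all entry that lets outsiders relay through you also turns an internal typo into mail leaving your network: with the entry present both mistyped addresses are routed to the Internet, without it both are bounced back to the sender.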
Risk 8 - Exposure of Sensitive Information
As you expand your use of Internet and of networks in general, your users
can explore different ways of working. Perhaps they can dial into your
system from home or while traveling. They might use e-mail as a tool for
collaborating with colleagues on a project. With current technology,
information on the Internet is usually not encrypted. It is transmitted "in
the clear," which means that it is vulnerable to sniffing. Sniffing on the
Internet backbone itself is unlikely because the backbone consists of
dedicated high-speed connections. However, the peripheral connections, such
as the phone line from your employee’s home or the LAN at a colleague’s
location, are not necessarily well-protected.
Security Solutions:
The primary solution for the possibility of sniffing confidential data is
education. You need to update your security policy and educate your users.
They should treat a public network just as they treat unprotected phone
lines and public places.
- If information is sensitive enough that you would not read it on a bus
or plane, then you probably should not send it across the Internet.
- If information is confidential enough that you would not repeat it on a
cellular telephone, then you probably should not send it across the
Internet.
- If you would not send it through the normal mail, except perhaps with a
double envelope, then you probably should not send it across the Internet.
- Consider providing separate user profiles for Internet and e-mail usage,
at least for users with powerful profiles. That way, if someone sees an
e-mail that an employee sends, the eavesdropper will not have the name of a
powerful profile on your system.
Providing a Home Page
Your users have been surfing the Web and exchanging e-mail with their
colleagues in other organizations. It won’t be long before someone
suggests: "We should have our own home page." Others will join in: "The
Web is a great way to get visibility with very little expense. Having a
home page makes our company look modern and leading-edge."
Example 3 - Home Page without Internal TCP/IP
This example assumes the following:
- You do not use TCP/IP internally within your own network. For security
planning, you can assume that all attempts to access TCP/IP servers come
from outside your network. Your PCs are connected to your AS/400 with
AS/400 Client Access, which uses a protocol other than TCP/IP.
- Your Internet server will only provide information, not update any data
on your system (a read-only server).
- You are using the IBM-supplied HTTP server that is part of V3R2. If
you are using a different security precautions.
What the Configuration Looks Like
Physically, your connection can still look like the example in Figure 1.
You use the HTTP server to serve your home page and other
hyperlinked pages to Internet visitors. You need to work with your ISP to
get an IP address and domain name. (You may already have an IP address if
your AS/400 system has an e-mail connection to the Internet.)
Security Considerations for This Example
Following are new security exposures when you use a configuration like the
one in Figure 1 and provide a home page on the Internet. This
example assumes that you do not use TCP/IP servers for internal users or
applications.
Risk 9 - Visibility of your AS/400 Address:
If you have been providing e-mail, your AS/400 might already have an IP
address. However, when you create a home page and publicize it, you are
making a conscious effort to inform people of your presence on the Internet.
Hackers are more likely to become aware of your system’s existence and to
try to break into it.
Security Solution
Follow the same suggestions that you find in "Risk 3 - Published AS/400 Address."
Just be aware that your chances of being a target are higher and
that you need to become even more security conscious. Often, when an
intrusion occurs, it is because of errors or omissions in security
implementation, not because of flaws in the system itself.
- Use Tips and Tools for Securing Your AS/400 as a guide for reviewing
your security policies and practices.
- Use security auditing to help you detect attempts to enter your system.
- Start only the TCP/IP servers that you need: probably SMTP, POP, and
HTTP. You need to ensure that you do not start any TCP/IP servers that
allow sign-on (such as FTP, TELNET, or Workstation Gateway).
Risk 10 - Developer Ingenuity:
Now that you have set up a home page, you might find that your users and
developers intend to provide "more service" to your Internet visitors. Your
users and developers might not fully analyze the potential security
exposures of the service that they want to provide.
Security solutions
- Raise the level of security awareness and concern in your organization.
Include security reviews as part of application design. Consider hiring an
outside organization to perform a security audit of your systems.
- Regularly monitor the private authorities that the QTMHHTTP user
profile and the QTMHHTP1 user profile have. (Use the DSPUSRPRF
TYPE(*OBJAUT) command.) A client who uses the HTTP server never signs on to
your system. The visitor runs under the QTMHHTTP user profile and can access
only what the QTMHHTTP profile or the public can access. CGI programs use the
QTMHHTP1 user profile.
- Note: HTTP on AS/400 is designed so that "putting" objects from
a Web browser is not allowed. Therefore, a Web-browser user cannot, for
example, put a CGI program on your system.
- Carefully control *IOSYSCFG special authority and monitor the contents
of the HTTP directives. The HTTP client (home-page visitor) can perform
only functions that are explicitly defined in the directives for the HTTP
server. You use the Work with HTTP Configuration (WRKHTTP) command to
define these directives. The WRKHTTP command requires *IOSYSCFG special
authority.
- Do not set up CGI (Common Gateway Interface) programs or enable DB2WWW
without both understanding the functions that they perform and evaluating
the potential security exposures.
If you do not define any CGI programs and you do not enable the DB2WWW
program, the HTTP user cannot do anything on your system except view
hypertext documents that you have specified. (The topic Tips for
Controlling HTTP Access in Tips and Tools for Securing Your AS/400 and the
HTTP chapter in the TCP/IP Configuration and Reference book provide more
information about controlling HTTP.) When you are ready to expand your home
page to more than document-viewing, review the information in "Example 6 -
Providing Additional Applications."
- Ensure that any internal Web pages that you create are not visible
outside your internal network.
Example 4 - Home Page with Internal TCP/IP
While exploring the Internet, your users have discovered that they like to
use TCP/IP applications. For example, you might now have the FTP server
running on your AS/400 to allow users to download files.
What the Configuration Looks Like without a Firewall
Clearly, the use of a firewall provides the best protection for your
production system in this scenario. However, if you choose not to use a
firewall, your configuration might continue to look like the example in Figure 1.
Security Considerations for this Example
Your network has reached the point where you cannot easily distinguish
between requests from internal users and requests from the outside. When
you have a server like FTP or TELNET active on your system, you have opened
a door for outsiders to try to sign on. Although your configuration might
continue to look like Figure 1 (no firewall and no dedicated
Internet server), your risks are greater. Following are additional risks
and possible solutions.
Risk 11 - Unauthorized Sign-on:
To try to prevent outsiders from successfully signing on to your system,
consider adopting the following strategies:
Security Solutions
- Configure your router to reject TCP/IP sessions for specific ports
(such as TELNET ports) if the session originates from an outside IP
address.
- Be sure that you are using all of the AS/400 tools to prevent
unauthorized sign-on. See Chapter 2 in Tips and Tools for Securing
Your AS/400. In particular, use the following:
- Use FTP exit programs (available beginning with V3R2) to authorize or
deny FTP requests, including FTP logon. If you want to provide FTP
services to outsiders, use anonymous FTP and severely limit the
capabilities that your exit program provides.
- If possible, stop TCP/IP servers, such as FTP and TELNET, during off
hours. Hackers tend to attack more often outside of normal business
hours.
- Use the inactivity time-out capabilities of AS/400 and the FTP
servers. When you automatically end sessions that have been inactive for
an extended period, you reduce the chances that an intruder can piggyback
on a session. Piggybacking is attaching an illegitimate session to another
active session to the same host.
- Use the Schedule Profile Activation (SCDPRFACT) command to make
powerful user profiles, like your security officer profiles, unavailable
for sign-on during off-hours. (ADDACTSCDE command for V3R2.)
- Use the limit security officer (QLMTSECOFR) system value to prevent
powerful profiles from signing on at virtual devices.
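The sign-on controls in the list above, applied from an OS/400 CL program; this is an added example, not code from the booklet, and the SECLIB library, the SECADMIN security administrator profile, the ENDNETSVR/STRNETSVR job names and the 08:00-18:00 business window are assumptions.

```cl
/* HRDSGNON - apply the Risk 11 sign-on controls on an OS/400 V3R2    */
/* system.  Added example, not from the booklet; library SECLIB, the  */
/* SECADMIN profile and the 08:00-18:00 window are assumptions.       */
PGM

/* Keep *ALLOBJ and *SERVICE profiles off virtual devices such as     */
/* TELNET sessions unless a device is explicitly authorized to them.  */
CHGSYSVAL  SYSVAL(QLMTSECOFR) VALUE('1')

/* End interactive jobs idle for 30 minutes so a stale session is     */
/* not left for someone else to pick up (piggybacking).               */
CHGSYSVAL  SYSVAL(QINACTITV) VALUE('30')
CHGSYSVAL  SYSVAL(QINACTMSGQ) VALUE('*ENDJOB')

/* Drop FTP control connections after 300 seconds of inactivity.      */
CHGFTPA    INACTTIMO(300)

/* Disable the security administrator profile outside business hours */
/* (ADDACTSCDE is the V3R2 form of the Toolkit's SCDPRFACT).          */
ADDACTSCDE USRPRF(SECADMIN) ENBTIME('0800') DSBTIME('1800') +
           DAYS(*MON *TUE *WED *THU *FRI)

/* Stop the TELNET and FTP servers every evening and restart them on */
/* weekday mornings, so they stay down over the weekend.  Scheduled  */
/* jobs run under the profile of the job description in effect, so   */
/* keep SECLIB non-writable by general users.                        */
ADDJOBSCDE JOB(ENDNETSVR) CMD(CALL PGM(SECLIB/ENDNETSVR)) +
           FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('1900')
ADDJOBSCDE JOB(STRNETSVR) CMD(CALL PGM(SECLIB/STRNETSVR)) +
           FRQ(*WEEKLY) SCDDATE(*NONE) +
           SCDDAY(*MON *TUE *WED *THU *FRI) SCDTIME('0700')
ENDPGM

/* ENDNETSVR - separate source member, called by the evening job.    */
PGM
ENDTCPSVR  SERVER(*TELNET)
ENDTCPSVR  SERVER(*FTP)
ENDPGM

/* STRNETSVR - separate source member, called by the morning job.    */
PGM
STRTCPSVR  SERVER(*TELNET)
STRTCPSVR  SERVER(*FTP)
ENDPGM
```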
What the Configuration Looks Like with a Firewall
You might feel the risks of an intrusion have grown too high and that you
need a firewall. The firewall provides a single point of exposure to
outsiders, which reduces your areas of concern. "Firewalls - Overview"
provides an overview of the functions that a firewall performs.
Example 5 - Home Page with Dedicated AS/400 Internet Server
Your AS/400 system is critical to your business. You suspect that a home
page is only the beginning. Your communications and customer-service tool
is likely to grow rapidly. You decide to separate your Internet server from
your production system by installing a dedicated AS/400 system as your
Internet server.
What the Configuration Looks Like without a Firewall
If your AS/400 server needs little or no information from your production
system, you might not need a firewall because your Internet server is not
connected to your network. Or, if you need to connect your Internet server
to your AS/400 to download information periodically, you carefully control
both the communications configuration and the time frame for the connection.
(You connect for very short periods, and you carefully monitor activity
while you are connected.)
Security Considerations for This Example without a Firewall
Following are additional security considerations and possible solutions
when you choose to have a dedicated Internet server without a firewall.
Risk 12 - Disruption of Service:
When your Internet server is physically separated from your production
network, your production systems are protected from hacking. However,
your Internet server itself can be a target. The impact might be less
severe, but it can affect your ability to provide services to your Internet
clients.
Security Solutions
- Do not neglect security on your Internet server:
  - Protect against unauthorized sign-ons.
  - Make sure that no user profiles have default passwords. (Use the
    CHKDFTPWD command or the ANZDFTPWD command.)
  - Limit the number of user profiles that you have on your Internet
    server. They should not have the same names as the user profiles that
    you have on your production system.
  - Set up object authority to make sure that unauthorized users cannot
    change the information that you are presenting to your Internet
    clients.
- Start only the TCP/IP servers that you need for the Internet services
that you are providing. If your server does not need TELNET, do not start
it on the Internet server.
- If you use FTP to provide services to outsiders (such as downloading
files or programs), consider using anonymous FTP and exit programs
(available beginning with V3R2). This gives you more control over what the
FTP visitor does.
- Strictly limit the amount of confidential information that you store on
your Internet server. This includes the source programs for applications
that you consider to be important intellectual property.
Risk 13 - Network Penetration:
If you choose to connect your Internet server to your production network,
a hacker can try to get from your server to your production systems.
Security Solutions
- Activate the connection only when you need it. Or, consider using tape
to transfer data and never connecting the two systems. If you download data
periodically instead of accessing "live" data, you do not need a link that
is active all the time.
- Use an APPN connection and APPN filtering support (firewall-type
function) between your Internet AS/400 and your production AS/400.
- Ensure that IP datagram forwarding is not active on your Internet
server.
- Use a unique set of user profiles on your Internet server. Do not copy
the user profiles from your production system to your Internet system.
- Strictly limit and control user profiles that have special authorities.
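The anonymous FTP setup that Risk 11 and Risk 12 refer to, written as two OS/400 CL exit programs: a logon exit that admits only the anonymous visitor and a request validation exit that denies whole classes of operation. This is an added example, not IBM's sample code; the ANONYMOUS profile, the FTPPUB and FTPINBOX libraries, the QGPL/FTPLOG message queue, the SECLIB library and the parameter layouts of the TCPL0100 and VLRQ0100 exit formats (as described in the TCP/IP Configuration and Reference) are assumptions to check against your release.

```cl
/* FTPLOGON - FTP server logon exit (format TCPL0100).  Added example, */
/* not IBM sample code; ANONYMOUS, FTPPUB, QGPL/FTPLOG and the         */
/* parameter layout are assumptions to check against your release.     */
PGM        PARM(&APPID &USRID &USRIDLEN &AUTH &AUTHLEN &CLTIP +
                &CLTIPLEN &RTNCD &USRPRF &PWD &CURLIB)
DCL        VAR(&APPID)    TYPE(*CHAR) LEN(4)    /* binary: 1 = server */
DCL        VAR(&USRID)    TYPE(*CHAR) LEN(999)  /* user ID as typed   */
DCL        VAR(&USRIDLEN) TYPE(*CHAR) LEN(4)    /* binary             */
DCL        VAR(&AUTH)     TYPE(*CHAR) LEN(999)  /* password, unused   */
DCL        VAR(&AUTHLEN)  TYPE(*CHAR) LEN(4)
DCL        VAR(&CLTIP)    TYPE(*CHAR) LEN(15)   /* dotted decimal     */
DCL        VAR(&CLTIPLEN) TYPE(*CHAR) LEN(4)
DCL        VAR(&RTNCD)    TYPE(*CHAR) LEN(4)    /* out: 0 reject, 6 accept */
DCL        VAR(&USRPRF)   TYPE(*CHAR) LEN(10)   /* out: profile to use */
DCL        VAR(&PWD)      TYPE(*CHAR) LEN(10)   /* out: unused         */
DCL        VAR(&CURLIB)   TYPE(*CHAR) LEN(10)   /* out: current library */
DCL        VAR(&LEN)      TYPE(*DEC)  LEN(5 0)
DCL        VAR(&IPLEN)    TYPE(*DEC)  LEN(5 0)
DCL        VAR(&USER)     TYPE(*CHAR) LEN(10)
CHGVAR     VAR(&IPLEN) VALUE(%BIN(&CLTIPLEN))
IF         COND(&IPLEN *GT 15) THEN(CHGVAR VAR(&IPLEN) VALUE(15))
/* A user ID longer than 10 characters cannot be ANONYMOUS.            */
CHGVAR     VAR(&LEN) VALUE(%BIN(&USRIDLEN))
IF         COND(&LEN *LT 1 *OR &LEN *GT 10) THEN(GOTO CMDLBL(REJECT))
CHGVAR     VAR(&USER) VALUE(%SST(&USRID 1 &LEN))
/* Only the anonymous visitor is admitted: return code 6 maps the      */
/* logon to ANONYMOUS with FTPPUB as current library and skips the     */
/* password check, so no real profile name or password is ever typed   */
/* at this server.  Everything else is rejected and logged.            */
IF         COND(&USER *EQ 'ANONYMOUS' *OR &USER *EQ 'anonymous') THEN(DO)
           CHGVAR     VAR(%BIN(&RTNCD)) VALUE(6)
           CHGVAR     VAR(&USRPRF) VALUE('ANONYMOUS')
           CHGVAR     VAR(&CURLIB) VALUE('FTPPUB')
           RETURN
           ENDDO
REJECT:    CHGVAR     VAR(%BIN(&RTNCD)) VALUE(0)
           SNDMSG     MSG('FTP logon rejected:' *BCAT &USER *BCAT 'from' +
                        *BCAT %SST(&CLTIP 1 &IPLEN)) TOMSGQ(QGPL/FTPLOG)
ENDPGM

/* FTPREQ - FTP server request validation exit (format VLRQ0100),      */
/* called for every request after logon.                               */
PGM        PARM(&APPID &OPID &USRPRF &RMTIP &RMTIPLEN &OPINFO +
                &OPINFOLEN &ALLOW)
DCL        VAR(&APPID)     TYPE(*CHAR) LEN(4)
DCL        VAR(&OPID)      TYPE(*CHAR) LEN(4)   /* binary, see below  */
DCL        VAR(&USRPRF)    TYPE(*CHAR) LEN(10)
DCL        VAR(&RMTIP)     TYPE(*CHAR) LEN(15)
DCL        VAR(&RMTIPLEN)  TYPE(*CHAR) LEN(4)
DCL        VAR(&OPINFO)    TYPE(*CHAR) LEN(999) /* file or dir name   */
DCL        VAR(&OPINFOLEN) TYPE(*CHAR) LEN(4)
DCL        VAR(&ALLOW)     TYPE(*CHAR) LEN(4)   /* out: 0 reject, 1 allow */
DCL        VAR(&OP)        TYPE(*DEC)  LEN(5 0)
DCL        VAR(&OPC)       TYPE(*CHAR) LEN(5)
CHGVAR     VAR(&OP) VALUE(%BIN(&OPID))
/* Operations: 0 session start, 1 create dir, 2 delete dir, 3 change   */
/* dir, 4 list, 5 delete file, 6 get, 7 put, 8 rename, 9 CL command.   */
/* Object authority on FTPPUB (read) and FTPINBOX (write) decides what */
/* ANONYMOUS reaches; the exit drops whole request classes so an       */
/* authority mistake cannot become a delete, rename or CL command.     */
IF         COND(&USRPRF *NE 'ANONYMOUS') THEN(DO)
           CHGVAR     VAR(%BIN(&ALLOW)) VALUE(1)   /* staff: object authority */
           RETURN
           ENDDO
IF         COND(&OP *EQ 0 *OR &OP *EQ 4 *OR &OP *EQ 6 *OR &OP *EQ 7) +
           THEN(CHGVAR VAR(%BIN(&ALLOW)) VALUE(1))
ELSE       CMD(DO)
           CHGVAR     VAR(%BIN(&ALLOW)) VALUE(0)
           CHGVAR     VAR(&OPC) VALUE(&OP)
           SNDMSG     MSG('ANONYMOUS FTP operation' *BCAT &OPC *BCAT +
                        'rejected') TOMSGQ(QGPL/FTPLOG)
           ENDDO
ENDPGM

/* Register both programs once (WRKREGINF shows the result):           */
/* ADDEXITPGM EXITPNT(QIBM_QTMF_SVR_LOGON) FORMAT(TCPL0100) PGMNBR(1)  */
/*            PGM(SECLIB/FTPLOGON)                                     */
/* ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) */
/*            PGM(SECLIB/FTPREQ)                                       */
```

Create the log queue first (CRTMSGQ MSGQ(QGPL/FTPLOG)) and give the profiles the exits run under *CHANGE authority to it, and give ANONYMOUS *USE on FTPPUB and *CHANGE on FTPINBOX only, with *PUBLIC *EXCLUDE on everything else.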
What the Configuration Looks Like with a Firewall
You might need to connect your Internet server to your production network
if, for example, your Internet applications need access to database files
to determine product availability. Your configuration might look like
Figure 2. Your Internet server is outside the firewall. It becomes an
untrusted system.
Security Considerations for This Example with a Firewall
Following are some of the security considerations and possible solutions
when you have a dedicated Internet server and a firewall.
Note: You have the same potential for disruption of your Internet
server as you have without a firewall. See "Risk 12 - Disruption of
Service."
Risk 14 - Trusting the Server:
Treating your own AS/400 Internet server like an outsider might be
difficult. When you are planning the flow of information between the
Internet server and your network, it is easy to fall into the trap of
trusting the server. Your developers might assume incorrectly, for
example, that certain transactions from certain user IDs are safe.
Security Solutions
- Use your firewall to limit the kind of interaction that occurs between
your trusted network and your Internet server.
- If possible, prevent Internet visitors from signing on to your Internet
server. (Do not start TELNET. Use only anonymous FTP.) This prevents
knowledge of user IDs and passwords and limits the IP traffic that will
have your Internet server’s address as the origin address.
- Use a unique set of user profiles on your Internet server. Do not copy
the user profiles from your production system to your Internet system.
This prevents any applications that look for user profiles from confusing
an internal user with someone trying to access your system through a
loophole on your Internet server.
- Make sure that your Internet server does not help hackers to penetrate
your network. The applications that link your server to your secure
network should have public authority of EXCLUDE.
- Use the inactivity time-out capabilities of AS/400 and the FTP servers.
When you automatically end sessions that have been inactive for an extended
period, you reduce the chances that an intruder can piggyback on a session.
Example 6 - Providing Additional Applications
You decide to go beyond providing a read-only home page and hyperlinked
documents. You want to use the Internet to provide real applications to
your customers and business partners. You might do some or all of the
following:
- Use the HTML gateway (workstation gateway server) to make some of your
current 5250 applications available to Internet clients.
- Provide TELNET to allow Internet clients to sign on to your AS/400
Internet server.
- Create CGI (Common Gateway Interface) programs that clients can launch
(run) by selecting hot spots on your home page.
- Use DB2WWW to provide access to database information.
What the Configuration Looks Like
For both performance and security reasons, you will probably have a
dedicated AS/400 Internet server that is either disconnected from your
production network or separated from your production network by a firewall.
Security Considerations for This Example
Following are new security risks and possible solutions when you expand
your Internet server to provide applications beyond e-mail and read-only
documents.
Risk 15 - Disruption of Service:
Your server is subject to denial of service attacks from hackers who simply
want to cause problems with your system’s ability to perform.
Security Solutions
- Follow the suggestions in "Risk 4 - Flooding" and "Risk 12 - Disruption
of Service."
- On your server system, set storage limits (MAXSTG parameter) for user
profiles, including both any guest profiles and the QTSTRQS user profile.
This prevents someone who signs on to your system with one of these
profiles from using up a large amount of auxiliary storage.
- Ensure that your server system is set up to limit the number of virtual
devices that the system creates automatically. This prevents a
mischief-maker from starting many different sessions just to tie up system
resources.
Risk 16 - Exploring Your Server:
Some Internet visitors will try to break out of the applications that you
provide so that they can explore your system and your network. Your
challenge is to provide them with appropriate services without giving
them free rein.
Security Solutions
- Set up your WSG (workstation gateway) server to use the Workstation
Gateway Server Sign-on Validation exit point interface. Also configure the
WSG not to display a sign-on screen. This allows the WSG administrator to
control both which user profiles are used and which applications can be run
via the WSG. It also eliminates sending user profile names and passwords
over the Internet.
- Restrict the authority of the user profiles that the system uses for
TCP/IP applications. For example, CGI programs use the QTMHHTP1 user
profile.
- Use the directives and scripts that the TCP/IP servers provide to
control what applications can do. This applies to HTTP, WSG, and DB2WWW.
- Carefully design and control the capabilities of CGI programs. When
you use V3R2 support for CGI programs, you specify which libraries CGI
programs can run from. Consider restricting CGI on your system to a single
library, such as CGILIB. Then you can carefully monitor the contents of
that library and control who can place new objects in the library. (Be
sure that the public authority to the library is USE or less.)
- Use the Print Adopting Objects (PRTADPOBJ) command to monitor for new
programs that adopt authority and are available to Internet clients.
Carefully evaluate the functions that those programs provide. (PRTADPINF
command in the Security Toolkit PRPQ.)
- If you allow TELNET, limit the capabilities of the user profiles that
you make available. For example, set either an initial program or an
initial menu to restrict what the user can do. Use the limit capabilities
parameter of the user profile to prevent the user from issuing all but the
most harmless control language (CL) commands. The limit capabilities
parameter also prevents the user from changing the initial program and
the initial menu.
- Be aware that TELNET sign-on information is not encrypted. A would-be
intruder might "sniff" the user ID and password for a TELNET session. You
need to severely limit what TELNET users can do by how you set up the user
profiles that you "publish" for TELNET use.
- Use FTP exit programs. The limit capabilities parameter does not apply
to commands that the FTP user submits.
- Review Chapter 4 of Tips and Tools for Securing Your AS/400 for other
TCP/IP security tips.
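The dedicated Internet server controls of Examples 5 and 6 (Risks 12, 13, 15 and 16) collected into one OS/400 CL program, as an added example rather than code from the booklet; the libraries SECLIB and CGILIB, the WEBGUEST profile and its published password, the WEBMENU menu, and the storage and device limits are assumptions.

```cl
/* HRDWEBSVR - lock down the dedicated AS/400 Internet server of       */
/* Examples 5 and 6 (Risks 12, 13, 15 and 16).  Added example, not     */
/* from the booklet; CGILIB, WEBGUEST, WEBMENU, the published guest    */
/* password and the numeric limits are assumptions.                    */
PGM

/* Risk 13: never forward IP datagrams between interfaces, so the      */
/* server cannot be used as a router into the production network.      */
CHGTCPA    IPDTGFWD(*NO)

/* Risk 12: bring TCP/IP up without its autostart servers, then start  */
/* only what is offered to the Internet (no SMTP, no LPD; TELNET only  */
/* where it is deliberately published).                                */
STRTCP     STRSVR(*NO)
STRTCPSVR  SERVER(*HTTP)
STRTCPSVR  SERVER(*FTP)

/* Risk 12: disable every profile that still has its default password. */
ANZDFTPWD  ACTION(*DISABLE)

/* Risk 16: one library for CGI programs.  *PUBLIC *USE lets the HTTP  */
/* server run what is there but lets nobody add objects to it.         */
CRTLIB     LIB(CGILIB) AUT(*USE) TEXT('CGI programs run by the HTTP server')
/* The profile CGI programs run under gets no special authority and    */
/* only what CGILIB and the published document files grant it.         */
CHGUSRPRF  USRPRF(QTMHHTP1) SPCAUT(*NONE)
GRTOBJAUT  OBJ(CGILIB) OBJTYPE(*LIB) USER(QTMHHTP1) AUT(*USE)

/* Risk 16: a published TELNET profile that lands on one menu, cannot  */
/* change its initial program or menu, and can run almost no CL.       */
/* Risk 15: MAXSTG (in KB) caps the auxiliary storage it can consume.  */
CRTUSRPRF  USRPRF(WEBGUEST) PASSWORD(WELCOME) USRCLS(*USER) +
           SPCAUT(*NONE) INLPGM(*NONE) INLMNU(CGILIB/WEBMENU) +
           LMTCPB(*YES) MAXSTG(20000) TEXT('Published TELNET guest')

/* Risk 15: limit the virtual devices the system creates on its own,   */
/* so one visitor cannot open sessions until resources are exhausted.  */
CHGSYSVAL  SYSVAL(QAUTOVRT) VALUE(20)

/* Risk 16: print the programs that adopt authority; review the report */
/* whenever an object is added to CGILIB.                              */
PRTADPOBJ  USRPRF(*ALL)
ENDPGM
```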
Firewalls - Overview
A firewall controls the access and flow of information between a secure
(trusted) network and an unsecured (untrusted) network. Usually, a
combination of hardware and software provides firewall function. A
firewall might be combined in the same hardware with a router, or it might
be a separate system. Depending on the firewall functions that you need,
you might find that a router provides enough firewall-type function for
your needs.
A firewall can provide the following benefits when your network is connected
to the Internet:
- Controlled access to internal systems.
- Concentrated security administration.
- Enhanced privacy and secrecy of your network configuration.
- Enforcement of your security policy.
- Protection of vulnerable services, such as network file systems.
- Improved system availability by blocking denial-of-service attacks.
- Statistics of network use and misuse.
- Protection of your organization’s reputation as secure and reliable.
Following are brief descriptions of some common firewall functions.
Firewalls are varied in the function that they provide. Both technology
and standards for firewall-type services are expanding rapidly.
Traffic Blocking
One function of a firewall is to block unwanted traffic between the secure
and unsecured networks. Traffic-blocking can be either general (no FTP
traffic is allowed) or specific (no FTP traffic is allowed from a certain
range of IP addresses to a certain IP address). Routers are also capable
of performing traffic-blocking. However, as your rules become more
complex, configuration of a router becomes very difficult. The firewall’s
gateway approach is easier to configure and manage.
Network Gateway
Logically, a firewall provides a gateway between your network and the
Internet. Traffic both into and out of your network passes through the
gateway, which may consist of one or more firewall systems (hardware and
software). To the Internet, the IP address and the domain name of the
firewall represent your network. The firewall can hide both the IP
addresses and the domain names of your internal network.
The firewall’s application gateway provides a set of servers to link users
on the secure network with Internet services. These servers are called
proxy servers. The FTP user connects to the FTP proxy server which then
connects to the Internet FTP server that the user has requested. The
Internet FTP server knows about the proxy server, but the user’s actual IP
address is replaced with the proxy’s address.
Proxy servers are application-specific. They are commonly available for
FTP, HTTP, and TELNET. Mail relays are another specialized form of a proxy
server.
A socket server (SOCKS server) provides similar function to proxy servers.
SOCKS servers have the advantage of being general, rather than
application-specific, so they can carry Internet applications for which no
proxy server is available. However, a SOCKS server requires some
configuration of the clients that connect to it.
Domain Name Serving
The firewall protects or hides the intranet domains and addresses. All
outbound traffic has the appearance that the address is that of the
firewall. Therefore, all inbound traffic knows only of the firewall’s
address. The firewall has enough information to assign correct address
information to traffic for your internal network.
When you configure your firewall, you need to ensure that other domain name
servers cannot use it to resolve your intranet domain names. Your firewall
should not be defined to the internet as a domain name server.
AS/400 and the Future
You have undoubtedly read that network computing is important to IBM’s
future and to the future of AS/400. IBM believes that network computing is
critical to the future of our customers’ organizations.
You have already seen important AS/400 enhancements to support network
computing, such as both the new TCP/IP servers that support Internet
connection and session-level encryption capability for LU6.2 connections.
You can expect to see more AS/400 enhancements in the areas of network
computing and security in the future, such as the following:
- Secure sockets (encrypted TCP/IP connections)
- Closely integrated firewall functions
- Network data integrity functions
As you extend your enterprise, expand your network, and venture into the
Internet, you can expect IBM and AS/400 Advanced Series to be right behind
you with the functions and services that you need.
Where to Get More Information and Assistance
Many resources are available if you need more information about security
and the Internet, or if you need assistance.
Service Offerings
Following are descriptions of several offerings that are available from IBM
to help you either with AS/400 security or with connecting to the Internet.
For more information, please contact your IBM representative. In the U.S.,
you can contact your local Express Services marketing office, or you can
call 1-800-IBM-4YOU.
Security Review for AS/400: Security Review for AS/400 is available
from IBM Availability Services. The review includes the following:
- Use of security tools
- A customer questionnaire
- An interview to gather information about security practices.
The result of the review is a report that summarizes your potential
security exposures and makes preliminary recommendations for corrective
action.
Security planning, implementation, and consulting services are also
available from IBM Availability Services.
SmoothStart for Web Server/400 from I/Net:
An IBM services specialist will install, configure, and tailor Web
Server/400 from I/Net, to allow your business to have a presence on the
World Wide Web.
At the completion of this service, you will have a prototype Web home page,
Web Server/400 installed and operational, and AS/400 TCP/IP configured and
ready to be connected to the Internet or your own internal intranet.
Planning for Internet Connection for AS/400: This service offering
provides you with the information and guidance that you need to determine
what AS/400 functions to offer to Internet users. The planning session
will cover the functions of Internet Connection for AS/400 (V3R2) and
compare it to Web Server/400 from I/Net. At the completion of this service,
you will be able to assess the applicability of Internet Connection for
AS/400 to your environment.
SmoothStart for Internet Connection for AS/400-Anonymous FTP V3R2:
With V3R2 of OS/400, you can now use anonymous as a valid user ID for users
of file transfer protocol (FTP). With anonymous FTP, you can offer users
on the Internet, or your own internal intranet, access to files on your
AS/400 without the need to distribute unique user IDs and passwords to the
users.
The SmoothStart for Internet Connection for AS/400-Anonymous FTP service
will provide you with a services specialist to help you do the following:
- Plan the use of anonymous FTP for your environment
- Set up an FTP user exit that will allow your users both to get files
from one AS/400 library and to put files to one specific library.
At the completion of this service, your AS/400 will be configured both
to allow users to access files by using anonymous FTP and to prevent them
from accessing files that you restrict. FTP users will also be able to
upload files to one specific library.
SmoothStart for Internet Connection for AS/400-POP Mail Server V3R2:
V3R2 of OS/400 allows AS/400 to be a Post Office Protocol 3 (POP3) mail
server and hold mail in mailboxes for users running a POP3 client. The
users can pick up their mail whenever they are ready.
The SmoothStart for Internet Connection for AS/400-POP Mail Server V3R2
offering provides you with a services specialist to configure the necessary
objects to allow your AS/400 to be a POP3 mail server for your clients who
are using mail programs like Eudora, Ultimail, and other POP3 clients
running on AIX, Windows, OS/2, and Macintosh.
At the completion of the service, your AS/400 will be configured as a POP3
mail server, with mailboxes created for ten mail clients to use for their
mail. In addition, five non-AS/400 mail users will be defined on the
AS/400 to allow you to send mail to them.
Security Analysis Lab: With the security analysis lab offering,
IBM consultants attempt to infiltrate customers’ networks. They assess
network vulnerability and recommend security improvements.
Emergency Response Service: The emergency response service for
commercial businesses provides swift, expert incident management skills
during and after an electronic security emergency. In the event of a
break-in, the emergency response team helps customers detect, isolate,
contain, and recover from the unauthorized network infiltration.
Related Publications
Following are publications that provide more information about AS/400
security:
AS/400 Wireless LAN Installation Planning Guide, G571-0303, provides
information about planning and installing a spread spectrum network. In
addition to an overview of spread spectrum radio technology, this book also
describes how to prepare for a site survey and ensure that antenna and
cabling requirements are met for the areas to be covered.
Backup and Recovery - Advanced, SC41-3305, provides information about
setting up and managing:
- Journaling, access path protection, and commitment control
- User auxiliary storage pools (ASPs), including setting storage thresholds
- Disk protection (device parity, mirrored, and checksum)
Cool Title About the AS/400 and Internet, SG24-4815, can help you
access and then use the Internet (or your own intranet) from your AS/400
system. It helps you to understand how to use the functions and features
available with V3R1 and V3R6 and new functions available with Internet
Connection for AS/400 (V3R2). This book helps you to get started quickly
using e-mail, file transfer, terminal emulation, gopher, HTTP, and 5250 to
HTML Gateway.
DB2 for OS/400 Database Programming, SC41-3701, provides a detailed
discussion of the AS/400 database organization, including information on
how to create, describe, and update database files on the system. It also
describes how to define files to the system using OS/400 data description
specifications (DDS) keywords.
An Implementation Guide for AS/400 Security and Auditing: Including
C2, Cryptography, Communications, and PC Connectivity, GC24-4200, provides
practical suggestions and examples for many areas of AS/400 security.
Implementing AS/400 Security, by Wayne Madden. Loveland, Colorado: Duke
Press, a division of Duke Communications International, 1995. Provides
guidance and practical suggestions for planning, setting up, and managing
AS/400 security.
OS/400 Server Concepts and Administration, SC41-3740, provides information
for the system administrator working with AS/400 server functions. The book
includes server concepts, server functions, and exit program information.
Publications Reference, SC41-3003, identifies and describes the printed
and online information in the AS/400 library, and also lists other
publications about the AS/400 system. It includes cross-reference
information between the current library and the previous version library.
Security - Basic, SC41-3301, explains why security is necessary,
defines major concepts, and provides information on planning, setting up,
and monitoring basic security on the AS/400 system.
Security - Enabling for C2, SC41-3303, describes how to customize
your system to meet the requirements for C2 security, as described in the
Department of Defense Trusted Computer System Evaluation Criteria.
Security - Reference, SC41-3302, provides complete information about
security system values, user profiles, resource security, and security
auditing. This manual does not describe security for specific licensed
programs, languages, and utilities.
TCP/IP Configuration and Reference, SC41-3420, provides information
for configuring and using AS/400 TCP/IP support. The applications included
are Network Status (NETSTAT), Packet Internet Groper (PING), TELNET, File
Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office
Protocol (POP), line printer requester (LPR), line printer daemon (LPD),
Hypertext Transport Protocol (HTTP), and Workstation Gateway (WSG). The
TCP and UDP Pascal application program interface (API) is also discussed.
TCP/IP File Server Support for OS/400 Installation and User’s Guide,
SC41-0125, provides introductory information, installation instructions,
and setup procedures for the File Server Support licensed program offering.
It explains the functions available with the product and includes examples
and hints for using it with other systems.
Tips and Tools for Securing Your AS/400 describes how to use the
security tools (available before V3R2 as Security ToolKit for OS/400). It
includes many AS/400 security tips, including the following:
- Protecting interactive sign-on
- Controlling APPC, TCP/IP, and AS/400 Client Access
- Preventing curious users from causing damage
- Preventing devious users from causing damage or stealing information
V3R2 order number: SC41-3300
PRPQ order number: GC41-0615
Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, describes
the criteria for levels of trust for computer systems. The TCSEC is a
publication of the United States government.
Copies may be obtained from:
Office of Standards and Products
National Computer Security Center
Fort Meade, Maryland 20755-6000 USA
Attention: Chief, Computer Security Standards
The Whole Internet User’s Guide and Catalog by Ed Krol, O’Reilly &
Associates, Inc., 1994, is a comprehensive introduction to the Internet.
It includes a listing of information resources and an index of useful sites
to visit.