More and more AS/400 owners are exploring their options for linking their
systems to the Internet. The first question they ask is usually, "How do I
do it?" The second question is, "What about security?" This booklet
attempts to answer the second question for AS/400 on the Internet: "What
Note: For answers to the first question, "How do I do it?," see
"Where to Get More Information and Assistance". It lists
publication and service offerings that are available to help you. In
particular, see the new redbook, Cool Title About the AS/400 and the
Internet, SG24-4815 and the TCDPIIP Configuration and Reference.
AS/400 Security Strengths: The simple answer to "What about
security?" is that AS/400 has very strong security characteristics, which
includes the following:
Your Security Policy and Needs: The long answer to "What about
security?" starts with "It depends." Your definition of security might
differ from someone else's. The appropriate security setup depends both on
how you connect to the Internet and what Internet functions you want to use.
Do you want to be a client or a read-only server? Or do you want to take
the first steps toward electronic commerce?
- AS/400 integrated security is extremely difficult to circumvent compared
to security offerings on other systems that are add-on software packages.
- AS/400 object-based architecture makes it technically difficult to
create and propagate a virus. On AS/400, a program cannot modify another
- AS/400 object-based architecture requires you to use system-provided
interfaces to access objects. You cannot access an object directly by its
address in the system. You cannot manipulate the pointer for one object to
make a point to another object. (Pointer manipulation is a popular
technique for hackers on other system architectures.)
- AS/400 flexibility lets you set up your system security to meet your
Ultimately, the long answer is that security depends on you. AS/400 provides
a strong set of security tools, but you must take the time to learn about
the tools and to use them. You also need to learn about network security -
both the exposures and the possible solutions.
If you have a security policy today, you probably need to revise it to
address your plans for an Internet connection. If you do not have a
security policy today, now is the time to develop one. When you extend your
organization onto the Internet, a security policy provides a critical
cornerstone for your planning.
The rest of this booklet provides examples of Internet connections, some of
the security risks that are associated with them, and consideration to help
you reduce those risks. The examples build on each other. Read through
them and develop a combination that more closely fits your requirements.
A Change in Security Thinking
If you are thinking about linking your AS/400 business computer system to
the Internet, you probably need to begin by revising some of your thinking
about security. The typical AS/400 system exists in a friendly environment
with a well-defined set of potential users. It provides a secured entrance
(sign-on and password) and fairly open access once you are inside. Most
files are available for viewing by any user who can sign on to the system
(public authority is USE). A few confidential and sensitive files such as
the payroll files, should be available only to a few users (public authority
From a security perspective, the typical AS/400 resembles a building. The
doors (and windows) are locked. Users need a key (password)
to enter. Inside the building, most of the rooms have doors that are not
locked. A few rooms, or file drawers within rooms, have locks that require
When you provide access to your system through the Internet, you might be
letting many strangers from all around the world enter your system, or at
least browse documents that are on your system. The view of your system
that is shown as a house might make you feel uncomfortable, and it should.
You need to move to a need-to-know approach to security thinking. Decide
what the Internet visitor needs to know, and prevent access to anything else.
How you set up a need-to-know environment depends on the kind of Internet
server that you want to provide.
In addition to taking a stricter, more rigorous look at a security on your
own system, you need to expand your view. As your network grows, both
internally with LANs, for example, and externally with the Internet, you
need to consider both system security and network security.
Proceed with Caution
Right now, you need to take the important first step of becoming a more
rigorous security thinker. Switch to a "need-to-know" and a "need-to-do"
mentality. Whenever you want to make a new application available on the
Internet, begin by asking the following questions:
TCP/IP and the Internet are designed for openness and interoperability so
that Internet clients and Internet servers from many different providers can
communicate and exchange information successfully. This openness makes it
difficult to build in network security capabilities. First, the various
providers must agree on security standards. For example, when you send
encrypted passwords, both sides must use the same method for generating
encryption keys and the same algorithms for encrypting and decrypting. Many
groups are working to develop network security standards, but much work
remains to be done.
- What does the Internet user need to know and do?
- How do we prevent the Internet user from seeing or doing anything else?
- What access does your program or application give to the Internet user,
either directly or indirectly?
In the past, with a limited, private network, you could equate security with
system security. By using the strong security capabilities of AS/400, you
could feel confident that your information was protected. Now, when you
connect to the Internet, or provide dial-up access to your system, you need
to think also about networks security, which is a primary focus of this
Very few Internet users are malicious. Most are simply seeking information
and more efficient ways of doing business. But the hackers are out there,
and you need to be prepared. AS/400 providers more integrated security
capabilities than many Internet servers. However, because your current
environment is more friendly than the Internet, you might not be using all
of the AS/400 security capabilities that are available. For this reason,
the examples later in this booklet take a step-by-step approach to
connecting to the Internet. You start with the Internet side of your system
locked up as tightly as possible, like the building described earlier. You
open doors (new Internet applications or new TCP/IP servers) gradually,
one at a
time, after carefully evaluating your security exposures and precautions.
Security - A Definition
The topics that follow provide examples of how you might link your AS/400
business computing system to the Internet. Each example includes tips and
considerations for ensuring security. But first, letís define what we mean
A security policy
Defining what you want to protect and what you expect of your system users.
A security policy defines the importance of the business assets that are on
our system. It provides a basis for security planning when you either
design new applications or expand your network. It describes user
responsibilities, such as protecting confidential information and creating
Ensuring that only authorized individuals (or jobs) can enter your system.
When you link your system to a public network like the Internet, user
authentication takes on new dimensions. An important difference between the
Internet and your Intranet is your ability to trust the identity of a user
who signs on.
Ensuring that only authorized users can access objects on the system. The
ability to secure all types of systems resources is an AS/400 strength.
However, you might find that you do not use the full capabilities of AS/400
resource security, particularly if you rely primarily on menu access control.
You might also find that connecting to the Internet forces you to change
your definition of a "public" user on your system.
System integrity is your systemís ability to provide consistent, expected
results with expected performance. For AS/400, system integrity is the most
commonly overlooked component of security because system integrity is a
fundamental part of AS/400 architecture. AS/400 architecture, for example,
makes it extremely difficult for a mischief-maker to imitate or modify an
operating system program (when you use security level 40 or 50).
When you think about connecting to the Internet, you need to think about
your systemís integrity and how a hacker might try to assault it. A hacker
can threaten your systemís integrity without ever succeeding in signing on
to your system. A hacker can, for example, compromise your systemís ability
to service user requests by flooding your system. Your disk storage can be
flooded, for example, with unwanted mail or with printed output. Your
processor can be overwhelmed for example, by error requests.
This is commonly called denial of service. Your legitimate users either
cannot log on or they receive poor performance because your system is
spending resources dealing with unauthorized requests.
Ensuring the reliability of data that enters your system. When data that
enters your system comes from a public network, you might need several
Protect the data from being "sniffed" and interpreted, usually by encrypting
Ensure that the transmission has not been altered (data integrity).
Prove that the transmission occurred (non-repudiation). In the future, you
might need the electronic equivalent of registered or certified mail.
Monitoring security-relevant events to provide a log of both successful and
unsuccessful (denied) access. Successful accesses tell you who is doing
what. Unsuccessful accesses tell you either that someone is attempting to
break your security or that someone is having difficulty accessing your
system. (for example, you might not have your Web page set up correctly.)
Minimum AS/400 Security
The topics that follow assume that you are starting with an AS/400 system
that is basically secure. At a minimum, your system should meet the
following security guidelines:
A few comments about the examples:
The examples that follow provide typical options for connecting your system
to the Internet. They discuss security risks and possible solutions. These
are not the only options available, nor are they necessarily the most secure
A firewall that is properly configured and administered is almost always the
most secure method for connecting your system to the outside world. By
using a firewall, you are both limiting your points of exposure and hiding
your network configuration from others. The need to consider a firewall
when connecting your AS/400 server to the Internet is no different than when
you connect other servers to the Internet.
As organizations expand their use of the Internet and provide Internet
access to more and more information, firewalls are rapidly be coming an
industry-standard in certain situations. Although a firewall might be in
your future, it might be more than you either need or can afford today.
Several of the following examples do not have firewalls. Most of the
security considerations are valid with without a firewall.
These examples follow a typical progression of expanding Internet usage.
They start with the assumption that you are not currently using TCP/IP to
communicate with other systems in your own network.
Example 1 - Connecting Your Users to the Internet
Your first venture into the Internet might be to provide your users with
access to the Internet. Both your AS/400 and your PCs are already on a
LAN (local area network). Instead of putting a modem on every PC, you want
to provide a central point of access to the Internet. Each PC will have Web
What the Configuration Looks Like
Figure 1 shows a common way to connect your LAN users to the Internet. Your
PC users can go directly to the Internet through the router. They can also
continue to access your AS/400 via the LAN by using AS/400 Client Access,
Security Consideration for This Example
Following are some of the security risks for Example 1 and alternatives for
dealing with the risks. This example assumes that you do not want anyone
from outside your network to access your AS/400. The particular focus is on
protecting your AS/400 and its data.
Note: Unless you use packet filtering on your router, your
PCs in this configuration are more vulnerable to attack than they
are with a dial-up connection. When a router is attached to the
same LAN as your PCs, a potential intruder can attempt to access
your PCs whenever they are powered on.
Risk 1 - Published IP Addresses:
Usually with this type of
connection (LAN to router to Internet), every system (PC) that connects to
the Internet must have an IP address. Having an IP address is similar to
having a published telephone number. Whenever a user in your network sends
an Internet request, the packet contains the IP address of the userís PC.
Any host on the Internet that a PC contacts knows the PSís IP address. A
potential intruder might be able to access that information and attempt to
access the PC by using the IP address.
Ensure that your AS/400 does not have an IP address. This protects your
AS/400 from direct assaults, including denial-of-service assaults.
Educate your PC users about the need to protect their PCs from attempted
intrusions. Their PCs should not, for example, be configured to start
TCP/IP servers (such as TELNET or FTP).
Ensure that an outsider who successfully breaks into one PC cannot go beyond
that PC into the network. This protection can be difficult, and it depends
to some extent on the security practices of your PC users. An intruder will
look on the PC for information, such as system names or communications
start-up programs, that might help the intruder break into another system in
the network. The intruder will also look for stored user IDs and passwords
on the PC.
Your AS/400 is vulnerable both to the weakest link (PC with poor security
practices) and to the most trivial password. Use AS/400 object authority to
protect your critical data. Use system values to protect against repeated
sigh-on attempts. Use security auditing detect unauthorized attempts to
access both your system and objects on your system.
Make sure that no one starts any TCP/IP servers on your system. Hackers are
typically more familiar with TCP/IP application (such as FTP and TELNET)
than they are with AS/400 Client Access. If a hacker finds your AS/400
system name when browsing a PC, the hacker will probably try to use TELNET
or FTP to access your AS/400 instead of trying AS/400 Client Access.
Control IOSYSCFG special authority to restrict who can configure TCP/IP.
Restrict who has authority to use the STRTCP (Start TCP/IP) command.
If your router has packet filtering capabilities, set up the router to react
TCP/IP sessions with an origin IP address that is outside your network.
Risk 2 - Downloading Viruses:
A virus is a program that can change other programs to include a copy of
itself. The virus program usually performs operations that can take up
system resources or destroy data. When your users connect to the Internet,
they might unintentionally download a program with a virus. They might
store the infected program in a shared folder or in the integrated file
system on your AS/400. That virus might then be copied accidentally to
other PCs in your network.
On you AS/400, use object authority to control where PC users can create new
objects. If your PC users use shared folders, use the authority to DLOs
(document library objects) to limit them to creating new documents in
specific folders. If your PC users use the integrated file system, use the
authority to directories to control where they can place new objects.
Ensure that most users do not have authority to create authority of the root
directory from RWX to RX.
Regularly run virus scan programs against the directories or folders where
your PC users place new objects. (To run a virus-scan program, you probably
need to sign on from a PC and link to the folder or directory that contains
Install virus-scan software on all PCs and require PC users to run it
regularly. Consider including the virus-scan program in every PCs startup
Consider staging the movement of new objects from private PC drives to a
shared environment. Move them to a temporary drive (shared folder or
directory) first. Then have a system administrator move them to a shared
environment after running a virus-scan program.
Educate your users both about viruses and about the risks of downloading
programs from untrusted sources.
Example 2 - Providing E-Mail
Now that your users are connected, they want to exchange e-mail
(electronic notes and messages) with the outside world.
What the Configuration Looks Like
Physically, the connection can still look like the example in Figure 1. Either you need to add e-mail software, or you can use software
that you already have. Following are two possible software options. Many
more options are available.
- If you already use either OfficeVision or JustMail for OS/400, you can
make changes to your configuration to be able to send and receive e-mail
across the Internet. You need to start both ICP/IP and the SMTP (Simple
Mail Transfer Protocol) server. You need to make changes to your system
distribution directory so that it works correctly with SMTP. Both the
TCP/IP Configuration and Reference and the Cool Title About the AS/400 and
Internet book describe how to set up both SMTP and OfficeVision or JustMail
for OS/400 for external e-mail.
You can install e-mail software, such as UltiMail Lite on your PCs.
PC-based e-mail software provides the capability to upload and download
mail. You connect your PC to a store-and forward mail server. AS/400
provides this capability with the Post Office Protocol (POP) server. Or,
your PCs can use an outside store -and-forward mail service from a service
Security Considerations for This Example
When you add e-mail, your security planning must be more specific. You can
no longer simply configure a router to exclude all sessions whose origin is
outside your network. Now can you assume that your AS/400 will not
participate. AS/400 users who do not have Web-browser capability can still
send and receive e-mail if you choose to allow it. Following are both
security risks when you add e-mail to the example that is shown in Figure 1
and alternatives for dealing with the risks. This example assumes
that you do not want anyone from outside your network to assess any system
within your network, with the exception of sending e-mail to users on your
network. The particular focus is on protecting your AS/400 and its data.
Risk 3 -Published AS/400 Address:
If you want your AS/400 to provide e-mail services to your users, you need
to register your AS/400 on the Internet with an IP address. Your AS/400 now
becomes visible to the outside world and subject to attempted intrusion.
Risk 4 - Flooding:
One game that hackers play is to flood a system with unwanted mail. This
can adversely affect system performance. The mail can also take so much
space on your disk storage that your system stops running.
Following are suggestions for limiting the impact of attempts to flood your
- If possible, avoid using an *ANY*ANY entry in your system distribution
directory. This makes it more difficult for someone to flood your system
with unwanted mail that is being routed through your system to another
system. Without an *ANY*ANY entry, your system will reject mail that is
not addressed to a valid user in your network.
- Set an auxiliary storage threshold limit. This prevents unwanted
objects from flooding your system to point where it cannot operate. (The
Backup and recovery Advanced book describes how to set an auxiliary storage
Risk 5 - Exploring Your Network
You may have done a good job of securing your AS/400 so that hackers cannot
sign on. However, you might find that your AS/400 provides a path to get to
other systems in your network. Because those systems are not directly
connected to the Internet and they do not expect attempted intrusion, their
security protection might be less rigorous than yours. (They live in a safe
neighborhood and do not need double locks or a burglar alarm.)
- If you use SLIP (Serial Interface Line Protocol) in your network, use
the Work with TCP/IP Point-to-Point (WRKTCPPTP) command to set up SLIP*ANS
(answer) profiles to prevent IP datagram forwarding. This prevents someone
who finds out about your system from dialing in and using your system to
access another connected system (either a PC or an AS/400) that might have
an active TCP/IP server.
- If you have a LAN-router connection, set the attributes not to allow IP
datagram forwarding. (You need to understand how this might affect other
traffic in your network.)
- If your AS/400 is part of an APPN network, use the new PPN filtering
support. It provides firewall-type protection within your APPN network by
allowing you to specify which location pairs can communicate. The APPX
chapter in Tips and Tools for Securing Your AS/400 describes how to use APPN
Risk 6 - Receiving Viruses via E-Mail
Incoming mail is a potential source for PC viruses. Someone can attach a
program to a note. Or someone can send a program to a user on your system.
Perhaps neither the sender nor the receiver realized that the seemingly
harmless program is spreading a virus.
- Because of AS/400ís architecture, incoming mail is unlikely to infect
AS/400 itself with a virus. An AS/400 program cannot arrive disguised as
something else. However, PC viruses can arrive in the mail. Follow the
same virus-protection practices that are described in "Risk 2-Downloading
- Educate your users about the possibility of receiving virus programs
through e-mail, possibly from their friends and colleagues.
Risk 7 - Misdirected E-Mail
When your internal e-mail system is connected to the Internet, you have the
possibility that a user will send confidential information to the outside
world. This might happen accidentally, and perhaps even without the userís
knowledge, if your e-mail connection is not configured correctly.
- When you configure your e-mail connections, test what happens to mail
that is addressed incorrectly. Does either an incorrect user ID or an
incorrect system name (one that is not in your network) cause the mail to be
sent across your Internet mail link?
- If possible, set up your e-mail system to require confirmation from the
user before e-mail is sent outside your network.
- Educate your users about your policies for sending confidential
information via e-mail.
Risk 8 - Exposure of Sensitive Information
As you expand your use of Internet and of networks in general, your users
can explore different ways of working. Perhaps they can dial into your
system from home or while traveling. They might use e-mail as a tool for
collaborating with colleagues on a project. With current technology,
information on the Internet is usually not encrypted. It is transmitted "in
the clear," which means that it is vulnerable to sniffing. Sniffing on the
Internet backbone itself is unlikely because the backbone consists of
dedicated high-speed connections. However, the peripheral connections, such
as the phone line from your employeeís home or the LAN at a colleagueís
location, are not necessarily well-protected.
The primary solution for the possibility of sniffing confidential data is
education. You need to update your security policy and educate your users.
They should treat a public network just as they treat unprotected phone
lines and public places.
- If information is sensitive enough that you would not read it on a bus
or plane, then you probably should not send it across the Internet.
- If information is confidential enough that you would not repeat it on a
cellular telephone, then you probably should not send it across the
- If you would not send it through the normal mail, except perhaps with a
double envelope, then you probably should not send it across the Internet.
- Consider providing separate user profiles for Internet and e-mail usage,
at least for users with powerful profiles. That way, if someone sees an
e-mail that an employee sends, the eavesdropper will not have the name of a
powerful profile on your system.
Providing a Home Page
Your users have been surfing the Web and exchanging e-mail with their
colleagues in other organizations. It wonít be long before someone
suggests: "We should have our own home page." Others will join in: "The
Web is a great way to get visibility with very little expense. Having a
home page makes our company look modern and leading-edge."
Example 3 - Home Page without Internal TCP/IP
This example assumes the following:
- You do not use TCP/IP internally within your own network. For security
planing, you can assume that all attempts to access TCP/IP servers come
from outside your network. Your PCs are connected to your AS/400 with
AS/400 Client Access, which uses a protocol other than TCP/IP.
- Your Internet server will only provide information, not update any data
on your system (a read-only server).
- You are using the IBM-supplied HTTP server that is part of V3R2. If
you are using a different security precautions.
What the Configuration Looks Like
Physically, your connection can still look like the example in Figure 1 .
You use the HTTP server to serve your home page and other
hyperlinked pages to Internet visitors. You need to work with your ISP to
get an IP address and domain name. (You may already have an IP address if
your AS/400 system has an e-mail connection to the Internet.)
Security Considerations for This Example
Following are new security exposures when you use a configuration like the
one in Figure 1 and provide a home page on the Internet. This
example assumes that you do not use TCP/IP server for internal users or
Risk 9 - Visibility of your AS/400 Address:
If you have been providing e-mail, your AS/400 might already have an IP
address. However, when you create a home page and publicize it, you are
making a conscious effort to inform people of your presence on the Internet.
Hackers are more likely to become aware of your systemís existence and to
try to break into it.
Follow the same suggestions that you find in "Risk 3-Published AS/400."
Just be aware that your chances of being a target are higher and
that you need to become even more security conscious. Often, when an
intrusion occurs, it is because of errors or omissions in security
implementation, not because of flaws in the system itself.
- Use Tips and Tools for Securing Your AS/400 as a guide for reviewing
your security policies and practices.
- Use security auditing to help you detect attempts to enter your system.
- Start only the TCP/IP servers that you need: probably SMTL, POP, and
HTTP. You need to ensure that you do not start any TCP/IP servers that
allow sign-on (such as FTP, TELNET, or Workstation Gateway).
Risk 10 - Developer Ingenuity:
Now that you have set up a home page,
you might find that your users and developers intent was to provide "more
service" to your internet visitors. Your users and developers might not
fully analyze the potential security exposures of the service that they
want to provide.
- Raise the level of security awareness and concern in your organization.
Include security reviews as part of application design. Consider hiring an
outside organization to perform a security audit of your systems.
- Regularly monitor the private authorities that the QTMHHTPP user
profile and the QTMHHTPP! user profile have. (Use the DSPUSRPRF
TYPE(*OBJAUT) command.) A client who uses the HTTP server never signs on
your system. The visitor runs your system. The vistor runs under the
QTMHHTTP users the HTTP server never signs on your system. The visitor
runs under the QTMHHTTP user profile and can access only what the QTMHHTTP
profile or the public can access. CGI programs use the QTMHHTP user
- Note: HTTP on AS/400 is designed so that "putting" objects from
a Web browser is not allowed. Therefore, a Web-browser user cannot, for
example, put a CGI program on your system.
- Carefully control *IOSYSCFG special authority and monitor the contents
of the HTTP directives. The HTTP client (home-page visitor) can perform
only functions that are explicitly defined in the directives for the HTTP
server. You use the Work with HTTP Configuration (WRKHTTP) command to
define these directives. The WRKHTTP command required *IOSYSCFG special
- Do not set up CGI (Common Gateway Interface) programs or enable DB2WWW
without both understanding the functions that they perform and evaluating
the potential security exposures.
If you do not define any CGI programs and you do not enable the DB2WWWQ
program, the HTTP user cannot do anything on your system except view
hypertext documents that you have specified. (The topic Tips for
Controlling HTTP Access in Tips and Tools for Securing your AS/400 and the
HTTP chapter in the TCP/IP Configuration and Reference book provide more in
formation about controlling HTTP.) When you are ready to expand your home
page to more than document-viewing, review the information in "Example 6-
Providing Additional applications."
- Ensure that any internal Web pages that you create are not visible
outside your internal network.
Example 4- Home Page with Internal TCP/IP
While exploring the Internet, your users have discovered that they like to
use TCP/IP applications. For example, you might now have the FTP server
running on your AS/400 to allow users to download files.
What the Configuration looks like without a firewall
Clearly, the use of a firewall provides the best protection for your
production system in this scenario. However, if you choose not to use a
firewall, your configuration might continue to look the example in Figure 1.
Security Considerations for this Example
Your network has reached the point where you cannot easily distinguish
between requests from internal users and requests from the outside. When
you have a server like FTP or TELNET active on your system, you have opened
a door for outsiders to try to sign on. Although your configuration might
continue to look like Figure 1 ( no firewall and no dedicated
Internet server), your risks are greater. Following are additional risks
and possible solutions.
Risk 11 - Unauthorized Sign-on:
To try to prevent outsiders from successfully signing on to your system,
consider adopting the following strategies:
- Configure your router to reject TCP/IP sessions for specific ports
(such as TELENET ports) if the session originates from an outside IP
- Be sure that you are using all of the AS/400 tools to prevent
unauthorized sign-on. See Chapter 2 in Tips and Tools for securing
Your AS/400. In particular, use the following:
- Use FTP exit programs (available beginning with V3R2) to authorize or
deny FTP requests, including FTP logon. If you want to provide FTP
services to outsiders, use anonymous FTP and severely limit the
capabilities that your exit program provides.
- If possible, stop TCP/IP servers, such as FTP and TELNET, during off
hours. Hackers tend to attack more often outside of normal business
- Use the inactivity time-out capabilities of AS/400 and the FTP
servers. When you automatically end sessions that have been inactive for
an extended period, you reduce the chances that an intruder can piggyback
on a session. Piggy-backing is attaching an illegitimate session to another
active session to the same host.
- Use the Schedule Profile Activation (SCDPRFACT) command to make
powerful user profiles, like your security officer profiles, unavailable
for sign-on during offhours. (ADDACTSCDE command for V3R2.)
- Use the limit security officer (QLKTSECOFR) system value to prevent
powerful profiles from signing on at virtual devices.
What the Configuration Looks Like with a Firewall
You might feel the risks of an intrusion have grown too high and that you
need a firewall. The firewall provides a single point of exposure to
outsiders, which reduces
your areas of concern. "Firewalls-Overview" provides an
overview of the functions that a firewall performs.
Example 5-Home Page with Dedicated AS/400 Internet Server
Your AS/400 system is critical to your business. You suspect that a home
page is only the beginning. Your communications and customer-service tool
is likely to grow rapidly. You decide to separate your Internet sever from
your production system by installing a dedicated AS/400 system as your
What the Configurations Looks Like without a Firewall
If your AS/400 server needs little or no information from your production
system, you might not need a firewall because your Internet server is not
connected to your network. Or, if you need to connect your Internet server
to your AS/400 to download information periodically, you carefully control
both the communications configuration and the time frame for the connection.
(You connect for very short periods, and you carefully monitor activity
while you are connected.)
Security Considerations for This Example without a Firewall
Following are additional security considerations and possible solutions
when you choose to have a dedicated Internet server without a firewall.
Risk 12-Disruption of Service:
When your Internet server is physically separated from your production
network, your production systems are protected from hacking. However,
your Internet server itself can be a target. The impact might be less
severe, but it can affect your ability to provide services to your Internet
- Do not neglect security on your Internet server:
Protect against unauthorized sign-ons.
Make sure that no user profiles have default passwords. (Use the
CHKDFTPWD command or the ANZDFTPWD command.)
Limit the number of user profiles that you have on your Internet server.
They should not have that same names as the user profiles that you have on
your production system.
Set up object authority to make sure that unauthorized users cannot change
the information that your are presenting to your Internet clients.
- Start only the TCP/IP servers that you need for the Internet services
that you are providing. If your server does not need TELENET, do not start
it on the Internet server.
- If you use FTP to provide services to outsiders (such as downloading
files or programs), consider using anonymous FTP and exit programs
(available beginning with V3R2). This gives you more control over what the
FTP visitor does.
- Strictly limit the amount of confidential information that you store on
your Internet server. This includes the source programs for applications
that you consider to be important intellectual property.
Risk 13-Network Penetration:
If you choose to connect your Internet server to your production network,
a hacker can try to get from your server to your production systems.
- Activate the connection only when you need it. Or, consider using tape
to transfer data and never connecting the two systems. If you download data
periodically instead of accessing "live" data, you do not need a link that
is active all the time.
- Use an APPN connection and APPN filtering support (firewall-type
function) between your Internet AS/400 and your production AS/400.
- Ensure that IP datagram forwarding is not active on your Internet
- Use a unique set of user profiles on your Internet server. Do not copy
the user profiles from your production system to your Internet system.
- Strictly limit and control user profiles that have special authorities.
What the Configuration looks like with a Firewall
You might need to connect your Internet server to your production network,
if for example, your Internet applications need to access to database files
to determine product availability. Your configuration might look like
Figure 2. Your Internet server is outside the firewall. It becomes an
Security Considerations for This Example with a Firewall
Following are some of the security considerations and possible solutions
when you have a dedicated Internet server and a firewall.
Note: You have the same potential for disruption of your Internet
server as you have without a firewall. See " Risk 12-Disruption of
Risk 14 - Trusting the Server:
Treating your own AS/400 Internet server like an outsider might be
difficult. When you are planning the flow of information between the
Internet server and your network, it is easy to fall into the trap of
trusting the server. Your developers might assume incorrectly, for
example, that certain transactions from certain user Ids are safe.
- Use your firewall to limit the kind of interaction that occurs between
your trusted network and your Internet server.
- If possible, prevent Internet visitors from signing on to your Internet
server. (Do not start TELENET. Use only anonymous FTP.) This prevents
knowledge of user Ids and passwords and limits the IP traffic that will
have your Internet serverís address as the origin address.
- Use a unique set of user profiles on your Internet server. Do not copy
the user profiles from your production system to your Internet system.
This prevents any applications that look for user profiles from confusing
an internal user with someone trying to access your system through a
loophole on your Internet server.
- Make sure that your Internet server does not help hackers to penetrate
your network. The applications that link your server to your secure
network should have public authority of EXCLUDE.
- Use the inactivity time-out capabilities of AS/400 and the FTP servers.
When you automatically end sessions that have been inactive for an extended
period, you reduce the chances that an intruder can piggyback on a session.
Example 6 - Providing Additional Applications
You decide to go beyond providing a read-only home page and hyperlinked
documents. You want to use the Internet to provide real applications to
your customers and business partners. You might do some or all of the
- Use the HTML gateway (workstation gateway server) to make some of your
current 5250 applications available to Internet clients.
- Provide TELENET to allow Internet clients to sign on to your AS/400
- Create CGI (Common Gateway Interface) programs that clients can launch
(run) by selecting hot spots on your home page.
- Use DB2WWW to provide access to database information.
What the Configuration Looks Like
For both performance and security reasons, you will probably have a
dedicated AS/400 Internet server that is either disconnected from your
production network or separated from your production
network by a firewall.
Security Considerations for This Example
Following are new security risks and possible solutions when you expand
your Internet server to provide applications beyond e-mail and read only
Risk 15 - Disruption of Service:
Your server is subject to denial of service attacks from hackers who simply
want to cause problems with your systemís ability to perform.
Follow the suggestions in "Risk 4- Flooding" and risk12-disruption
On your server system, set storage limits (MAXSTG parameter) for user
profiles, including both any guest profiles and the OTSTROS user profile.
This prevents someone who signs on to your system with one of these
profiles from using up a large amount of auxiliary storage.
Ensure that your server system is set up to limit the number of virtual
devices that the system creates automatically. This prevents a
mischief-maker from starting many different sessions just to tie up system
Risk 16 - Exploring Your Server:
Some Internet visitors will try to break out of the applications that you
provide so that they can explore your system and your network. Your
challenge is to provide them with appropriate services without giving
them free rein.
Set up your WSG (workstation gateway) server to use the Workstation Gateway
Server Sign-on Validation Exit point interface. Also configure the WSG to
not display a sign-on screen. This allows the WSG administrator to control
both what user profiles are used and what applications can be run via the
WSG. It also eliminated sending user profile names and passwords over the
- Restrict the authority of the user profiles that the system uses for
TCP/IP applications. For example, CGI programs use the OTMHHTP1 user
- Use the directives and scripts that the TCP/IP servers provide to
control what applications can do. This applies to HTTP,WSG, and DB2WWW.
- Carefully design and control the capabilities of CGI programs. When
you use V3R2 support for CGI programs, you specify which libraries CGI
programs can run from.Consider restricting CGI on your system to a single
library, such as CGILIB. Then you can carefully monitor the contents of
that library and control who can place new objects in the library. (Be
sure that the public authority to the library is USE or less.)
- Use the Print Adopting Objects (PRTADPOBJ) command to monitor for new
programs that adopt authority and are available to Internet clients.
Carefully evaluate the functions that those programs provide. (PRTADPINF
command in the Security Toolkit PRDPQ.)
- If you allow TELENET, limit the capabilities of the user profiles that
you make available. For example, set either an initial program or an
initial menu to restrict what the user can do. Use the limit capabilities
parameter of the user profile to prevent the user from issuing all but the
most harmless control language (CL) commands. The limit capabilities
parameter also prevents the user from changing the initial program and
the initial menu.
- Be aware that TELNET sign-on information is not encrypted. A would-be
intruder might "sniff" the user ID and password for a TELNET session. You
need to severely limit what TELNET users can do by how you set up the user
profiles that you "publish" for TELNET use.
- Use FTP exit programs. The limit capabilities parameter does not apply
to commands that the FTP user submits.
- Review Chapter 4 of Tips and Tools for Securing your AS/400 for other
TCP/IP security tips.
Firewalls - Overview
A firewall controls the access and flow of information between a secure
(trusted) network and an unsecured (untrusted) network. Usually, a
combination of hardware and software provides firewall function. A
firewall might be combined in the same hardware with a router, or it might
be a separate system. Depending on the firewall functions that you need,
you might find that a router provides enough firewall-type function for
Firewall can provide the following benefits when your network is connected
to the Internet:
Following are brief descriptions of some common firewall functions.
Firewalls are varied in the function that they provide. Both technology
and standards for firewall-type services are expanding rapidly.
- Controlled access to internal systems.
- Concentrated security administration.
- Enhanced privacy and secrecy of your network configuration.
- Enforcement of your security policy.
- Protection of vulnerable services, such as network file systems.
- Improved system availability by blocking denial-of service attacks.
- Statistics of network use and misuse.
- Protection of your organizationís reputation as secure and reliable.
One function of a firewall is to block unwanted traffic between the secure
and unsecured networks. Traffic-blocking can be either general -no FTP
traffic is allowed) or specific (no FTP traffic is allowed from a certain
range of IP addresses to a certain IP address). Routers are also capable
of performing traffic-blocking. However, as your rules become more
complex, configuration of a router becomes very difficult. The firewallsís
gateway approach is easier to configure and manage.
Logically, a firewall provides a gateway between your network and the
Internet. Traffic both into and out of your network passes through the
gateway, which may consist of one or more firewall systems (hardware and
software). To the Internet, the IP address and the domain name of the
firewall represent your network. The firewall can hide both the IP
addresses and the domain names of your internal network.
The firewallís application gateway provides a set of servers to link users
on the secure network with Internet services. These servers are called
proxy servers. The FTP user connects to the FTP proxy server which then
connects to the Internet FTP server that the user has requested. The
Internet FTP server knows about the proxy server, but the userís actual IP
address is replaced with the proxyís address.
Proxy servers are application-specific. They are commonly available for
FTP,HTTP, and TELNET. Mail relays are another specialized form of a proxy
A socket server (SOCKS server) provides similar function to proxy servers.
SOCKS servers have the advantage of being general, rather than
application-specific. If your users want Internet applications that are
not available in a proxy server, a SOCKS server requires some configuration
of the clients that connect to it.
Domain Name Serving
The firewall protects or hides the intranet domains and addresses. All
outbound traffic has the appearance that the address is that of a firewall.
Therefore, all inbound traffic knows only of the firewallsís address. The
firewall has enough information to assign correct address information to
traffic for your internal network.
When you configure your firewall, you need to ensure that other domain name
servers cannot use it to resolve your intranet domain names. Your firewall
should not be defined to the internet as a domain name server.
AS/400 and the Future
You have undoubtedly read that network computing is important to IBMís
future and to the future of AS/400. IBM believes that network computing is
critical to the future of our customersí organizations.
You have already seen important AS/400 enhancements to support network
computing, such as both the new TCP/IP servers that support Internet
connection and session-level encryption capability for LU6.2 connections.
You can expect to see more AS/400 enhancements in the areas of network
computing and security in the future, such as the following:
As you extend your enterprise, expand your network, and venture into the
Internet, you can expect IBM and AS/.400 Advanced Series to be right behind
you with the functions and services that you need.
- Secure sockets (encrypted TCP/IP connections)
- Closely integrated firewall functions
- Network data integrity functions
Where to Get More Information and Assistance
Many resources are available if you need more information about security
and the Internet, or if you need assistance.
Following are descriptions or several offerings that are available from IBM
to help you either with AS/400 security or with connecting to the Internet.
For more information, please contact your IBM representative. In the U.S.,
you can contact your local Express Services marketing office, or you can
Security Review for AS/400: Security Review for AS/400 is available
from IBM Availability Services. The review includes the following:
The result of the review is a report that summarizes your potential
security exposures and makes preliminary recommendations for corrective
- Use of security tools
- A customer questionnaire
- An interview to gather information about security practices.
Security planning, implementation, and consulting services are also
available from IBM Availability Services.
SmoothStart for Web Server/400 from I/Net**.
An IBM services specialist will install, configure, and tailor Web
Server/400 from I/Net, to allow your business to have a presence on the
World Wide Web.
At the completion of this service, you will have a prototype Web home page,
Web Server/400 installed and operational, and AS/400 TCP/IP configured and
ready to be connected to the Internet or your own internal intranet.
Planning for Internet Connection for AS/400: This service offering
provides you with the information and guidance that you need to determine
what AS/400 functions to offer to Internet users. The planning session
will cover the functions of Internet Connection for AS/400 (V3R2) and
compare it to Web Server/400 from I/Net. At the completion of this service,
you will be able to assess the applicability of Internet Connection for
AS/400 to your environment.
SmoothStart for Internet Connection for AS/400-Anonymous FTP V3R2:
With V3R2 of OS/400, you can now use anonymous as a valid user ID for users
of file transfer protocol (FTP). With anonymous FTP, you can offer users
on the Internet, or your own internal Intranet, access to files on your
AS/400 without the need to distribute unique user Ids and passwords to the
The SmoothStart for Internet Connection for AS/400-Anonymous FTP service
will provide you with a services specialist to help you do the following:
SmoothStart for Internet Connection for AS/400-POP Mail Server V3R2:
V3R2 of OS/400 allows AS/400 to be a Post Office Protocol R3 (POP3) mail
server and hold mail in mailboxes for users running a POP3 client. The
users can pick up their mail whenever they are ready.
- Plan the use of anonymous FTP for your environment
- Set up an FTP user exit that will allow your users both to get files
from one AS/400 library and to put files to one specific library.
- At the completion of this service, your AS/400 will be configured both
to allow users to access files by using anonymous FTP and to prevent them
from accessing files that you restrict. FTP users will also be able to
upload files to one specific library.
The SmoothStart for Internet Connection for AS/400-POP Mail Server V3R2
offering provides you with a services specialist to configure the necessary
objects to allow your AS/400 to be a POP3 mail server for your clients who
are using mail programs like Eudora, Ultimail, and other POP3 clients
running on AIX, Windows, OS/2, and Macintosh**.
At the completion of the service, your AS/400 will be configured as a POP3
mail server, with mailboxes created for ten mail clients to use for their
mail. In addition, five non-AS/400 mail users will be defined on the
AS/400 to allow you to send mail to them.
Security Analysis Lab: With the security analysis lab offering,
IBM consultants attempt to infiltrate customers networks. They assess
network vulnerability and recommend security improvements.
Emergency Response Service: The emergency response service for
commercial businesses provides swift, expert incident management skills
during and after an electronic security emergency. In the event of a
break-in, the emergency response team helps customers detect, isolate,
contain, and recover from the unauthorized network infiltration.
Following are publications that provide more information about AS/400
AS/400 Wireless LAN Installation Planning Guide, G571-0303, provides
information about planning and installing a spread spectrum network. In
addition to an overview of spread spectrum radio technology, this book also
describes how to prepare for a site survey and ensure that antenna and
cabling requirements are met for the areas to be covered.
Backup and Recovery- Advanced, SC41-3305, provides information about
setting up and managing:
Journaling, access path protection, and commitment control.
User auxiliary storage pools (ASPs), including setting storage thresholds
Disk protection (device parity, mirrored, and checksum)
Cool Title About the AS/400 and Internet, SG24-4815, can help you
access and then use the Internet (or your own intranet) from your AS/400
system. It helps you to understand how to use the functions and features
available with V3R1 and V3R6 and new functions available with Internet
Connection for AS/400 (V3R2). This book helps you to get started quickly
using e-mail, file transfer, terminal emulation, gopher, HTTP, and 5250 to
DB2 for OS/400 Datebase Programming, SC41-3701, Provides a detailed
discussion of the AS/400 database organization, including information on
how to create, describe, and update database files on the system. It also
describes how to define files to the system using OS/400 data description
specifications (DDS0 keywords.
An Implementation Guide for AS/400 Security and Auditing: Including
C2, Cryptography, Communications, and PC Connectivity, GC24-4200, provides
practical suggestions and examples for many areas of AS/400 security.
Implementing AS/400 Security, by Wayne Madden.
Duke Press, a division of Duke Communications International, 1995. Provides
guidance and practical suggestions for planning, setting up, and managing
OS/400 Server Concepts and Administration.
SC41-3740, provides information for the system administrator working with
AS/400 server functions. The book includes server concepts, sever
functions, and exit program information.
Publications Reference, SC41-3003, identifies and describes the printed
and online information in the AS/400 library, and also lists other
publications about the AS/400 system. It includes cross-reference
information between the current library and the previous version library.
Security - Basic, SC41-3301, explains why security is necessary,
defines major concepts, and provides information on planning, setting up,
and monitoring basic security on the AS/400 system.
Security - Enabling for C2, SC41-3303, describes how to customize
your system to meet the requirements for C2 Security, as described in the
Department of Defense Trusted Computer Evaluation Criteria.
Security - Reference, SC41-3302, provides complete information about
security system values, user profiles, resource security, and security
auditing. This manual does not describe security for specific licensed
programs, languages, and utilities.
TCP/IP Configuration and Reference, SC41-3420, provides information
for configuring and using AS/400 TCP/IP support. The applications included
are Network Status (NETSTAT), Packet Internet Grouper (PNG), TELNET, File
Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office
Protocol (POP) line printer requester (LPR), and line printer daemon (LPD),
Hypertext Transport Protocol (HTTP), and Workstation Gateway (WSG). The
TCP and UDP Pascal application program interface (API) is also discussed.
TCP/IP File Server Support for OS/400 Installation and Userís Guide,
SC41-0125, provides introductory information, installation instructions,
and setup procedures for the File Server Support licensed program offering.
It explains the functions available with the product and includes examples
and hints for using it with other systems.
Tip and Tools for Securing your AS/400 describes how to use the
security tools (available before V3R2 as Security ToolKit for OS/400). It
includes many AS/400 security tips, including the following:
V3R2 Order Number . . . SC41-3300
- Protecting interactive sign-on
- Controlling APPC, TCP/IP and AS/400 Client Access
- Preventing curious users from causing damage
- Preventing devious users from causing damage or stealing information
PRPQ Order Number . . . GC41-0615
Trusted Computer Systems Evaluation Criteria,
DoD 5200.28.STD, describes the criteria for levels of trust for computer
systems. The TCSEC is a publication of the United States government.
Copies may be obtained from:
Office of Standards and Products
The Whole Internet Userís Guide and Catalog by Ed Krol, OíReilly &
Associates, Inc., 1994, is a comprehensive introduction to the Internet.
It includes a listing of information resources and an index of useful sites
National Computer Security Center
Fort Meade, Maryland 20755-6000 USA
Attention: Chief, Computer Security Standards