DMS - Securing AS/400s
Securing AS/400s

More and more AS/400 owners are exploring their options for linking their systems to the Internet. The first question they ask is usually, "How do I do it?" The second question is, "What about security?" This booklet attempts to answer the second question for AS/400 on the Internet: "What about security?"
Note: For answers to the first question, "How do I do it?," see "Where to Get More Information and Assistance". It lists publication and service offerings that are available to help you. In particular, see the new redbook, Cool Title About the AS/400 and the Internet, SG24-4815 and the TCDPIIP Configuration and Reference.

AS/400 Security Strengths: The simple answer to "What about security?" is that AS/400 has very strong security characteristics, which includes the following:

Your Security Policy and Needs: The long answer to "What about security?" starts with "It depends." Your definition of security might differ from someone else's. The appropriate security setup depends both on how you connect to the Internet and what Internet functions you want to use. Do you want to be a client or a read-only server? Or do you want to take the first steps toward electronic commerce?

Ultimately, the long answer is that security depends on you. AS/400 provides a strong set of security tools, but you must take the time to learn about the tools and to use them. You also need to learn about network security - both the exposures and the possible solutions.

If you have a security policy today, you probably need to revise it to address your plans for an Internet connection. If you do not have a security policy today, now is the time to develop one. When you extend your organization onto the Internet, a security policy provides a critical cornerstone for your planning.

The rest of this booklet provides examples of Internet connections, some of the security risks that are associated with them, and consideration to help you reduce those risks. The examples build on each other. Read through them and develop a combination that more closely fits your requirements.

A Change in Security Thinking

If you are thinking about linking your AS/400 business computer system to the Internet, you probably need to begin by revising some of your thinking about security. The typical AS/400 system exists in a friendly environment with a well-defined set of potential users. It provides a secured entrance (sign-on and password) and fairly open access once you are inside. Most files are available for viewing by any user who can sign on to the system (public authority is USE). A few confidential and sensitive files such as the payroll files, should be available only to a few users (public authority is EXCLUDE).

From a security perspective, the typical AS/400 resembles a building. The doors (and windows) are locked. Users need a key (password) to enter. Inside the building, most of the rooms have doors that are not locked. A few rooms, or file drawers within rooms, have locks that require keys (authorization).

When you provide access to your system through the Internet, you might be letting many strangers from all around the world enter your system, or at least browse documents that are on your system. The view of your system that is shown as a house might make you feel uncomfortable, and it should. You need to move to a need-to-know approach to security thinking. Decide what the Internet visitor needs to know, and prevent access to anything else. How you set up a need-to-know environment depends on the kind of Internet server that you want to provide.

In addition to taking a stricter, more rigorous look at a security on your own system, you need to expand your view. As your network grows, both internally with LANs, for example, and externally with the Internet, you need to consider both system security and network security.

Proceed with Caution

Right now, you need to take the important first step of becoming a more rigorous security thinker. Switch to a "need-to-know" and a "need-to-do" mentality. Whenever you want to make a new application available on the Internet, begin by asking the following questions: TCP/IP and the Internet are designed for openness and interoperability so that Internet clients and Internet servers from many different providers can communicate and exchange information successfully. This openness makes it difficult to build in network security capabilities. First, the various providers must agree on security standards. For example, when you send encrypted passwords, both sides must use the same method for generating encryption keys and the same algorithms for encrypting and decrypting. Many groups are working to develop network security standards, but much work remains to be done.

In the past, with a limited, private network, you could equate security with system security. By using the strong security capabilities of AS/400, you could feel confident that your information was protected. Now, when you connect to the Internet, or provide dial-up access to your system, you need to think also about networks security, which is a primary focus of this booklet.

Very few Internet users are malicious. Most are simply seeking information and more efficient ways of doing business. But the hackers are out there, and you need to be prepared. AS/400 providers more integrated security capabilities than many Internet servers. However, because your current environment is more friendly than the Internet, you might not be using all of the AS/400 security capabilities that are available. For this reason, the examples later in this booklet take a step-by-step approach to connecting to the Internet. You start with the Internet side of your system locked up as tightly as possible, like the building described earlier. You open doors (new Internet applications or new TCP/IP servers) gradually, one at a time, after carefully evaluating your security exposures and precautions.

Security - A Definition

The topics that follow provide examples of how you might link your AS/400 business computing system to the Internet. Each example includes tips and considerations for ensuring security. But first, letís define what we mean by "security."

A security policy
Defining what you want to protect and what you expect of your system users. A security policy defines the importance of the business assets that are on our system. It provides a basis for security planning when you either design new applications or expand your network. It describes user responsibilities, such as protecting confidential information and creating non-trivial passwords.

User authentication
Ensuring that only authorized individuals (or jobs) can enter your system. When you link your system to a public network like the Internet, user authentication takes on new dimensions. An important difference between the Internet and your Intranet is your ability to trust the identity of a user who signs on.

Resource protection
Ensuring that only authorized users can access objects on the system. The ability to secure all types of systems resources is an AS/400 strength. However, you might find that you do not use the full capabilities of AS/400 resource security, particularly if you rely primarily on menu access control. You might also find that connecting to the Internet forces you to change your definition of a "public" user on your system.

System integrity System integrity is your systemís ability to provide consistent, expected results with expected performance. For AS/400, system integrity is the most commonly overlooked component of security because system integrity is a fundamental part of AS/400 architecture. AS/400 architecture, for example, makes it extremely difficult for a mischief-maker to imitate or modify an operating system program (when you use security level 40 or 50).

When you think about connecting to the Internet, you need to think about your systemís integrity and how a hacker might try to assault it. A hacker can threaten your systemís integrity without ever succeeding in signing on to your system. A hacker can, for example, compromise your systemís ability to service user requests by flooding your system. Your disk storage can be flooded, for example, with unwanted mail or with printed output. Your processor can be overwhelmed for example, by error requests.

This is commonly called denial of service. Your legitimate users either cannot log on or they receive poor performance because your system is spending resources dealing with unauthorized requests.

Data integrity
Ensuring the reliability of data that enters your system. When data that enters your system comes from a public network, you might need several security protections:

Protect the data from being "sniffed" and interpreted, usually by encrypting it.

Ensure that the transmission has not been altered (data integrity).

Prove that the transmission occurred (non-repudiation). In the future, you might need the electronic equivalent of registered or certified mail.

Security auditing
Monitoring security-relevant events to provide a log of both successful and unsuccessful (denied) access. Successful accesses tell you who is doing what. Unsuccessful accesses tell you either that someone is attempting to break your security or that someone is having difficulty accessing your system. (for example, you might not have your Web page set up correctly.)

Minimum AS/400 Security

The topics that follow assume that you are starting with an AS/400 system that is basically secure. At a minimum, your system should meet the following security guidelines:

A few comments about the examples:

The examples that follow provide typical options for connecting your system to the Internet. They discuss security risks and possible solutions. These are not the only options available, nor are they necessarily the most secure options.

A firewall that is properly configured and administered is almost always the most secure method for connecting your system to the outside world. By using a firewall, you are both limiting your points of exposure and hiding your network configuration from others. The need to consider a firewall when connecting your AS/400 server to the Internet is no different than when you connect other servers to the Internet.

As organizations expand their use of the Internet and provide Internet access to more and more information, firewalls are rapidly be coming an industry-standard in certain situations. Although a firewall might be in your future, it might be more than you either need or can afford today. Several of the following examples do not have firewalls. Most of the security considerations are valid with without a firewall.

These examples follow a typical progression of expanding Internet usage. They start with the assumption that you are not currently using TCP/IP to communicate with other systems in your own network.

Example 1 - Connecting Your Users to the Internet

Your first venture into the Internet might be to provide your users with access to the Internet. Both your AS/400 and your PCs are already on a LAN (local area network). Instead of putting a modem on every PC, you want to provide a central point of access to the Internet. Each PC will have Web browser software.

What the Configuration Looks Like

Figure 1 shows a common way to connect your LAN users to the Internet. Your PC users can go directly to the Internet through the router. They can also continue to access your AS/400 via the LAN by using AS/400 Client Access, for example.

Security Consideration for This Example

Following are some of the security risks for Example 1 and alternatives for dealing with the risks. This example assumes that you do not want anyone from outside your network to access your AS/400. The particular focus is on protecting your AS/400 and its data.
Note: Unless you use packet filtering on your router, your PCs in this configuration are more vulnerable to attack than they are with a dial-up connection. When a router is attached to the same LAN as your PCs, a potential intruder can attempt to access your PCs whenever they are powered on.

Risk 1 - Published IP Addresses:

Usually with this type of connection (LAN to router to Internet), every system (PC) that connects to the Internet must have an IP address. Having an IP address is similar to having a published telephone number. Whenever a user in your network sends an Internet request, the packet contains the IP address of the userís PC. Any host on the Internet that a PC contacts knows the PSís IP address. A potential intruder might be able to access that information and attempt to access the PC by using the IP address.

Security Solutions

Ensure that your AS/400 does not have an IP address. This protects your AS/400 from direct assaults, including denial-of-service assaults.

Educate your PC users about the need to protect their PCs from attempted intrusions. Their PCs should not, for example, be configured to start TCP/IP servers (such as TELNET or FTP).

Ensure that an outsider who successfully breaks into one PC cannot go beyond that PC into the network. This protection can be difficult, and it depends to some extent on the security practices of your PC users. An intruder will look on the PC for information, such as system names or communications start-up programs, that might help the intruder break into another system in the network. The intruder will also look for stored user IDs and passwords on the PC.

Your AS/400 is vulnerable both to the weakest link (PC with poor security practices) and to the most trivial password. Use AS/400 object authority to protect your critical data. Use system values to protect against repeated sigh-on attempts. Use security auditing detect unauthorized attempts to access both your system and objects on your system.

Make sure that no one starts any TCP/IP servers on your system. Hackers are typically more familiar with TCP/IP application (such as FTP and TELNET) than they are with AS/400 Client Access. If a hacker finds your AS/400 system name when browsing a PC, the hacker will probably try to use TELNET or FTP to access your AS/400 instead of trying AS/400 Client Access.

Control IOSYSCFG special authority to restrict who can configure TCP/IP. Restrict who has authority to use the STRTCP (Start TCP/IP) command.

If your router has packet filtering capabilities, set up the router to react TCP/IP sessions with an origin IP address that is outside your network.

Risk 2 - Downloading Viruses:

A virus is a program that can change other programs to include a copy of itself. The virus program usually performs operations that can take up system resources or destroy data. When your users connect to the Internet, they might unintentionally download a program with a virus. They might store the infected program in a shared folder or in the integrated file system on your AS/400. That virus might then be copied accidentally to other PCs in your network.

Security Solutions

On you AS/400, use object authority to control where PC users can create new objects. If your PC users use shared folders, use the authority to DLOs (document library objects) to limit them to creating new documents in specific folders. If your PC users use the integrated file system, use the authority to directories to control where they can place new objects.

Ensure that most users do not have authority to create authority of the root directory from RWX to RX.

Regularly run virus scan programs against the directories or folders where your PC users place new objects. (To run a virus-scan program, you probably need to sign on from a PC and link to the folder or directory that contains new programs.)

Install virus-scan software on all PCs and require PC users to run it regularly. Consider including the virus-scan program in every PCs startup routine.

Consider staging the movement of new objects from private PC drives to a shared environment. Move them to a temporary drive (shared folder or directory) first. Then have a system administrator move them to a shared environment after running a virus-scan program.

Educate your users both about viruses and about the risks of downloading programs from untrusted sources.

Example 2 - Providing E-Mail

Now that your users are connected, they want to exchange e-mail (electronic notes and messages) with the outside world.

What the Configuration Looks Like

Physically, the connection can still look like the example in Figure 1. Either you need to add e-mail software, or you can use software that you already have. Following are two possible software options. Many more options are available.

Security Considerations for This Example

When you add e-mail, your security planning must be more specific. You can no longer simply configure a router to exclude all sessions whose origin is outside your network. Now can you assume that your AS/400 will not participate. AS/400 users who do not have Web-browser capability can still send and receive e-mail if you choose to allow it. Following are both security risks when you add e-mail to the example that is shown in Figure 1 and alternatives for dealing with the risks. This example assumes that you do not want anyone from outside your network to assess any system within your network, with the exception of sending e-mail to users on your network. The particular focus is on protecting your AS/400 and its data.

Risk 3 -Published AS/400 Address:

If you want your AS/400 to provide e-mail services to your users, you need to register your AS/400 on the Internet with an IP address. Your AS/400 now becomes visible to the outside world and subject to attempted intrusion.

Security Solution

Risk 4 - Flooding:

One game that hackers play is to flood a system with unwanted mail. This can adversely affect system performance. The mail can also take so much space on your disk storage that your system stops running.

Security Solutions:

Following are suggestions for limiting the impact of attempts to flood your system.

Risk 5 - Exploring Your Network

You may have done a good job of securing your AS/400 so that hackers cannot sign on. However, you might find that your AS/400 provides a path to get to other systems in your network. Because those systems are not directly connected to the Internet and they do not expect attempted intrusion, their security protection might be less rigorous than yours. (They live in a safe neighborhood and do not need double locks or a burglar alarm.)

Security Solutions

Risk 6 - Receiving Viruses via E-Mail

Incoming mail is a potential source for PC viruses. Someone can attach a program to a note. Or someone can send a program to a user on your system. Perhaps neither the sender nor the receiver realized that the seemingly harmless program is spreading a virus.

Security Solutions

Risk 7 - Misdirected E-Mail

When your internal e-mail system is connected to the Internet, you have the possibility that a user will send confidential information to the outside world. This might happen accidentally, and perhaps even without the userís knowledge, if your e-mail connection is not configured correctly.

Security Solutions

Risk 8 - Exposure of Sensitive Information

As you expand your use of Internet and of networks in general, your users can explore different ways of working. Perhaps they can dial into your system from home or while traveling. They might use e-mail as a tool for collaborating with colleagues on a project. With current technology, information on the Internet is usually not encrypted. It is transmitted "in the clear," which means that it is vulnerable to sniffing. Sniffing on the Internet backbone itself is unlikely because the backbone consists of dedicated high-speed connections. However, the peripheral connections, such as the phone line from your employeeís home or the LAN at a colleagueís location, are not necessarily well-protected.

Security Solutions:

The primary solution for the possibility of sniffing confidential data is education. You need to update your security policy and educate your users. They should treat a public network just as they treat unprotected phone lines and public places.

Providing a Home Page

Your users have been surfing the Web and exchanging e-mail with their colleagues in other organizations. It wonít be long before someone suggests: "We should have our own home page." Others will join in: "The Web is a great way to get visibility with very little expense. Having a home page makes our company look modern and leading-edge."

Example 3 - Home Page without Internal TCP/IP

This example assumes the following:

What the Configuration Looks Like

Physically, your connection can still look like the example in Figure 1 . You use the HTTP server to serve your home page and other hyperlinked pages to Internet visitors. You need to work with your ISP to get an IP address and domain name. (You may already have an IP address if your AS/400 system has an e-mail connection to the Internet.)

Security Considerations for This Example

Following are new security exposures when you use a configuration like the one in Figure 1 and provide a home page on the Internet. This example assumes that you do not use TCP/IP server for internal users or applications.

Risk 9 - Visibility of your AS/400 Address:

If you have been providing e-mail, your AS/400 might already have an IP address. However, when you create a home page and publicize it, you are making a conscious effort to inform people of your presence on the Internet. Hackers are more likely to become aware of your systemís existence and to try to break into it.

Security Solution

Follow the same suggestions that you find in "Risk 3-Published AS/400." Just be aware that your chances of being a target are higher and that you need to become even more security conscious. Often, when an intrusion occurs, it is because of errors or omissions in security implementation, not because of flaws in the system itself.

Risk 10 - Developer Ingenuity:

Now that you have set up a home page, you might find that your users and developers intent was to provide "more service" to your internet visitors. Your users and developers might not fully analyze the potential security exposures of the service that they want to provide.

Security solutions

Example 4- Home Page with Internal TCP/IP

While exploring the Internet, your users have discovered that they like to use TCP/IP applications. For example, you might now have the FTP server running on your AS/400 to allow users to download files.

What the Configuration looks like without a firewall

Clearly, the use of a firewall provides the best protection for your production system in this scenario. However, if you choose not to use a firewall, your configuration might continue to look the example in Figure 1.

Security Considerations for this Example

Your network has reached the point where you cannot easily distinguish between requests from internal users and requests from the outside. When you have a server like FTP or TELNET active on your system, you have opened a door for outsiders to try to sign on. Although your configuration might continue to look like Figure 1 ( no firewall and no dedicated Internet server), your risks are greater. Following are additional risks and possible solutions.

Risk 11 - Unauthorized Sign-on:

To try to prevent outsiders from successfully signing on to your system, consider adopting the following strategies:

Security Solutions

What the Configuration Looks Like with a Firewall

You might feel the risks of an intrusion have grown too high and that you need a firewall. The firewall provides a single point of exposure to outsiders, which reduces your areas of concern. "Firewalls-Overview" provides an overview of the functions that a firewall performs.

Example 5-Home Page with Dedicated AS/400 Internet Server

Your AS/400 system is critical to your business. You suspect that a home page is only the beginning. Your communications and customer-service tool is likely to grow rapidly. You decide to separate your Internet sever from your production system by installing a dedicated AS/400 system as your Internet server.

What the Configurations Looks Like without a Firewall

If your AS/400 server needs little or no information from your production system, you might not need a firewall because your Internet server is not connected to your network. Or, if you need to connect your Internet server to your AS/400 to download information periodically, you carefully control both the communications configuration and the time frame for the connection. (You connect for very short periods, and you carefully monitor activity while you are connected.)

Security Considerations for This Example without a Firewall

Following are additional security considerations and possible solutions when you choose to have a dedicated Internet server without a firewall.

Risk 12-Disruption of Service:

When your Internet server is physically separated from your production network, your production systems are protected from hacking. However, your Internet server itself can be a target. The impact might be less severe, but it can affect your ability to provide services to your Internet clients.

Security Solutions

Risk 13-Network Penetration:

If you choose to connect your Internet server to your production network, a hacker can try to get from your server to your production systems.

Security Solutions

What the Configuration looks like with a Firewall

You might need to connect your Internet server to your production network, if for example, your Internet applications need to access to database files to determine product availability. Your configuration might look like Figure 2. Your Internet server is outside the firewall. It becomes an untrusted system.

Security Considerations for This Example with a Firewall

Following are some of the security considerations and possible solutions when you have a dedicated Internet server and a firewall.

Note: You have the same potential for disruption of your Internet server as you have without a firewall. See " Risk 12-Disruption of Service."

Risk 14 - Trusting the Server:

Treating your own AS/400 Internet server like an outsider might be difficult. When you are planning the flow of information between the Internet server and your network, it is easy to fall into the trap of trusting the server. Your developers might assume incorrectly, for example, that certain transactions from certain user Ids are safe.

Security Solutions

Example 6 - Providing Additional Applications

You decide to go beyond providing a read-only home page and hyperlinked documents. You want to use the Internet to provide real applications to your customers and business partners. You might do some or all of the following:

What the Configuration Looks Like

For both performance and security reasons, you will probably have a dedicated AS/400 Internet server that is either disconnected from your production network or separated from your production network by a firewall.

Security Considerations for This Example

Following are new security risks and possible solutions when you expand your Internet server to provide applications beyond e-mail and read only documents.

Risk 15 - Disruption of Service:

Your server is subject to denial of service attacks from hackers who simply want to cause problems with your systemís ability to perform.

Security Solutions

Follow the suggestions in "Risk 4- Flooding" and risk12-disruption of service.

On your server system, set storage limits (MAXSTG parameter) for user profiles, including both any guest profiles and the OTSTROS user profile. This prevents someone who signs on to your system with one of these profiles from using up a large amount of auxiliary storage.

Ensure that your server system is set up to limit the number of virtual devices that the system creates automatically. This prevents a mischief-maker from starting many different sessions just to tie up system resources.

Risk 16 - Exploring Your Server:

Some Internet visitors will try to break out of the applications that you provide so that they can explore your system and your network. Your challenge is to provide them with appropriate services without giving them free rein.

Security Solutions

Set up your WSG (workstation gateway) server to use the Workstation Gateway Server Sign-on Validation Exit point interface. Also configure the WSG to not display a sign-on screen. This allows the WSG administrator to control both what user profiles are used and what applications can be run via the WSG. It also eliminated sending user profile names and passwords over the Internet.

Firewalls - Overview

A firewall controls the access and flow of information between a secure (trusted) network and an unsecured (untrusted) network. Usually, a combination of hardware and software provides firewall function. A firewall might be combined in the same hardware with a router, or it might be a separate system. Depending on the firewall functions that you need, you might find that a router provides enough firewall-type function for your needs.

Firewall can provide the following benefits when your network is connected to the Internet:

Following are brief descriptions of some common firewall functions. Firewalls are varied in the function that they provide. Both technology and standards for firewall-type services are expanding rapidly.

Traffic Blocking

One function of a firewall is to block unwanted traffic between the secure and unsecured networks. Traffic-blocking can be either general -no FTP traffic is allowed) or specific (no FTP traffic is allowed from a certain range of IP addresses to a certain IP address). Routers are also capable of performing traffic-blocking. However, as your rules become more complex, configuration of a router becomes very difficult. The firewallsís gateway approach is easier to configure and manage.

Network Gateway

Logically, a firewall provides a gateway between your network and the Internet. Traffic both into and out of your network passes through the gateway, which may consist of one or more firewall systems (hardware and software). To the Internet, the IP address and the domain name of the firewall represent your network. The firewall can hide both the IP addresses and the domain names of your internal network.

The firewallís application gateway provides a set of servers to link users on the secure network with Internet services. These servers are called proxy servers. The FTP user connects to the FTP proxy server which then connects to the Internet FTP server that the user has requested. The Internet FTP server knows about the proxy server, but the userís actual IP address is replaced with the proxyís address.

Proxy servers are application-specific. They are commonly available for FTP,HTTP, and TELNET. Mail relays are another specialized form of a proxy server.

A socket server (SOCKS server) provides similar function to proxy servers. SOCKS servers have the advantage of being general, rather than application-specific. If your users want Internet applications that are not available in a proxy server, a SOCKS server requires some configuration of the clients that connect to it.

Domain Name Serving

The firewall protects or hides the intranet domains and addresses. All outbound traffic has the appearance that the address is that of a firewall. Therefore, all inbound traffic knows only of the firewallsís address. The firewall has enough information to assign correct address information to traffic for your internal network.

When you configure your firewall, you need to ensure that other domain name servers cannot use it to resolve your intranet domain names. Your firewall should not be defined to the internet as a domain name server.

AS/400 and the Future

You have undoubtedly read that network computing is important to IBMís future and to the future of AS/400. IBM believes that network computing is critical to the future of our customersí organizations.

You have already seen important AS/400 enhancements to support network computing, such as both the new TCP/IP servers that support Internet connection and session-level encryption capability for LU6.2 connections. You can expect to see more AS/400 enhancements in the areas of network computing and security in the future, such as the following:

As you extend your enterprise, expand your network, and venture into the Internet, you can expect IBM and AS/.400 Advanced Series to be right behind you with the functions and services that you need.

Where to Get More Information and Assistance

Many resources are available if you need more information about security and the Internet, or if you need assistance.

Service Offerings

Following are descriptions or several offerings that are available from IBM to help you either with AS/400 security or with connecting to the Internet. For more information, please contact your IBM representative. In the U.S., you can contact your local Express Services marketing office, or you can call 1-800-IBM-4YOU.

Security Review for AS/400: Security Review for AS/400 is available from IBM Availability Services. The review includes the following:

The result of the review is a report that summarizes your potential security exposures and makes preliminary recommendations for corrective action.

Security planning, implementation, and consulting services are also available from IBM Availability Services.

SmoothStart for Web Server/400 from I/Net**.

An IBM services specialist will install, configure, and tailor Web Server/400 from I/Net, to allow your business to have a presence on the World Wide Web.

At the completion of this service, you will have a prototype Web home page, Web Server/400 installed and operational, and AS/400 TCP/IP configured and ready to be connected to the Internet or your own internal intranet.

Planning for Internet Connection for AS/400: This service offering provides you with the information and guidance that you need to determine what AS/400 functions to offer to Internet users. The planning session will cover the functions of Internet Connection for AS/400 (V3R2) and compare it to Web Server/400 from I/Net. At the completion of this service, you will be able to assess the applicability of Internet Connection for AS/400 to your environment.

SmoothStart for Internet Connection for AS/400-Anonymous FTP V3R2: With V3R2 of OS/400, you can now use anonymous as a valid user ID for users of file transfer protocol (FTP). With anonymous FTP, you can offer users on the Internet, or your own internal Intranet, access to files on your AS/400 without the need to distribute unique user Ids and passwords to the users.

The SmoothStart for Internet Connection for AS/400-Anonymous FTP service will provide you with a services specialist to help you do the following:

SmoothStart for Internet Connection for AS/400-POP Mail Server V3R2: V3R2 of OS/400 allows AS/400 to be a Post Office Protocol R3 (POP3) mail server and hold mail in mailboxes for users running a POP3 client. The users can pick up their mail whenever they are ready.

The SmoothStart for Internet Connection for AS/400-POP Mail Server V3R2 offering provides you with a services specialist to configure the necessary objects to allow your AS/400 to be a POP3 mail server for your clients who are using mail programs like Eudora, Ultimail, and other POP3 clients running on AIX, Windows, OS/2, and Macintosh**.

At the completion of the service, your AS/400 will be configured as a POP3 mail server, with mailboxes created for ten mail clients to use for their mail. In addition, five non-AS/400 mail users will be defined on the AS/400 to allow you to send mail to them.

Security Analysis Lab: With the security analysis lab offering, IBM consultants attempt to infiltrate customers networks. They assess network vulnerability and recommend security improvements.

Emergency Response Service: The emergency response service for commercial businesses provides swift, expert incident management skills during and after an electronic security emergency. In the event of a break-in, the emergency response team helps customers detect, isolate, contain, and recover from the unauthorized network infiltration.

Related Publications

Following are publications that provide more information about AS/400 security:

AS/400 Wireless LAN Installation Planning Guide, G571-0303, provides information about planning and installing a spread spectrum network. In addition to an overview of spread spectrum radio technology, this book also describes how to prepare for a site survey and ensure that antenna and cabling requirements are met for the areas to be covered.

Backup and Recovery- Advanced, SC41-3305, provides information about setting up and managing:
Journaling, access path protection, and commitment control.

User auxiliary storage pools (ASPs), including setting storage thresholds

Disk protection (device parity, mirrored, and checksum)

Cool Title About the AS/400 and Internet, SG24-4815, can help you access and then use the Internet (or your own intranet) from your AS/400 system. It helps you to understand how to use the functions and features available with V3R1 and V3R6 and new functions available with Internet Connection for AS/400 (V3R2). This book helps you to get started quickly using e-mail, file transfer, terminal emulation, gopher, HTTP, and 5250 to HTML Gateway.

DB2 for OS/400 Datebase Programming, SC41-3701, Provides a detailed discussion of the AS/400 database organization, including information on how to create, describe, and update database files on the system. It also describes how to define files to the system using OS/400 data description specifications (DDS0 keywords.

An Implementation Guide for AS/400 Security and Auditing: Including C2, Cryptography, Communications, and PC Connectivity, GC24-4200, provides practical suggestions and examples for many areas of AS/400 security.

Implementing AS/400 Security, by Wayne Madden.
Loveland, Colorado:
Duke Press, a division of Duke Communications International, 1995. Provides guidance and practical suggestions for planning, setting up, and managing AS/400 security.

OS/400 Server Concepts and Administration.
SC41-3740, provides information for the system administrator working with AS/400 server functions. The book includes server concepts, sever functions, and exit program information.

Publications Reference, SC41-3003, identifies and describes the printed and online information in the AS/400 library, and also lists other publications about the AS/400 system. It includes cross-reference information between the current library and the previous version library.

Security - Basic, SC41-3301, explains why security is necessary, defines major concepts, and provides information on planning, setting up, and monitoring basic security on the AS/400 system.

Security - Enabling for C2, SC41-3303, describes how to customize your system to meet the requirements for C2 Security, as described in the Department of Defense Trusted Computer Evaluation Criteria.

Security - Reference, SC41-3302, provides complete information about security system values, user profiles, resource security, and security auditing. This manual does not describe security for specific licensed programs, languages, and utilities.

TCP/IP Configuration and Reference, SC41-3420, provides information for configuring and using AS/400 TCP/IP support. The applications included are Network Status (NETSTAT), Packet Internet Grouper (PNG), TELNET, File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP) line printer requester (LPR), and line printer daemon (LPD), Hypertext Transport Protocol (HTTP), and Workstation Gateway (WSG). The TCP and UDP Pascal application program interface (API) is also discussed.

TCP/IP File Server Support for OS/400 Installation and Userís Guide, SC41-0125, provides introductory information, installation instructions, and setup procedures for the File Server Support licensed program offering. It explains the functions available with the product and includes examples and hints for using it with other systems.

Tip and Tools for Securing your AS/400 describes how to use the security tools (available before V3R2 as Security ToolKit for OS/400). It includes many AS/400 security tips, including the following:

V3R2 Order Number . . . SC41-3300
PRPQ Order Number . . . GC41-0615

Trusted Computer Systems Evaluation Criteria,
DoD 5200.28.STD, describes the criteria for levels of trust for computer systems. The TCSEC is a publication of the United States government. Copies may be obtained from:

Office of Standards and Products
National Computer Security Center
Fort Meade, Maryland 20755-6000 USA
Attention: Chief, Computer Security Standards
The Whole Internet Userís Guide and Catalog by Ed Krol, OíReilly & Associates, Inc., 1994, is a comprehensive introduction to the Internet. It includes a listing of information resources and an index of useful sites to visit.