focus on: AS/400 Security: Within You and Without You
"We Have Met the Enemy, and He Is Us," said Pogo in Walt Kelly's 50's and 60's eponymous comic strip.
In the public eye, the object of computer security is the nefarious hacker, the brilliant misfit who, in lieu of a social life, gets thrills from breaking into computer systems to maliciously steal or destroy data. The goal may be mere diversion, or it may be profit--as in stealing credit card numbers or company secrets with value to competitors.
This threat is real and needs to be addressed. However, in the world of AS/400 computing, the danger is more likely to come from within. Studies conclude, and experts agree, that more frequent dangers come from disgruntled employees and operator error.
"Protecting your system from competent people who make mistakes is very important, because everyone makes mistakes," warns Vincent LeVeque, an independent AS/400 security authority whose experience includes the COMMON Security Task Force. "When you protect yourself from hackers, you also protect yourself from human error. Now, hackers are more interested in the AS/400 than before, but there is still not a major threat from the outside.
"However, a bigger threat is from within your own company: disgruntled, dishonest and careless employees," he continues. "Programmers with the authority to change production data are very dangerous. Owners have to be extremely careful about them."
The Illusion of Security
The original AS/400s had comparatively few security concerns. A small shop with just a handful of terminal users was at low risk. It was self-contained, insular. Still, there was the worry of accidental deletions.
Some longtime users still live with the old aura of security even though everything around them has changed. The terminals have changed to PCs, which almost seem to have minds of their own. AS/400s now work in heterogeneous environments with Unix, Windows NT and other platforms.
Then there is the Internet. For all the opportunity of global connectivity and e-commerce, the Internet raises security concerns that stretch around the world. IBM, its business partners, and independent software vendors are eager to provide hardware and software strategies to minimize risk. Still, the biggest threat to security may be the uninformed, lackadaisical or blithe attitudes of users.
Large AS/400 shops supported by sophisticated IT staffs may well be on top of their security needs. However, the AS/400 has been marketed as "the computer for the rest of us". One of its attractions is its ability to handle line-of-business applications without a systems administrator. There may be no sentinel to sound the alarm when new applications leave an innocent shop highly vulnerable.
The first requirement, then, is a sensitivity to the dangers of lax security and a dedication to minimize the risks. The second is the tools and expertise to protect a system.
Coping with Change
If the old box-and-terminal systems were relatively bulletproof, clearly the challenge is to deal with change.
"It is fairly easy to set up security in a fresh system and a fresh set of applications," opines Carol Woodbury, the godmother of AS/400 security and a security architect for IBM in Rochester. "The primary challenge facing corporations today is that, although the AS/400 has always provided a secure environment, most didn't use all the tools available. With today's technologies, their configurations may leave them with exposures.
"The biggest challenge is to retrofit security into their current environment, their applications, or both," she emphasizes. "We have tried to provide some places for them to start retrofitting. Our manuals are aimed at new users and those who are revamping. We start them looking from a high level and save the details for the end."
Rochester's security team strives to make it realistic for the average AS/400 user to add security. They have installed intuitive, Windows-style wizards and an online Security Advisor to help the non-technical administrator. "We are trying to make it very easy for someone who doesn't have the expertise to secure their system, at least at a basic level," Woodbury offers.
How Much Is Enough?
IBM rates AS/400 security on a scale of 10-50. The latter is coded and certified by the federal government as "C2". Improvements in OS/400 V4R4 have it on track to receive a C2 RAMP rating by next October. Yet very few corporations or agencies need this world-class, 50-level protection.
One notch lower is the "40" level security provided in conjunction with V4R4. Most notable is the capacity for Virtual Private Networks (VPNs), also referred to as "tunnels". VPNs use encryption to enable a system firewall to establish a secure private connection over a non-secure network. Thus remote LANs can be connected over the Internet without risk to uninvolved servers. IBM's VPN solutions comply with the Internet Protocol Security (IPSec) standard.
However, no matter how high the standard of hardware or operating system security, the true protection is no better than that of the line-of-business applications in use. If the application software cannot match it, VPN technology is for nought. The adage, "A chain is only as strong as its weakest link," applies here.
"The AS/400 can be a very secure box," intones John Earl, executive vice president of PowerTech Toolworks Inc. (Tukwila, Wash.). "Unfortunately, a lot of application vendors present vulnerability. The vast majority of purchased applications, as shipped, put customers' data at risk. Vendors have not done due diligence on their products. Upwards of 80 percent of commercial applications are vulnerable," he estimates.
It is networks that concern Earl. "PC users can do anything if the application is not set right," he warns. "In a network environment, end users could trash AS/400 libraries with Windows 95 Network Neighborhood." Earl favors regulating network access through exit points: software that evaluates requests for files, a gatekeeper that controls access.
The Conundrum of Passwords
Another tool of wildly varying efficacy is passwords. When used correctly, passwords are resoundingly effective. The operative words are "used correctly". Here technology meets human psychology. Almost invariably, users seek easy-to-remember passwords. That same tendency brings the potential for security breaches.
The problem is compounded in complex systems. Without synchronization, users may have to use a different password for each application. In mixed-platform environments, there may be one set of passwords for AS/400 access, another to get to Unix applications, and yet more for Windows NT software.
Faced with a laundry list of passwords, most users revert to either an easy-to-break code or posting their passwords in easy view, effectively defeating the accompanying security. The solution is synchronization software that applies a single password across platforms and applications. It also makes passwords hard to guess and updates them regularly.
"The whole concept behind single sign-on software is taking as much control/capability away from the users," explains Heather Rosenfeld, senior product manager for PassGo Technologies (Boxborough, Mass.). "With just one password, you are not leaving passwords on Post-It notes."
That single password can be made difficult to steal. Techniques include eschewing vowels, mixing letters and numbers, and including uppercase letters and symbols. If an even higher level of security is needed, digital certificates offer the safety of encryption.
Rosenfeld also heralds the value of auditing. "We log activity across the system for all applications within the PassGo environment," she explains. "Everything passes through an authentication service, a table that shows who is allowed to sign on and at what level: read only; read and write; change within an application; and delete.
"If the system detects a user trying to get into an application that is unauthorized, it will log that," Rosenfeld continues. "Then an administrator can go back, see the unauthorized entrance and react. We can integrate our software with intrusion detection products that send e-mail to a systems administrator who can then investigate."
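The authentication table and denial logging Rosenfeld describes, which is also the gatekeeper idea behind Earl's exit points, sketched as an added Python example; it is not PassGo's or IBM's code or API. The user and application names, the ordering of the four levels, the default-deny rule and the alert threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # The four levels named in the article; treating them as ordered is an assumption.
    NONE = 0
    READ = 1
    READ_WRITE = 2
    CHANGE = 3
    DELETE = 4


# Constructed sample table: (user, application) -> highest level granted.
AUTH_TABLE = {
    ("JSMITH", "PAYROLL"): Level.READ,
    ("JSMITH", "ORDERS"): Level.READ_WRITE,
    ("PGMR01", "ORDERS"): Level.CHANGE,
}


@dataclass(frozen=True)
class Denial:
    user: str
    application: str
    requested: Level
    granted: Level


class Gatekeeper:
    def __init__(self, table, alert_after=3):
        self.table = dict(table)
        self.alert_after = alert_after  # denials per user before flagging (assumed)
        self.audit_log = []             # every refused request, in arrival order

    def check(self, user, application, requested):
        """Allow only if the table grants at least the requested level."""
        key = (user.upper(), application.upper())
        # A missing entry falls through to NONE, so unknown pairs are denied.
        granted = self.table.get(key, Level.NONE)
        if requested != Level.NONE and requested <= granted:
            return True
        self.audit_log.append(Denial(key[0], key[1], requested, granted))
        return False

    def users_to_review(self):
        """Users whose denial count has reached the alert threshold."""
        counts = {}
        for entry in self.audit_log:
            counts[entry.user] = counts.get(entry.user, 0) + 1
        return sorted(u for u, n in counts.items() if n >= self.alert_after)
```

Each `Denial` records both the level requested and the level actually held, which is what lets an administrator tell a mistyped menu option from a deliberate reach for delete authority.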
Getting It Done
"A well-configured AS/400 is very hard to break into," states LeVeque, "but it has to be properly managed to take advantage of the [built-in] security. There are no Trojan horses, but unethical programmers could cause havoc. It comes down to ethics and who can get a back door authority that is not theirs."
Since the danger is real, the question is one of implementation. AS/400 shops that have no systems administrator, much less a security officer, would do well to seek outside help. "If they don't have the expertise to produce security or know if they have it," suggests Woodbury, "they are probably going to have to hire it out or gain the expertise themselves." She notes that all of the biggest accounting firms provide AS/400 security specialists, as does IBM Global Services. "They offer several levels of services: The basic is an evaluation, a health check. The second is a request for a recommendation, while the third says to the consultant, 'Just fix my system.'" The customer chooses the appropriate level of service.
With threats increasing, ignoring security issues puts one in growing peril. According to LeVeque, ignorance is no excuse. "John Doe should get an outside security consultant to come in and take a look," he prescribes. "You could use your own auditors, but you want to make sure they know the AS/400 very, very well." A word to the wise is sufficient.