There's Such a Thing as Too Much Openness, Says One Vendor

The AS/400 may be one of the most secure business servers in the world, but this security must be balanced against its increasing openness. One security vendor has been sounding the alarms about potential security threats, and is now backing its claims with free software. PowerTech Group (Tukwila, Wash.) announced it is providing the network intrusion detection portion of its PowerLock AS/400 network security software at no cost to AS/400 sites.

"IBM's done a great job with OS/400 at making stand-alone AS/400s secure," says John Earl, executive VP at PowerTech. However, many third-party applications that open up the AS/400 to PC and network access may also give away the keys to the kingdom, he says. Even IBM's Client Access, along with other vendors' PC connectivity tools and many AS/400 TCP/IP servers, "don't respect traditional menu authorities and command-line restrictions," says Earl. Through these programs and Windows interfaces, users can download and upload files, change production data or run any other AS/400 command.

"Even IBM will tell you that most networked AS/400s aren't secure and even a single PC connected to an AS/400 constitutes a network." Through programs such as Remote Command, ODBC, TCP/IP and FTP, users can directly access AS/400 data and accidentally change it. The AS/400's menu and green-screen security are not up to the job when PCs and the Internet are connected to the AS/400, Earl points out.

"Everyone knows that PCs are not secure and IT can't control what goes on at the desktop level," he says. "Face it, networked PCs and the Internet are taking over the industry. We're focused on the future of computing, and making sure that AS/400s have a role in that future."

The free network intrusion software is included on a CD-ROM with the remainder of the PowerLock application. PowerTech's PowerLock uses OS/400 security via its Exit Point technology to show an IT administrator how users are accessing the AS/400. Once aware of potential security breaches, system administrators may purchase the entire package. Then, through a command-line interface, the program lets IT control future access, serving as a client/server firewall for AS/400 data by inserting a protective screen between the AS/400 and other networked computers.

Today, users don't even need a lot of technical savvy and intent to exploit AS/400 security weaknesses, says Earl. "Beginning with Windows 95, the least sophisticated user can access and manipulate AS/400 data via the network with point-and-click ease."