Open Access, Tight Security

Number of Computer Security Incidents Reported—1988-1999

Year   Incidents
1988           6
1989         132
1990         252
1991         406
1992         773
1993       1,334
1994       2,340
1995       2,412
1996       2,573
1997       2,134
1998       3,734
1999       8,268

Source: CERT Coordination Center

Can AS/400 managers allow ‘Net access without compromising security?

Does Internet security represent the next Y2K crisis? After all, companies of all types are facing potentially momentous challenges protecting their information assets, as was the case with Y2K. The issue of security is eating up increasingly larger portions of IT budgets and resources, just as the Y2K issue did. And, as with Y2K, the AS/400 is better equipped than most platforms to handle the issue—if its owners are vigilant and aware of interaction between their system and others.

Unlike Y2K, however, the problem doesn't begin to fade after New Year's Day; it just keeps getting worse. As more companies have opened their systems to third-party access over the Internet in recent years, there has been a surge in hacker and virus attacks. The Computer Emergency Response Team (CERT) Coordination Center at Carnegie-Mellon University (Pittsburgh, Pa.) documented more than 250 attacks in 1990, jumping to 2,400 by 1995 and exploding to 8,200 as of last year.

"The increased use of the Internet is both heaven and hell—heaven because electronic commerce can boost revenues and lower costs, hell because it opens up networks and servers to external and internal attacks," says Chris Christiansen, program director with research firm International Data Corp. (IDC, Framingham, Mass.).

In response, spending on security is increasing at a rate of about 20 percent a year, says Marlo Kosanovich, program director with Meta Group Inc. (Stamford, Conn.). "IT organizations can no longer view security as a burden," he says. "Security policies must become an integral part of IT as businesses continue to expose themselves."

IT executives in IDC's survey cite high costs and lack of integration as the top two obstacles impeding security development. In addition, companies tend to be reactive rather than proactive on security issues, Kosanovich notes. Organizations' security policies are often limited to requiring minimum password lengths and restricting access to applications, server data files, and networks, he adds.

"Security policies are viewed by some senior IT managers as a time waster that diverts essential personnel from their core jobs," agrees John Stehman, an analyst with Robert Frances Group (RFG, Westport, Conn.).

To complicate matters, Internet security is a new experience and challenge for many start-up Web sites. "Many companies have just moved to the Internet, and have some big fears about not being able to get their arms around security," says Laurie Wagner, VP for ICSA Inc. (Fairfax, Va.). Even those companies that regard security very seriously have trouble distinguishing real threats from perceived threats, she warns.

Last year, for example, many companies were anxious about a perceived virus threat called "Bubble Boy," says Wagner. "Everybody was in a panic over this thing," she relates. "The reality is that it wasn't even happening. It wasn't even a real threat. People were running around trying to fix things that weren't broken." Unfortunately, the attention to these perceived threats takes away attention and resources from real threats, such as password hacking and denial of service attacks.

Meta's survey finds that 58 percent of organizations have reported security breaches over the past year, the bulk of which were committed by disgruntled employees. However, Meta Group predicts that half of all security breaches will be external. To survive, organizations must not only increase budgets, but also make security a priority within the IT department and with the CIO, says Meta's Kosanovich. Typically, network administrators are now charged with security functions.

Top Level Security

Security—or information assurance—has been elevated to highest priority status among the top brass of the U.S. Department of the Navy, which is in the process of applying the lessons learned in remediating its 2,000 mission-critical systems worldwide for Y2K. "Information assurance is clearly the next Y2K for us," says Dave Wennergran, deputy CIO of the Department of the Navy. "We'll be focusing a lot of attention on both information systems security and critical infrastructure protection over the coming years."

To raise awareness and share information, the Navy plans to continue to hold the kind of forums and teleconferences it initiated for its Y2K effort. "Too much security is not a realistic option in today's e-business environment," says Wennergran. "Your ultimate security is total isolation. If you wall yourself off from everybody, then you can be very secure and not worry about virus attacks and so on. At the same time, you can't get your business done. For the Department of the Navy, that's no solution. We are an organization that needs far-flung communication and the sharing of knowledge."

For example, the Navy is launching a bold "telemaintenance" initiative that enables land-based engineers to quickly communicate by voice, video, or data with personnel on carriers at sea. "They can look at a part that's not working, and collaborate. They need to be able to send information over the airwaves and Internet to do that kind of work. For us, the solution can't be to just firewall everything and lock ourselves away from the Internet. It's got to be about having secure ways of having communication and dialogue." Part of the Navy's approach is to rely on digital certificates, encryption, and smart card verification over the Internet.

The AS/400 itself is one of the more secure commercial computing platforms available on the market today. But even the ironclad AS/400 has its weak points, comments Wayne O. Evans, a leading AS/400 security consultant, based in Tucson, Ariz., and its greatest vulnerability may simply be a lack of security awareness on the part of end-users themselves. "In my experience, customers don't always make good use of the security that is available on the AS/400," he states. "Even if you have the best locks and bolts on your house, if you fail to lock the doors, then it's very easy for someone to break in.

"Essentially, security is still somewhat of a black art to many customers," Evans continues. "They don't have the time. They leave exposures on the machine."

While TCP/IP applications, such as HTTP, FTP and Telnet servers also pose security risks to the AS/400, they are extremely manageable risks. What complicates the picture is the fact that many AS/400 sites are also multi-platform sites, forcing IT managers to address a variety of challenges. In fact, 37 percent of security professionals responding to a survey from IDC say managing multi-platform sites is the most daunting aspect of security.

Security Strategies

For overall Internet security, the most popular and proven remedies are firewalls, encryption, virtual private networks (VPNs), antivirus software, intrusion detection, single sign-on, and public key infrastructure (PKI) and certificate authorities.

IBM offers a number of security solutions with the AS/400, including IBM Firewall for AS/400 and AS/400 Virtual Private Networks.

User names and passwords pose perhaps the greatest vulnerability to AS/400 security, says Evans. Simply getting users to change passwords on a regular basis will increase security, he notes. One failing of many companies is that user names and passwords are often the same, resulting in what Evans calls "trivial" passwords. "If you don't make sure that your passwords are difficult to guess, then you will have lost the protection that's available on the AS/400," he says. OS/400 includes a security tool that enables administrators to check for passwords that duplicate user names, he adds. "I find these trivial passwords in at least 50 percent of the security reviews I do."

“IT managers worry that if they force users to regularly change their passwords, they won't remember them,” says Evans. "But you need to get them to do that, because that's a potential major exposure on the AS/400."
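The two checks Evans describes, a password that duplicates the user name and a password that has not been changed on schedule, as an added audit example. This is not code from the article and not OS/400's own tool; it assumes a toy storage scheme (hex of SHA-256 over salt plus password, constructed here, where a real system uses a slow, purpose-built password hash) and constructed profile names, salts and dates. The audit never needs a cleartext password: it hashes each trivial candidate and compares against the stored hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// UserProfile is a constructed stand-in for a user profile record. Only a
// salted hash is stored, so the audit works the way a real check must: it
// hashes each trivial candidate and compares, never reading cleartext.
type UserProfile struct {
	Name         string
	Salt         string
	PasswordHash string // hex(SHA-256(salt || password)); toy scheme for this example only
	LastChanged  time.Time
}

// hashPassword is the toy storage scheme assumed by this example.
func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// trivialCandidates lists the guesses the audit tries: the profile name in
// the case variants a user is likely to have typed.
func trivialCandidates(name string) []string {
	return []string{name, strings.ToLower(name), strings.ToUpper(name)}
}

// AuditProfile returns the findings for one profile: a password that
// duplicates the user name, and a password older than maxAge.
func AuditProfile(u UserProfile, maxAge time.Duration, now time.Time) []string {
	var findings []string
	for _, candidate := range trivialCandidates(u.Name) {
		if hashPassword(u.Salt, candidate) == u.PasswordHash {
			findings = append(findings, "trivial password: equals user name")
			break
		}
	}
	if age := now.Sub(u.LastChanged); age > maxAge {
		findings = append(findings, fmt.Sprintf("stale password: %d days old", int(age.Hours()/24)))
	}
	return findings
}

// Audit runs AuditProfile over every profile and returns the findings keyed
// by profile name; profiles with no findings are omitted.
func Audit(profiles []UserProfile, maxAge time.Duration, now time.Time) map[string][]string {
	report := make(map[string][]string)
	for _, u := range profiles {
		if f := AuditProfile(u, maxAge, now); len(f) > 0 {
			report[u.Name] = f
		}
	}
	return report
}

// NewProfile fabricates a record from a cleartext password; it exists only
// so the example can build its constructed sample data.
func NewProfile(name, password string, lastChanged time.Time) UserProfile {
	salt := "salt-" + name // constructed; real salts are random per user
	return UserProfile{Name: name, Salt: salt, PasswordHash: hashPassword(salt, password), LastChanged: lastChanged}
}

// SampleProfiles is constructed test data: one trivial password, one trivial
// (lower-case) and stale password, and one acceptable password.
func SampleProfiles(now time.Time) []UserProfile {
	return []UserProfile{
		NewProfile("JSMITH", "JSMITH", now.AddDate(0, 0, -10)),
		NewProfile("MJONES", "mjones", now.AddDate(0, 0, -200)),
		NewProfile("ACLARK", "Wr4p-Tub3-Kit", now.AddDate(0, 0, -30)),
	}
}

func main() {
	now := time.Date(2000, 3, 1, 0, 0, 0, 0, time.UTC)
	for name, findings := range Audit(SampleProfiles(now), 90*24*time.Hour, now) {
		fmt.Printf("%s: %s\n", name, strings.Join(findings, "; "))
	}
}
```

Run with a 90-day maximum age, the audit flags JSMITH for a trivial password and MJONES for both a trivial password and a 200-day-old one, and passes ACLARK. The case variants matter: a check that compares only the exact profile name would miss "mjones".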

Another way to address confusion over passwords is to move to digital certificates or PKI. OS/400 includes an AS/400 Digital Certificate Manager (DCM), which can be used to configure a number of AS/400 applications to use the Secure Sockets Layer (SSL) for secure communications. Digital certificates are essentially electronic ID cards—the cyber-equivalent of a passport or driver's license—that are presented to Web servers to prove a user's identity. These certificates are issued and linked by a separate Certificate Authority (CA) to a pair of electronic keys that encrypt and sign digital information. A digital certificate typically contains the owner's public key, owner's name, expiration date of the public key, the CA's name, serial number of the Digital ID, and the digital signature of the issuer.
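The certificate contents and the issuer relationship described above, worked through as an added example using the Go standard library. This is not DCM, IBM code, or anything from the article: a constructed CA ("Example Corp CA") issues a certificate to a constructed user ("jsmith"), the fields the paragraph lists are read back from the result, and the server-side check accepts the certificate inside its validity period and rejects it after expiry or when it was not signed by the trusted CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary holds the fields the article lists, read from a parsed X.509 certificate.
type CertSummary struct {
	Owner    string
	Issuer   string
	Serial   string
	NotAfter time.Time
	KeyAlg   string // algorithm of the owner's embedded public key
	SigAlg   string // algorithm of the issuer's signature over the certificate
}

func Summarize(c *x509.Certificate) CertSummary {
	return CertSummary{
		Owner:    c.Subject.CommonName,
		Issuer:   c.Issuer.CommonName,
		Serial:   c.SerialNumber.String(),
		NotAfter: c.NotAfter,
		KeyAlg:   c.PublicKeyAlgorithm.String(),
		SigAlg:   c.SignatureAlgorithm.String(),
	}
}

// signAndParse has signer (a CA key) sign tmpl over the public key pub.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed certificate authority valid for ten years;
// the name is constructed by the caller, nothing here is a real CA.
func NewCA(name string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueUserCert has the CA bind a user's name to a fresh key pair; only the
// public key enters the certificate, the private key stays with the user.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64, notBefore time.Time, validDays int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := signAndParse(tmpl, ca, &userKey.PublicKey, caKey)
	return cert, userKey, err
}

// VerifyAgainstCA is the server-side check on a presented certificate: the
// issuer's signature must chain to a trusted CA and the time must fall inside the validity period.
func VerifyAgainstCA(cert, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	start := time.Date(2000, 3, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey, _ := NewCA("Example Corp CA", start) // constructed name; errors ignored in the demo only
	userCert, _, _ := IssueUserCert(ca, caKey, "jsmith", 42, start, 365)
	fmt.Printf("%+v\nvalid at +1 day: %v\nvalid at +400 days: %v\n", Summarize(userCert),
		VerifyAgainstCA(userCert, ca, start.AddDate(0, 0, 1)), VerifyAgainstCA(userCert, ca, start.AddDate(0, 0, 400)))
}
```

The point a server must not skip is the last function: a certificate is only evidence of identity once its signature has been checked against a CA the server already trusts and its validity dates have been checked against the current clock. Presenting the same certificate to a second CA with the same name but a different key fails, which is what distinguishes a certificate from a self-asserted ID card.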

Other technologies on the horizon include smart cards and biometric authentication. Smart card readers, which store user profile data or algorithms that generate random numbers that need to match a similar set of numbers generated by the host server, can easily be attached to terminals and PCs. Fingerprint readers are another option. These devices—which are about the size of two sugar cubes—use fingerprints instead of passwords. Although this technology is not currently available for the AS/400 platform, the low price of these devices ($99; Compaq Computer Corp., Houston) may help drive acceptance of biometric security in corporate environments.

Firewalls and Antivirus Software

Firewalls provide a major line of defense against hacker attacks, Evans states. While the IBM Firewall for AS/400 is included in the Integrated Netfinity Card—essentially, a separate machine—many companies opt for physically separate Windows NT or Unix servers to fulfill this role. The addition of logical partitioning (LPAR) capabilities also provides a firewall capability to AS/400s, Evans relates. "If you wanted to prevent potential exposure to your production machines, you could get a separate computer, or partition your system with LPAR."

Typical threats to other platforms—hackers and viruses—tend to roll right off the AS/400, says Evans, adding that from a hacker's perspective, the AS/400 is not an easy system to crack. "And it's also not a system that most hackers own. They're not aware of the AS/400, or it's foreign to them. They're used to PCs. Therefore, hackers are not very proficient with the AS/400. I call it 'security by obscurity.'"

Plus, even if a hacker is familiar with an AS/400, the system's security is built in below the machine-level interface layer. "The actual security implementation is included in the microcode of the AS/400, down below a place where anyone can get at it and tamper with it," he says.

Viruses are also unheard of on AS/400s, Evans adds. "Program objects on a PC are stored as file objects, which can be modified. On the AS/400, the program objects are encapsulated or stored in an internal form that cannot be modified. You can delete a program and recreate it from source, but there is no interface to go in and tamper with the internals of a program. While IBM won't make the claim directly, because it's too strong a statement, I consider the AS/400 virus-proof." The only virus that could theoretically corrupt an AS/400 would be one that posed as a validity check program and could attach itself to a command definition object, says Evans. However, he is unaware of any such breaches.

Common Carrier

While unaffected itself, the AS/400 can still be Typhoid Mary, spreading a virus far and wide. The AS/400 can serve as a huge PC disk, storing viruses in its Integrated File System (IFS) just like any other PC program. Because AS/400s typically serve large user populations, "A virus will spread very, very rapidly," says Evans, recommending the use of standard PC antivirus scanning software.

As part of its antivirus research, IBM's T.J. Watson labs have developed a "Digital Immune System"—licensed to Symantec Corp. (Boston)—that quickly identifies and turns out fixes for new viruses. Previously, whenever a new computer virus was discovered, "deprogrammers" at various antivirus research labs would spring into action, identifying signatures and how the virus spreads. Within days, a fix would be prepared and distributed to companies. Now, much of the process is automated. IBM researchers have devised a PC-based system that can scan files for suspicious patterns and identify the virus's signature. Then, in the fashion of a body's immune system, "antibodies" are sent out over the Internet. Eventually, researchers hope, corporate servers will be able to automatically initiate the process when unusual code is detected coming through the firewall.

The goal of the system will be to be able to identify and dissect a virus and send out a cure within hours, and ultimately, within minutes. As a virus is addressed for one customer, every customer receives an update. Potentially, the entire process can be automated, with viruses detected either at the firewall or by the client system, packaged up, and sent to IBM or Symantec. "If it's a virus that's already known, Norton AntiVirus will deal with it routinely," says David Chess, researcher for IBM. "But if it's a new virus, then it would automatically get bundled up and sent off."

While malicious code can wreak havoc with PC networks, the greatest threat to the AS/400 itself is a denial of service attack, says Evans. "With the denial of service attack, what the hacker does is flood the computer system with requests. Oftentimes, these are invalid requests. But he sends so many requests to the machine, that it spends all its time rejecting these invalid requests, and therefore isn't able to service real valid users. Even the AS/400 is subject to a denial of service attack if it is directly connected to the Internet," he explains.
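The mechanism Evans describes, a server spending its time rejecting a flood instead of serving real users, and one cheap defensive layer against it, as an added example that is not from the article. It is a per-source token bucket in Go: a legitimate client sending a request every two seconds is always admitted, while a source sending 1,000 requests in one second gets its small burst and is then turned away before any request is parsed. Addresses, rates and volumes are constructed. One caveat for the reader: a flood spread across many sources slips past a per-source limit, which is why the article's advice to interpose a firewall in front of the AS/400 still stands.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Request is a constructed stand-in for one inbound connection attempt. The
// limiter never inspects the payload, which is the point: a flood is turned
// away before the server spends effort parsing or rejecting each request.
type Request struct {
	Source string // client address
	At     time.Time
}

// bucket tracks one source in integer milli-tokens so the arithmetic is exact.
type bucket struct {
	milliTokens int64
	last        time.Time
}

// Limiter is a per-source token bucket: each source may burst up to burst
// requests, refilled at ratePerSec requests per second.
type Limiter struct {
	ratePerSec int64
	burst      int64
	buckets    map[string]*bucket
}

func NewLimiter(ratePerSec, burst int64) *Limiter {
	return &Limiter{ratePerSec: ratePerSec, burst: burst, buckets: make(map[string]*bucket)}
}

// Allow reports whether the request is admitted. Requests from one source
// must arrive in time order, which Replay guarantees by sorting.
func (l *Limiter) Allow(r Request) bool {
	b, ok := l.buckets[r.Source]
	if !ok {
		b = &bucket{milliTokens: l.burst * 1000, last: r.At}
		l.buckets[r.Source] = b
	}
	b.milliTokens += r.At.Sub(b.last).Milliseconds() * l.ratePerSec
	if limit := l.burst * 1000; b.milliTokens > limit {
		b.milliTokens = limit
	}
	b.last = r.At
	if b.milliTokens < 1000 {
		return false
	}
	b.milliTokens -= 1000
	return true
}

// Stats counts admitted and dropped requests per source.
type Stats struct {
	Served  map[string]int
	Dropped map[string]int
}

// Replay feeds a traffic mix through the limiter in time order.
func Replay(l *Limiter, reqs []Request) Stats {
	sorted := append([]Request(nil), reqs...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	s := Stats{Served: map[string]int{}, Dropped: map[string]int{}}
	for _, r := range sorted {
		if l.Allow(r) {
			s.Served[r.Source]++
		} else {
			s.Dropped[r.Source]++
		}
	}
	return s
}

// SampleTraffic is constructed: one legitimate client sending a request every
// two seconds for a minute, and one source flooding 1,000 requests in one second.
func SampleTraffic(start time.Time) []Request {
	var reqs []Request
	for i := 0; i < 30; i++ {
		reqs = append(reqs, Request{"10.0.0.5", start.Add(time.Duration(i) * 2 * time.Second)})
	}
	for i := 0; i < 1000; i++ {
		reqs = append(reqs, Request{"192.0.2.77", start.Add(time.Duration(i) * time.Millisecond)})
	}
	return reqs
}

func main() {
	start := time.Date(2000, 2, 8, 0, 0, 0, 0, time.UTC)
	stats := Replay(NewLimiter(2, 5), SampleTraffic(start))
	for _, src := range []string{"10.0.0.5", "192.0.2.77"} {
		fmt.Printf("%-12s served %4d  dropped %4d\n", src, stats.Served[src], stats.Dropped[src])
	}
}
```

With a rate of 2 per second and a burst of 5, the legitimate client has all 30 requests served, while the flooding source gets its burst of 5, one more request once a full token has refilled at the half-second mark, and 994 drops. The cost of each decision is one map lookup and a few integer operations, which is the whole value of the layer: the work rejected is far cheaper than the work the request would otherwise trigger.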

Even the largest of Dot Com companies are not immune from denial of service attacks, as evidenced by last month's rash of outages that affected some of the Web's best known sites. Yahoo is one of the busiest sites on the Internet, serving over 425 million Web pages per day. The Feb. 8 denial of service attack on Yahoo prevented its U.S. customers from accessing the site for approximately three hours.

The best remedy for forestalling a denial of service attack is to put a firewall between the AS/400 and the Internet. That's the strategy undertaken by the online banking hosting operations of Jack Henry & Associates at its Overland Park, Kansas facilities. "It's hard to protect yourself against a denial of service attack," agrees Tom Walsh, manager of the online services division for Jack Henry & Associates. "It's easy to identify quickly and to take corrective action, but you may not necessarily be able to do it all fast enough."

That's why Jack Henry employs numerous layers of firewalls, first to shield its Windows NT Web servers from attacks, but then to completely protect its AS/400 back-end processors.

Safeguarding Savings

Approximately four to five million Web visitors a month visit online bank sites hosted at the Jack Henry facility. At the front end, all Web serving is conducted by a series of IBM Netfinity model 5000 and 5500 servers. Requests are sent, via frame-relay connection, to AS/400s either located on the banks' premises or at other Jack Henry outsourcing centers. "We have firewalls both at the front end and back end of our data center," says Walsh.

In addition, online banking customers are authenticated through IDs and passwords, the length of which is determined by each bank. "We authenticate customers, identify who they are, what bank they belong to, and what information they're looking for," says Walsh. All data is kept on the back-end AS/400s, he adds. "Never do we keep any data here, and never does the Internet user actually touch the AS/400," he adds. "Even when we connect directly to a bank, we do so through a separate port on the AS/400, not to the bank's network."

Why not use the AS/400 itself, which has strong security, as a firewall? Walsh agrees that the AS/400 could do the job on its own, but still wants to keep a distance—both physically and in a virtual sense—from the public Internet. "Taking steps to remove the system even further away from the point of contact, just in general principle, enhances the security," he explains.

While no one has ever tried to break into the site, Jack Henry lets IBM's ethical hackers attempt such penetrations on a regular basis. In addition, a duplicate version of the entire system is being stress-tested at IBM laboratories. "We keep a microscope on everything that goes through the system," says Walsh.

The foundation of any Internet security strategy is a well thought-out security policy. Strong policies, backed by regular and stringent testing, are the best line of defense in protecting companies' IT assets.
