OS/400 Certified IPSec-Compliant

IP Security (IPSec) will likely become a key technology as more application and operating system vendors hop on the IPSec bandwagon. Sun Microsystems Inc. (Mountain View, Calif.), for example, shipped an IPSec implementation with its new Solaris 8 operating system, and Microsoft has also touted IPSec’s inclusion in Windows 2000—but IBM’s OS/400 has provided a native implementation of IPSec since early 1999. It’s no surprise, then, that OS/400 was among the first operating system platforms certified as IPSec compliant by Internet security specialist ICSA.net (Carlisle, Pa.).

ICSA.net recently published a list of products that it certified under version 1.0a of its IPSec compliance criteria. According to ICSA.net, products certified as IPSec compliant under version 1.0a must meet extra requirements for data hashing, entity identification and other security-related functions.

The IPSec standard protocols are used to encrypt data—usually in a virtual private network (VPN) setting—for secure transmission across disparate network topologies. IPSec supports most if not all of the cryptographic algorithms in use today and, its proponents claim, can also accommodate newer algorithms as they become available.

While he didn’t comment specifically on the strengths of OS/400 as a VPN or IPSec-compliant platform, ICSA Labs VP George Japak acknowledged that all IPSec version 1.0a certified products had to pass a withering battery of tests.

“The criteria is significantly more stringent and addresses more IPSec features, resulting in the most robust IPSec interoperability testing to date,” Japak says.

IPSec addresses a number of salient security-related issues, including data origin authentication (how can you tell that the packets you’re receiving were really sent by the source that claims to be sending them?), data confidentiality (how can you keep data secure and private?), and data integrity (how can you ensure that packets weren’t tampered with in transit?). Moreover, IPSec provides a framework to manage cryptographic keys and other security-related issues, often without the need for manual configuration or tinkering.

So how is it that OS/400 should be among the first products of any type to be certified IPSec compliant, even ahead of those upstart client/server operating systems from Sun or Microsoft? The short answer, says Rob Enderle, a senior analyst with research firm Giga Information Group (Santa Clara, Calif.), can be summed up in one word: e-business. Because of its strategic e-business branding initiative, IBM sought to marry as many of its platforms to open Internet standards as possible. The result, Enderle says, is that OS/400, like its bigger S/390 mainframe cousin, has been rebuilt from the ground up around the mantra of compliance with and support for open Internet standards. And IBM’s efforts now appear to be paying off.

“E-business is really a priority with IBM, and it’s these kinds of things [OS/400’s integrated support for VPNs and IPSec] that are the direct result of that priority,” Enderle comments.

Beginning with the release of V4R4, OS/400’s Internet standards story suddenly became a lot more compelling. OS/400 V4R3 provided limited support for VPNs by virtue of IBM’s AS/400 Firewall add-on product, but V4R4 for the first time provided native VPN support in the OS/400 operating system itself. OS/400’s VPN implementation uses two IPSec protocols to protect data as it flows through a VPN tunnel: Encapsulating Security Payload (ESP) and Authentication Header (AH). Moreover, OS/400’s VPN capabilities can also provide key management services, which can automate the requesting and exchanging of cryptographic keys.
