This document discusses expanding control of access to IBM i systems and data. It begins with some logistical information about the webcast. The presentation will discuss myths about IBM i security, exit points and access methods, examples of security issues, and how Syncsort can help with security. The agenda includes discussing the myth that IBM i is secure by nature, reviewing exit points and access methods, providing examples, and explaining how Syncsort can help manage security risks. Overall, the document aims to educate about security risks on IBM i and how third party solutions can help address vulnerabilities from various access methods and improve overall security.
Expand Your Control of Access to IBM i Systems and Data
1. Expand Your Control of Access to IBM i Systems and Data
Jeff Uehling, Syncsort Security Expert
2. Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio,
please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation
using the chat window.
• We will answer them during our Q&A session following the
presentation.
Recording and slides
• This webcast is being recorded. You will receive an
email following the webcast with a link to download
both the recording and the slides.
4. What you’ll learn today
Controlling all of the ways your company’s
data is being accessed is critical, especially
given the proliferation of open source
software and other non-traditional
data-access methods.
This webinar reviews the different ways your
data can be accessed, how exit points work
and ways to manage them, and why a global
data access control strategy is especially
important as a means to efficiently protect
sensitive data against unwanted access.
5. Agenda
1. Myth - the IBM i is secure by nature
2. Exit points and access methods
3. Examples
4. How Syncsort can help
6. Here’s a Disturbing AS/400 Breach At Water District
Still thinking the IBM i is secure by nature?
March 2016
According to details of the breach, the Kemuri Water Company (not their real name) was hacked by a hacktivist group with ties to Syria. They first infiltrated KWC's systems by exploiting known security vulnerabilities in a Web-based payment server application that KWC had set up to allow customers to pay their bills and view water usage information. Unfortunately, that system was directly linked by cable to its backend "AS/400" system. Making matters worse, the water district stored login credentials for the AS/400 on that front-end Web server, and the AS/400 was directly connected to the Internet.
“It became clear that KWC management was aware of potential unauthorized access into the OT systems of the water district.”
“The hackers also stole more than 2.5 million files that contained PII data, according to the report.”
Hackers have stolen valuable data, but it could have been worse ...
7. Did IBM i Get Hacked at DEF CON?
Still thinking the IBM i is secured by nature?
DEF CON 23 attracts more than 10,000 hackers of all stripes
The IBM i was the subject of a special session at DEF CON® (THE global convention of hackers!) And the fact is that the IBM i often hosts the most critical data in a corporation.
Check out the session “Hack the legacy! IBM i (aka AS/400) revealed.”
9. How does an organization achieve security?
An organization achieves its desired level of security by:
• Defining a security policy
• Implementing the policy
• Monitoring compliance with policy
• Getting independent confirmation that the policy is sufficient and has been implemented
Security is an intangible attribute possessed by an organization. It is what you have after you analyze your risks, mitigate those risks that you can, and know which ones you have chosen to accept.
The process provides security. Computer systems and their data are those things that are secured as a result of following the process.
“You cannot prove security. You can only prove insecurity.”
10. What is the definition of risk?
If security is the state of being protected from danger or
harm then risk is:
• Something that could cause injury or harm
• A situation involving exposure to danger
• Difficult to defend against
In our travels we find customers address security
in a number of ways, but often neglect the
configuration risks that make them vulnerable
to data breach and theft.
11. Common ways risks are neglected
• Too often there is no Security Policy
• Lack of regular security health checks (often a regulatory requirement)
• Lack of expertise – a dedicated security officer doesn’t exist
• Not using qualified external resources to validate security
• No security or penetration testing
• Too many powerful users
• Auditing not turned on
• Audit logs not checked
• Patches not applied
Is ignorance bliss? Security by obscurity?
12. Definition of security,
secure and securable
Security – the quality or state of being secure
Secure – protected from risk of danger or harm
Securable – capable of being secured from risk
of danger or harm
13. Still thinking the IBM i is secured by nature?
It is time to inject some reality into the subject
IBM i is securable BUT not secured by default
Being compliant does not mean you are secure
Protecting the well-known interfaces is not enough for TODAY’s networks
Many different populations are becoming more interested in the platform: hackers, young IT workers with extensive skills on new technologies, older IT professionals with extensive IBM i experience, application users, …
14. Network interfaces, the often overlooked risk
• Network Servers are likely to be your single
biggest threat
• Activities that come through the network
servers are ubiquitous – you may not be able
to tell who is downloading (or uploading),
running SQL statements, or even executing
remote commands
• Some servers allow command functions
and IGNORE a profile’s 5250 command
line restriction
15. Turn off those servers you are not using and control those necessary via Exit Point technology. A significant number of network servers are started with STRTCPSVR.
• Apache Tomcat Server
• Bootstrap Protocol
• Common Information Model Object Manager
• Debug Server
• DDM Server
• Dynamic Host Configuration Protocol
• LDAP
• DataLink File Manager
• Domain Name Server
• Domino
• Extended Dynamic Remote SQL
• File Transfer Protocol
• Host on Demand
• HTTP Server
• Internet Daemon
• Line Printer Daemon
• Management Central
• Net Server
• Network Station Login Daemon
• Simple Network Time Protocol
• On Demand Platform Authentication
• On Demand Server
• Post Office Protocol
• Quality of Service Server
• Remote Execution Servers
• Router Daemon
• Simple Mail Transfer Protocol
• Simple Network Management Protocol
• Trigger Cache Manager
• Telnet
• Trivial FTP
• Virtual Private Networking
• Webfacing Server
16. Regulations require strict system and object access control plus audit
Standard object level security model:
• A user who has *USE authority on a critical file can download it using any method or protocol
• A user who has *CHANGE authority can change records in a critical file using any method or protocol
Adopted authority and profile swapping security model:
• We have to trust the programs
• Programs that adopt authority or implement profile swap often use security officer level of authority
Are the traditional object and adopt/swap security models sufficient today?
REINFORCE object security, but don’t replace it
17. Exit point solutions
Adding an additional layer of Security to traditional access control methods
The base IBM i OS facts
• User profiles with *ALLOBJ special authority are impossible to control
• A limited capability user can still run CL commands, via certain network applications
• It is difficult to determine if user access is via a network interface vs 5250
Exit point solutions provide additional control, even for powerful users
• Exit point solutions can control, or even block, access via network applications
• Exit point solutions can control File and CL command access and use
• Exit point solutions provide significant auditing of Network and File access to complement the OS audit
18. Agenda
1. Myth - the IBM i is secure by nature
2. Exit points and access methods
3. Examples
4. How Syncsort can help
19. Access methods available on the IBM i
[Diagram: access methods reaching IFS and QSYS.LIB data]
We need to lock down and/or audit this activity as it could potentially cause damage or disclose our critical data
20. Exit points
[Diagram: traditional exit points and legacy exit points]
The exit program decides (accepts or rejects) prior to the object level security (can block powerful users)
23. Exit points
http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzajr/rzajrmst35.htm
Traditional exit points
• Are connected to Host and TCP/IP servers
• Cannot be unplugged for active jobs, with the exception of TELNET
• Generally allow just one program per point
• Are unaware of port numbers
• Must reside in *SYSBAS
• Are different from each other
• Things to consider: IP Address, CCSID, authorities, activation group
• QIBM_QZDA_SQL2 is the most difficult one (potential impact on
performance)
• Limitations: carefully read the documentation
Command exit points
• One entry per command & timing (before
or after options)
Other exit points
• Open database file
• Sockets
24. Remote commands & parameters “Limit capabilities”
The same command, dspsysval qdate, submitted through different interfaces:
• 5250: dspsysval qdate
• FTP Server: Quote Rcmd dspsysval qdate
• REXEC: RUNRMTCMD CMD('dspsysval qdate') RMTLOCNAME(system *IP) RMTUSER(user) RMTPWD( )
• IBM i Access for Windows: Rmtcmd //system dspsysval qdate
• ODBC / DRDA: CALL QSYS.QCMDEXC ('dspsysval qdate', 0000000015.00000)
• System i Navigator: cl:dspsysval qdate
• DDM: SBMRMTCMD CMD('dspsysval qdate') DDMFILE(library/DDMfile)
• PuTTY: db2 "call qcmdexc ('dspsysval qdate')"
For a user profile with LMTCPB(*YES) and a CL command with ALWLMTUSR(*NO), the slide marks each interface as either COMMAND EXECUTION BLOCKED or COMMAND EXECUTION ALLOWED.
26. Access methods and exit points
[Diagram: access methods reaching IFS and QSYS.LIB data]
OTHERS:
• CLI / QSQSRVR – PHP, XML Service, …
• QSQPRCED – XDA, XDN, …
• Sockets – Socket programs
• Open Source – Node.js, Python, Ruby, GCC, GIT, Orion, Perl…
28. Access methods and exit points
Real life situation & perspectives:
• Gap exists between the growing number of ways to access data and the traditional exit points
• Gap exists between the long-time IBM i administrators and new IT people
• IBM promotes open source, which introduces new ways to access data
• SQL is growing in terms of utilization, power and complexity
• Exit programs add overhead and risk to production environments
• Database Monitor cannot block access and can also add overhead; it is not designed for security
• There are no exit points for the Unix space; this is still based on Syslog files
• If you rely on RCAC, you still have to fully audit SQL and commands
  - alter table … deactivate row access control ; drop permission;
  - CHGFCNUSG FCNID(QIBM_DB_SECADM)
This way of protecting data is not efficient on today’s systems with today’s workloads. We have to keep in mind that more than 70% of fraudulent acts are internal, which adds a huge challenge.
29. Managing confidential data
Tracking at object level - Who is opening this file?
At the object level:
• (journaling) - Auditing value *ALL generates ZC & ZR entries in journal QAUDJRN
• (journaling) - Parameter OMTJRNE(*NONE) generates OP entries in database journals
• (exit point) QIBM_QDB_OPEN intercepts in real time the openings of files under audit
Tracking at record level - Who is reading this record?
At the record level:
• Application (ex: send “user entries” to a journal for specific reads) ➔ incomplete
• Field procedures (7.1) ➔ gives the value of the field, not the entire record
• Read triggers ➔ it works, with limitations (not compatible with RCAC)
Impact on performance is a major concern
Alternative options: tokenization, encryption and RCAC (IBM i 7.2 and above)
30. Agenda
1. Myth - the IBM i is secure by nature
2. Exit points and access methods
3. Examples
4. How Syncsort can help
31. This is for educational
purposes only. It’s better to
know before it happens.
Right?
32. Examples with SQL statements (the slide groups them as BASIC and COMPLEX)
select * from erpfile.glfclien ;
values (select clinombr from erpfile.glfclien where rrn(erpfile.glfclien) = 9) ;
create alias qtemp."MyAliasWithLongName" for erpfile.glfclien;
select * from qtemp."MyAliasWithLongName" ;
with captured as (select * from qsys2.qsqptabl),
hidden as (select * from erpfile.glfclien) select * from hidden ;
create table qtemp.dummy as (select * from erpfile.glfclien) with data ;
select * from qtemp.dummy;
drop table qtemp.dummy ;
Create Function erppgm.DummyFunction ()
Returns table (clicom char(3),clinbr char(16),cliname char(50),clitaxid char(10))
language sql disallow parallel
begin return select * from erpfile.glfclien;
end;
select * from table (erppgm.DummyFunction ()) hello ;
Drop Function erppgm.DummyFunction ;
Example interfaces that allow SQL statements to be run but are difficult to control:
• ODBC
• JDBC
• EDRSQL
• QSQPRCED
• STRSQL
• QSH db2
• DRDA
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
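The statements above reach erpfile.glfclien through an alias, a CTE, a table copy and a table function, so a screen that only looks for the table name in the statement text misses most of them. The Python below is an added example, not code from the slides or from any Syncsort product: a session-aware screen that records what each CREATE statement derives from a protected object and resolves later references through those names. The protected-object policy and the final harmless query are constructed; the other statements are the slide's.

```python
import re

# Table the slide's statements all reach, directly or indirectly (constructed policy).
PROTECTED = {"erpfile.glfclien"}

# schema.name or schema."Quoted Name" anywhere in the statement text
OBJ_RE = re.compile(r'\b([a-z0-9_]+)\."?([a-z0-9_]+)"?', re.IGNORECASE)
# DDL that creates a new name (alias, table, view, function) standing in for other objects
CREATE_RE = re.compile(r'^\s*create\s+(?:or\s+replace\s+)?(?:alias|table|view|function)\s+'
                       r'([a-z0-9_]+\."?[a-z0-9_]+"?)', re.IGNORECASE)

def normalize(name):
    # fold quoted and unquoted identifiers to one lower-case form (demo simplification)
    return name.replace('"', "").lower()

def objects_in(stmt):
    return [normalize(f"{schema}.{name}") for schema, name in OBJ_RE.findall(stmt)]

def screen_session(statements):
    # naive: the protected table name appears in the text; resolved: a referenced name
    # maps to a protected table, via aliases, copies or functions created earlier in session
    derived = {}                         # new object name -> protected objects it exposes
    out = []
    for stmt in statements:
        hits = set()
        for obj in objects_in(stmt):
            if obj in PROTECTED:
                hits.add(obj)
            hits |= derived.get(obj, set())
        m = CREATE_RE.match(stmt)
        if m and hits:                   # remember what the new object stands for
            derived[normalize(m.group(1))] = set(hits)
        out.append({"stmt": " ".join(stmt.split()),
                    "naive": any(p in stmt.lower() for p in PROTECTED),
                    "resolved": bool(hits), "via": sorted(hits)})
    return out

# Session constructed from the slide's statements, plus one harmless query at the end.
SESSION = [
    "select * from erpfile.glfclien ;",
    "values (select clinombr from erpfile.glfclien where rrn(erpfile.glfclien) = 9) ;",
    'create alias qtemp."MyAliasWithLongName" for erpfile.glfclien;',
    'select * from qtemp."MyAliasWithLongName" ;',
    "with captured as (select * from qsys2.qsqptabl), hidden as (select * from erpfile.glfclien) select * from hidden ;",
    "create table qtemp.dummy as (select * from erpfile.glfclien) with data ;",
    "select * from qtemp.dummy;",
    "drop table qtemp.dummy ;",
    "Create Function erppgm.DummyFunction () Returns table (clicom char(3)) language sql "
    "disallow parallel begin return select * from erpfile.glfclien; end;",
    "select * from table (erppgm.DummyFunction ()) hello ;",
    "Drop Function erppgm.DummyFunction ;",
    "select * from qsys2.qsqptabl ;",
]
```

Running screen_session(SESSION) shows the text match flagging only the six statements that name the table, while the resolved column flags all eleven that touch it and clears the harmless query.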
33. Example with DRDA
Connect to Remote Database using DRDA
Exit point available for CONNECT (DDMACC)
No standard exit point for the SQL Statements after the CONNECT
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
34. Example with a DDMF file
Access to a local file as a reference to a remote file (DDMF)
Exit point available when opening the remote file (DDMACC)
35. Example with NetServer
Access to a DB2 file in QSYS.LIB using NetServer
Controlled by exit point QIBM_QPWFS_FILE_SERV
Authorization List QPWFSERVER can be used to prevent access to QSYS.LIB
36. Example of command similar to RUNSQL
RUNSQL not allowed? Try to create your own command — which maybe won’t be tracked
The command processing program (SQLRPGLE, fixed-form D specs with free-form calculations) receives the SQL text as a 1600-byte parameter and runs it as dynamic SQL:
     D freesqlc        PR
     D  mySQL                      1600
     D freesqlc        PI
     D  mySQL                      1600
      /free
        EXEC SQL
          SET option Commit = *NONE
                   , DATFMT = *ISO
                   , TIMFMT = *ISO
                   , NAMING = *SYS
                   , SQLPATH= *LIBL
          ;
        // run whatever statement the caller passed in the parameter
        EXEC SQL EXECUTE IMMEDIATE :mySQL ;
        // exec sql commit ;
        return;
      /end-free
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
37. Example with CLI
This simple program uses CLI to invoke SQL statements
No standard exit point for the SQL Statements after the CONNECT
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
38. Example with PuTTY
Logon with a limited user (no command line access)
db2 opens the SQL world
No standard exit point for the SQL Statements
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
39. Example with QSH
QSH/STRQSH starts an interactive shell session
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
40. Example with QP2TERM
QP2TERM: interactive terminal session to run PASE programs
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
41. Example with Node.js
PuTTY: running the Node.js script
Source Node.js
Getting the file content in a browser after typing http://192.168.5.95:8082/
Blue items are interfaces not covered by standard exit points. Seek a 3rd party solution.
43. Agenda
1. Myth - the IBM i is secure by nature
2. Exit points and access methods
3. Some examples
4. How Syncsort can help
44. Assure Security addresses the issues on the radar screen of every security officer and IBM i admin
Data Privacy: Protect the privacy of data at-rest or in-motion to prevent data breaches
Access Control: Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Compliance Monitoring: Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console
Security Risk Assessment: Assess your security threats and vulnerabilities
45. Assure Security
Choose the full product, choose a feature bundle, or select a specific capability
• Assure Data Privacy: Assure Encryption; Assure Secure File Transfer
• Assure Access Control: Assure System Access Manager; Assure Elevated Authority Manager; Assure Multi-Factor Authentication
• Assure Compliance Monitoring: Assure Monitoring and Reporting; Assure Db2 Data Monitor
• Assure Security Risk Assessment
46. Assure System Access Manager
Comprehensive control of external and internal access
• Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.)
• Communication port access (using ports, IP addresses, sockets - covers SSH, SFTP, SMTP, etc.)
• Database access (open-source protocols - JSON, Node.js, Python, Ruby, etc.)
• Command access
Powerful, flexible and easy to manage
• Easy to use graphical interface
• Standard configuration for easy deployment
• Powerful, flexible rules for controlling access based on conditions such as date/time, user profile settings, IP addresses, etc.
• Simulation mode for rules testing
• Provides alerts and produces reports
• Logs access data for SIEM integration
47. Assure Db2 Data Monitor
Gives you complete control over sensitive data access
• Monitors Db2 data to inform you of who has viewed sensitive records in a file, when and how
• Rich set of rules enables fine tuning of read-access detection and alerts (e.g. specific access of a specific file)
• No need to change existing applications
• Generates reports in multiple formats and real-time alerts
• Blocking mode prevents users from reading specified information in a file
• Simulation mode available for testing rules to ensure blocking doesn’t disrupt normal activities before deployment
Produces clear, targeted reports on data views
• Reports could show views of:
  • Manager salaries
  • Medical data
  • Credit information
• Reports can include information on how data was accessed, such as:
  • IP address
  • Current user
  • Call stack
  • And more
• Specify only the fields you need to see in a report, not the entire record, to keep your confidential data truly confidential
48. Syncsort Global Services Adds Value to Security Investments
Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage the seasoned security experts in Syncsort Global Services!