The iSeries has long been known for having a robust, secure architecture that has even received the coveted U.S. Department of Defense C2 computer security rating. Unfortunately, this reputation encourages iSeries security complacency in some people.
Network access tools such as FTP and ODBC can present special problems for iSeries administrators because use of these tools, while growing in user popularity, can have security ramifications that aren't always obvious. IBM wisely designed security controls for such access methods. These controls are user-written exit programs executed automatically by server jobs. You can implement security tests with exit programs for nearly two dozen iSeries servers (e.g., the FTP server, DRDA server, Telnet server).
You've Got the Power
PowerTech Group's PowerLock NetworkSecurity for iSeries means you don't have to produce your own custom exit programs. NetworkSecurity not only uses exit programs to control access to all iSeries servers, it also gives you the option of keeping your existing exit programs and calling them automatically from NetworkSecurity's exit programs.
NetworkSecurity controls access to your iSeries by using rules that you define, and you can assign different rules to given servers, such as the FTP server. There are two types of rules: location rules and user rules. Location rules grant or reject access by source IP address: for all addresses, for address ranges, or for any subset of addresses or ranges. For example, a rule can reject all FTP file uploads from a given IP address.
User rules are an optional part of a location rule assignment. They control which user or group profile a location rule applies to. In the previous example, you could use a user rule to further restrict FTP file uploads from a given IP address to a single specified user at that address.
You can create multiple rules for each OS/400 server, and NetworkSecurity executes them from most specific to least specific. NetworkSecurity also lets you configure each rule to automatically log the action to an audit file for later reporting and optionally send an alert message during rule execution.
NetworkSecurity also lets you increase or decrease the access a user or user group has through network services via a profile-switch facility. Normally, every NetworkSecurity rule runs under the OS/400 authorities assigned to the user profile that is accessing the network service, but this isn't always desirable. For example, if users need to upload a file to the iSeries but their user profiles lack authority to modify that file, you can create a new user profile that does have authority to change the file and assign it as the "switch profile" for the FTP upload rule. Every time the user uploads the file, NetworkSecurity is notified of the upload via its exit program, switches the request to run under the new user profile's authority, and lets the upload proceed. This operation has the advantage of relying entirely on OS/400's native object security.
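To make the rule model from the preceding paragraphs concrete, here is an added illustration (written for this page, not code from PowerTech, IBM or the OS/400 exit-point interfaces) of how location rules, optional user rules, most-specific-first evaluation, audit logging, alerts and a switch profile fit together when an exit program is asked to decide on a request. Every rule, server name, profile name and IP address below is constructed for the example; the choice to reject a request that matches no rule is an assumption of this simulation, not a documented NetworkSecurity default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# A rule as the text describes it: a location (IP address, CIDR range or *ALL),
# an optional user/group profile, the server and function it covers, the
# action, an optional switch profile, and per-rule logging/alerting flags.
@dataclass(frozen=True)
class Rule:
    server: str                      # e.g. "FTP"
    function: str                    # e.g. "PUT" (upload) or "*ALL"
    location: str                    # "*ALL", "10.1.5.0/24" or "10.1.5.20"
    user: str = "*ALL"               # user rule; "*ALL" means no user restriction
    action: str = "REJECT"           # "ALLOW" or "REJECT"
    switch_profile: Optional[str] = None  # profile to run the request under
    log: bool = True                 # write an audit record when the rule fires
    alert: bool = False              # also raise an alert message when it fires

@dataclass
class Decision:
    action: str
    rule: Optional[Rule]   # the rule that decided, or None if nothing matched
    run_as: str            # profile whose OS/400 authorities the request uses
    alerted: bool

def specificity(rule: Rule):
    """Sort key: narrower network, then a named user, then a named function."""
    if rule.location == "*ALL":
        prefix = -1
    else:
        prefix = ipaddress.ip_network(rule.location, strict=False).prefixlen
    return (prefix, rule.user != "*ALL", rule.function != "*ALL")

def matches(rule: Rule, server: str, function: str, user: str, addr: str) -> bool:
    if rule.server != server:
        return False
    if rule.function not in ("*ALL", function):
        return False
    if rule.user not in ("*ALL", user):
        return False
    if rule.location != "*ALL":
        net = ipaddress.ip_network(rule.location, strict=False)
        if ipaddress.ip_address(addr) not in net:
            return False
    return True

def evaluate(rules: List[Rule], server: str, function: str, user: str,
             addr: str, audit: List[str]) -> Decision:
    """Evaluate rules from most specific to least specific; first match wins."""
    for rule in sorted(rules, key=specificity, reverse=True):
        if matches(rule, server, function, user, addr):
            run_as = rule.switch_profile or user
            if rule.log:
                audit.append(f"{server} {function} user={user} from={addr} "
                             f"rule={rule.location}/{rule.user} -> {rule.action} run_as={run_as}")
            return Decision(rule.action, rule, run_as, rule.alert)
    # Assumption for this simulation: no matching rule means the request is rejected.
    audit.append(f"{server} {function} user={user} from={addr} -> REJECT (no rule)")
    return Decision("REJECT", None, user, False)

# Constructed sample rule set for the FTP server.
RULES = [
    Rule("FTP", "PUT", "*ALL", action="REJECT"),                     # uploads rejected by default
    Rule("FTP", "PUT", "10.1.5.0/24", action="ALLOW"),               # ...except from one subnet
    Rule("FTP", "PUT", "10.1.5.20", user="BATCHUSR", action="ALLOW", # ...and one user at one host
         switch_profile="FTPLOADER", alert=True),                    # runs as a profile that may change the file
    Rule("FTP", "GET", "*ALL", action="ALLOW"),                      # downloads allowed everywhere
]

if __name__ == "__main__":
    audit: List[str] = []
    for req in [("FTP", "PUT", "BATCHUSR", "10.1.5.20"),
                ("FTP", "PUT", "JSMITH", "10.1.5.20"),
                ("FTP", "PUT", "JSMITH", "192.168.1.5"),
                ("FTP", "GET", "JSMITH", "192.168.1.5"),
                ("TELNET", "SIGNON", "JSMITH", "10.1.5.20")]:
        d = evaluate(RULES, *req, audit)
        print(req, "->", d.action, "as", d.run_as, "(alert)" if d.alerted else "")
    print("\n".join(audit))
```

The ordering step is the part worth studying: the host-plus-user rule outranks the subnet rule, which outranks the catch-all, so the same upload from the same address is allowed under the switch profile for one user and under the user's own authorities for another, while the audit list records which rule decided each request.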
You can achieve another level of security granularity using NetworkSecurity's transaction security facility, which allows you to grant or restrict access based on transaction type. And NetworkSecurity lets you choose between three management approaches: green-screen menus, direct NetworkSecurity commands, and iSeries Navigator. A sample iSeries Navigator screen appears in Figure 1, showing some user rules for the file server.
NetworkSecurity also offers a variety of audit reporting options in two categories: intrusion detection and access rules. If you're interested in NetworkSecurity, a 30-day fully functional trial copy is available for download from The PowerTech Group's Web site.
Chuck Lundgren is a senior technical editor for iSeries NEWS.
Vendor Contact Information
The PowerTech Group, Inc.
Price: Tier-priced, with a typical P30 priced at $8,500. Annual maintenance is 18 percent.
Requirements: OS/400 V4R3 or later; OS/400 V4R4 or later for the OpsNav plug-in; Client Access Express 4.5 or later for the OpsNav plug-in.