Security Tools for iSeries Networks

Article ID: 19743

This is an expanded version of the original article

View Network Security Tools Buyers Guide
There was a time when you could simply bolt a firewall to the side of your network and call it a day because you could feel sure you'd locked out invaders by erecting an impervious perimeter wall. But network security threats have multiplied faster than the proverbial rabbits over the years, making such times a distant memory. Today you must protect against hackers, viruses, worms, and operating system bugs, any of which can be exploited from both the outside of your network and the interior. You can't just build walls — you must also deploy roving guards, intrusion sensors, and attack dogs. To make your job harder, there's no single-source solution that addresses all security threats. You'll have to integrate products from several vendors to build your own Fort Knox of network protection.

To help you accomplish this mission, iSeries NEWS has pulled together details about security products that work with the iSeries. Securing your iSeries is a multifront war — you must be vigilant both on the network side and on the iSeries side. On the network front we offer a table comparing features of network security solutions, most of which aren't iSeries-specific. They're nevertheless compatible with iSeries networks and essential to your iSeries security stance. On the internal front, we provide a list of security products that can help you secure your iSeries internally.

As an iSeries user, you're likely not interested in mastering yet another operating system or deploying security software on Windows or Unix boxes, so on the network side, we're examining only hardware security appliances. Appliances are completely self-contained solutions compatible with any host environment and have the added advantage of guaranteeing proper integration of security software with the underlying hardware. Purpose-built appliances also tend to be more reliable than products built on general-purpose operating systems, as there are fewer OS components to go awry. Virtually all security appliances can be remotely administered using an ordinary Web browser, making them easy to deploy and configure.

Security appliances fall into four broad categories: enterprise firewall, intrusion prevention, Virtual Private Network (VPN) gateway, and vulnerability assessment (VA). For complete network protection, you should employ at least one product from each of these categories. Here's a rundown of each and some salient buying points to consider when making your selection.

Enterprise Firewall Appliances

Firewalls can be cheap these days, costing as little as $50 for a lightweight consumer model designed to protect a handful of home computers. For an enterprise, however, you need certain minimum capabilities. Primary among these is the horsepower necessary to keep up with business-related Internet traffic. Firewalls inspect every packet entering and leaving your network, adding security but directly impinging on your Internet access speed. Enterprise firewalls can handle a minimum 10 Mbps Internet data rate, and many have capacities that range to hundreds of megabits per second. (Note that just because a firewall has a 100-Mbps-capable Ethernet port doesn't mean that it can actually carry 100 Mbps of traffic.)

Enterprise firewalls also sport one or more of these advanced capabilities: multiple WAN failover, high availability (HA) using redundant appliances, VPN concentration, and Wi-Fi gateway services. Multiple WAN failover is the ability to detect an upstream Internet failure and switch to a backup Internet connection automatically. For example, you might have a 10 Mbps fiber Internet upstream connection with a T1 backup connection to a different ISP. WAN failover handles the task of monitoring the primary Internet connection and re-routing traffic, DNS, and IP addresses to the backup connection when necessary.

The firewall represents a single point of failure in your network, one that you can overcome via HA, which uses a duplicate standby appliance to take over in the event your primary firewall bites the dust. As with WAN failover, recovery is automatic. The backup appliance constantly monitors the primary appliance, maintaining a duplicate copy of its configuration. You configure the primary, and the backup automatically inherits all configuration changes. Some vendors provide for session synchronization as well, where the backup firewall keeps a parallel session table so that it can take over without dropping any in-progress TCP/IP or VPN sessions.

VPNs are a standard capability in most enterprise networks today. You can purchase a separate VPN gateway or have this function incorporated into your enterprise firewall. The advantage of integrating VPN services into the firewall is that doing so provides a single point of policy administration for setting access rules for limiting VPN user access to enterprise services. The disadvantage is the additional computational load that VPN encryption puts on the firewall appliance, which can greatly reduce its bandwidth capacity.

The newest feature to arrive for enterprise firewalls is Wi-Fi gateway service, which provides a secure attachment point for corporate wireless users. This is a case of necessity breeding inventiveness. The built-in security supplied by Wi-Fi hardware (e.g., WEP, WPA, 802.11i) has been found hopelessly inadequate to provide enterprise-class security. The only safe Wi-Fi encryption technique available today is VPN encryption from the wireless client to a secure VPN gateway inside your enterprise LAN. A firewall can provide this secure gateway, isolating Wi-Fi traffic from your internal network except for users who have the credentials to establish a VPN tunnel to your firewall.

There are a slew of other features available in enterprise firewalls, such as intrusion prevention and VA, but you should beware of keeping all your security eggs in one basket for now. The jack-of-all-trades firewall is often the master of none, and in the world of security, mediocre security can be as bad as no security at all.

Intrusion Prevention Appliances

This type of security solution used to be called intrusion detection appliances, but customers naturally felt uncomfortable buying products that could only tell them when the cow was already out of the barn, as it were. The idea behind intrusion prevention is that attacks are detected and deflected before they actually get into your network. There's a blurry line between the intrusion detection capabilities of a traditional firewall and those of an IP appliance. The primary difference is that IP appliances perform deep-packet inspection, looking into the contents of every packet and analyzing its potential for danger. IP looks into SMTP, FTP, HTTP, POP3, and IMAP traffic to catch viruses and worms in transit and blocks them before they can land inside your network perimeter.

An IP appliance is also stateful, which means it tracks the behavior of remote IP addresses to recognize attacks using so-called attack signatures and block potential attackers from all access. The deep inspection process is complex and can bog down a firewall already tasked with border control, so IP appliances provide a useful division of labor.
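The two behaviors described above, signature matching on message contents and stateful tracking of the remote address so that a repeat offender is blocked outright, are easy to see in miniature. The following Python is an added illustration written for this article's topic; it is not any vendor's appliance code, and the signature patterns, the three-strikes threshold, and the traffic records are all constructed for the demonstration.

```python
"""Toy intrusion-prevention engine: deep inspection against a signature list
plus per-source state, so a remote address that keeps tripping signatures is
cut off entirely. Added illustration; signatures, threshold and traffic are
constructed, not taken from any product."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed signatures: (name, protocol the pattern applies to, byte pattern).
# A real appliance ships thousands of these and refreshes them automatically.
SIGNATURES = [
    ("smtp-av-test-file", "smtp", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    ("http-cmd-exe-probe", "http", b"/system32/cmd.exe"),
    ("ftp-site-exec", "ftp", b"SITE EXEC"),
]


@dataclass
class SourceState:
    """What the engine remembers about one remote address (the 'stateful' part)."""
    hits: int = 0
    blocked: bool = False
    reasons: list = field(default_factory=list)


class InspectionEngine:
    def __init__(self, block_after: int = 3):
        self.block_after = block_after          # constructed threshold
        self.sources: dict[str, SourceState] = defaultdict(SourceState)

    def inspect(self, src_ip: str, proto: str, payload: bytes) -> str:
        """Return 'pass', 'drop' (this message deflected) or 'block' (source cut off)."""
        state = self.sources[src_ip]
        if state.blocked:
            return "block"                      # nothing more from this source, benign or not
        for name, sig_proto, pattern in SIGNATURES:
            if sig_proto == proto and pattern in payload:
                state.hits += 1
                state.reasons.append(name)
                if state.hits >= self.block_after:
                    state.blocked = True
                    return "block"
                return "drop"                   # deflect the message; source still allowed
        return "pass"


# Constructed traffic: (source address, protocol, message bytes).
TRAFFIC = [
    ("10.0.0.5", "http", b"GET /index.html HTTP/1.0"),
    ("198.51.100.7", "http", b"GET /scripts/../system32/cmd.exe?/c+dir HTTP/1.0"),
    ("198.51.100.7", "ftp", b"SITE EXEC %p%p%p"),
    ("198.51.100.7", "smtp", b"Content-Disposition: attachment; EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    ("198.51.100.7", "http", b"GET /index.html HTTP/1.0"),   # benign, but source is now blocked
    ("10.0.0.5", "smtp", b"Subject: quarterly report"),
]


def run(block_after: int = 3):
    """Inspect the constructed traffic; return the engine and per-message verdicts."""
    engine = InspectionEngine(block_after=block_after)
    verdicts = [engine.inspect(src, proto, payload) for src, proto, payload in TRAFFIC]
    return engine, verdicts


if __name__ == "__main__":
    engine, verdicts = run()
    for (src, proto, _), verdict in zip(TRAFFIC, verdicts):
        print(f"{src:14} {proto:5} -> {verdict}")
    for ip, st in engine.sources.items():
        print(ip, "blocked" if st.blocked else "allowed", st.reasons)
```

Note the division of labor the paragraph describes: the signature loop is the expensive deep-inspection step, while the per-source table is cheap and is consulted first, so once an address is blocked no further inspection is spent on it.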

Features to look for in IP appliances include automatic updating of attack signature databases and virus filter definitions, embargoing of suspect e-mail attachments and FTP transfers, notification to end users of embargoed files, and fine-grained policy control down to the individual user level. Most IP devices have realtime reporting and trend analysis, or can export trend data for later analysis.

VPN Gateway Appliances

VPNs are the essential glue of enterprise security infrastructures. With the Internet's constantly improving speed and reliability, VPNs are a cost-effective way to link far-flung offices and remote users at low cost. The encryption required to protect VPN traffic, however, is processor-intensive. To support more than a handful of VPN users, you need a dedicated VPN gateway with hardware-assisted encryption, which is exactly what a VPN gateway appliance provides.

There are two popular VPN standards in wide use today: Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL). IPSec is the de facto standard for carrying generic application traffic. To work properly, it requires more detailed configuration and either a compatible VPN appliance or an end-user VPN client application at the other end of the tunnel. SSL VPNs need only an ordinary Web browser, but are more limited in the kinds of traffic they can carry. (Note that the older Microsoft VPN standard, PPTP, is still around, but it's obsolete and you shouldn't consider it for new deployments.)

The primary discriminator for VPN appliances is the VPN flavor, IPSec or SSL. Few support both, and you'll likely need to choose one approach or the other for your enterprise. Most IPSec gateways from different vendors are interoperable with each other, but you should always check with the vendors to see whether the combination of products you're considering has been explicitly tested together. SSL VPNs are not as interoperable, usually requiring homogeneous products from a single vendor.

You'll have to consider how to authenticate VPN users. There are many methods to choose from. Simple user-ID/password authentication is easy to use but vulnerable to lost credentials and spoofed gateway attacks. Some products support two-factor credentials, such as a hardware key or fingerprint reader, to mitigate the lost-credentials problem, but nothing in user-ID/password authentication verifies that the destination gateway is the one the user thinks it is. For that level of security, you need to employ digital certificates. Fortunately, digital certificates are highly standardized and therefore compatible across product lines. But be prepared to expend considerable effort in the process of establishing a certificate issuing, distributing, and tracking infrastructure. You'll be tempted to skip this, but if you do you could be painfully sorry later.

A VPN gateway provides a centralized location for all of your VPN security policies, but not all gateways provide the same policy options or granularity. If your VPN communications are all within your own organization, then you may not need as fine-grained policy control. But if you have VPN tunnels to business partners, vendors, or customers, you'll need the ability to tightly control which enterprise LAN services the VPN users can access, which requires fine-grained policy support down to the IP address and protocol level.

Because VPN users are not always completely trustworthy, some VPN gateways incorporate intrusion prevention services as well. These aren't a substitute for a dedicated IP appliance, because the VPN gateway controls only a portion of your network. However, IP in a VPN gateway gives you another layer of protection, which security experts call "defense in depth." That's always a good thing.

Vulnerability Assessment Appliances

Intrusion detection tells you when your network security has been compromised. Intrusion prevention aims to deflect dangerous data when it arrives at your network border. In contrast, VA is the process of finding exploitable flaws in your network before the hackers and viruses do, so that you can patch them. VA appliances are hardware devices that sit on your network and continuously probe it for weak spots, reporting them and providing advice on remediation before a breach occurs, or is even attempted.

With 99.9 percent of all successful network penetrations exploiting well-known vulnerabilities, finding and eliminating chinks in your armor is an effective protection, and one that is considered a best practice for enterprise networks. The trend for more accountability in corporate governance is making VA mandatory for many industries, including banking, insurance, medicine, and transportation.

Just finding vulnerabilities isn't enough, though. You have to have follow-up, first to fix a problem, then to verify the fix, and finally to ensure that the flaw doesn't creep back into your network. That's the true mission of VA appliances: managing the entire VA process from detection through remediation.

VA appliances have to scan both the inside and outside of your network, so most VA solutions actually require a minimum of two appliances — one outside your Internet firewall and one behind it. If you have an extensive network interconnected by WANs and VPNs, you may need multiple sets of VA appliances for complete coverage.

The inside appliance controls all VA processing, scheduling both inside and outside scanning, and maintaining the vulnerability database used to detect, report, and track problems. The outside appliance and other satellite appliances serve as slaves to this master. You control the primary appliance through a Web interface, and it in turn coordinates policy changes and scheduling requirements with the satellites.

VA is a highly standardized activity, with a number of organizations involved in setting specifications for detecting and reporting exploits. You should make sure that candidate appliances support one or more standards, in particular the Common Vulnerabilities and Exposures (CVE) certification.

Essential features include remediation tracking, automatic updating of vulnerability probes, automatic retesting of remediated vulnerabilities, and reporting and trend analysis. The analysis feature is important to help you learn whether you're gaining ground in your security stance. Your initial VA scans typically detect lots of exposures, but you should see these diminish over time. By tracking trends, you can be alerted to problematic network changes should the VA alert level suddenly escalate. For example, if a department installs one or more servers that aren't properly protected, your first indication of a problem might be a spike in VA alerts.
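The remediation workflow described a few paragraphs earlier (fix, verify the fix, make sure the flaw doesn't creep back) and the trend alerting described in this paragraph both reduce to comparing successive scan results. The Python below is an added illustration of that bookkeeping, written for this article; it is not any VA vendor's software. The host names, the CVE identifiers (placeholders, not real entries), and the doubling threshold used to flag a spike are all constructed for the demonstration.

```python
"""Remediation tracking and trend alerting across successive VA scans.
Each finding is classified as new, still open, fixed, or regressed (fixed
earlier, now back), and a scan whose open count jumps past a threshold is
flagged. Added illustration; scan data and CVE ids are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # identifier as the probe reports it; placeholders below


def classify(previous_open: set, current: set, ever_fixed: set) -> dict:
    """Compare one scan against the open set left by the previous scan.

    previous_open: findings still open after the last scan
    current:       findings reported by this scan
    ever_fixed:    findings fixed in some earlier scan (to spot regressions)
    """
    new = {f for f in current if f not in previous_open and f not in ever_fixed}
    regressed = {f for f in current if f in ever_fixed and f not in previous_open}
    still_open = current & previous_open
    fixed = previous_open - current             # reported last time, gone now: verified fix
    return {"new": new, "open": still_open, "fixed": fixed, "regressed": regressed}


class RemediationTracker:
    def __init__(self, spike_factor: float = 2.0):
        self.open: set = set()
        self.fixed_history: set = set()
        self.trend: list = []                   # open count after each scan
        self.spike_factor = spike_factor        # constructed threshold

    def ingest(self, scan_findings) -> dict:
        current = set(scan_findings)
        result = classify(self.open, current, self.fixed_history)
        self.fixed_history |= result["fixed"]
        self.fixed_history -= result["regressed"]   # back in the open set until fixed again
        self.open = current
        # Spike: open count more than spike_factor times the last scan's count
        # (a clean previous scan is treated as a baseline of one).
        result["spike"] = bool(self.trend) and len(current) > self.spike_factor * max(self.trend[-1], 1)
        self.trend.append(len(current))
        return result


def run_demo():
    """Three constructed scans: initial exposure, one fix, then a regression plus
    an unpatched departmental server appearing. Returns (tracker, per-scan results)."""
    def f(host, n):
        return Finding(host, f"CVE-0000-000{n}")   # placeholder ids, not real CVEs

    scans = [
        [f("as400-prod", 1), f("as400-prod", 2), f("web-dmz", 3)],
        [f("as400-prod", 2), f("web-dmz", 3)],                          # 0001 fixed
        [f("as400-prod", 1), f("as400-prod", 2), f("web-dmz", 3),       # 0001 crept back
         f("dept-srv", 4), f("dept-srv", 5), f("dept-srv", 6)],         # new server, unpatched
    ]
    tracker = RemediationTracker()
    return tracker, [tracker.ingest(s) for s in scans]


if __name__ == "__main__":
    tracker, results = run_demo()
    for i, r in enumerate(results, 1):
        print(f"scan {i}: new={len(r['new'])} open={len(r['open'])} "
              f"fixed={len(r['fixed'])} regressed={len(r['regressed'])} spike={r['spike']}")
    print("trend:", tracker.trend)
```

The trend list is what the reporting feature graphs: in the demo it falls from three to two and then jumps to six, and the third scan is flagged because the new departmental server roughly tripled the open count, which is exactly the early warning the paragraph describes.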

Is It Safe?

Just as Laurence Olivier asked Dustin Hoffman in Marathon Man, your management is wondering, "Is it safe?" Unless you're employing the full spectrum of enterprise security tools, you'll have to answer "no" and suffer the consequences. So check out your security exposure today and begin planning to incorporate one or more of these products in your network.

Mel Beckman is a senior technical editor for iSeries NEWS.

John Ghrist is senior products editor for iSeries NEWS.


iSeries Security Tool Product Roundup

The following iSeries solutions offer security tools and access protection for iSeries applications and data. Please consult the appropriate vendor Web pages for comprehensive information on products or services of interest to you.

A la Carte Menu and Security System
BugBusters Software Engineering, Inc.

Lets administrators manage access to system objects and applications from a central console and regulate access to menus based on user profile, group profile, *PUBLIC authority, or authorization lists. bugbusters.net

Alliance AES/400
Patrick Townsend & Associates, Inc.

A 256-bit encryption application based on the U.S. National Institute of Standards and Technology's specification for the Advanced Encryption Standard. Provides command interfaces to encrypt and decrypt iSeries DB2 database and IFS stream files. patownsend.com

AS400/iSeries Infrastructure Outsourcing Service
Invision

Security-related services provided include security vulnerability analysis and assessment, firewall management, VPN configuration and management, virus scanning, and spam filtering. Other services include disaster recovery, infrastructure outsourcing, remote operations, and infrastructure consulting and design. invision.net

Auditron400
Dynamic Systems Solutions, Inc.

Tracks modifications made to iSeries data at the field level, logs changes, and provides a set of reports and inquiries for determining changes to system values and configurations, user profiles, security settings, and library lists and authorities. dsscs.com

EXTOL Secure
EXTOL, Inc.

Applies advanced encryption, authentication, and non-repudiation methods automatically to EDI communications, XML, and other data moving over the Internet via its integration with EXTOL EDI Integrator on iSeries and Windows platforms. extol.com

Internet Security Systems Site Protector
Internet Security Systems, Inc.

Works with PowerTech Group’s PowerLock NetworkSecurity to deliver protection for enterprise-critical applications and databases on iSeries and AS/400 servers. Correlates security information with data from other network, server, and desktop agents to provide a cross-platform view of an entire enterprise security landscape. iss.net

Netiq Security Solutions for iSeries
Netiq, Inc.

A family of security auditing, vulnerability management, and security administration tools for iSeries systems that operate in realtime and help streamline and automate user administration. netiq.com

NetSentron
Kobelt Development, Inc.

A firewall solution with an intrusion detection system that detects, prevents, monitors, and reports external attacks on enterprise networks. netsentron.com

Nexus Portal
BCD International, Inc.

Enables secured, controlled access to iSeries Web applications (and green-screen applications via Mochasoft’s 5250 emulation product), systems, reports, and other objects. It also provides organizational and productivity tools. bcdsoftware.com

OnePass/400
Kisco Information Systems

Helps users create, manage, and track single-use passwords as extra protection for telnet access and custom applications. kisco.com

PowerLock AuthorityBroker
PowerTech Group, Inc.

Works with OS/400 security to protect and audit access to sensitive corporate assets to conform to state and federal requirements and helps security officers automate enterprise-wide security policies based on industry standards. powertech.com

PowerLock CentralAdmin
PowerTech Group, Inc.

Creates a common and single view at a central console of iSeries security to help simplify the management of complex or distributed iSeries environments. powertech.com

PowerLock NetworkSecurity
PowerTech Group, Inc.

Offers iSeries intrusion detection and access control that closes the gap between networked access and the associated risk of sharing your data with employees, remote users, or business partners. A PowerLock Interact feature offers cross-platform security by interfacing with enterprise security consoles such as the Internet Security Systems Site Protector. powertech.com

PowerLock SecurityAudit
PowerTech Group, Inc.

Audits iSeries systems at the object level to provide a complete history and instant view of changes since the last audit. powertech.com

QMessage Monitor
CCSS, Ltd.

Offers realtime security monitoring and auditing for the iSeries. Checks for authority failures, FTP access, system value and user profile changes, programs using QSECOFR authority, restored objects with QSECOFR authority, invalid password attempts, and other actions. Compliant with Sarbanes-Oxley. ccssltd.com

SafeNet/400
Kisco Information Systems

Protects iSeries systems from unauthorized access via network connections, tracks request logging, generates audit reports, limits access to functions and objects based on user profile, controls customer exit programs, and provides other functions. Available in Lite, Basic, Advanced, and Enterprise versions. kisco.com

ScreenSafer/400
Kisco Information Systems

Workstation security utility that takes control of inactive workstations during idle time to protect sensitive information and restrict transaction input to the user currently logged on to the device. kisco.com

Secure/Net
Castlehill Computer Services, Ltd.

Enhances iSeries security in networked environments by conducting additional security checks when an iSeries receives a remote request, stopping authorized users from performing unauthorized functions, and creating an audit trail of all remote requests received and rejected. ccs400.com

SkyView Partners Assessment Services for iSeries and AS/400 Systems
SkyView Partners

A security assessment service that uses a one-time license for SkyView Risk Assessor to determine risks, account for business operational needs, create a security plan and executive overview, and explain how to start implementing the recommendations. skyviewpartners.com

SkyView Partners Security Remediation Services
SkyView Partners

Consulting help with implementing a security plan that will protect key enterprise information assets. skyviewpartners.com

SkyView Risk Assessor
SkyView Partners

A security diagnostic tool that automates documentation of OS/400 and i5/OS security configurations, analysis and interpretation of current risks, and issues-remediation plan generation. It also generates supplemental reports on other security details. skyviewpartners.com

SoftMenu
SoftLanding Systems, Inc.

Secure menu-management utility that nontechnical personnel can administer. Controls access to sensitive menu options, standardizes management of all menus, and enables use of exit points to customize menu administration tasks. softlanding.com

StandGuard
Bytware, Inc.

Provides realtime security and security filters for files, directories, libraries, and other objects and uses keyword-level security to restrict access from network PCs and 5250 sessions. Also monitors OS/400 Security Audit Journal and alerts administrators to security changes such as authority changes and adoptions, profile swapping, and authority failures. bytware.com

StandGuard Anti-Virus
Bytware, Inc.

Virus-detection product that provides special protection for iSeries IFS. bytware.com

StandGuardAudit
Bytware, Inc.

Helps administrators assess security of iSeries data and programs and generates reports. Also helps system managers determine which user profiles have authority to access each object in a library.

StandGuard Recycle Bin
Bytware, Inc.

Protects files and data from accidental or intentional deletion by storing them in a holding area from which they can be retrieved on demand. bytware.com

StoneGate Firewall and VPN
Stonesoft, Inc.

Provides organizations with the ability to run virtual networks and multiple servers located within a single machine and to secure applications and VPN termination between the virtual networks. stonesoft.com

TriAWorks Identity Manager for Single Sign-On (TIM SSO)
TriAWorks, Inc.

Specifically designed to simplify EIM domains administration, TIM SSO makes it more convenient to populate an EIM domain using wizards, create associations using rules matching registry-naming conventions, and maintain the integrity of your SSO implementations via reports. triaworks.com

VISUAL Security Suite
SoftLanding Systems

Provides iSeries and Windows servers with user-auditing tools and protection against external intrusions, modifications to system values or user profiles, use of adopted authority, and other suspicious activity. softlanding.com/visual-ss/

ZMOD Exchange
Trailblazer Systems

Family of EDI and file-encryption utilities for use with FTP, HTTP, Sockets, UCCnet, XML, and other protocols. trailblazersystems.com

— J.G.
