IBM Tivoli Access Manager for Operating Systems: Host-Based Intrusion Prevention for Applications and Platforms (redp3781)
Redbooks Paper

Axel Buecker
Shawn Young

IBM Tivoli Access Manager for Operating Systems: Host-Based Intrusion Prevention for Applications and Platforms

“A lot of companies have gone to a lot of effort to protect themselves from being hacked, but it’s a lot harder to stop a rogue employee … . We have the technology, but we’re not using it.”
—The Washington Post, December 3, 2002

Employees—not hackers, not viruses—present the chief threat to IT security. In the biggest identity theft case yet reported, employees stole 30,000 consumer financial reports over three years. A ring of scam artists, in turn, paid the employees $30 for each stolen report. Ultimately, consumers lost more than $2.7 million. Law enforcement estimates that more than half of all identity thefts occur as a result of employees.

In this IBM® Redpaper, we discuss IBM Tivoli® Access Manager for Operating Systems, a simple-to-use, powerful security system that securely locks down business-critical applications, operating platforms, and files from unauthorized access. This firewall-like capability prevents both insiders and outsiders from the unauthorized access to and use of vital customer, employee, and business partner data. Additionally, Tivoli Access Manager for Operating Systems audits application and platform activity to ensure compliance with corporate policies and government regulation. In an increasingly wired yet insecure world, Tivoli Access Manager for Operating Systems provides the assurance that customers, employees, and partners expect, and the rigorous auditing that the government and senior management require.

© Copyright IBM Corp. 2003. All rights reserved. ibm.com/redbooks
Overview

Tivoli Access Manager for Operating Systems erects and enforces a seamless security perimeter around UNIX/Linux systems to provide protection for business-critical systems and auditing of all users. These controls even apply to “Root” super-users, a notoriously difficult-to-secure UNIX/Linux group. Unchecked and unmonitored Root users are often the source of considerable abuse. Tivoli Access Manager for Operating Systems prevents misbehavior by Root users and all other users through the rigorous application of access controls on resources, files, and data. Further, hackers favor Root accounts as targets because Root users typically create backdoor access routes in order to bypass basic protocols. As a result, while the majority of cyber theft results from internal abusers, the application of adequate controls on Root accounts will also prevent a significant amount of external cyber theft.

Tivoli Access Manager for Operating Systems ensures 24x7 protection from unauthorized access to business-critical applications by providing bulletproof controls against malicious actions. Most business-critical applications today are hosted on UNIX—or, increasingly, Linux—and are deployed throughout the enterprise network environments as shown in Figure 1. These applications include ERP, CRM, SCM, Human Resource Management applications, and Middleware platforms such as IBM WebSphere. Most of these applications offer inadequate out-of-the-box security and auditing for today’s enterprise.

[Figure 1: The IT security map. Panels: Mission-Critical Servers (AS/400, S/390, UNIX, NT; “55% of data theft occurs here”), Core Network, Perimeter Network, Internet, and external users (Customers, Suppliers, Distributors, Business Partners, Mobile Employees), with security functions such as firewalls, intrusion detection, VPN, single sign-on, access security, and auditing placed at each layer.]

Policy-based security: peace of mind in troubled times

The heart of an effective security program lies in its security policy. The bottom line is that everyone—partners, employees, customers, auditors, government regulators, and senior management—is looking for a security policy that guarantees the privacy and confidentiality of sensitive information. Never before have CIOs faced so many constituents demanding tight protection and accountability. Management and boards of directors no longer accept the running of expensive applications on insecure operating systems and ineffective protocols. Tivoli Access Manager for Operating Systems ensures that security policy is easily implementable, robust, and comprehensive.

Easy-to-use: Because security policy is crucial to operational effectiveness, there’s no forgiving a security policy that is difficult to understand and challenging to enforce. Tivoli Access Manager for Operating Systems simplifies policy through multiple methods. The first is through Web Portal Manager, a GUI-based, web-accessible management tool. Security policy can now be managed in a point-and-click format. Command-line interfaces and script accommodation afford UNIX and Linux experts even greater ease.

Simplicity is further ensured through Tivoli Access Manager for Operating Systems’ Fast Track Policy Modules. Fast Track Policy Modules are pre-written, best-practice security policies. They provide a method for demanding enterprises to quickly adopt effective security. Security threats multiply daily, and CIOs cannot be expected to wait on slow security policies. While enterprises can use Tivoli Access Manager for Operating Systems’ Web Portal Manager to design and set detailed policy if they wish, enterprises accelerate their ROI through the use of Fast Track Policy Modules. Fast Track Policy Modules also come in application-specific versions offering customers out-of-the-box customization. These pre-written, best-practice policies make it easy to tailor security policy for specific missions. These missions may include, for instance, enhancing Web security or defending CRM, ERP, or other applications and databases.

Simplicity is crucial for an effective security policy. Through Web Portal Manager, shown in Figure 2, security policies can be managed in a point-and-click fashion.

[Figure 2: Web Portal Manager interface]
Powerful: Power is provided through Tivoli Access Manager for Operating Systems’ multi-threaded architecture. This enables Tivoli Access Manager for Operating Systems to operate fully 22 times faster than its leading competitor. This performance also means that CIOs no longer have to trade operating efficiency for security. Applications run smoothly even with the rigorous security added by Tivoli Access Manager for Operating Systems.

With Tivoli Access Manager for Operating Systems, administrators can set and enforce three types of security policy: password policy, login policy, and resource policy. In the case of password policy, for instance, administrators can require the timely changing of passwords, or passwords of a specified length and alphanumeric mix. In the case of login policy, administrators can determine where users can access systems or what files they can access remotely. Resource policy enables administrators to restrict access to systems, files, and data on a “need-to-know” basis.

Comprehensive: As a result of its industry-leading power, Tivoli Access Manager for Operating Systems successfully scales throughout the enterprise, enforcing security comprehensively. It enables management to set a single security policy that is implemented and enforced worldwide. Centralization ensures adherence to corporate guidelines and government regulations. With Web Portal Manager, Tivoli Access Manager for Operating Systems policy can be managed from a Web-based tool. The benefit of this approach is that it enables an enterprise’s security managers to delegate limited authority for routine or emergency matters to specified, local sub-domain administrators. This scheme offers maximum control while affording flexibility when necessary. In a case of network interruption, control can be delegated to local subdomain administrators without granting local administrators excessive access or access to other subdomains.

Auditing: proof positive in a cynical world

Defending resources is equally as important as auditing resources. Gone are the days when a CIO could simply attest that the network was secure. Amid unrelenting attacks, omnipresent threats, and widely publicized failures, customers, partners, and regulators all demand proof of effective security controls. Tivoli Access Manager for Operating Systems responds to this need through Persistent Universal Auditing, which maintains 24x7 audit logs on all programs, files, ports, resources, and systems. This provides administrators with a centralized report on security events, enabling administrators to review which users accessed what resources, how, and when.

Misbehavior rarely occurs just once. It occurs frequently. Regular audits prevent prolonged abuse. The most successful information thieves endure through “creep and take” tactics. Through incremental attacks over long periods of time they accumulate extensive amounts of sensitive data and insidiously degrade system defenses. Because they typically are insiders, such “CAT thieves” present significant risk—much more than regular Internet hackers. Insiders, after all, know on which systems valuable information resides and how to best circumvent security protocols. Recurrent auditing with Tivoli Access Manager for Operating Systems prevents CAT attacks.

The United States government has responded to financial scandals and health care concerns through the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These two sets of legislation require the erection of significant barriers to secure sensitive financial and health care data. In addition, regular auditing is required to prove that confidential and private information is handled only on a need-to-know basis. Countries around the globe have enacted similar legislation. European legislation has gone even farther in its privacy and confidentiality requirements.
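As an added illustration, not the product’s own code or policy format, the following Python toy models how need-to-know resource policy of the kind described above is enforced on every access and audited: a host agent decides each intercepted access from its own replica of the central policy, denies by default with no exception for Root, and writes an audit record for every decision, permitted or denied. The rule layout, the principal names, and the sample HR-file and TCP-port rules are all constructed for this example.

```python
"""Toy model of per-access enforcement with persistent auditing.
Names, the rule format and the sample rules are assumptions for this
example; they are not the product's interfaces."""
from dataclasses import dataclass, field
import time


@dataclass
class PolicyServer:
    """Central policy store. Each rule is (principal, resource prefix, ops).
    Resources are plain strings, so file paths and ports use one mechanism."""
    rules: list = field(default_factory=list)

    def add_rule(self, principal, resource_prefix, ops):
        self.rules.append((principal, resource_prefix, frozenset(ops)))

    def publish(self):
        # Snapshot handed to agents; a copy, so each agent owns its replica.
        return list(self.rules)


@dataclass
class SecurityAgent:
    """Host-side enforcement point. It never asks the server at decision
    time: it evaluates its local replica, so an outage cannot stop it."""
    local_policy: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def replicate(self, server):
        self.local_policy = server.publish()

    def _principals(self, user, groups):
        # Root is just another principal here; there is no implicit bypass.
        return {f"user:{user}", *(f"group:{g}" for g in groups), "any"}

    def decide(self, user, groups, resource, op):
        """Model of one intercepted access: decide, then audit, always."""
        principals = self._principals(user, groups)
        matched = None
        for principal, prefix, ops in self.local_policy:
            if principal in principals and resource.startswith(prefix) and op in ops:
                matched = (principal, prefix)
                break
        allowed = matched is not None  # deny by default
        self.audit_log.append({
            "ts": time.time(), "user": user, "resource": resource, "op": op,
            "decision": "permit" if allowed else "deny", "rule": matched,
        })
        return allowed


def demo():
    """Constructed scenario: the payroll group may read HR files, dbadmin may
    also write them, anyone may open outbound HTTPS; nothing else is granted."""
    server = PolicyServer()
    server.add_rule("group:payroll", "/data/hr/", {"read"})
    server.add_rule("user:dbadmin", "/data/hr/", {"read", "write"})
    server.add_rule("any", "tcp:out:443", {"connect"})

    agent = SecurityAgent()
    agent.replicate(server)
    del server  # from here on the agent is "offline" and still decides

    return {
        "payroll_read":  agent.decide("alice", ["payroll"], "/data/hr/salaries.csv", "read"),
        "payroll_write": agent.decide("alice", ["payroll"], "/data/hr/salaries.csv", "write"),
        "root_read":     agent.decide("root", ["wheel"], "/data/hr/salaries.csv", "read"),
        "dbadmin_write": agent.decide("dbadmin", ["dba"], "/data/hr/salaries.csv", "write"),
        "https_out":     agent.decide("root", ["wheel"], "tcp:out:443", "connect"),
        "ssh_in":        agent.decide("root", ["wheel"], "tcp:in:22", "accept"),
        "audit_records": len(agent.audit_log),
        "denied":        sum(r["decision"] == "deny" for r in agent.audit_log),
    }
```

Every call to `decide` leaves a record whether or not it was permitted, which is what makes the "who accessed what, how, and when" review possible after the fact.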
Architecture: simple, lean, and muscular

Tivoli Access Manager for Operating Systems is built on a lightweight, powerful, easily installed architecture. This simple architecture centers on the Tivoli Access Manager Policy Server. This server houses all security policies and can also maintain the database of all users in an LDAP directory. Tivoli Access Manager for Operating Systems relies on its Security Agent for local policy enforcement. The Security Agent locally protects and audits each server, acting as a host-based firewall in physically preventing unauthorized users from accessing files. Exceeding typical firewall capability, Tivoli Access Manager for Operating Systems restricts both incoming and outgoing network traffic, providing a matchless level of security for TCP/IP ports. The Security Agent also locally audits the use of applications, files, and resources. Figure 3 is an overview of the architecture of Tivoli Access Manager for Operating Systems.

[Figure 3: Tivoli Access Manager for Operating Systems architecture. The centralized Access Manager Policy Server contains the policy database and user IDs (LDAP) and maintains policy; an SSL connection links it to each Security Agent, which enforces policy by erecting the security perimeter: it intercepts the system call, makes the access decision, and writes the audit record.]

For full security even during network interruptions, the Security Agent replicates the security policy and user identifications locally. In the event that the network connection fails, the Security Agent is fully able to make access decisions without the Policy Server being present.

Linux: bulletproof answer to open source questions

“Open source software is now the major source of elevated security vulnerabilities for IT buyers.” The majority of the 29 advisories issued from January through October 2002 by Carnegie Mellon’s CERT Coordination Center addressed vulnerabilities in open source or Linux products.
—eWeek, Nov. 22, 2002

Linux provides a revolutionary platform with superb flexibility, dependability, and value—and a whole new set of security challenges. Typically, however, it is not the enterprise’s only operating system. In today’s heterogeneous enterprise, an effective security solution must be able to secure and run on a variety of platforms. Tivoli Access Manager for Operating Systems can secure a wide range of Linux and UNIX® operating environments, and constantly expands its coverage. Tivoli Access Manager for Operating Systems supports Linux on iSeries, xSeries, pSeries, and zSeries® platforms.

Integration: flexibility on demand

Tivoli Access Manager for Operating Systems provides unparalleled breadth in value through full integration with the market’s leading identity management, identity provisioning, and security management products. IBM Tivoli Identity Manager, IBM Tivoli Access Manager for e-business, IBM Tivoli Privacy Manager, and IBM Tivoli Risk Manager all effectively complement Tivoli Access Manager for Operating Systems. Use of a common approach and infrastructure enables customers to rapidly meet demands for increased responsiveness, improved efficiency, and greater economy.

[Figure 4: IBM Tivoli Integrated Identity and Security Management. Tivoli Risk Manager provides security management, fed by third-party firewalls, anti-virus, network intrusion detection, and VPN software; Tivoli Identity Manager covers user management and user provisioning, Tivoli Access Manager covers application protection, and Tivoli Privacy Manager covers privacy assurance; IBM Directory Server and IBM Directory Integrator provide directory management underneath.]

The IBM Tivoli Integrated Identity Management suite (shown in Figure 4) scales to precisely meet customers’ needs, whether those needs are narrowly focused or broadly conceived. These solutions work together to provide significant return on investment and exceptional levels of service to internal and external users. Close cooperation with industry partners in developing standards ensures that Tivoli’s Integrated Identity Management suite is both widely interoperable and remarkably rigorous.

Summary: exceptional solution for an insidious threat

“The hacker who just stole your records is just as likely to be an insider as an outsider … Computer break-ins by insiders often do more damage than when a remote hacker gets into the system … They know what to take; they know what is important.”
—The Atlanta Journal-Constitution, May 14, 2003
In a recent case involving a large consumer goods company, a hacker pilfered the confidential financial, Social Security, and employee records of 450 co-workers. The employee bypassed protocols to slip into the company’s computer system without authorization.

Incidents of insider cyber theft are rising rapidly. With increasing amounts of valuable consumer, employee, and partner data being accumulated, the incentives for insider misbehavior are increasing as well. Organizations face growing risk. Simultaneously, regulators and legislators are targeting enterprises that do not implement effective controls with fines and increased scrutiny. CIOs face unrelenting pressure for improved security, auditability, and accountability.

The most economic and effective solution for CIOs is to combine comprehensive intrusion prevention technology—host-based firewall capability, application and platform protection, user tracking and controls—with persistent auditing capability. In a lightweight, powerful way, Tivoli Access Manager for Operating Systems does exactly this. No longer do organizations need to run business-critical applications on mainframes in order to enjoy mainframe-class security. With Tivoli Access Manager for Operating Systems they can enjoy mainframe-class security on distributed systems. And they can enjoy the peace of mind that comes when valuable data is fully secured and all users are held fully accountable.

The team that wrote this Redpaper

This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

Axel Buecker is a Certified Consulting Software I/T Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of Software Security Architecture. He holds a degree in computer science from the University of Bremen, Germany. He has 17 years of experience in a variety of areas related to Workstation and Systems Management, Network Computing, and e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior I/T Specialist in Software Security Architecture.

Shawn Young is the IBM Tivoli Access Manager for Operating Systems worldwide product manager. While at IBM he has contributed to the development of a number of leading edge security products. He has an extensive background in management consulting and has consulted with leading Fortune 500 companies on customer-centric approaches to improved operational effectiveness. He holds a degree in Economics and Public Policy from Rice University and a Masters degree in Business Administration from the University of California, Los Angeles Anderson School of Management.

Thanks to the following person for her contribution to this project:
Betsy Thaggard, International Technical Support Organization, Austin Center
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: IBM®, Redbooks (logo)™, zSeries®, ibm.com®, Tivoli®

The following terms are trademarks of other companies:
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.