This document provides an overview of controlling access to IBM i systems and data through the use of exit points and exit programs. It discusses four key levels of access control - network access, communication port access, database access, and command access. It explains how exit points allow for exit programs to control and audit access based on parameters like permissions, IP addresses, and time/date. The document also discusses tradeoffs between do-it-yourself access control solutions versus packaged third-party solutions, and how Syncsort products can help secure access points and provide auditing, monitoring, and compliance capabilities.
2. Agenda
1 – IBM i Access Vulnerabilities
2 – Exit Points and Exit Programs
3 – Four Levels of Access Control
4 – Tradeoffs: DIY or Packaged Solutions?
5 – How Syncsort Can Help
3. Why Secure Access Points?
• The IBM i is increasingly connected
• Prior to the 1990s, the system was largely isolated
• In the 1990s IBM opened the system up to TCP/IP
• The number of ways the system could be accessed grew
• Legacy, proprietary protocols now coexist with newer, open protocols, multiplying the access points that must be secured
• The worldwide hacker community now recognizes the IBM i as a high-value target
• 4 important levels of access must now be secured
• Network access
• Communication port access
• Database access
• Command access
4. Exit Points and Exit Programs
• What are exit points and exit programs?
• Exit points and exit programs are powerful tools for access control
• Introduced in 1994 on the AS/400 in V3R1 of the operating system
• Exit points provide “hooks” that invoke one or more user-written programs, called exit programs, for a variety of OS-related operations
• Exit programs are registered to particular exit points (with the Work with Registration Information facility, WRKREGINF, or the ADDEXITPGM command)
• How can exit points be used?
• Exit programs can allow or deny access based on parameters such as permissions, date/time, user profile settings, IP addresses, etc.
• Command exit points can allow or deny command execution based on context and parameters
• Exit programs can also trigger actions such as logging access attempts, disabling user profiles, sending an alert, etc.
• Because an exit program runs inside the job that made the request, it should be fast and should deny when it cannot evaluate the request, rather than fail open
5. Securing Network Access
Security Challenges
• Network protocols make it possible for users to connect directly to backend databases on the IBM i
• These protocols include FTP, ODBC, JDBC, DDM, DRDA, NetServer, and others
• Without proper controls, the system is open to external attackers and to internal users who may, deliberately or by accident, create problems
• Without network controls, commands can also be executed remotely, for example through the FTP server’s RCMD subcommand, the REXEC server, the RMTCMD function of IBM i Access, or a call to QCMDEXC over an ODBC or JDBC connection
• SQL statements can likewise be executed remotely via ODBC, JDBC and DRDA if those interfaces are not locked down
How Exit Points Can Help
• IBM i provides dozens of exit points that cover most network access protocols; they are listed and managed with WRKREGINF
• Exit programs can be created and registered on these exit points
• Exit programs can control access by a variety of criteria and can monitor and log activity
• When access is controlled through network exit programs that deny by default, only the specific operations the exit program permits can occur
• Application Administration provides a partial solution that can control which users may use particular network functions, but it does not log activity and cannot be driven by granular rules
6. Securing Communication Port Access
Security Challenges
• Some network protocols don’t have their own exit points and can’t be protected in the same way
• These protocols include SSH, SFTP, SMTP and others
• IT teams may also wish to control communication access in a way network or other types of exit points cannot (for example, by port number)
How Exit Points Can Help
• IBM provides socket exit points (QIBM_QSO_ACCEPT, QIBM_QSO_CONNECT and QIBM_QSO_LISTEN)
• Socket exit programs secure connections by specific port and/or IP address
• Socket exit programs have limits: they see connection-level details such as ports and addresses, not the application-level user or operation, so fewer parameters are available to control an inbound connection
• Socket exit points paired with the other types of exit point access control provide stronger protection than either alone
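The allow/deny logic that slides 4 to 6 describe, as an added example in Python (it is not code from the deck or from Syncsort). On the system this logic would sit in a CL, RPG or C program registered on an exit point with ADDEXITPGM; the program would read the request structure defined by that exit point’s format and set its return field. The Request fields, the exit point and operation labels, the rule set, the addresses and the sample traffic below are all constructed for illustration. The model applies ordered first-match rules over user, operation, source network, port and time of day, denies anything unmatched, and records every decision so the log can feed monitoring:

```python
"""Rule logic of an IBM i network/socket exit program, modelled in Python.

Added example, not code from the original deck or from Syncsort. All field
names, labels, addresses and rules are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"   # a real exit sets the return field its format defines


@dataclass(frozen=True)
class Request:
    """Simplified view of what a network or socket exit point passes in."""
    exit_point: str             # hypothetical labels: "FTP", "ODBC", "SOCKET"
    user: str                   # user profile of the requesting job
    operation: str              # hypothetical labels: "SEND_FILE", "RCMD", "ACCEPT"
    remote_ip: str
    when: datetime              # local job time
    port: Optional[int] = None  # only socket exits see the port


def in_window(t: time, start: time, end: time) -> bool:
    """Time-of-day window, start inclusive, end exclusive; may cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass(frozen=True)
class Rule:
    """An empty criterion matches anything; every non-empty criterion must match."""
    action: str
    exit_points: Tuple[str, ...] = ()
    users: Tuple[str, ...] = ()
    operations: Tuple[str, ...] = ()
    networks: Tuple[str, ...] = ()              # CIDR blocks
    ports: Tuple[int, ...] = ()
    window: Optional[Tuple[time, time]] = None
    alert: bool = False                         # raise an alert when this rule decides

    def matches(self, r: Request) -> bool:
        if self.exit_points and r.exit_point not in self.exit_points:
            return False
        if self.users and r.user not in self.users:
            return False
        if self.operations and r.operation not in self.operations:
            return False
        if self.ports and r.port not in self.ports:
            return False
        if self.networks and not any(ip_address(r.remote_ip) in ip_network(n)
                                     for n in self.networks):
            return False
        if self.window and not in_window(r.when.time(), *self.window):
            return False
        return True


class ExitPolicy:
    """Ordered first-match rules; anything unmatched is denied and alerted."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.audit: List[Dict] = []     # every decision is recorded, allowed or not

    def decide(self, r: Request) -> str:
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(r):
                return self._record(r, rule.action, f"rule {n}", rule.alert)
        return self._record(r, DENY, "default deny", alert=True)

    def _record(self, r: Request, action: str, reason: str, alert: bool) -> str:
        self.audit.append({
            "time": r.when.isoformat(timespec="minutes"), "exit_point": r.exit_point,
            "user": r.user, "operation": r.operation, "ip": r.remote_ip,
            "port": r.port, "decision": action, "reason": reason, "alert": alert,
        })
        return action


BUSINESS_HOURS = (time(7, 0), time(19, 0))
ADMIN_NET, CAMPUS_NET = "10.1.0.0/24", "10.1.0.0/16"   # constructed addresses

# Constructed rule set; order matters because the first matching rule decides.
RULES = [
    # Remote command execution: only the operator profile, only from the admin subnet ...
    Rule(ALLOW, exit_points=("FTP", "ODBC"), users=("SYSOPR",),
         operations=("RCMD",), networks=(ADMIN_NET,)),
    # ... every other remote command attempt is denied and raises an alert.
    Rule(DENY, operations=("RCMD",), alert=True),
    # Application file transfers: one profile, campus addresses, business hours only.
    Rule(ALLOW, exit_points=("FTP",), users=("APPUSER",),
         operations=("SEND_FILE", "RECEIVE_FILE"), networks=(CAMPUS_NET,),
         window=BUSINESS_HOURS),
    # Socket level: an inbound SSH connection (port 22) is accepted from the admin subnet only.
    Rule(ALLOW, exit_points=("SOCKET",), operations=("ACCEPT",), ports=(22,),
         networks=(ADMIN_NET,)),
]

if __name__ == "__main__":
    policy = ExitPolicy(RULES)
    t = datetime(2024, 3, 5, 10, 0)      # constructed weekday morning
    for req in (Request("FTP", "APPUSER", "SEND_FILE", "10.1.2.3", t),
                Request("FTP", "APPUSER", "SEND_FILE", "10.1.2.3", t.replace(hour=2)),
                Request("FTP", "QSECOFR", "RCMD", "203.0.113.5", t),
                Request("SOCKET", "SSHD", "ACCEPT", "198.51.100.7", t, port=22)):
        print(policy.decide(req), req.user, req.operation, req.remote_ip)
    print([e for e in policy.audit if e["alert"]])
```

The socket rule carries no user criterion on purpose: at the accept stage the exit only knows the port and the remote address, which is the limitation slide 6 notes, so the application-level rules above it are what actually bind an operation to a user profile.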
7. Securing Database Access
Security Challenges
• Object-level security only goes so far in controlling access to sensitive data
• Open-source languages, runtimes and data formats that access the database create particular exposure: Node.js, Python, Ruby, JSON-based interfaces and others
• These open-source interfaces have no exit points of their own
• Without properly securing database access, data could be viewed or changed without proper authorization, or even stolen
How Exit Points Can Help
• A powerful exit point, Open Database File (QIBM_QDB_OPEN), allows exit programs that protect data regardless of the interface used to reach it
• The exit program is invoked whenever a physical file, logical file, SQL table or SQL view is opened
• The exit program can contain a granular set of rules that control under what conditions the file can be accessed and by whom
• The exit program can also be defined to audit all activity
• Because this exit fires on every database file open in every job, the exit program must be fast and must itself be protected from modification; it sees the open (object, job, open mode), not individual rows or columns
8. Securing Command Access
Security Challenges
• The incorrect use of commands by users can cause considerable damage (deleting files, ending processes, or worse)
• Access to commands can be controlled to some extent through user profiles and object-level security
• A more refined approach to command control is often required, especially for powerful profiles
How Exit Points Can Help
• IBM i provides exit points that cover the use of commands: QIBM_QCA_CHG_COMMAND, whose exit program can reject or alter a command before it runs, and QIBM_QCA_RTV_COMMAND, whose exit program can only observe it
• Exit programs can be developed to allow or disallow any command under very specific circumstances (who, from where, with which parameters); command exit programs are registered per command
• Command control applies no matter how the command reaches the system: from an interactive session, a batch job, or a network interface such as FTP RCMD or QCMDEXC over ODBC
• Command exit programs do not replace object-level security; they run in addition to it and add a very useful layer for users whose authorities would otherwise let them do anything
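The kind of decision a command exit program makes, as an added example in Python (not code from the deck or from Syncsort). A real implementation would be a program registered on the command exit point for each command it guards, reading the command string the exit passes in. The CL parser, the CmdContext labels, the library and profile names and the sample commands are constructed for illustration. The point the example adds to the slide is that the decision depends on the parameters and on where the command came from: the same DLTF is allowed for an operator at a local session and denied for the same operator when it arrives over a network interface, and a command the exit cannot parse is denied rather than passed through:

```python
"""Decision logic of an IBM i command exit program, modelled in Python.

Added example, not code from the original deck or from Syncsort. Parser,
context labels, library names, profiles and rules are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALLOW, DENY = "ALLOW", "DENY"

PRODUCTION_LIBS = {"PRODLIB", "PRODDTA"}          # constructed library names
ADMINS = {"SYSOPR"}                               # constructed operator profile
DESTRUCTIVE = {"DLTF", "CLRPFM", "RMVM", "DLTLIB"}
DANGEROUS_SPCAUT = {"*ALLOBJ", "*SECADM"}

AUDIT: List[Dict] = []   # every decision is logged, allowed or not


@dataclass(frozen=True)
class CmdContext:
    user: str     # user profile running the command
    source: str   # hypothetical labels: "INTERACTIVE", "BATCH", "NETWORK"


def parse_cl(cmd: str) -> Tuple[str, Dict[str, str]]:
    """Split 'LIB/CMD KWD(value) KWD2(value)' into (CMD, {KWD: value}).

    Handles nested parentheses and quoted strings. Positional parameters are
    rejected so that a rule can never be bypassed by an argument the exit did
    not parse.
    """
    s = cmd.strip()
    i = 0
    while i < len(s) and not s[i].isspace():
        i += 1
    name = s[:i].upper().split("/")[-1]           # drop a library qualifier
    params: Dict[str, str] = {}
    while i < len(s):
        while i < len(s) and s[i].isspace():
            i += 1
        if i == len(s):
            break
        j = s.find("(", i)
        if j < 0 or any(ch.isspace() for ch in s[i:j]):
            raise ValueError(f"positional or malformed parameter near {s[i:]!r}")
        kwd = s[i:j].upper()
        depth, quoted, k = 0, False, j
        while k < len(s):
            c = s[k]
            if c == "'":
                quoted = not quoted
            elif not quoted and c == "(":
                depth += 1
            elif not quoted and c == ")":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in command string")
        params[kwd] = s[j + 1:k].strip()
        i = k + 1
    return name, params


def target_library(name: str, params: Dict[str, str]) -> str:
    """Library a destructive command acts on, or '*LIBL' when unqualified."""
    if name == "DLTLIB":
        return params.get("LIB", "").upper()
    obj = params.get("FILE", "").upper()
    return obj.split("/")[0] if "/" in obj else "*LIBL"


def _record(cmd: str, ctx: CmdContext, decision: str, reason: str) -> Tuple[str, str]:
    AUDIT.append({"user": ctx.user, "source": ctx.source, "command": cmd,
                  "decision": decision, "reason": reason})
    return decision, reason


def decide(cmd: str, ctx: CmdContext) -> Tuple[str, str]:
    """Return (ALLOW|DENY, reason); anything the exit cannot parse is denied."""
    try:
        name, params = parse_cl(cmd)
    except ValueError as exc:
        return _record(cmd, ctx, DENY, f"unparseable command: {exc}")

    decision, reason = ALLOW, "no rule matched"
    # Powerful actions are reserved for operators working from a local session,
    # so the same profile is refused when the command arrives over the network.
    privileged_here = ctx.user in ADMINS and ctx.source == "INTERACTIVE"

    if name in DESTRUCTIVE and target_library(name, params) in PRODUCTION_LIBS:
        if not privileged_here:
            decision, reason = DENY, f"{name} against a production library"
    elif name == "PWRDWNSYS" or (name == "ENDSBS" and params.get("SBS", "").upper() == "*ALL"):
        if not privileged_here:
            decision, reason = DENY, f"{name} restricted to operators at a local session"
    elif name in {"CHGUSRPRF", "CRTUSRPRF"}:
        granted = set(params.get("SPCAUT", "").upper().split()) & DANGEROUS_SPCAUT
        if granted and ctx.user not in ADMINS:
            decision, reason = DENY, f"grants special authority {sorted(granted)}"
    return _record(cmd, ctx, decision, reason)


if __name__ == "__main__":
    for cmd, ctx in (("DLTF FILE(PRODLIB/CUSTMAST)", CmdContext("APPUSER", "INTERACTIVE")),
                     ("QSYS/DLTF FILE(PRODLIB/CUSTMAST)", CmdContext("SYSOPR", "INTERACTIVE")),
                     ("DLTF FILE(PRODLIB/CUSTMAST)", CmdContext("SYSOPR", "NETWORK")),
                     ("CHGUSRPRF USRPRF(APPUSER) SPCAUT(*ALLOBJ)", CmdContext("APPUSER", "BATCH"))):
        print(decide(cmd, ctx), ctx.user, ctx.source, cmd)
```

Because the command exit is registered per command, a deployment of this logic registers the exit program on each command in DESTRUCTIVE and on PWRDWNSYS, ENDSBS, CHGUSRPRF and CRTUSRPRF separately; a command that is not registered never reaches the program.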
9. Tradeoffs
Do-It-Yourself In-House
• Resources may be stretched and pulled off the project
• May need to bring in consultants or hire a new employee because of lack of knowledge
• Need to stay on top of new PTFs and OS updates, which can change exit point formats or add new access paths
• The knowledgeable resource may leave or retire
Third-Party Solutions
• Frees up your resources for more important projects
• Provides separation of duties
• Leverages experts in the field
• Vendor is in the business of releasing updated software
• Vendors ensure exit programs stay current with the latest threats and OS capabilities
• Ensures optimal performance of exit programs
11. Syncsort Security addresses the issues on every CISO and system admin’s radar screen
Sensitive Data Protection: Protecting the privacy of sensitive data by ensuring that it cannot be read by unauthorized persons, using encryption, tokenization and secure file transfer
Intrusion Detection/Prevention: Ensuring comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Security & Compliance Assessments: Assessing your security risks or regulatory compliance
Auditing and Monitoring: Gaining visibility into all security activity on your IBM i and optionally feeding it to an enterprise console
12. Syncsort Security Solutions
Syncsort Access Control: Cilasoft CONTROLER; Enforcive Enterprise Security Suite (for IBM i and for AIX)
• Syncsort security solutions can take control of all access points
• Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.)
• Communication port access (using ports, IP addresses and sockets; covers SSH, SFTP, SMTP, etc.)
• Database access (open-source interfaces: JSON-based APIs, Node.js, Python, Ruby, etc.)
• Command access
• Intuitive, powerful access control
• Easy to use graphical interface
• Powerful, flexible rules for controlling access
• Provides alerts, produces reports and integrates with SIEM consoles
• Low impact on system performance
• Benefits
• Reduces time and energy to maintain compliance
• Stops fraudulent activity
• Alerts you to security incidents
• Encourages best practices
13. The Syncsort Services Team Is Here for You
Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (for hot fixes, PTFs, new releases, etc.)
• System update services (ensuring the security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage Syncsort’s team of seasoned security experts!