Bytware Delivers Object-Based Network Security for OS/400
Published: July 18, 2006
by Alex Woodie
Bytware last week unveiled a new release of its OS/400 network security software that replaces traditional transaction-based scanning with object-based scanning. StandGuard Network Security version 3.0 implements the same kind of object-based checking that OS/400 security itself uses to determine whether a user has the necessary authority to access data. The change, Bytware says, will make network security easier to implement and use, and should make iSeries shops feel more comfortable locking down their servers.
StandGuard Network Security is an exit point monitoring tool that complements OS/400 and 5250 security by double-checking iSeries access requests from users and other systems that arrive over the network. Requests coming in through FTP, ODBC, and other network access points bypass the menu- and application-level controls that green-screen (5250) applications rely on; OS/400 object authority still applies to them, but many iSeries shops have chosen to fortify their defenses with network security tools from Bytware and other vendors.
In traditional transaction-oriented exit point tools, the software must "memorize" the SQL statements that are to be allowed. If what a user entered or another program generated doesn't match one of the many thousands of allowable transactions that have been entered into the system, that user or process is denied access, even if the action is above board.
Transaction-based security requires an administrator with SQL skills to manually pore over thousands of transactions (typically SQL statements) to decide which ones should be allowed, says Mike Grant, Bytware's CEO. "Transaction-based security is time-intensive and prone to error," he says. "A big problem with the transaction security model is that any slight change to a previously memorized transaction will result in a mismatch between what has been memorized and what is occurring. This requires constant review and adjustment to keep your access authorities working."
With Network Security version 3.0, Bytware has implemented a new object-based scanning approach that closely mirrors the object-based security system built into OS/400. Instead of capturing and analyzing every permutation of SQL statement that might be encountered, the software breaks the transaction down into the objects being accessed. If a user is cleared to access a given object, such as the payroll file, in a given way, such as via ODBC, then he can reach that file over ODBC with any SQL statement whatsoever. Changes in upper- or lowercase, whitespace, or phrasing do not affect whether access is granted, because all the product is doing is matching users (sources) against libraries, objects, and files (resources).
Bytware's Network Security version 3.0 isn't the first OS/400 network security product to use an object-based approach, but it is one of the first, according to Grant. The software makes use of a new exit point in OS/400 V5R3 that, when registered, reports the objects referenced by every attempt to access iSeries resources, so the product never has to parse the SQL statement that generated the request.
Network Security enables administrators to create private or public authorities by associating a source with a resource. In the product's parlance, a source refers to a user or a location, including individual users, group profiles, supplemental group profiles, a single IP address or a group of them, and the area beyond the DMZ, the "public." Likewise, a resource in Network Security refers to servers, databases, IFS files and directories, libraries, commands, and programs.
Bytware recommends a phased-in approach for implementing Network Security 3.0, to reduce the impact on normal business activity as much as possible. When the product is first installed, it is in listen-only mode as it gathers information about the environment, such as what databases users are accessing, and stores it in a database. During this phase, the product doesn't restrict any activity.
Next comes the trust-based phase, during which the administrator links sources with resources to create private authorities. This blocks the high-risk events but leaves many network services open to public access. During this phase, the administrator builds a security policy that eliminates access for known security risks while causing the least impact on normal business activity.
The exclusion-based security phase is the final step in implementing Network Security 3.0, and results in the tightest security policies. This phase involves mapping sources to legitimate resources to create private authorities that grant users access to the data and objects they will need, and then excluding the public from everything else.
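As an added illustration (not Bytware's code, and not StandGuard Network Security's rule format), the following Python models the contrast drawn in the preceding paragraphs: a transaction allowlist that breaks as soon as a memorized statement changes case, beside an object-based policy that matches sources (user, group profile, IP range, or *PUBLIC) to resources (library and object) per interface, with a library-wide rule overridden by an object-level exception and the three roll-out phases (listen-only, trust-based, exclusion-based). All names, the rule syntax, and the sample requests are invented for this example; the (library, object) list that a real exit point would supply is constructed by hand so that no SQL parsing is involved.

```python
"""Toy model of transaction-based vs object-based exit point policy.

Illustration only: not Bytware's code and not StandGuard's rule format.
Request, Rule, ObjectPolicy and the phase names are invented here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LISTEN, TRUST, EXCLUSION = "LISTEN", "TRUST", "EXCLUSION"  # roll-out phases


@dataclass(frozen=True)
class Request:
    """One network access attempt as an exit program would see it.

    `objects` is the (library, object) list the exit point reports; it is
    constructed by hand here, so the policy never parses the SQL text.
    """
    user: str
    groups: tuple        # group profile plus supplemental group profiles
    ip: str
    interface: str       # e.g. "ODBC", "FTP", "DDM"
    objects: tuple       # ((library, object), ...)
    sql: str = ""        # only the transaction-based model looks at this


# ---- Transaction-based model: memorize the exact allowed statements ---------
class TransactionAllowlist:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def permits(self, req):
        # Any byte that differs (case, whitespace, alias) is a mismatch.
        return (req.user, req.interface, req.sql) in self.allowed


# ---- Object-based model: sources x resources x interface --------------------
@dataclass(frozen=True)
class Rule:
    source: str          # user name, "GRP:<profile>", "IP:<cidr>", or "*PUBLIC"
    library: str         # library name, or "*ALL"
    obj: str             # object name, or "*ALL" for the whole library
    interface: str       # "*ALL" or one specific server
    allow: bool

    def matches_source(self, req):
        if self.source == "*PUBLIC":
            return True
        if self.source.startswith("GRP:"):
            return self.source[4:] in req.groups
        if self.source.startswith("IP:"):
            return ip_address(req.ip) in ip_network(self.source[3:], strict=False)
        return self.source == req.user

    def matches_resource(self, lib, obj):
        return self.library in ("*ALL", lib) and self.obj in ("*ALL", obj)

    def matches_interface(self, req):
        return self.interface in ("*ALL", req.interface)

    def specificity(self):
        # Object-level beats library-level; a named source beats *PUBLIC.
        return (self.obj != "*ALL", self.library != "*ALL",
                self.source != "*PUBLIC", self.interface != "*ALL")


class ObjectPolicy:
    def __init__(self, phase, rules):
        self.phase = phase
        self.rules = list(rules)
        self.log = []    # what listen-only mode collects for later review

    def decide_object(self, req, lib, obj):
        hits = [r for r in self.rules if r.matches_source(req)
                and r.matches_resource(lib, obj) and r.matches_interface(req)]
        if not hits:
            # No rule at all: trust phase leaves the public open, exclusion shuts it.
            return self.phase != EXCLUSION
        best = max(hits, key=Rule.specificity).specificity()
        return all(r.allow for r in hits if r.specificity() == best)  # deny wins ties

    def permits(self, req):
        self.log.append(req)
        if self.phase == LISTEN:
            return True  # record only, never block
        # Every object the request touches must be authorized.
        return all(self.decide_object(req, lib, obj) for lib, obj in req.objects)


# ---- Constructed sample traffic (invented for the example) ------------------
ALICE = Request("ALICE", ("HRUSERS",), "10.1.1.20", "ODBC",
                (("PAYLIB", "PAYROLL"),), "select * from paylib.payroll")
ALICE_UPPER = Request("ALICE", ("HRUSERS",), "10.1.1.20", "ODBC",
                      (("PAYLIB", "PAYROLL"),), "SELECT * FROM PAYLIB.PAYROLL")
ALICE_SAL = Request("ALICE", ("HRUSERS",), "10.1.1.20", "ODBC",
                    (("PAYLIB", "PAYROLL"), ("PAYLIB", "SALARIES")))
BOB_FTP = Request("BOB", (), "192.0.2.9", "FTP", (("PAYLIB", "PAYROLL"),))
BOB_INV = Request("BOB", (), "192.0.2.9", "ODBC", (("INVLIB", "ITEMS"),))

RULES = [
    Rule("GRP:HRUSERS", "PAYLIB", "*ALL", "ODBC", allow=True),       # HR reads PAYLIB over ODBC
    Rule("GRP:HRUSERS", "PAYLIB", "SALARIES", "ODBC", allow=False),  # ...except this one file
    Rule("*PUBLIC", "PAYLIB", "*ALL", "*ALL", allow=False),          # nobody else touches PAYLIB
    Rule("IP:10.1.1.0/24", "INVLIB", "*ALL", "*ALL", allow=True),    # LAN addresses get inventory
]


def transaction_model():
    tx = TransactionAllowlist({("ALICE", "ODBC", "select * from paylib.payroll")})
    return tx.permits(ALICE), tx.permits(ALICE_UPPER)  # case change breaks the match


def object_model(phase):
    pol = ObjectPolicy(phase, RULES)
    return tuple(pol.permits(r) for r in (ALICE, ALICE_UPPER, ALICE_SAL, BOB_FTP, BOB_INV))


if __name__ == "__main__":
    print("transaction:", transaction_model())
    for phase in (LISTEN, TRUST, EXCLUSION):
        print(phase, object_model(phase))
```

Read across the phases: in listen-only mode everything passes and is logged; in the trust phase BOB's FTP access to PAYLIB is denied by the *PUBLIC exclusion while his unruled access to INVLIB still goes through; in the exclusion phase that unruled access is denied too. ALICE's two spellings of the same query are treated identically, and the object-level SALARIES exception overrides the library-wide HR rule because a request is only permitted when every object it touches is authorized.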
As an administrator gains experience with the product, they may find themselves fine-tuning the authorities, the company says. "The importance of an object-based design becomes clear as you manage public and private authorities to OS/400 objects, monitor activity in real-time, and produce audit reports," the company says in a whitepaper on the new release.
Another benefit of object-based security scanning is it keeps the user's security policy centralized. With transaction-based scanning (and previous releases of Bytware's Network Security), an administrator must piece together his organization's security policy by reading through thousands of allowed and excluded SQL statements. With object-based security, an administrator can determine a security policy by viewing the public and private authorities on an object-by-object basis. This approach is more manageable, as a typical user would apply restrictions using Network Security to a handful of objects or libraries, Grant says.
Network Security 3.0 also allows administrators to define policies for a group of objects within a library, and to set exceptions for certain objects, which makes it easier to use than OS/400's security, Grant says.
Because Network Security 3.0 depends on an exit point that exists only in OS/400 V5R3 and V5R4, Bytware continues to maintain the transaction-based Network Security version 2.3 for shops still running OS/400 V5R1 and V5R2.
Bytware offers a list of 21 supported OS/400 exit points, and says it supports all OS/400 exit points, including DDM; SQL/ODBC/JDBC; data queue; two network print exit points; NetServer; SQL; Client Access file transfer; Telnet; FTP client; FTP server; three remote command exit points; three other database exit points; virtual print server; data queue; and sign-on. (In its white paper, Bytware says that competitors may claim to support more exit points, but that the larger counts are misleading: a service such as FTP may have three exit points associated with it, yet only one of them can be in use at a time.)
The software provides both public and private authorities, as well as private network authorities. The product also maintains a series of reports, monitors the QAUDJRN audit journal, and offers real-time alerts via e-mail or pager. A new GUI will be delivered with version 3.1 in the fourth quarter, Grant says.
Network Security 3.0 is available now. Pricing begins at $3,500. For more information and an easily downloaded white paper on the product and object-based exit point security, visit www.bytware.com.