Volume 7, Number 34 -- September 11, 2007

Bsafe Puts a Smack Down on Rogue IP Traffic

Published: September 11, 2007

by Alex Woodie

Earlier this month, Bsafe Information Systems introduced a new security product that provides IP packet filtering for System i servers. Called IP Packet Lockdown, the new product gives users more control over exactly which IP addresses, and through which ports, are allowed access to the system. The new product will provide another layer of security, especially when coupled with i5/OS's exit-point security.

IP packet filtering is a security technique that is often used inside firewalls to block unwanted Internet traffic. It's a platform-neutral technology that doesn't have anything to do specifically with the System i server, but it can be as useful in protecting System i servers as any other server. IBM offers IP packet filtering as one of the configurable options through iSeries Navigator, but it hasn't been adopted much by third-party security software vendors, who have been more focused on technologies that are specific to OS/400 and i5/OS, namely exit points.

While IP packet filtering is relatively unknown in the System i world, being relegated to the "network guys," Bsafe doesn't see any reason why IP packet filtering shouldn't be implemented and controlled with the same security software used to lock down the most sensitive server in System i shops--the System i itself. To that end, Bsafe launched IP Packet Lockdown, which functions as an add-on to Bsafe's flagship product, Bsafe/Enterprise Security.

IP Packet Lockdown controls Internet traffic through a series of granular rules governing exactly how Internet traffic will be allowed onto the System i server, as well as how Internet traffic will be allowed to depart. The main parameters used to configure the rules are source IP address and port, and destination IP address and port. If the address and port do not match what is allowed, IP Packet Lockdown blocks the data before it even reaches the port. As such, it functions largely above the operating system.

Bsafe tried to simplify the IP packet filtering configuration process by allowing rules to be set up for ranges of IP addresses and ports. IP addresses and ranges can also be augmented with descriptions like "Bob's PC" or "main building," which makes it easier for administrators to recognize specific resources. After all, keeping track of hundreds or thousands of long IP addresses and what they represent can be a mind-numbing task.

IP Packet Lockdown executes rules in numerical order, which means the most general rules should be listed first, followed by the more specific, restrictive rules. Rules can be enabled or disabled at any time. The software also logs all IP activity for later analysis through Bsafe/Enterprise Security Manager's Windows-based GUI client or the product's native green-screen interface. The data can also be off-loaded to Bsafe's Cross-Platform Audit (CPA) product, which combines security information from various platforms, including i5/OS, mainframe, Windows, AIX, and Linux, for more detailed analysis.
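The following is an added illustration of numbered, range-based rules evaluated in order; it is not Bsafe's code or configuration syntax, and the `Rule` fields, the `evaluate` function, and the sample addresses are constructed for this example. The article does not say whether the first or the last matching rule decides, so both are modelled to show how much the recommended ordering depends on that; only source address range and destination port are matched, to keep it short.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    number: int          # rules are evaluated in ascending numerical order
    action: str          # "PERMIT" or "DENY"
    src_first: str       # first address of the source range
    src_last: str        # last address of the source range
    ports: range         # destination port range
    label: str = ""      # human-readable description, e.g. "Bob's PC"
    enabled: bool = True # disabled rules are skipped

    def matches(self, src_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        lo = ipaddress.ip_address(self.src_first)
        hi = ipaddress.ip_address(self.src_last)
        return self.enabled and lo <= ip <= hi and dst_port in self.ports

def evaluate(rules, src_ip, dst_port, semantics="last"):
    """Return (action, rule_number); no matching rule means DENY with rule None.

    semantics="last":  the last matching rule in numerical order decides
    semantics="first": the first matching rule decides (assumed alternatives)
    """
    hits = [r for r in sorted(rules, key=lambda r: r.number)
            if r.matches(src_ip, dst_port)]
    if not hits:
        return ("DENY", None)
    decided = hits[-1] if semantics == "last" else hits[0]
    return (decided.action, decided.number)

# Constructed rule set for Telnet (port 23), ordered general-first.
TELNET = range(23, 24)
RULES = [
    Rule(10, "DENY", "0.0.0.0", "255.255.255.255", TELNET, "everyone"),
    Rule(20, "PERMIT", "10.1.0.0", "10.1.0.255", TELNET, "main building"),
    Rule(30, "DENY", "10.1.0.57", "10.1.0.57", TELNET, "Bob's PC"),
]

if __name__ == "__main__":
    for src in ("10.1.0.12", "10.1.0.57", "192.0.2.9"):
        for sem in ("last", "first"):
            print(src, sem, evaluate(RULES, src, 23, sem))
```

Under last-match evaluation the general-first list behaves as intended, while under first-match evaluation rule 10 shadows rules 20 and 30, so confirm the engine's match behaviour before relying on an ordering.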

IP packet filtering can provide a valuable service to System i shops, even those that have invested in other forms of network security protection, such as object-level security and exit-point security. When requests arrive via generic user profiles, such as QTCP, it can be difficult to determine the exact nature of the request. In these cases, tracing the actual source of the network request, such as through IP packet filtering, can be very useful in determining whether a user request is legitimate or poses a security threat.

Of course, because it lacks detailed information about the request, such as the user name of the requestor, IP packet filtering is limited in its usefulness. But in combination with other forms of protection, it can be very useful.

"It is a first-level of defense," says Bsafe spokesman Neil Leigh. "IP packet filtering is done at a different phase of the request's path to its destination, when compared to exit points. It is intercepted the moment the request arrives at the System i port, before the OS/400-specific information is known." Similarly, if it is an outgoing request, it is intercepted just before being transmitted to the port.

The combination of packet filtering and exit point protection makes Bsafe/Enterprise Security stronger, says Shimon Bouganim, Bsafe's CEO. "With Bsafe's new IP Packet Lockdown, we are the only company providing double protection and double auditing in one package," he says.

IP Packet Lockdown is available now. The product requires Bsafe/Enterprise Security version 5.5.2 or higher. Pricing ranges from $2,000 to $10,000. For more information, visit www.bsafesolutions.com.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
