PentaSafe Allows "What If?" Testing for OS/400 Security

by Alex Woodie

The key to PSSecure's new "What If" mode is the ability to apply new remote access security rules against a company's actual transactions in a test environment. In prior releases of the software, says PentaSafe, its programs shipped with a set of canned transactions that often didn't provide a good barometer of how actual data would behave with the new rules.

The new feature works by creating a duplicate set of transactions, what the utility calls "What If" entries, using production data. Going into the "What If" menu, the security administrator can then change the remote access security settings governing that data (such as applying safeguards to FTP transactions) and those changes won't affect the live data.

PSSecure produces a series of reports that tell the administrator how the changes would affect the transactions passage in the production environment. When the administrator is happy with the changes, the secured entries are replaced with the tested "What If" entries, and the tested rules go into production. At the same time, the software makes a backup copy of the secured changes, allowing the changes to be undone at a later date.

"There isn't another OS/400 security utility on the market with this type of capability," says Steve Martinson, PentaSafe's product manager for OS/400 software. "I happen to be a former customer [of PentaSafe]," he said. Applying security rule changes used to be "a big, onerous task," he said. "It was kind of scary."

Those days are over. "Now they can tweak it all day long, and if they mess it up, it doesn't affect anything," Martinson said. "It's a way to go in and test changes without affecting the actual security environment."

This new release should also encourage users to keep their iSeries systems in the secured mode under PSSecure, he said. Previously, users were reluctant to move their systems out of the data collection mode and into the secure mode because of fears that transactions would be rejected by PSSecure.

There were several other enhancements added to PSSecure, including the capability to configure remote servers individually and the ability to control server access by TCP/IP address as well as SNA device names. Other enhancements include specification of object level security for any file system apart from OS/400 resource security; control of read, write, manage, and execute authority for objects or entire directory trees; and control of uploads and downloads via predefined PentaSafe research groups.

Last week's VSA for iSeries announcement also included new releases and enhancements to PSAudit and PSDetect.

PSAudit 5.4 features new baseline capabilities that give security administrators 11 new reports designed to provide greater insight into how object authorities and user resources are being utilized. Administrators are able to call on reports that show current resource allocations and how they compare to rules and exceptions set by the administrator for areas including job descriptions, user profiles, directories, folders, and libraries. Other new reports log network transactions by date/time, user, function, server, and incoming source address. Lastly, a new iSeries Management Summary Report uses a red-yellow-green scorecard system to show whether certain areas are in compliance with predefined rules.

PSDetect 2.2 now allows the utility to work with Simple Network Management Protocol management consoles. The utility is able to send SNMP traps to any SNMP management consoles that are able to receive SNMP traps, such as those from Tivoli and Computer Associates. This new feature enables companies to configure PSDetect to send alerts to SNMP management consoles.

VSA for iSeries components can be deployed with or without the VigilEnt Security Manager, PentaSafe's Windows-based central security console. VSM serves as the hub for PentaSafe's growing stable of agents for a variety of products, which, at this writing, includes Linux on iSeries, Windows 2000/NT, various Unix implementations, Novell NetWare, and a host of database management systems, Web application servers, applications, and firewalls.

PSSecure, PSAudit, and PSDetect are available separately or packaged together in VSA for iSeries at a discount. Starting April 1, PSPasswordManager, which allows OS/400 administrators to view and control their users' weak and easily guessed passwords, will also be included in the suite.

Pricing for VSA for iSeries is tier-based and starts at about $9,000 for the P05 processor group, which includes a license for 300 users. PentaSafe also offers another bundle including VSM and the VSA for Linux on iSeries for $6,995. VSA for Linux on iSeries by itself goes for $1,995. For more information visit PentaSafe's Web site at www.pentasafe.com.