Guild Companies, Inc.  
Midrange Stuff - Hardware, Software & Services
OS/400 Edition
Volume 2, Number 13 -- April 2, 2002

Kisco Douses Security Concerns at Seagrave Fire Apparatus

by Robert Gast

Seagrave Fire Apparatus began building its reputation making horse-drawn equipment for Midwestern fire departments. The company, with a history dating back to 1881, now builds fire trucks and emergency vehicles for organizations around the world. Things are very busy at Seagrave these days, and there is no room for downtime. Craftsmen at the company's Clintonville, Wisconsin, headquarters are working continuously to get 54 new fire trucks out the door and into service for the New York City Fire Department.

Under normal circumstances, production time for a single fire truck is seven to 12 months. However, in response to New York City's urgent need following the loss of fire trucks in the Sept. 11 terrorist attacks, Seagrave welders, painters, plumbers, electrical technicians, and assemblers have cut that time to 120 days per vehicle. Life and property hang in the balance.

Warning! IT Red Lights and Sirens

Seagrave cannot afford to have problems with its ERP and financial software applications. (We can't name a company that can!) Problems caused by tampering with its Friedman Frontier applications or data could ripple through the whole manufacturing process and delay delivery.

"We don't need distractions right now," says Jim Merdan, Seagrave's information systems director. "We needed a product to protect our product, which is our data."

Merdan, an experienced AS/400 technician who joined the company in 1988, became concerned when he noticed that a few employees with access to the AS/400 Model 730 through Client Access were attempting to reach restricted information. Most violations were illegal accesses to the system using Network Neighborhood from Windows 98/2000 desktops. By Merdan's estimate, Seagrave had about 180 user sessions running on the AS/400 on any given workday.

Merdan believed that making changes to OS/400 security would not be beneficial. Users were already required to sign on to the menu-driven system with a password and user ID, and were individually limited, at the file level, to what they could access.

An Invitation for Mischief

After some research and investigation, Merdan learned that client/server programs like Client Access have created significant security challenges for midrange-system security managers. Some client/server functions can bypass the traditional menu- and application-level OS/400 security checks unless the shop fully implements object-level security, which can make the system difficult to use.

Seagrave's OS/400 security is set at level 30, and Merdan was not in favor of making it more difficult for authorized users to do their work. He realized, however, that without object-level security, employees could use a PC-based database tool such as Microsoft Access to easily access, update, or delete any data file on an AS/400.

At the heart of this dilemma are exit points. In OS/400, exit points are defined hooks in system functions (such as the servers that handle client/server requests) where an administrator can register a program; the system calls that program when the function runs, and it can override the default behavior. Exit points can be used to call programs, to block access to programs, and to perform other functions such as capturing passwords. In early versions of OS/400, there were about 30 exit points. Now there are hundreds.

To solve the problem, Merdan wrote his own exit-point routines that successfully blocked unwelcome activity. Although his solution was satisfactory, Merdan found that maintaining these programs was time-consuming and a chore. Whenever a new operating system or application program release that included client/server functions became available, Merdan had to modify his exit-point programs.

"IBM said I could recompile my programs and they would go active," Merdan says. "But I realized that I also had to bring down the whole subsystem, which involved a lot more off-hours time. I wrote a couple CL [programs] where you could just modify a data area, but as things got busier, it got unmanageable."

A more comprehensive solution was needed.

Putting Out an IT Fire

Merdan knew of several third-party AS/400 audit/security software utilities that extended beyond the tools offered in OS/400 and detected security holes. He said he wanted a solution that would not change or affect any existing native OS/400 security settings. And, for obvious reasons, he wanted something that was easy to implement and maintain.

He did the required homework, and after reviewing the product literature and specifications of several offerings, Merdan chose to take a closer look at SafeNet/400, from Kisco Information Systems. "I decided to take a look at their product because they have developed a good name in the industry and their feature set fit my requirements," he says.

Merdan ordered the free trial offered by Kisco to assess the software's ability to close the holes created by the non-twinax desktops and open exit points. Following a smooth installation during a regularly scheduled IPL, Merdan fired up the logging-only feature of SafeNet/400.

"I ran it for a week to get a picture of who was accessing the system through network connections and what objects they were trying to gain access to," Merdan says. "There seemed to be a lot of interest in system-related files. We also took a look at what exit points were being used."

With that information in hand, he decided to lock down server functions on the AS/400 using SafeNet/400 Access Controls. At Seagrave, SafeNet/400 controls more than 40 servers, and each server can be configured in a variety of ways, including allowing no restrictions, just logging, restricted by user, restricted by user and object, or disabled. Merdan reviewed each user's access requirements and created rules for them within SafeNet/400.

Merdan says that within two weeks he realized the security problems were being correctly identified and resolved. Now, when an access violation is detected, the illegal access attempt is rejected. The user receives a message stating that the operation has been blocked, and the user profile is sent to a security officer. If an access denial was made inadvertently, the rules can be updated immediately.
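The per-server modes listed above (no restrictions, logging only, restricted by user, restricted by user and object, disabled), the logging-only review Merdan ran first, and the reject-and-alert flow on a violation can be modelled in a few dozen lines. The following is an added example written for this article, not Kisco's SafeNet/400 code or Merdan's exit programs; the server names, user profiles, objects and rules are constructed, and the '1'/'0' result mirrors the accept/reject return code that OS/400 server exit programs pass back (assumed here for illustration).

```python
# Constructed model of per-server exit-point access control (not SafeNet/400 code).
from collections import defaultdict

# The five per-server modes the article lists.
NO_RESTRICTIONS, LOG_ONLY, BY_USER, BY_USER_AND_OBJECT, DISABLED = range(5)

class ExitPointPolicy:
    """Decides whether a client/server request is accepted ('1') or rejected ('0')."""

    def __init__(self, server_modes, user_rules, object_rules):
        self.server_modes = server_modes   # server name -> mode
        self.user_rules = user_rules       # server name -> set of allowed user profiles
        self.object_rules = object_rules   # (server, user) -> set of "LIB/OBJ" or "LIB/*"
        self.log = []                      # (user, server, obj, accepted) for every logged request
        self.alerts = []                   # rejected requests, for the security officer

    def _object_allowed(self, server, user, obj):
        lib = obj.split("/")[0]
        allowed = self.object_rules.get((server, user), set())
        return obj in allowed or f"{lib}/*" in allowed

    def evaluate(self, user, server, obj):
        mode = self.server_modes.get(server, NO_RESTRICTIONS)
        if mode == DISABLED:                              # server switched off entirely
            accepted = False
        elif mode in (NO_RESTRICTIONS, LOG_ONLY):         # never blocks; LOG_ONLY records the request
            accepted = True
        elif user not in self.user_rules.get(server, set()):
            accepted = False
        elif mode == BY_USER_AND_OBJECT:
            accepted = self._object_allowed(server, user, obj)
        else:                                             # BY_USER, and the user is on the list
            accepted = True
        if mode != NO_RESTRICTIONS:
            self.log.append((user, server, obj, accepted))
        if not accepted:
            self.alerts.append((user, server, obj))       # what the security officer is told
        return "1" if accepted else "0"

def review(log):
    """Logging-only review: which users reached which objects through which server."""
    seen = defaultdict(set)
    for user, server, obj, _ in log:
        seen[(user, server)].add(obj)
    return dict(seen)

# Constructed sample configuration and a handful of sample requests.
POLICY = ExitPointPolicy(
    server_modes={"*FILESRV": BY_USER_AND_OBJECT, "*SQL": BY_USER, "*DDM": LOG_ONLY, "*RMTCMD": DISABLED},
    user_rules={"*FILESRV": {"JMERDAN", "PROD01"}, "*SQL": {"JMERDAN"}},
    object_rules={("*FILESRV", "PROD01"): {"PRODLIB/*"}, ("*FILESRV", "JMERDAN"): {"PRODLIB/*", "QSYS/QSYSDTA"}},
)
SAMPLE = [("PROD01", "*FILESRV", "PRODLIB/ORDERS"), ("PROD01", "*FILESRV", "QSYS/QSYSDTA"),
          ("GUEST", "*SQL", "PRODLIB/ORDERS"), ("JMERDAN", "*DDM", "PRODLIB/ORDERS"),
          ("PROD01", "*RMTCMD", "QSYS/CMD")]

def run_sample():
    return [POLICY.evaluate(*request) for request in SAMPLE]
```

The second request is rejected by the object rule, the third by the user rule, and the last by the disabled server; the *DDM request is accepted but still lands in the log for the review.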

Keeping Things Cool

When it comes to maintenance, Merdan says new operating system or application-program updates will still require changes to the SafeNet/400 rules. He noted an instance when a new release of Seagrave's ERP software had some client/server applications that needed access to some exit points that Merdan had blocked.

Seagrave's AS/400 is not accessible by dealers or the public. In the future, Merdan plans to implement TCP/IP to support internal Client Access sessions. According to Merdan, this modification does not worry him, because SafeNet/400 has "the capability to monitor and limit those activities."

Bob Gast is a freelance writer with several years of experience in covering information technology. He can be reached via e-mail at


  Last Updated: 4/1/02
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.