Kisco Douses Security Concerns at Seagrave Fire Apparatus
by Robert Gast
Seagrave Fire Apparatus began building its
reputation making horse-drawn equipment for Midwestern fire departments. The company, with a history
dating back to 1881, now builds fire trucks and emergency vehicles for organizations around the world. Things are very busy at Seagrave these days, and there is no occasion for down time. Craftsmen at the
company's Clintonville, Wisconsin, headquarters are working continuously to get 54 new fire trucks out the
door and into service for the New
York City Fire Department.
Under normal circumstances, production time for a single fire truck is
seven to 12 months. However, in response to New York City's urgent need following the loss of fire trucks
in the Sept. 11 terrorist attacks, Seagrave welders, painters, plumbers, electrical technicians, and assemblers
have cut that time to 120 days per vehicle. Life and property hang in the balance.
Warning! IT Red Lights and Sirens
Seagrave cannot afford to have problems with its ERP and financial software applications. (We can't give
you the name of a company who can!) Problems caused by tampering with its Freidman Frontier applications or data could ripple through the
whole manufacturing process and delay delivery.
"We don't need distractions right now," says Jim Merdan, Seagrave's information systems director. "We
needed a product to protect our product, which is our data."
Merdan, an experienced AS/400 technician who joined the company in 1988, became concerned when he
noticed that a few employees with access to the AS/400 Model 730 through Client Access were attempting
to reach restricted information. Most violations were defined as illegal accesses to the system using
Network Neighborhood from Windows 98/2000 desktops. According to Merdan's estimations, Seagrave
had about 180 user sessions running on the AS/400 on any given workday.
Merdan believed that making changes to OS/400 security would not be beneficial. Users were already
required to sign on to the menu-driven system with a password and user ID, and were individually limited,
at the file level, to what they could access.
An Invitation for Mischief
After some research and investigation, Merdan learned that client/server programs like Client Access have
created significant security challenges for midrange-system security managers. Some client/server
functions can bypass traditional OS/400 security checks unless users fully implement object-level security,
which can make the system difficult to use.
Seagrave's OS/400 security is set at level 30, and Merdan was not in favor of making it more difficult for
authorized users to do their work. He realized, however, that without object-level security, employees could
use a PC-based database tool such as Microsoft
Access to easily access, update, or delete any data file on an AS/400.
At the heart of this dilemma are exit points. In OS/400, exit points are instances in which users can register
and insert programs and override default application functions. Exit points can be used to call programs, to
block access to programs, and to perform other functions such as capturing passwords. In early versions of
OS/400, there were about 30 exit points. Now there are hundreds.
To solve the problem, Merdan wrote his own exit-point routines that successfully blocked unwelcome
activity. Although his solution was satisfactory, Merdan found that maintaining these programs was time-
consuming and a chore. Whenever a new operating system or application program release that included
client/server functions became available, Merdan had to modify his exit-point programs.
"IBM said I could recompile my programs and they would go active," Merdan says. "But I realized that I
also had to bring down the whole subsystem, which involved a lot more off-hours time. I wrote a couple
CL [programs] where you could just modify a data area, but as things got busier, it got unmanageable."
A more comprehensive solution was needed.
Putting Out an IT Fire
Merdan knew of several third-party AS/400 audit/security software utilities that extended beyond the tools
offered in OS/400 and detected security holes. He said he wanted a solution that would not change or affect
any existing native OS/400 security settings. And, for obvious reasons, he wanted something that was easy
to implement and maintain.
He did the required homework, and after reviewing the product literature and specifications of several
offerings, Merdan chose to take a closer look at SafeNet/400, from
Kisco Information Systems. "I decided to take a look at
their product because they have developed a good name in the industry and their feature set fit my
requirements," he says.
Merdan ordered the free trial offered by Kisco to assess the software's ability to close the holes created by
the non-twinax desktops and open exit points. Following a smooth installation during a regularly scheduled
IPL, Merdan fired up the logging-only feature of SafeNet/400.
"I ran it for a week to get a picture of who was accessing the system through network connections and what
objects they were trying to gain access to," Merdan says. "There seemed to be a lot of interest in system-
related files. We also took a look at what exit points were being used."
With that information in hand, he decided to lock down server functions on the AS/400 using SafeNet/400
Access Controls. At Seagrave, SafeNet/400 controls more than 40 servers, and each server can be
configured in a variety of ways, including allowing no restrictions, just logging, restricted by user,
restricted by user and object, or disabled. Merdan reviewed each user's access requirements and created
rules for them within SafeNet/400.
Merdan says that within two weeks he realized the security problems were being correctly identified and
resolved. Now, when an access violation is detected, the illegal access attempt is rejected. The user receives
a message stating that the operation has been blocked, and the user profile is sent to a security officer. If an
access denial was made inadvertently, the rules can be updated immediately.
Keeping Things Cool
When it comes to maintenance, Merdan says new operating systems or application-program updates will
require changes to SafeNet/400. He noted an instance when a new release of Seagrave's ERP software had
some client/server applications that needed access to some exit points that Merdan had blocked.
Seagrave's AS/400 is not accessible by dealers or the public. In the future, Merdan plans to implement
TCP/IP to support internal Client Access sessions. According to Merdan, this modification does not worry
him, because SafeNet/400 has "the capability to monitor and limit those activities."
Bob Gast is a freelance writer with several years of experience in covering information technology. He
can be reached via e-mail at firstname.lastname@example.org.