Midrange Stuff, OS/400 Edition

PowerTech Group announced a new release of its OS/400 network security tool yesterday that's designed to be more flexible and easier to use for busy OS/400 systems administrators who don't have the time to become security experts. With PowerLock NetworkSecurity Version 4.7, available next month, the company has delivered several enhancements, including the new Easy Transaction Analyzer, Rule Version Control, and Dynamic Authority Manager features, as well as new port scanning capabilities and support for customized exit points.

The security problems posed by Internet connections to AS/400s and iSeries servers have been well documented. While OS/400 was--and still is--one of the most inherently secure commercial computing platforms around, the traditional menu-based security methodologies relied upon by many OS/400 software developers and users leave a wide plain of unprotected terrain through which hackers, disgruntled employees, or simply careless workers can gain virtually unrestricted access to OS/400 assets, if they're left unprotected from the Internet.

This vulnerability, in turn, has created a market for OS/400 network security products, and PowerTech Group was first to market with such a product seven years ago. PowerLock NetworkSecurity protects OS/400 servers from unwanted access by monitoring more than 200 exit points, such as ODBC and FTP connections, and blocking transactions that are deemed unauthorized according to the product's security rules. These rules can be designed to block certain users, or groups of users, or can be used to block specific IP addresses. The product also has tracking, logging, and reporting capabilities and can be integrated with Unix, Linux, and Windows security products.

With Version 4.7, the Kent, Washington, company has included five major new features: Easy Transaction Analyzer; Rule Version Control capabilities; Dynamic Authority Manager; port-scanning capabilities, and support for customized exit points. Except for the new exit points, each of the new features in this release is designed to make the product easier to use for the systems administrator.

Making life easier for system administrators is an important goal, as the majority of today's systems administrators are generalists and they don't have the luxury of becoming security experts who can build their own security tools, says PowerTech founder and chief technology officer John Earl. "In a typical AS/400 shop, with less than four boxes, usually a systems administrator can't do the job [of security officer] effectively," he says. "Unless they have the tools that can help them do that, they're never going to get there."

PowerTech says the new features in NetworkSecurity 4.7, such as Easy Transaction Analyzer, will strike a chord at shops where the systems administrator is asked to be a jack of all trades. With Easy Transaction Manager, administrators are given an "intuitive, top-line" view of their transaction data, which allows the administrator to more easily understand his environment and therefore design more accurate security rules, more quickly, the company says.

Administrators will be less hesitant to roll new security rules into production with the new Rule Version Control capabilities in NetworkSecurity 4.7. With this capability, administrators can simply "roll back" the security rules to a previous setting if things don't work as planned. This "roll-back" feature is an important one to have in an OS/400 network security product, as implementing security that is too tight can often have worse consequences than implementing ones that are too lax. If the rules are set too tight, legitimate transactions could be blocked or rightful users could be denied access, which could lead the system administrator to simply turn off the security product or grant users extraordinary access privileges (such as all object authority), in order to get things to work again, which hurts security in the long run.

A system administrator would really have no reason to grant users such wide-open (but potentially dangerous) authority with this release of the product, because of the new Dynamic Authority Manager. With this feature, if users have too much or too little authority to do their job, the system administrator will be able to immediately correct it. PowerTech says this feature is important because it prevents users from having to restart the server whenever they change authority.

Lastly, the new port scanning capability in this release of NetworkSecurity provides administrators with a quick view of ports that are open, which is useful in preventing intrusions.

Administrators can work with NetworkSecurity either through the native 5250 interface or in GUI mode with an optional Operations Navigator plug-in. The software is compatible with OS/400 V4R3 or later and can be networked with multiple AS/400 and iSeries servers through the PowerLock CentralAdmin product. If customers want to include their OS/400 servers in their cross-platform, data-center-wide view of their network, NetworkSecurity can be configured to communicate with Internet Security Systems' SiteProtector 2.0. For more information, go to www.powertechgroup.com.