PentaSafe Allows "What If?" Testing for OS/400 Security
by Alex Woodie
Changing the security settings of OS/400 can be a scary thing. What if you made a change that caused your
company's application to behave incorrectly, or put an unnecessary security hold on the completion of live
transactions? PentaSafe Security Technologies has addressed these scenarios by announcing a new rev of its
OS/400 security software suite that includes a
new "What If" capability that allows security administrators to test changes to remote access security
settings before rolling them into full production.
The new "What If" capability was added to PSSecure 7.0, one of three components of a suite of OS/400
security products that PentaSafe calls the VigilEnt Security Agent for iSeries. Last week, PentaSafe
announced the general availability of the next generation of VSA for iSeries, which also includes new
releases of PSAudit and PSDetect.
The key to PSSecure's new "What If" mode is the ability to apply new remote access security rules against
a company's actual transactions in a test environment. In prior releases of the software, says PentaSafe, its
programs shipped with a set of canned transactions that often didn't provide a good barometer of how actual
data would behave with the new rules.
The new feature works by creating a duplicate set of transactions, what the utility calls "What If" entries,
using production data. Going into the "What If" menu, the security administrator can then change the
remote access security settings governing that data (such as applying safeguards to FTP transactions) and
those changes won't affect the live data.
PSSecure produces a series of reports that tell the administrator how the changes would affect the
transactions' passage in the production environment. When the administrator is happy with the changes, the
secured entries are replaced with the tested "What If" entries, and the tested rules go into production. At the
same time, the software makes a backup copy of the secured changes, allowing the changes to be undone at
a later date.
"There isn't another OS/400 security utility on the market with this type of capability," says Steve
Martinson, PentaSafe's product manager for OS/400 software. "I happen to be a former customer [of
PentaSafe]," he said. Applying security rule changes used to be "a big, onerous task," he said. "It was kind
Those days are over. "Now they can tweak it all day long, and if they mess it up, it doesn't affect anything,"
Martinson said. "It's a way to go in and test changes without affecting the actual security environment."
This new release should also encourage users to keep their iSeries systems in the secured mode under
PSSecure, he said. Previously, users were reluctant to move their systems out of the data collection mode
and into the secure mode because of fears that transactions would be rejected by PSSecure.
There were several other enhancements added to PSSecure, including the capability to configure remote
servers individually and the ability to control server access by TCP/IP address as well as SNA device
names. Other enhancements include specification of object level security for any file system apart from
OS/400 resource security; control of read, write, manage, and execute authority for objects or entire
directory trees; and control of uploads and downloads via predefined PentaSafe research groups.
Last week's VSA for iSeries announcement also included new releases and enhancements to PSAudit and
PSAudit 5.4 features new baseline capabilities that give security administrators 11 new reports designed to
provide greater insight into how object authorities and user resources are being utilized. Administrators are
able to call on reports that show current resource allocations and how they compare to rules and exceptions
set by the administrator for areas including job descriptions, user profiles, directories, folders, and libraries.
Other new reports log network transactions by date/time, user, function, server, and incoming source
address. Lastly, a new iSeries Management Summary Report uses a red-yellow-green scorecard system to
show whether certain areas are in compliance with predefined rules.
PSDetect 2.2 now works with Simple Network Management Protocol (SNMP) management
consoles. The utility can send SNMP traps to any SNMP management console that is able to
receive them, such as those from Tivoli and Computer Associates. This new feature enables companies to
configure PSDetect to send alerts to SNMP management consoles.
VSA for iSeries components can be deployed with or without the VigilEnt Security Manager, PentaSafe's
Windows-based central security console. VSM serves as the hub for PentaSafe's growing stable of agents
for a variety of products, which, at this writing, includes Linux on iSeries, Windows 2000/NT, various
Unix implementations, Novell NetWare, and a host of database management systems, Web application
servers, applications, and firewalls.
PSSecure, PSAudit, and PSDetect are available separately or packaged together in VSA for iSeries at a
discount. Starting April 1, PSPasswordManager, which allows OS/400 administrators to view and control
their users' weak and easily guessed passwords, will also be included in the suite.
Pricing for VSA for iSeries is tier-based and starts at about $9,000 for the P05 processor group, which includes
a license for 300 users. PentaSafe also offers another bundle including VSM and the VSA for Linux on iSeries for $6,995.
VSA for Linux on iSeries by itself goes for $1,995. For more information visit PentaSafe's Web site at www.pentasafe.com.
Please note that this article has been edited since its original publication to correct the pricing information
for the VSM and VSA bundle for Linux on the iSeries and for the VSA for Linux on iSeries product as a standalone purchase. Guild Companies regrets the error. [Correction made March 18, 2002]