Help/Systems Launches Comprehensive Security i5/OS Suite
August 28, 2007 Alex Woodie
When Help/Systems set out 15 years ago to develop a suite of systems management tools for the AS/400, the company always intended for a security tool to be part of the mix. Now, the Minneapolis-area company is making good on that commitment with this week’s launch of Robot/SECURITY, a collection of five security modules that help protect System i servers from internal as well as external threats.
For a version 1.0 release, Robot/SECURITY offers a surprisingly comprehensive array of i5/OS security capabilities. The product offers the obligatory network security through server exit point monitoring, while the audit reporting feature enables users to see how their i5/OS security configurations shape up compared to SOX, PCI, HIPAA, and COBIT standards. Another module is dedicated to keeping constant watch over changes through QAUDJRN, the operating system’s security audit journal.
These are basic vanilla offerings that customers can find in a range of existing i5/OS security products. But Robot/SECURITY comes with two additional modules that offer more cutting-edge capabilities, including a profile swap feature that barricades users from powerful user profiles, and a graphical forensics analysis utility that lets managers dive deeper into activities that may have an effect on the security of the system. While users can find these capabilities in other products, Robot/SECURITY is the only offering to include all of these capabilities in a single product.
Let’s start with the exit point monitoring feature of Robot/SECURITY. Exit point monitoring is critical on the System i to ensure that users can’t bypass the platform’s strong security controls by accessing the server over network services like FTP or ODBC. Without exit point monitoring in place, there is a giant, gaping hole in the security of network-enabled System i servers.
Robot/SECURITY monitors only server exit points, such as FTP, ODBC, JDBC, Telnet, SQL, and others. The product offers a rich array of configuration options, including the capability to restrict access to exit points by users, groups of users, and certain user profiles, as well as by objects. Managers can set up the product just to log exit point activity, and then lock down access later on. It also includes reports, scheduling options and the capability to set up exceptions for holidays, in addition to many other options.
The product’s security audit module is designed to help managers through the complicated process of setting up System i security, continually monitoring security settings, and seeing how the settings stack up against industry standards. The product looks at various settings, including user, library, and object authority levels; general system settings such as Access Control Lists, and job descriptions and workstation entries. Managers are advised to periodically run various audit reports, which give a pass or fail grade based on how it compares to the initial security settings; they can then “drill down” into the reports to see what specifically needs fixing.
By monitoring all the entries written to the QAUDJRN, Robot/SECURITY is able to keep a real-time eye on System i security and give the manager a head-start on potentially damaging security events. This module watches the QAUDJRN for events that could signify a security breach (or a failed attempt to breach security), such as password failures, authority failures, or changes to user profiles or security settings. By hooking into other Help/Systems products, including Robot/ALERT or Robot/NETWORK, system administrators can make sure that events are dealt with swiftly.
But by running the Profile Exchange module of Robot/SECURITY, customers can forestall many of the common security problems befalling iSeries and System i users. Profile Exchange eliminates the need for users to run with powerful user profiles, such as ALLOBJ and QSYSOPR, which give users unfettered access to very powerful capabilities on the server. By allowing users to temporarily swap into powerful user profiles when they need them–as opposed to running under the powerful user profiles on an everyday basis–Profile Exchange can minimize the risk of an internal security breach.
Administrators can use the product’s profile mapping feature to set up users’ alternate accounts. The feature can be set up to allow users to swap into more powerful profiles by several means, including on an individuals basis, by lists of users, and by primary and supplemental groups; separate controls can be set for user profile swapping for interactive versus batch. Integration with Robot/NETWORK ensures profile swapping works with more than one System i server, while reporting features let managers see who swapped into their powerful profiles, and when.
While the product’s security audit module offers some analysis capabilities, managers can get a much broader picture of their server’s security posture from Robot/SECURITY’s Forensics Analysis Utility. In addition to gathering data from the QAUDJRN module, the Java-based tool brings in data from the QHIST log, the QSYSOPR message queue, other message queues, and other Help/Systems products, including Robot/ALERT, Robot/TRANSFORM, and Robot/REPORTS.
The Forensics Analysis Utility addresses the age-old problem afflicting System i managers: separating the wheat from the chaff. “There are so many entries. What the heck do you do?” says Tom Huntington, vice president of technical services at Help/Systems. “What value is it when you have 10,000 adopted authority entries. What does that mean?
With the Forensics capability, users can interrogate the system from several angles. “It interrogates several sources, and it pulls out things based on whatever selection criteria you set up. So you can see all the entries associated with jobs, with a date range, or with a user. Then there are more filters, so you don’t spend too much time.”
Robot/SECURITY has been on the drawing board at Help/Systems for more than a decade. “It was part of the original Robot vision,” Huntington says. “At least 15 years ago, we came out with the Robot vision for the product line and security was always on that. And we’re finally completing that piece of the puzzle.”
Over the years, many existing customers have asked when Help/Systems would finally ship the security product, Huntington says. “It would have been nice to have it out two years ago,” he says. “[But] I don’t think we’re too late in the marketplace. A lot of people have solutions that they’re not happy with.”
Robot/SECURITY version 1.0 will become available for download from the Help/Systems’ Web site later this week. The product supports i5/OS V5R3 and V5R4, and ranges in price from $2,500 to $20,300. Like it does for all its products, Help/Systems offers a free 30-day trial download for Robot/SECURITY.
Huntington is hosting a Webinar on Robot/SECURITY Thursday at 9 a.m. CDT. To sign up for the event, go to www.helpsystems.com/education/econferences_signup.html?econference=00000000840.