User Activity Monitoring from PacketMotion to Support i OS
December 1, 2009 Alex Woodie
System i shops that are concerned about the high level of access granted to systems administrators and others, but are hesitant to put controls in place for fear of slowing down transaction times, may want to consider trying out a new agent-less user activity monitoring (UAM) solution that is coming to the platform. PacketMotion recently rolled out support for TN3270 with its appliance-based UAM solution, called PacketSentry, and is close to beginning beta tests for a similar offering that will support the IBM i OS via TN5250.
The practice of over-allocating user credentials is a universal problem. It has been well documented in the System i world, where the majority of companies run with too many privileged user profiles, such as security administrator (SECADM) or all object authority (ALLOBJ), according to security vendor PowerTech’s annual security survey.
The same kind of problem affects users of Windows, Unix, and mainframe servers, and customers are looking for solutions to deal with it, says Jonathan Gohstand, PacketMotion’s vice president of marketing.
“I see people really grappling with this in the mainframe, and we’re starting to see it on the AS/400 as well, because if they’re using an application and the application doesn’t have the proper logging, you’re awfully limited in what you can do,” Gohstand says. “You can go to the vendor and request them to add the logging. Good luck with that. Or if it’s homegrown, nobody wants to touch the software because they’re afraid they’ll mess something up.”
PacketMotion started developing PacketSentry about five years ago for the purpose of boosting user security. Along the way, the company added regulatory compliance to its repertoire. Today, the company’s approach to development and marketing leans heavily on the fact that many organizations don’t have the time or expertise to modify existing systems to improve security and achieve compliance with HIPAA, PCI, SOX, etc.
The PacketSentry solution basically monitors all of the actions that users (and “superusers” with special privileges in particular) take on critical systems for signs of suspicious or unauthorized activity, and stores that data in an integrated Oracle database that generates the required reports. Customers can also activate PacketSentry’s security functionality and block unauthorized activity.
While it’s a pre-loaded offering (and one that doesn’t require a dedicated Oracle DBA, by the way), customers can customize their PacketSentry devices to meet their specific needs. For example, the customer could instruct the software not to let anybody sign in using the systems administrator profile if they’re coming in over VPN. Or user profiles used by outside contractors can be restricted to allow access only to certain machines, which will be heavily logged.
Most of PacketMotion’s early customers have been on Unix and Windows machines, so supporting UAM on mainframes required PacketMotion to get a little creative, according to Gohstand. What the company instituted was a system that basically keeps a screen-by-screen log of a user’s TN3270 session. Also, by correlating the mainframe audit trails with the Windows domain ID of the computer on which the telnet session was running, PacketMotion is able to eliminate any account sharing or confusion about where the session was running.
PacketMotion will use the same approach to support UAM on the System i server via 5250. General availability is tentatively planned for January, and the company is now accepting applications to participate in the System i beta test.
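The two mechanisms described above (attributing a telnet session to the Windows domain account logged on at the source workstation, and then applying policies such as “no administrator profile over VPN” or “contractor profiles only on certain machines”) can be sketched in a few dozen lines. The following is an added illustration written for this article, not PacketMotion’s code; the profile names, the VPN address range, the contractor host scope, and the session and logon records are all constructed for the example.

```python
"""Attribute TN5250 sessions to domain users and evaluate access policies.

Constructed example: the VPN range, profile names, host names and all
session/logon records below are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TelnetSession:
    start: datetime
    src_ip: str       # workstation the TN5250 session came from
    profile: str      # IBM i user profile used at sign-on
    target: str       # System i host the session was opened against


@dataclass(frozen=True)
class DomainLogon:
    when: datetime
    workstation_ip: str
    domain_user: str  # Windows domain account that logged on


# Assumed policy inputs (constructed for the example).
PRIVILEGED_PROFILES = {"QSECOFR"}                  # profiles treated as "administrator"
VPN_NETWORKS = [ip_network("10.200.0.0/16")]       # assumed VPN address pool
CONTRACTOR_SCOPE = {"CTR_ACME": {"DEVBOX1"}}       # contractor profile -> allowed hosts


def attribute_session(session, logons, max_age=timedelta(hours=8)):
    """Return the domain user most recently logged on at the session's source
    workstation before the session started (within max_age), or None."""
    candidates = [
        l for l in logons
        if l.workstation_ip == session.src_ip
        and l.when <= session.start
        and session.start - l.when <= max_age
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l.when).domain_user


def evaluate(session, logons):
    """Attribute the session and return (domain_user, list_of_findings)."""
    findings = []
    owner = attribute_session(session, logons)
    if owner is None:
        findings.append("UNATTRIBUTED: no domain logon matches the source workstation")

    src = ip_address(session.src_ip)
    if session.profile in PRIVILEGED_PROFILES and any(src in net for net in VPN_NETWORKS):
        findings.append(f"BLOCK: privileged profile {session.profile} signed on over VPN")

    allowed_hosts = CONTRACTOR_SCOPE.get(session.profile)
    if allowed_hosts is not None and session.target not in allowed_hosts:
        findings.append(
            f"BLOCK: contractor profile {session.profile} not permitted on {session.target}"
        )
    return owner, findings


# Constructed sample records.
LOGONS = [
    DomainLogon(datetime(2009, 12, 1, 8, 0), "10.10.5.21", "CORP\\jsmith"),
    DomainLogon(datetime(2009, 12, 1, 8, 5), "10.200.3.7", "CORP\\contractor1"),
    DomainLogon(datetime(2009, 12, 1, 9, 0), "10.10.5.21", "CORP\\mlee"),
]
SESSIONS = [
    # JSMITH profile, but the workstation's latest domain logon is mlee: possible shared profile
    TelnetSession(datetime(2009, 12, 1, 9, 30), "10.10.5.21", "JSMITH", "PROD400"),
    TelnetSession(datetime(2009, 12, 1, 9, 45), "10.200.3.7", "QSECOFR", "PROD400"),
    TelnetSession(datetime(2009, 12, 1, 10, 0), "10.200.3.7", "CTR_ACME", "PROD400"),
    TelnetSession(datetime(2009, 12, 1, 10, 15), "10.10.9.9", "JDOE", "PROD400"),
]


def run_all(sessions=SESSIONS, logons=LOGONS):
    """Evaluate every session; returns a list of (profile, owner, findings)."""
    return [(s.profile, *evaluate(s, logons)) for s in sessions]


if __name__ == "__main__":
    for profile, owner, findings in run_all():
        print(f"{profile:<9} attributed to {owner!s:<18} {findings or 'OK'}")
```

Note that the first session is attributed to a different domain user than the profile name suggests; that mismatch is exactly the account-sharing signal the workstation correlation is meant to surface, and a real deployment would compare the attributed user against a directory mapping rather than eyeball it.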
While hardened appliances are gaining favor for security and compliance tasks, they are not all created equal, according to Gohstand. Traditionally, a security information and event management (SIEM) or UAM appliance would be installed inline to monitor application traffic. However, this heightens the risk of an outage, because if something happens to the UAM device, then transactions cannot get through. This necessitates a second SIEM or UAM device for failover purposes, and the complexity increases.
The company gets around this problem by plugging PacketSentry Probe appliances into the monitor or “SPAN” ports of a switch, which duplicate all of the production network traffic but do not impede its flow. The Probe appliance then sends the subject traffic to the PacketSentry Manager appliance, which is where the Oracle database is loaded.
“For example, you could have eight switches in front of an AS/400 or a mainframe, and have the monitored port sent to us, so we’re reporting everything going on, but we’re not inline,” Gohstand says. “The important thing is, if our solution blows up, traffic still goes through the switch to the server. It’s not going to affect anything.”
PacketMotion has garnered praise from Gartner, which labeled it a “cool vendor,” and other analyst groups for its PacketSentry offering, which starts at around $50,000. For more information, visit www.packetmotion.com.