• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • Don’t Overlook These Network Auditing Improvements in IBM i 7.3

    October 24, 2016 Alex Woodie

    What is going across those network cables connecting your IBM i server to the outside world? It’s not always easy to tell, and IBM hasn’t exactly made it easy. But thanks to new security event types and exit points released earlier this year in IBM i 7.3, you can get deeper visibility into network traffic and make your company’s SIEM system work better with your IBM i along the way.

    The focus over the past few weeks has been on IBM i 7.3 Technology Refresh 1 and IBM i 7.2 TR5. There is a lot of good stuff in there, to be sure. But it is worth shining the light a bit on a past security enhancements that didn’t get the attention they deserved. This is critical stuff–the lack of visibility into network activity before IBM i 7.3 is, frankly, a little bit scary.

    Specifically, IBM added several new security event types and exit points with IBM i 7.3 to boost network auditing. The improvements enable all sockets-based UDP and TCP traffic in and out of the system–including traffic that is encrypted–to be tracked and audited through the security audit journal (QAUDJRN).

    This is significant, because itis the first time this level of visibility has been brought to network connections that use sockets. While IBM has supported auditing of TCP sockets connections, there were significant gaps in the coverage.

    IBM now has you covered for all TCP and UDP sockets-based connections with the NETSCK and NETUDP event types with IBM i 7.3. You can audit all UDP and TCP sockets-based traffic (except for Telnet traffic over TCP; more on that later) by enabling *NETSCK and *NETUDP audit levels on your server.

    When you these turn on, IBM i will begin collecting valuable information about the UDP and TCP connections through QAUDJRN. The entries will include critical information about the flow of traffic across the network, including the local IP address and port and the remote IP address and port (as well as whether it’s an IPv4 or IPv6 connection).

    IBM also unveiled a new *NETTELSVR value to monitor Telnet traffic over TCP. “Previously, the Telnet server was specifically not audited with TCP sockets connections because the quick reconnect rates of some Telnet clients could result in a high number of audit records on a system,” IBM’s Dawn May writes in a very informative July 2016 posting to her “i Can” blog on the new auditing capabilities in IBM i 7.3.

    Don’t use any of these weak security protocols and cipher suites, IBM says.

    Considering the potential harm that a hacker or disgruntled employee could do with a TN5250 connection into an IBM i server, and the lack of audit coverage in the IBM i system prior to IBM i 7.3, it’s great that this has finally been addressed.

    But wait, there’s more! Also in IBM i 7.3, IBM added the *NETSECURE audit level to audit (supposedly) secure network traffic using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption protocols. (We say supposedly because even TLS, which was supposed to be more secure than the SSL protocol its replacing, is having its own share of security problems.)

    This feature will tell you what security protocols and cipher suites are being used on your system. It will also tell you about successful and unsuccessful attempts to create encrypted connections that utilized VPN Internment Key Exchange (IKE) negotiations, successful IP Security (IPSec) connections, and secure UDP traffic.

    It is great to have all this information about TCP and UDP connections into your IBM i server, including the ones protected with SSL/TLS encryption. But making sense of the QAUDJRN is a daunting task. Larger IBM i shops will almost certainly need some sort of power tool to chew through the log data to find the anomalies. For these customers a security information and event management (SIEM) solution will be warranted.

    In a recent podcast, Townsend Security CEO Patrick Townsend talked about the new QAUDJRN event types and exit points that debuted in IBM i 7.3, which are supported with the Townsend Alliance Log Agent.

    SIEM solutions such as QRadar and ArcSight are critical for collecting and correlating security events occurring across the enterprise.

    “Remember that almost all SIEM solutions that help you identify threats really look at the IP address of the source, both inbound and outbound, from the IBM i platform,” Townsend says. “So enabling these new event types is critically important, I think. You need to be collecting that information and forwarding it to a SIEM solution.”

    Products like the Alliance Log Agent can automatically convert QAUDJRN records into industry standard SYSLOG format used by many SIEMs. It also supports the extended log format standards used by SIEMs like HPE‘s ArcSight and IBM’s own QRadar.

    IBM i shops that feed the network traffic data into a SIEM solution will stand a better chance of identifying anomalous traffic that’s associated with a security breach, Townsend says. This is a critical capability to have, considering that 84 percent of security breaches are detected after the fact through analysis of logs, according to the recent Verizon 2016 Data Breach Investigation Report (pdf). But SIEMs, when properly fed with historical data, should also be able to identify new attacks as they occur, and provide real-time threat protection (at least theoretically).

    In light of the recent hacking incidents involving WikiLeaks, the Democratic National Party, and U.S. Government accusations of state-sponsored hacking in Russia–not to mention the ongoing barrage of security vulnerabilities in encryption protocols and cipher suites used in IBM i and nearly every other system in the world with names like Heartbleed, Sloth, Bar Mitzvah, and Drown–perhaps it’s worth taking a fresh look at the new network auditing functions that IBM delivered earlier this year.

    You can hear Townsend’s complete podcast at player.fm/series/security-insider-podcast-edition/ibm-i-73-security-new-logs-to-collect-and-monitor.

    RELATED STORIES

    On Your IBM i Radar Now: GDPR

    IBM i 7.3: High Time For High Security

    Verizon Outlines Disturbing AS/400 Breach At Water District

    IBM Patches Pair Of TLS Flaws In IBM i

    IBM Patches More OpenSSL Flaws In IBM i

    IBM Blocks ‘Bar Mitzvah’ Attack In SSL/TLS

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags:

    Sponsored by
    WorksRight Software

    Do you need area code information?
    Do you need ZIP Code information?
    Do you need ZIP+4 information?
    Do you need city name information?
    Do you need county information?
    Do you need a nearest dealer locator system?

    We can HELP! We have affordable AS/400 software and data to do all of the above. Whether you need a simple city name retrieval system or a sophisticated CASS postal coding system, we have it for you!

    The ZIP/CITY system is based on 5-digit ZIP Codes. You can retrieve city names, state names, county names, area codes, time zones, latitude, longitude, and more just by knowing the ZIP Code. We supply information on all the latest area code changes. A nearest dealer locator function is also included. ZIP/CITY includes software, data, monthly updates, and unlimited support. The cost is $495 per year.

    PER/ZIP4 is a sophisticated CASS certified postal coding system for assigning ZIP Codes, ZIP+4, carrier route, and delivery point codes. PER/ZIP4 also provides county names and FIPS codes. PER/ZIP4 can be used interactively, in batch, and with callable programs. PER/ZIP4 includes software, data, monthly updates, and unlimited support. The cost is $3,900 for the first year, and $1,950 for renewal.

    Just call us and we’ll arrange for 30 days FREE use of either ZIP/CITY or PER/ZIP4.

    WorksRight Software, Inc.
    Phone: 601-856-8337
    Fax: 601-856-9432
    Email: software@worksright.com
    Website: www.worksright.com

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Sponsored Links

    NGS:  FREE Webinar: Preparing, Presenting, & Using Data with NGS-IQ and Microsoft Power BI. Nov 10
    Fresche:  IBM i staffing for all of your IT needs. Request a FREE estimate. 1-800-361-6782
    Manta Technologies Inc.:  The Leader in IBM i Education! Download catalog and take sample sessions!

    Zend Preps Speedy New PHP and Runtime for IBM i IBM’s Power Systems Stalls A Bit As Power8 Wanes

    Leave a Reply Cancel reply

Volume 26, Number 46 -- October 24, 2016
THIS ISSUE SPONSORED BY:

New Generation Software
Fresche Legacy
UCG Technologies
HiT Software
WorksRight Software

Table of Contents

  • Don’t Overlook These Network Auditing Improvements in IBM i 7.3
  • IBM Opens Up Coherent Protocols For Power Chips
  • Cross-Platform Development Targets Code Management
  • Mad Dog 21/21: Achilles And The iPhone
  • Knowing Node

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • How Committed Is Big Blue To The IBM Cloud?
  • Immutable Copies Are Only As Good As Your Validation
  • Guru: IBM i *USRPRF Security
  • ERP Transitions Loom for SAP on IBM i Customers
  • Inflation Pumps Up Global IT Spending, Supply Chain Deflates It
  • COMMON Set for First Annual Conference in Three Years
  • API Operations Management for Safe, Powerful, and High Performance APIs
  • What’s New in IBM i Services and Networking
  • Four Hundred Monitor, May 18
  • IBM i PTF Guide, Volume 24, Number 20

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2022 IT Jungle

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.