    Trinity Guard Fills Gap In IBM i Network Security

    December 11, 2017 Alex Woodie

    Trinity Guard, the IBM i security software company founded by the original developers from Pentasafe, this month rolled out TG Secure, a new network security product that addresses a potentially serious gap in exit point coverage that many IBM i shops who use open source software may not be aware of.

    IBM has done a good job of bringing new open source tools, technologies, and applications to the platform. The addition of languages like PHP, Node.js, Ruby, and Python; products like the NGINX Web server, the MySQL/MariaDB databases, and the Git repository; and everything else included in the 5733-OPS open source collection has done a lot to keep IBM i up to speed with technological progress and has made it more competitive with other platforms. It is hard to argue against that.

    But there is an important caveat to using these products that IBM i users should know about. Because the bulk of these products have been ported via PASE, the AIX runtime for IBM i, they do not abide by traditional IBM i exit points. Instead, many of these open source technologies connect to IBM i server resources via socket connections.

    Using socket connections is not inherently bad. But unless those socket connections are properly monitored with a network security tool, network traffic in and out of IBM i can go unmonitored and access rules can go unenforced. That’s a very bad thing for anybody who values security.

    The good news is that IBM added an exit point for socket connections way back with IBM i 7.1, thereby allowing customers to lock down that port of entry into the server. The bad news is that many IBM i professionals may not be aware of this connection. And what’s even worse is that some network security products for IBM i have not adopted IBM’s exit point for socket connections in their exit point solutions.

    This was the case with PS-Secure, the IBM i network security tool originally developed by Pentasafe, acquired (but rarely enhanced) by NetIQ, and now sold by Micro Focus. When Tony Perera and Pauline Ayala left Micro Focus to co-found Trinity Guard in the old Pentasafe stomping grounds of Houston, Texas, fixing this glaring hole in an otherwise solid exit point solution was a big priority.

    With this month’s launch of TG Secure, Trinity Guard has delivered support for IBM’s socket connection exit point with its network security solution. It fills a critical gap in the network security protection for IBM i shops, Perera says.

    “That’s very important for the full coverage of network security,” Perera tells IT Jungle. “There are a lot of applications now bypassing traditional exit points, like FTP and ODBC. If they’re using open source technology, they’re probably vulnerable if they’re not monitoring this.”

    Perera is a big fan of IBM’s work with open source software, and he even plans on using some of the technology with a forthcoming new GUI management console that will work with other Trinity Guard products.

    “IBM is doing a great job porting a lot of applications using PASE,” he says. “But all those applications traditionally bypass the exit points and they connect to the socket layer, which is something people need to be aware of.”

    Don’t be fooled into thinking the network traffic is on the up and up just because it’s encrypted, Ayala says. Just because the traffic is encrypted doesn’t mean an unauthorized user isn’t weaseling their way into the system.

    “A lot of people think that, because their application is secured with SSL/TLS, then they don’t think there’s a problem,” she says. “They’re not keeping track of who is accessing it, necessarily. They’re just looking at whether the connection is encrypted or not. And if it is, then they think it’s all fine. That’s a big issue as well.”

    TG Secure, which is a brand new product, also improves on PS Secure in other ways, including better management of how exit point rules and enforcement are applied to individual users.

    With the old PS Secure product, customers got into the habit of writing custom rules for every new user that came into the system. The rules control what exit points the users are allowed to access, and which ones they are not. With TG Secure, the product contains a suggestion engine designed to help administrators and security officers find existing groups that new users can be assigned to.

    It’s all about simplifying the job for administrators, Perera says. “I had a client that has about 20 people joining every day and three to four leaving the company,” he says. “For an exit point solution, to secure it, for the new 20 people to have it enabled, they had to create all the rules pertaining to their job functions manually.

    “So let’s say a new person is coming in,” he continues. “This engine basically says, ‘You should probably add this person to this group. You don’t have to go create another 10 rules for this person.’”

    TG Secure also brings a user profile swap functionality that allows IBM i shops to minimize the use of powerful user profiles.

    “One of the bigger problems that our customers have is there are too many powerful users in the system,” Perera says. “Most of the reason is they need high privileges to run an operation. That’s why the security officer is a high privilege user.”

    Instead of giving the night operator SECOFR or ALLOBJ authority in her regular user profile, TG Secure allows the company to temporarily swap her into a user profile that has the necessary authority levels.

    What’s more, the tool can also restrict what commands the night operator can execute. “We have a granular capability of running escalated operations, so you can create rules to allow a user to run certain commands as a privileged user, and not others,” Perera says. “So that helps them reduce the number of powerful users.”

    The company has other products in the works, including a graphical management console that it plans to unveil next month. Beyond that, the company has a full product roadmap, which we’ll get to watch unfold in 2018.

    RELATED STORY

    Trinity Guard Gives PentaSafe Customers a Lifeline
