Trinity Guard Fills Gap In IBM i Network Security
December 11, 2017 Alex Woodie
Trinity Guard, the IBM i security software company founded by the original developers from Pentasafe, this month rolled out TG Secure, a new network security product that addresses a potentially serious gap in exit point coverage that many IBM i shops who use open source software may not be aware of.
IBM has done a good job of bringing new open source tools, technologies, and applications to the platform. The addition of languages like PHP, Node.js, Ruby, and Python; products like the NGINX Web server, the MySQL/MariaDB databases, and the Git repository; and everything else included in the 5733-OPS open source collection have done a lot to keep IBM i up to speed with technological progress and made it more competitive with other platforms. It is hard to argue against that.
But there is an important caveat to using these products that IBM i users should know about. Because the bulk of these products have been ported via PASE, the AIX runtime for IBM i, they do not abide by traditional IBM i exit points. Instead, many of these open source technologies connect to IBM i server resources via socket connections.
Using socket connections is not inherently bad. But without taking steps to ensure that those socket connections are properly monitored with a network security tool, it could lead to a situation where the network traffic in and out of IBM i is not monitored and rules are not enforced. That’s a very bad thing for anybody who values security.
The good news is that IBM added an exit point for socket connections way back with IBM i 7.1, thereby allowing customers to lock down that port of entry into the server. The bad news is that many IBM i professionals may not be aware of this connection. And what’s even worse is that some network security products for IBM i have not adopted IBM’s exit point for socket connections in their exit point solutions.
This was the case with PS-Secure, the IBM i network security tool originally developed by Pentasafe, acquired (but rarely enhanced) by NetIQ, and now sold by Micro Focus. When Tony Perera and Pauline Ayala left Micro Focus to co-found Trinity Guard in the old Pentasafe stomping grounds of Houston, Texas, fixing this glaring hole in an otherwise solid exit point solution was a big priority.
With this month’s launch of TG Secure, Trinity Guard has delivered support for IBM’s socket connection exit point with its network security solution. It fills a critical gap in the network security protection for IBM i shops, Perera says.
“That’s very important for the full coverage of network security,” Perera tells IT Jungle. “There are a lot of applications now bypassing traditional exit points, like FTP and ODBC. If they’re using open source technology, they’re probably vulnerable if they’re not monitoring this.”
Perera is a big fan of IBM’s work with open source software, and he even plans on using some of the technology with a forthcoming new GUI management console that will work with other Trinity Guard products.
“IBM is doing a great job porting a lot of applications using PASE,” he says. “But all those applications traditionally bypass the exit points and they connect to the socket layer, which is something people need to be aware of.”
Don’t be fooled into thinking the network traffic is on the up and up just because it’s encrypted, Ayala says. Just because the traffic is encrypted doesn’t mean an unauthorized user isn’t weaseling their way into the system.
“A lot of people think that, because their application is secured with SSL/TLS, then they don’t think there’s a problem,” she says. “They’re not keeping track of who is accessing it, necessarily. They’re just looking at whether the connection is encrypted or not. And if it is, then they think it’s all fine. That’s a big issue as well.”
TG Secure, which is a brand new product, also improves on PS Secure in other ways, including better management of how exit point rules and enforcement are applied to individual users.
With the old PS Secure product, customers got into the habit of writing custom rules for every new user that came into the system. The rules control what exit points the users are allowed to access, and which ones they are not. With TG Secure, the product contains a suggestion engine designed to help administrators and security officers find existing groups that new users can be assigned to.
It’s all about simplifying the job for administrators, Perera says. “I had a client that has about 20 people joining every day and three to four leaving the company,” he says. “For an exit point solution, to secure it, for the new 20 people to have it enabled, they had to create all the rules pertaining to their job functions manually.
“So let’s say a new person is coming in,” he continues. “This engine basically says ‘You should probably add this person to this group. You don’t have to go create another 10 rules for this person.’”
TG Secure also brings a user profile swap functionality that allows IBM i shops to minimize the use of powerful user profiles.
“One of the bigger problems that our customers have is there are too many powerful users in the system,” Perera says. “Most of the reason is they need high privileges to run an operation. That’s why the security officer is a high privilege user.”
Instead of giving the night operator SECOFR or ALLOBJ authority in her regular user profile, TG Secure allows the company to temporarily swap her into a user profile that has the necessary authority levels.
What’s more, the tool can also restrict what commands the night operator can execute. “We have a granular capability of running escalated operations, so you can create rules to allow a user to run certain commands as a privileged user, and not others,” Perera says. “So that helps them reduce the number of powerful users.”
The company has other products in the works, including a graphical management console that it plans to unveil next month. Beyond that, the company has a full product roadmap, which we’ll get to watch unfold in 2018.