Power Systems Security: More Than The Sum Of Its Parts
February 17, 2021 Tony Perera
The IBM i platform is no longer an island unto itself. In many companies, there is a mix of systems: Unix systems, Linux servers, and Windows environments, not to mention IBM i. Each of these environments brings its own strengths and weaknesses. The goal is to not let these differences hurt something that’s important to you: security.
Make no mistake: It’s a good thing that Power Systems servers can run multiple operating systems. From an IBM i perspective, it ensures more R&D dollars from IBM to support the hardware. It seems doubtful IBM would spend billions to develop processors like Power9 and the forthcoming Power10 chip if IBM i customers were the only users.
But IBM i shops benefit directly because there are many applications and infrastructure components that run on AIX or Linux but not IBM i (although the number is narrowing, thanks to IBM i’s embrace of open source software). From Web servers and databases to analytics and AI software, there’s an entire world of digital capabilities and human resources that become available once you move your business runtime beyond the confines of IBM i.
Multiple OSes, Multiple Exposures
The upside of having multiple operating systems is clear. But there are also some downsides that cannot be ignored. Security is one area that IBM i shops should spend time investigating before fully embracing a multi-operating-system environment. And if you have already embraced AIX and Linux on Power Systems, but haven’t spent the time to understand the security risks, then you may want to make that an immediate priority.
Of course, the IBM i server has its share of security issues. These have been well-documented through the years. Most of these security problems stem from a lack of user awareness and a lax approach to ensuring good configurations and ongoing management of security settings. Once a server is properly configured and the biggest vulnerabilities are closed off, the IBM i environment must be continually monitored to keep the system that way. This is not a trivial exercise. Security is a process, not a product, after all.
Keeping up with security threats becomes an even greater challenge when multiple OSes are involved. In a networked environment, a vulnerability in any system can potentially enable a hacker to get into adjacent systems. The attack surface changes in non-intuitive ways when these systems are linked together, and it’s important to understand why.
Running multiple operating systems in the same Power Systems server in different LPARs provides a degree of protection. The data contained in that IBM i environment will not automatically leak into the adjoining Linux and AIX LPARs. IBM has done a good job providing virtual “air gaps” between these environments, even when they inhabit the same physical hardware.
But there are avenues that hackers can use to exploit a vulnerability in one system to compromise services running in another, which many IBM i professionals may not be aware of.
The good news is that IBM i is blessed with an architecturally sound security apparatus. The reliance on objects is a boon for security-loving folks everywhere. The bad news is that AIX and Linux, both of which have roots in the open source Unix world, are nothing like IBM i. There are no mysterious and impenetrable IBM i objects that must be cracked open to obtain information, such as permissions.
Linux and AIX Security
In Linux and AIX, security configurations are set and changed via files that are accessible through a file system. Much like the IBM i’s integrated file system (IFS), the Linux and AIX file systems are structured as directories. This is where admins go to configure and control security settings in Linux and AIX, including user profile information, system logging, and other important security mechanisms.
In the IBM i world, the potential damage of one misconfiguration in a security setting is one thing. Thanks to the IBM i’s multi-layered security, there are other layers that must be breached for the hacker to cause great harm. On Linux, great harm can be caused by a single misconfigured file. That greatly ups the ante for ensuring good security, wouldn’t you say?
IBM i shops may be aware of the importance of the IFS, which is increasingly used for all sorts of applications. Anybody who is doing development in an open source language on IBM i, such as Python, PHP, or Node.js, is storing the application code in the IFS. This makes IBM i applications developed in the modern open-source method somewhat more vulnerable to hackers and malware infections than native ILE application objects stored in QSYS.
One of the biggest malware threats right now is ransomware. Ransomware on IBM i, for example, commonly targets the IFS. If a PC has a mapped drive to the IFS and becomes infected with malware, it will infect the IFS with malware. (There is even the potential for a piece of malware to encrypt the contents of the QSYS directory, i.e. the compiled ILE application objects, through the IFS, which is a scary thought indeed!)
There are many configuration files in AIX and Linux systems that, if not secured properly, can be hacked and create havoc on the network. For example, if the “etc/syslog” file is not protected and a cybercriminal gets his hands on it, he can potentially change how the Linux server responds to logs without leaving a trace, which could be devastating.
For these reasons, Power Systems shops should invest the time to ensure their administrators and operators are up to speed with the file-based nature of AIX and Linux security configuration or, absent that level of in-house skill, obtain the same capability through shrink-wrapped software.
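The file-based exposure described above can be checked directly. The following is an added example, not code from the article or from any Trinity Guard product: it audits ownership and permission bits on a handful of security-relevant files. The target paths, the function names and the `secret` flag are assumptions for illustration; actual file locations differ between distributions and between Linux and AIX.

```python
import os
import stat

# Assumed targets for this example; the article names only a syslog file and /etc.
# Real paths vary by distribution and between Linux and AIX.
DEFAULT_TARGETS = {
    "/etc/passwd": False, "/etc/shadow": True,      # True = contents are secret
    "/etc/rsyslog.conf": False, "/etc/syslog.conf": False,
    "/etc/hosts.allow": False, "/etc/hosts.deny": False,
}

def audit_file(path, expected_uid=0, secret=False):
    """Return a list of findings for one configuration file (empty list = clean)."""
    findings = []
    if os.path.islink(path):
        findings.append("is a symlink")
    try:
        st = os.stat(path)
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
    except OSError as exc:
        return findings + [f"cannot stat: {exc.strerror}"]
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if secret and st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    # A writable directory lets someone replace the file even if the file is locked down.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable")
    return findings

def audit(targets=DEFAULT_TARGETS, expected_uid=0):
    """Audit every target that exists; return {path: findings} for files with findings."""
    report = {}
    for path, secret in targets.items():
        if os.path.lexists(path):
            found = audit_file(path, expected_uid, secret)
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    for path, found in audit().items():
        print(f"{path}: {', '.join(found)}")
```

Run on a schedule and compared against the previous report, this kind of check also surfaces drift after a system has been configured correctly.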
Securing the network layer is another challenge in achieving good security in a multi-OS Power Systems environment.
On the IBM i server, most users are at least somewhat familiar with exit points, which IBM added many years ago to provide a way for existing OS/400 applications to interact with emerging networks. There are exit points for HTTP, FTP, ODBC, and a couple of dozen other protocols. It’s important for these exit points to be monitored and turned off using exit point software.
However, in Linux environments, there is no such thing as an exit point, nor an exit point program. Control over the network is achieved in an entirely different manner. Once again, the network configuration is handled through changes made to a specific file, in this case, the “folder/etc” file.
This is the location where Linux admins can activate TCP wrappers, which is the preferred method for monitoring and controlling network access in Linux and other Unix environments. There are some similarities between how TCP wrappers and exit points work, but an IT professional would do well to learn the specifics of each before opening their critical systems up to the Internet.
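To show how TCP wrappers reach a decision, here is an added example (not from the article or any vendor product) that models the documented lookup order of `/etc/hosts.allow` and `/etc/hosts.deny`: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. It handles only a subset of the pattern syntax (`ALL`, trailing-dot address prefixes, net/mask pairs, exact IPv4 addresses), and the sample policies and function names are constructed for illustration.

```python
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; options after a second ':' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    """Subset of hosts_access patterns: ALL, 'a.b.c.' prefix, net/mask, exact IPv4."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip

def decide(daemon, ip, hosts_allow, hosts_deny):
    """First match in hosts.allow grants; else a match in hosts.deny refuses; else grant."""
    for name, text, verdict in (("hosts.allow", hosts_allow, "allow"),
                                ("hosts.deny", hosts_deny, "deny")):
        for daemons, clients in parse_rules(text):
            if (daemon in daemons or "ALL" in daemons) and \
               any(client_matches(c, ip) for c in clients):
                return verdict, name
    return "allow", "no rule matched"

# Constructed sample policies (not from the article).
WEAK_ALLOW, WEAK_DENY = "sshd: 10.1.2.\n", "# nothing denied\n"
HARD_ALLOW, HARD_DENY = "sshd: 10.1.2.0/255.255.255.0\n", "ALL: ALL\n"

if __name__ == "__main__":
    for label, allow, deny in (("weak", WEAK_ALLOW, WEAK_DENY),
                               ("hardened", HARD_ALLOW, HARD_DENY)):
        for ip in ("10.1.2.7", "203.0.113.9"):
            print(label, ip, decide("sshd", ip, allow, deny))
```

The weak policy shows the common mistake: listing trusted clients in hosts.allow does nothing for everyone else unless hosts.deny ends the chain with a default deny. TCP wrappers only protect daemons built against libwrap or launched through `tcpd`, so confirm that for each service you rely on it for.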
The Weakest Link
While the IBM i server has its own security challenges, its architecture protects it from some of the most obvious hacks. It’s also protected, to an extent, by the fact that few hackers have in-depth technical knowledge of IBM i. But hackers definitely know about Linux, and where to look to exploit the most common misconfigurations in security settings. If time isn’t spent securing this low-hanging fruit, the Linux server risks becoming the weakest link in the enterprise network.
This is why it’s so important for organizations that run Power Systems servers to take all of their operating systems into account. A weakness in Linux or AIX can potentially impact applications running on IBM i. But thanks to significantly different architectures and configuration mechanisms, IBM i security skills don’t translate into Linux and AIX.
In lieu of learning Linux security skills, Power Systems shops can invest in third-party security software that can automate many of the time-consuming tasks that are required to properly configure Linux and IBM i security settings, as well as to monitor those settings over time, thereby freeing staff to focus on more important projects.
Our heritage here at Trinity Guard is IBM i security. That is our passion and what inspires us every day. But our clients have made it clear that securing the IBM i server is not good enough anymore, which is driving us to support Linux (and soon AIX) in our products.
We have taken the time to map the security and configuration settings across IBM i and Linux environments, providing the “apples to apples” comparison that ensures no cracks remain in the security posture. Our TGCentral offering provides a unified view of security across these environments, while TGAudit ensures that server configurations are consistent so that they can pass audits.
Please join us tomorrow (February 18) in a webinar to learn more about our solutions for securing the entire Power Systems environment. In this free event, titled “Get Your Guard Up!” we’ll take a deep dive into some of the common misconfigurations in IBM i and Linux environments. You can sign up for it at https://register.gotowebinar.com/register/3894807048459577871
This content is sponsored by Trinity Guard.
Tony Perera is the president and co-founder of Trinity Guard.