
Considerations Before Purchasing Security-Related Internet Products


Many of you are considering adding another "layer" of security to your existing system or network configuration. This article looks at some of the popular purchase decisions being made today and discusses what you need to consider to help you achieve that higher level of security you're looking for.

Make a Plan Before Going Shopping

I'm a list person. If I don't have my list when I go shopping, I forget half of what I was supposed to purchase. I also may buy items I wasn't intending to buy. A little planning and list-building makes my shopping go much more smoothly, and I end the day with the items that I really need. The same applies to purchasing any security-related product. Before going shopping, do some planning:

  • Define exactly what problem you're trying to solve. If you don't, be prepared for vendors to assert to you what your problem is and sell you a solution that may not help you achieve your goal.
  • Understand the laws or regulatory requirements that may affect the specifications of any product or service you're considering.
  • Understand any service-level agreements (SLAs) you have with your customers or business partners that may affect which product or service you choose.

Securing the Perimeter

If you're thinking about securing the perimeter, you have a couple of options for doing so.

Firewall

One method you may be considering to shore up the security of your network is to purchase a new firewall. Before contacting any of the firewall vendors, do some homework. First, decide exactly what problem you are trying to solve. In other words, what function is the new firewall supposed to perform that your old firewall can't? Firewall functionality ranges from very simple to very complex. Vendors will obviously try to sell you the most feature-packed firewall. The problem is that the more complex the firewall and the more features it has, the more likely it will be configured incorrectly, thus allowing unwanted traffic into your network. Studies have shown that the vast majority of firewall breaches are due to the firewall being misconfigured, not because of vulnerabilities or bugs in the firewall's software or hardware.

In light of the complexity issue, another consideration should be your personnel's skill set. They might be able to manage the configuration of your current firewall, but add complexity and features, and it may be beyond your personnel's abilities. If that's the case, you may have to send your employees for training or consider bringing in a specialist to configure the new firewall.

Finally, if your organization falls under the Payment Card Industry's (PCI) Data Security Standards, the firewall you choose must meet the PCI's firewall configuration requirements.

Intrusion Protection

Another method for securing the perimeter is to perform intrusion protection. Intrusion protection is a real-time, proactive, "shields up" defense to make sure no one accesses your network inappropriately. In all but the largest organizations, intrusion protection is typically outsourced to a company that specializes in this service. When choosing a vendor to perform this service, make sure you understand exactly what services they perform. Organizations having to comply with PCI's Data Security Standards understand that they are required to have quarterly external network vulnerability scans. Some organizations see "vulnerability scan" and think they're getting intrusion protection, but they're not. Intrusion protection includes vulnerability scanning, but intrusion protection occurs 24x7, detects network intrusions, and more. So if your requirement is for intrusion protection, don't settle for a periodic network vulnerability scan.

Another point to clarify before choosing a vendor is the support level they will provide if a breach occurs. Will they help trace the breach? Will they be available and willing to assist should law enforcement have to be called in?

Finally, find out up front how much time it typically takes to configure and implement the intrusion protection and how much of your current staff's resources will be required. For example, someone on your staff may be required to help the company fine-tune the intrusion detection feature of intrusion protection to reduce the number of "false positive" intruder alerts received.

Gaining Access to Your Internal Network

One security-related purchase is often a solution to allow users or processes to gain access to your internal network. For instance, Virtual Private Network (VPN) connections allow employees to gain secure access to your internal network from their homes, ensuring that all traffic between their PC and your internal network is encrypted. When choosing a connection solution, make sure that you consider scalability. All of these solutions provide some authentication information to validate the workstation before making the connection. Make sure that the issuance of this authentication information is not onerous—in other words, be sure your current staff can easily manage it. For example, one authentication method some VPNs use is a digital certificate. The digital certificate must be loaded onto the PC making the connection. For some organizations that provide employees with laptops for their workstations, this process may be quite easy to accomplish. When the employee is in the office, the digital certificate is loaded onto the system and the VPN client is configured. However, for employees who use their own home computers to connect into the internal network, you'll have to determine how to get the digital certificate loaded and the VPN client configured. If you have only 5 or 10 users, you can probably walk them through the process via a phone call. However, if you have hundreds of users, this solution may not be feasible.

Also, whenever you use a digital certificate for authentication—whether it's for a VPN, single sign-on, Transport Layer Security (TLS), or other solution—you will want to understand who is going to issue the digital certificates: either someone internal to your organization or a third party. The issuer is called a Certificate Authority, or CA. Then, you need to understand the CA's response time—in other words, how quickly requests for a new certificate can be fulfilled and whether this meets your requirements. Finally, you need to understand how the CA will help your organization manage the digital certificates; for example, will they notify someone when an employee's certificate is about to expire and needs to be renewed, or will they just let it expire and allow the function to fail? The bottom line is this: Don't look solely at the solution; instead, make sure you understand the maintenance and administrative costs associated with the technology being used—in this case, digital certificates.

Encrypting Traffic

You may discover that you are sending private or confidential data over an unencrypted connection to a business or trading partner or to an outsourcer that performs financial transactions for your organization. (I'm still surprised how often this occurs.) If you are looking at a solution to resolve this issue, first determine whether there are any laws or regulations with which your organization must comply that will dictate what algorithm is to be used, as well as the length (i.e., strength) of the encryption key and the encryption key management requirements. Next, determine whether the other organizations (such as your trading partners) already have an encrypted transport method in place. If so, make sure you understand what encryption algorithm and key strength is being used so that the solution you purchase will "talk" to the other organizations' transport servers and meet any requirements they may have in place.

Accepting Payment over the Internet

More and more businesses are expanding into online payments. Some organizations choose to bring the transaction into an internal server and process it there. Other organizations route the transaction to a third-party payment-processing Web site where the payment is accepted. Whichever method you choose, make sure that the PCI Data Security Standards are adhered to. When investigating third-party payment-processing solutions, ask to see the results of their last Visa audit or PCI self-audit. If they refuse or the results show significant gaps, consider finding another solution provider. (Visa sends out auditors to assess merchants' and credit card processors' adherence to the PCI standards.) The intent of the PCI Data Security Standards is to ensure the security and privacy of credit card information. You don't want your organization's name dragged through the headlines because you or the payment-processing vendor you chose didn't secure the data or transmission of data properly, thereby allowing a breach to occur.

If you choose a third-party online payment-processing solution, you will want to understand the terms of the contract to determine where your security configuration requirements and responsibilities end and the solution provider's begin. You may also want your legal counsel to review the contract to make sure your organization cannot be held responsible for a breach that is the provider's fault. Finally, make sure the contract is clear as to who is responsible for notifying individuals under the various state notification laws should a data breach occur.

Consolidated Management Solutions for Security Administration

Products exist in the market that attempt to consolidate security functions such as access controls for databases and user account ("user profile" in the i5/OS world) administration. Sometimes these products work and play well with i5/OS, and sometimes they don't. Some are architected to work better in a Windows server environment than a robust, multi-user, multi-tasking operating system such as i5/OS. Exercise caution when purchasing one of these products to ensure that its interoperability with i5/OS really lives up to the vendor's claims and that it performs the functions on i5/OS as you would expect and doesn't attempt to usurp or contradict i5/OS security features.

One product that I encountered in the past attempted to consolidate the administration of database access control settings by routing all database accesses through this administration product. This worked well on paper and in their demonstrations because all database accesses were through a Web application. The technical marketing material associated with this product would lead you to believe that you only had to administer the access controls to all of your resources (including databases in your internal network) through this product. The claim was true as long as the database was accessed only via Web applications. But it is rare that an i5/OS database is accessible only through a Web site. Most systems running i5/OS are the primary data source for an organization's information, serving as a data repository for many applications. Data is accessed via native green-screen applications, data warehouse reports and queries, WebSphere applications, client/server applications, and more. If you only read the marketing material and don't think things through, you might believe that you no longer have to worry about i5/OS object-level security, that the product consolidates all access checks so native access controls are no longer required. Nothing could be further from the truth in the case of i5/OS. The product takes care of database accesses via a Web application but fails to consider other ways applications access data on i5/OS.

In addition, some products that attempt to consolidate function across multiple platforms don't provide the i5/OS configuration options required to make it worthwhile to run on i5/OS. For example, none of the consolidated security configuration products I've seen provide the ability to control all of the security-relevant system values, user profile settings, and object authority settings required to secure i5/OS. For example, some provide good user profile management yet only control half of the security-relevant system values. Others provide a method for granting *PUBLIC authority but not for securing an object with an authorization list.

My point is not to bash consolidated security management products. You may be able to find a product that will fulfill your requirements. To ensure this, however, you must determine what tasks a consolidated product will perform on i5/OS. Then envision—or, if possible, try—the product in your current environment. Finally, analyze whether the product fulfills your list of requirements. Note whether any gaps in the function will leave your network or system configurations vulnerable or whether function is missing that will require your administrators to perform configuration tasks both in the new product and on the system itself.

Last but Not Least

Last but certainly not least, all purchase considerations should be made with the requirements of your organization's security policy in mind. Don't be surprised if the purchase that you're about to make triggers an update to your security policy. You may be considering a security-related purchase because your organization is falling under a new law or regulation, or because your organization is branching out into new technology or changing how it does business (going into more e-commerce, for example). If that's the case and your security policy has not been updated in the last year, it's likely that it will need to be updated to address the security requirements of this new area of business.

The Goal Is More Security, Not Less

Just because you are looking to add a new solution or another layer of security to your configuration doesn't mean that the solution will actually help you achieve a higher level of security. Some solutions may actually leave your systems and data more vulnerable. However, with some careful requirements gathering and planning, as well as careful scrutiny of the solution itself, you can achieve that higher level of security that you're hoping to attain.

Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing in security policy compliance and assessment software as well as security services. Carol is the former chief security architect for AS/400 for IBM in Rochester, Minnesota, and has specialized in security architecture, design, and consulting for more than 15 years. Carol speaks around the world on a variety of security topics and is coauthor of the book Experts' Guide to OS/400 and i5/OS Security.
