PFW Systems Corporation


The iSeries Approach to Security

Keeping your information secure and your network healthy

PFW Password - Fall 2002

The OS/400 operating system can be configured as one of the most secure operating environments for business use. The secret formula for providing your iSeries 400 with adequate security is understanding and using the many different security features that are provided within OS/400. It remains the responsibility of the system administrator to make it so.

Built-in security from "day one"
Like so many other functions on the iSeries 400, security was built in from "day one" as an integral element of the original system design architecture. IBM's security experience with large, multi-user mainframes gave the original OS/400 developers a significant advantage over the developers of other operating systems that were first developed for desktop systems and then extended and enhanced for Intel-based servers.

Many PC-based viruses are introduced on Intel-based servers or desktops as attachments to documents that, when detached or activated, are converted into programs that can then execute harmful command sequences. By contrast, the hardware and software architecture of the iSeries 400 (formerly AS/400) offers a much higher level of security to its users. Every stored object, whether program or data, is validated by OS/400's security component and by the authority component of the AS/400's System Licensed Internal Code. This multi-layered object authority validation prevents objects from being transformed from innocuous data into a malicious virus or worm.

No iSeries 400 has ever been reported to have been infected by a virus! Although the iSeries 400 and OS/400 are thought to be immune from a direct virus attack, the system can still serve as a host for a virus that will infect other Intel-based servers and desktops in your network. This can happen when the iSeries 400 is used to receive and store e-mail messages (e.g., with Lotus Notes) or as a storage facility for PC files (e.g., with Client Access). To prevent this from happening, a number of vendors offer anti-virus scanning software for the iSeries 400 to protect against further distribution of these stored viruses.

The iSeries 400 was designed for businesses that require levels of security ranging from nothing at all to full government-certifiable (C2) security. In addition to the five basic system security levels, the security administrator must also define user security through the configuration of individual user and group profiles.

Every user of the iSeries 400 must have an assigned user profile. A user profile defines the level of system access a user is permitted as well as the functions each user can perform. A user profile also determines the files and programs that each user owns and has access to. Users gain access to the iSeries through a password system that itself can be configured in a number of ways to ensure uniqueness, length, expiration, and the level of system tolerance for failed signon attempts.


Keeping your system secure and your network healthy

1. Back up your system regularly! Your dealership's information is a critical business asset. Ensure that the backups are complete. Take a backup copy off-site on a regular basis - at least weekly. This is still the most important security measure you can take!

2. Maintain strict control over all system passwords. In the iSeries environment, QSECOFR is not the only system password that must be protected. Do not leave any iSeries system password at the default or initial setting.

3. Set the OS/400 security level to 40. This is the lowest security level recommended by PFW.

4. Assign each user a unique ID with a password that regularly expires. This tends to "weed out" old user IDs and invalidates passwords that may have been given out for "one-time" use. (You can set criteria on the iSeries for passwords that are increasingly secure.)

5. Educate your users about the importance of network security. Grant each user the minimum level of authority that they require to perform their assigned tasks - no more. The majority of the security breaches you are likely to experience will be from users inside the organization. Many security breaches result from advanced stages of curiosity. An accidentally deleted file can be just as devastating as one that was deleted on purpose.

6. Desktop PC users should each run an up-to-date copy of virus protection. Users should understand that hundreds of new viruses are created weekly. Ideally, virus protection should be managed centrally to ensure efficient and current level updates.

7. When connected to the Internet, use a firewall as a minimum level of protection to block unwanted incoming and outgoing traffic. Your ISP can provide this protection, or you can use a network security appliance, such as the Instagate, to provide protection from network intrusion. A network appliance can be configured for firewall, anti-virus scanning, and application filtering.

8. Application filtering will allow you to determine if your network bandwidth is being used productively. There are a number of programs and activities that generate significant, but non-productive, traffic on your network (e.g., MP3 file sharing, multimedia audio or video streaming sites, webcams or active weather radar displays). Some of these should be turned off completely or restricted to non-critical, after-business hours.

9. Turn off all services that are not necessary on your servers (e.g., FTP, telnet, web serving).

10. Use VPN (Virtual Private Networking) connections for remote users and sites to encrypt the data at one end of the connection and decrypt it at the other end. This provides a "virtual tunnel" between the two sites which is not visible or accessible at any point in between.
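As an added example (not from the original article, PFW or IBM), the script below audits a set of exported OS/400 system values against items 3 and 4 and the password controls described earlier: security level, password expiration, failed sign-on tolerance and password length. QSECURITY, QPWDEXPITV, QMAXSIGN and QPWDMINLEN are OS/400 system values; the "NAME VALUE" export layout, the sample data and the minimum length of 6 are assumptions made for the example.

```python
# Added example: audit exported OS/400 system values against the checklist.
# SAMPLE is constructed; the "NAME VALUE" layout is an assumed export format,
# not the output of any OS/400 command.
SAMPLE = """\
QSECURITY   30
QPWDEXPITV  *NOMAX
QPWDMINLEN  4
QMAXSIGN    3
"""

def parse_sysvals(text):
    """Return {name: value} from 'NAME VALUE' lines, skipping blanks and comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {line!r}")
        values[parts[0].upper()] = parts[1].strip().upper()
    return values

def _as_int(value):
    """Numeric system value, or None for special values such as *NOMAX."""
    return int(value) if value.isdigit() else None

def audit(values, min_pwd_len=6):
    """Return a list of (sysval, finding). min_pwd_len is an assumed policy."""
    findings = []
    def check(name, ok, message):
        raw = values.get(name)
        if raw is None:
            findings.append((name, "not present in export"))
        elif not ok(_as_int(raw)):
            findings.append((name, f"{message} (found {raw})"))
    check("QSECURITY", lambda n: n is not None and n >= 40, "security level below 40")
    check("QPWDEXPITV", lambda n: n is not None, "passwords never expire")
    check("QMAXSIGN", lambda n: n is not None, "unlimited failed sign-on attempts")
    check("QPWDMINLEN", lambda n: n is not None and n >= min_pwd_len,
          f"minimum password length under {min_pwd_len}")
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_sysvals(SAMPLE)):
        print(f"{name}: {finding}")
```

A value missing from the export is reported as a finding rather than assumed safe, so an incomplete export cannot pass the audit.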

For more information about the IBM eServer i5, contact PFW Sales at (519) 474-3300, ext. 230 or .

 

Points to remember
  • Back up your system regularly
  • Maintain control over passwords
  • Set the OS/400 security level to 40
  • Educate users about security
  • Install virus protection software
  • Install a firewall
  • Filter applications for productivity
  • Turn off unnecessary services on your servers
  • Use VPN between remote sites