OPS500 - Lecture # 7
Chapter 7: Network Security
· Network security must be part of your security plan and implementation.
· By definition, a network lets users access your AS/400 who don't have a direct connection to it. Many times, attachment is not by way of terminal emulation.
· You might have program-to-program communications, Distributed Data Management (DDM) communications, Open Database Connectivity (ODBC), and FTP file transfer protocol and download requests through Client Access.
To understand the security problems and solutions in a networked environment, you must understand a variety of AS/400 concepts, including physical network security, network configuration security and network security attributes, and DDM, Client Access, and ODBC security.
Physical Security
· Physical network security helps prevent inadvertent damage as well as intentional abuse and misuse.
· If you don't physically secure your network, inevitably a janitor or an employee's child will trip over a wire and possibly sustain personal injury as well as damage your equipment.
· Some parts of a network can't be physically secured (e.g., phone lines, vendor-controlled switch boxes); however, by taking some practical, commonsense steps, you can achieve an acceptable level of physical security.
Network Configuration
· When your AS/400 is installed, it auto configures the console and internal system features.
· After installation, however, you should turn off the auto configuration option except while you're physically adding devices to the system.
· It's important that you control how physical devices are attached to your system.
To turn off auto configuration, change system value QAUTOCFG to '0' (zero):
CHGSYSVAL SYSVAL(QAUTOCFG) VALUE('0')
Network Security Attributes
The system stores network-related values in network attributes, a collection of data that drives the AS/400's original, high-level networking functions. Three network attributes relate specifically to security:
- JOBACN (Job Action)
- PCSACC (PC Support Access)
- DDMACC (DDM Access)
· You can use the DSPNETA (Display Network Attributes) command to view the values for these attributes.
· Any user profile that has *ALLOBJ and *SECADM special authority can use the CHGNETA (Change Network Attributes) command to modify the network attribute values.
JOBACN: Determines how your AS/400 responds to incoming job streams from other systems in your network. This network attribute can have one of three values: *REJECT, *
· *REJECT causes the target system to reject the input job stream. When a job is rejected, the system sends a message to both the originating user profile and the intended recipient stating that the input stream was rejected.
· *SEARCH instructs the system to search the network job action table for information about how to control the incoming job stream. The network job action table holds information about how the system is to handle specific requests. Each record in the table consists of the sender's ID, the action the local system is to take for that sender's requests, the user profile to use when submitting the job if the action desired is *SUBMIT, and the job queue to use for submitting the job. (For detailed information about how to use the network job action table, see the
PCSACC: Determines how the local system processes requests from PCs that use PC Support or from original Client Access clients. PCSACC can have one of four values: *REJECT, *REGFAC, *OBJAUT, or the name of an exit program.
DDMACC: Determines how your system processes DDM requests from remote systems. The local system receives a DDM request when a remote system attempts to access data using a file, data area, or data queue whose type is *DDM. The three possible values for the DDMACC attribute are *REJECT, *OBJAUT, or the name of an exit program. We discuss these values in detail in the section "System-Related Security Attributes" a little later in this chapter.
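As an added example (not from the lecture), the following CL program retrieves the three security-related network attributes with RTVNETA and sends an informational message for any setting that accepts incoming job streams or leaves request screening to object authority alone (*OBJAUT). It assumes the standard RTVNETA return variables: JOBACN as 10 characters, PCSACC and DDMACC as 20 characters (value or exit program name in positions 1-10, library in 11-20).

```cl
/* Constructed audit program (added example, not from the lecture).        */
/* Checks JOBACN, PCSACC and DDMACC and reports settings worth reviewing.  */
PGM
   DCL VAR(&JOBACN) TYPE(*CHAR) LEN(10)   /* *REJECT, *SEARCH, ...         */
   DCL VAR(&PCSACC) TYPE(*CHAR) LEN(20)   /* value or exit pgm + library   */
   DCL VAR(&DDMACC) TYPE(*CHAR) LEN(20)   /* value or exit pgm + library   */
   DCL VAR(&MSG)    TYPE(*CHAR) LEN(132)

   /* Assumed RTVNETA keywords: JOBACN(10), PCSACC(20), DDMACC(20) */
   RTVNETA JOBACN(&JOBACN) PCSACC(&PCSACC) DDMACC(&DDMACC)

   /* JOBACN: anything other than *REJECT accepts work from other systems, */
   /* so the network job action table must be reviewed deliberately.       */
   IF COND(&JOBACN *NE '*REJECT') THEN(DO)
      CHGVAR VAR(&MSG) VALUE('JOBACN=' *CAT &JOBACN *TCAT +
                             ': incoming job streams are not rejected')
      SNDPGMMSG MSG(&MSG) MSGTYPE(*INFO)
   ENDDO

   /* PCSACC: *OBJAUT means PC Support / Client Access requests are */
   /* checked against object authority only; no exit program runs.  */
   IF COND(%SST(&PCSACC 1 10) *EQ '*OBJAUT') THEN(DO)
      CHGVAR VAR(&MSG) VALUE('PCSACC=*OBJAUT: no exit program ' *CAT +
                             'screens PC requests')
      SNDPGMMSG MSG(&MSG) MSGTYPE(*INFO)
   ENDDO

   /* DDMACC: same concern for DDM (and ODBC over DDM/DRDA) requests. */
   IF COND(%SST(&DDMACC 1 10) *EQ '*OBJAUT') THEN(DO)
      CHGVAR VAR(&MSG) VALUE('DDMACC=*OBJAUT: no exit program ' *CAT +
                             'screens DDM requests')
      SNDPGMMSG MSG(&MSG) MSGTYPE(*INFO)
   ENDDO

   /* If an exit program is named, report LIBRARY/PROGRAM so it can be */
   /* cross-checked against WRKREGINF and the program's owner/authority. */
   IF COND(%SST(&DDMACC 1 1) *NE '*') THEN(DO)
      CHGVAR VAR(&MSG) VALUE('DDMACC exit program: ' *CAT +
                             %SST(&DDMACC 11 10) *TCAT '/' *CAT +
                             %SST(&DDMACC 1 10))
      SNDPGMMSG MSG(&MSG) MSGTYPE(*INFO)
   ENDDO
ENDPGM
```

Compile with CRTCLPGM and run it under a profile with *ALLOBJ and *SECADM; the messages appear in the job log, where they can be compared with the DSPNETA output.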
Data Transfer and Remote Command Issues
· Client Access provides the ability to transfer data and run remote commands.
· If you let users take advantage of these capabilities (i.e., if you don't use an exit program, policy, or Application Administration to disallow them), you need to be aware of the consequences with regard to the confidentiality of your data.
· Remember, all files with *PUBLIC (*USE) authority can be downloaded.
· Files with *PUBLIC (*CHANGE) authority can be downloaded, changed, and uploaded.
· Letting users run remote commands is like letting users submit batch commands:
o The AS/400 doesn't check the user profile's LMTCPB parameter. However,
ODBC Security Considerations
· ODBC is a set of standard interfaces developed to provide easy access to databases. Vendors who provide ODBC have four choices when accessing DB2 UDB for AS/400: they can use the ODBC server provided with Client Access, use DDM, use DRDA, or write their own ODBC server.
· Most vendors seem to use DRDA to access DB2 data. Because most vendors use DRDA, exit programs written for the Client Access ODBC server exit points are not called.
· Exit programs for ODBC running over either DRDA or DDM are registered under the DDMACC network attribute using the CHGNETA command. Programs registered for the ODBC exit points in the registration facility are called only when the
· If your users use ODBC, you need to carefully monitor that use.
· ODBC is designed to make it easy to write an application to access information stored in a database. Any database file that has public authority of at least *USE can be read through ODBC.
· With stored procedures, you can secure your data and still use ODBC. Because stored procedures are programs, you can use adopted authority to access data while the stored procedure runs and protect the file containing the data from access through other interfaces by setting its public authority to *EXCLUDE. (For more information about programs that adopt authority, see "Adopted Authority" in Chapter 4.)
· Alternatively, after you authenticate a user in a stored procedure, you can use the Security APIs to swap to a user profile that has authority to the database while retaining *EXCLUDE public authority. (For more information about profile swapping, see the "Profile Swapping" section in Chapter 10.)
Viruses
· Network-attached PCs are susceptible to viruses. A new virus seems to be in the news at least once a month. Although a virus that can infect a PC or an executable attached to an e-mail message won't affect OS/400, OS/400 can be a "carrier" for these types of viruses.
· Because data stored in shared folders or the
· You could encounter a virus on a PC and remove it, only to promptly re-infect the PC when the user next downloads data from the AS/400.
· To scan for a virus in the
Helpful Tools
Here's a tool that can help you monitor aspects of network security.
| Security tool | Description |
|---|---|
| WRKREGINF (Work with Registration Information) | Prints a list of all registered exit points and the programs associated with them. Use this command to track exit programs in the registration facility. |
Last Updated: July 18, 2009