Firewall Software: Why You Need an IBM i Firewall

Firewall Software: Why You Need an IBM i Firewall

Great openness can leads to great vulnerabilities, if not handled correctly.

Take the IBM i operating system, for example. There are at least nine different techniques that malevolent, ignorant, careless, or unauthorized users can use to remotely change IBM i data. These techniques include:

1. FTP, which can run remote commands affecting data after someone starts an FTP session with your IBM i.
2. ODBC, a favorite IBM i remote access technique for anyone who’s everyone wanted to import IBM i data into Microsoft Excel or Word.
3. JDBC, OLE DB, and other remote access technologies.
4. Visual Basic and Net.Data, preferred connection techniques for Microsoft professionals.
5. SQL, which runs over and inside remote access techniques.
6. The Data Transfer function that’s been available in every version of Client Access, iSeries Access, IBM i Access, and IBM Access Client software that’s ever been issued.
7. The Run Command feature that’s also been available in IBM remote access software.
8. Other IBM i TCP/IP servers that handle outside access.
9. Good old fashioned green screens, available locally via TCP/IP and remotely via VPN connections.

For auditing, security, and reporting purposes, you need to know who’s accessing your IBM i data outside of your system applications. To really lock down security on an IBM i, you need to add a prevention tool such as SEA’s iSecurity Firewall to your system.

Why People Don’t Install IBM i firewall software

Many people don’t believe they need an IBM i firewall software solution. They believe that they’re protected because their networks or subnets reside behind a network firewall. But while a network firewall stops bad actors from accessing your internal networks, it doesn’t do much to prevent internal or external users from doing bad things on your IBM I, who are usually on your network.

Many IBM i security breaches are implemented by users already inside your network firewall. Aside from truly bad actors, these breaches occur by an internal or remote user executing dangerous commands because they have excessive authority or access to commands they shouldn’t be able to run. Other breaches occur because users “borrow” other user passwords to perform system actions they shouldn’t run. Again, a network-based firewall can do nothing to stop any of these actions.

Why you need an IBM i firewall software solution

To stop data corruption, malicious updates, or unauthorized access, you need an IBM i firewall product, such as iSecurity Firewall. An IBM i firewall goes beyond the basic security that a typical network firewall provides and allows you to control access from known external sources. After access is granted, the IBM i Firewall can also control what authorized users can do with their access. Some of the more common features that are available with IBM i firewall software include:

• Exit point and TCP/IP server protection.
• Blocking or enabling user access based on typical communication protocols (TCP/IP, FTP, ODBC, Telnet, SQL, etc.).
• Specifying what actions users may take after access is granted.
• Protecting native IBM i objects and IFS objects against malicious threats
• User access logging and filtering to investigate and detect suspicious activity on your system.
• Report generation to create audit documentation for regulatory standards such as PCI DSS, SOX, HIPAA, and others.
• Providing a test mode where you can simulate the results of proposed firewall restrictions before they are put into place.
• Access logging and filtering to perform forensic work when a breach occurs.

The benefit of adding an IBM i firewall package to your system is that it allows you to do three things:

1) secure your IBM i system against all types of unauthorized access

2) provide graphical inquiry and reporting of logged activity for performing forensic research when a breach occurs, using a tool like the iSecurity Visualizer BI tool (figure 1)

3) provide management and auditor reporting detailing user access activities and breaches.

While network firewall protection is critical as a first line of defense for keeping bad actors out of your network, it’s not enough to fully protect your IBM i from the damage a single bad actor or internal user can perform. Most organizations can benefit from IBM I firewall protection that goes beyond what a network firewall alone can do.

If you’d like to learn more about how an IBM i firewall your sensitive and critical data, please feel free to contact us at SEA Software.