May 11, 2026 | IBM i

Avoiding IBM i Exit Point Programming Risk

You can use DIY exit programs to provide IBM i firewall-like capabilities, but should you?  

 

The IBM i OS doesn’t come with its own native firewall server. For adding firewall-like capabilities and logic, IBM i provides exit points and exit programs. 

 

Exit points and DIY exit programs are powerful tools for extending IBM i operating system functions with firewall-like processing. They also introduce several security, efficiency, and operational risks that can be avoided by using an IBM i exit point manager solution such as iSecurity Firewall.

 

This blog examines how IBM i exit points work, the risks involved in DIY exit programming, and how third-party exit point managers mitigate and avoid those risks. 

 

How IBM i exit points work 

 

Exit points extend IBM i native functionality by using custom programming. They allow developers to insert custom code (exit programs) into system functions to perform additional actions, including user validation, remote access control, security checking, and other organization-specific requirements, when processing native IBM i features.

 

There are 160+ IBM i exit points for registering exit programs that can add additional user-defined requirements to different operating system functions, including:  

  • TELNET access  
  • ODBC  
  • FTP (File Transfer Protocol)  
  • SQL access  
  • Integrated File System (IFS) access 

Related reading: Using Exit Point Programming to Control IBM i Access  

 

 

The risks in using IBM i exit programming 

 

When invoked by an exit point, exit programs change how IBM i system functions operate. Exit programs operate within and become part of your IBM i security, administration and configuration infrastructure.  

 

Improperly coded exit programs create risk: they can disable system access, open up system vulnerabilities, expose the system to ransomware and viruses, and allow cyberattacks on your system. Security holes can result in data breaches, corrupted or stolen data, reputational damage, and legal liability. Performance issues can result in lost revenue and downtime.

 

Exit program maintenance must be done even when there are staff changes due to normal business cycles, downsizing, or layoffs. Maintenance must include bug fixes, compatibility issues, and enabling IBM i operating system changes delivered by PTF or OS upgrade.

 

The lesson here is to be cautious and diligent when deploying exit programs.  

 

Related reading: SEA’s Guide to Understanding IBM i Security Exit Points. 

 

Third-party exit point managers reduce exit programming risk 

 

Consider whether your IBM i security and operational needs can be better met by using a third-party exit point management solution such as iSecurity Firewall, instead of creating and deploying user-written exit programs.  

 

Third-party exit point manager solutions reduce the risk involved when using DIY exit programs for enhanced security, including:

1. Out-of-the-box exit point security, firewall, and intrusion protection: With DIY exit programming, new capabilities for enhanced functionality must be designed, coded, tested and deployed from scratch.  

Exit point managers can manage authorized user access upon installation. IBM i-based firewall, intrusion prevention system (IPS), and advanced security capabilities are immediately available for monitoring and controlling system activity. 

 

2. Using an established & supported solution, enhanced over time: Third-party exit point management solutions have been developed, established and hardened over several years. They include software support, upgrades & fixes. They are enhanced over time, providing new capabilities on a regular basis, and are generally preferred by enterprise security personnel over DIY exit programs.

DIY security-related exit programs may not be immediately hardened upon deployment and need to be supported internally for new versions, application errors and fixes, making them more vulnerable to failure or cyberattacks.  

 

3. Freeing up application resources for line-of-business processing: With exit point manager solutions, administrative & security personnel configure exit point, firewall & IPS processing, freeing up busy application talent to work on line-of-business solutions. In contrast, applications staff must continually code, test and deploy user-written exit programs. 

 

4. Advanced security reporting: Third-party solutions offer much more comprehensive and audit-ready reporting solutions than are available with user-written exit programs, including built-in report generators and query capabilities.  

 

5. Simulation testing before going live: Third-party solutions often offer simulation mode, where exit point & firewall capabilities can be tested before going live. Similar capabilities must be custom coded into user-written exit programs. 
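
An added example, not code from SEA or from the original post: a portable C model of the decision logic a user-written exit program would need in order to offer its own simulation mode alongside default-deny enforcement. The rule set, all names, and the log format are assumptions, and no IBM i exit point parameter format or API is used.

```c
#include <stdio.h>
#include <string.h>

/* Portable model only: every name here is hypothetical, and no IBM i
   exit point parameter format or API is used. */
enum verdict { REJECT = 0, ALLOW = 1 };
enum mode { MODE_SIMULATE, MODE_ENFORCE };

struct rule {
    const char *user;      /* user profile, or "*" for any */
    const char *ip_prefix; /* leading characters of the remote address */
    const char *service;   /* e.g. "FTP", "ODBC" */
};

/* Constructed allow-list; anything not matched is rejected. */
static const struct rule RULES[] = {
    { "APPSVC", "10.1.",   "ODBC" },
    { "*",      "10.1.5.", "FTP"  }, /* trailing dot: 10.1.50.x must not match */
};

struct decision {
    enum verdict by_rules;  /* what the rule set decided */
    enum verdict effective; /* what is returned to the calling server */
};

static int matches(const struct rule *r, const char *user,
                   const char *ip, const char *svc)
{
    return (strcmp(r->user, "*") == 0 || strcmp(r->user, user) == 0)
        && strncmp(ip, r->ip_prefix, strlen(r->ip_prefix)) == 0
        && strcmp(r->service, svc) == 0;
}

struct decision evaluate(enum mode m, const char *user,
                         const char *ip, const char *svc)
{
    struct decision d = { REJECT, REJECT }; /* default deny */
    size_t i, n = sizeof RULES / sizeof RULES[0];
    /* Missing or empty input never matches a rule, so it stays rejected. */
    if (user && ip && svc && *user && *ip && *svc)
        for (i = 0; i < n && d.by_rules == REJECT; i++)
            if (matches(&RULES[i], user, ip, svc))
                d.by_rules = ALLOW;
    /* Simulation lets the request through but records the would-be block. */
    d.effective = (m == MODE_SIMULATE) ? ALLOW : d.by_rules;
    if (d.by_rules == REJECT)
        fprintf(stderr, "%s user=%s ip=%s svc=%s\n",
                m == MODE_SIMULATE ? "WOULD-REJECT" : "REJECT",
                user ? user : "?", ip ? ip : "?", svc ? svc : "?");
    return d;
}
```

Reviewing the `WOULD-REJECT` lines collected in simulation mode before switching to enforcement shows which legitimate users a rule set would have locked out.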

 

 

Beyond exit point security  

 

You can reduce the risk that exit points can cause by implementing a solution like SEA’s iSecurity Firewall to monitor and protect your system from unauthorized access. You can also use iSecurity Firewall’s simulator to test-drive security changes before rolling out each change, a feature that many other solutions don’t provide. Third-party exit point managers make sure that you can easily track who is accessing your exit points and, more importantly, prevent users from being able to perform tasks that put your critical data at risk.