October 27, 2025 | IBM i

Building an IBM i Firewall using Exit Points


If not handled correctly, IBM i’s great connectivity can lead to great vulnerabilities. 

There are many different techniques that malevolent, ignorant, careless, or unauthorized users can use to remotely change, corrupt, or extract IBM i data, including:

For auditing, security, and reporting purposes, you need to know who is accessing your IBM i data and to be able to control that access. To harden and lock down user access to an IBM i system, consider implementing an IBM i exit point management tool such as SEA's iSecurity Firewall.

What IBM i Exit Point Managers do 

The IBM i OS doesn't come with its own out-of-the-box firewall of the kind you find in stand-alone network firewalls or on other servers. There are no preconfigured rules you can set up to manage system processing for access, security, validation, and other functions.

Instead, IBM provides exit points that are invoked from inside operating system requests such as Telnet and FTP sign-ons. Custom-written exit programs can be attached to IBM i exit points to add processing to OS functions. For example, a custom-written exit program attached to the FTP Server Logon exit point can implement its own firewall rules designating which users are allowed to start FTP sessions.

IBM i offers 160+ exit points for registering exit programs to different operating system functions, covering most of the access techniques listed above. By writing exit programs and registering them to exit points, IBM i shops can build their own firewalls, exit point by exit point.

There are two ways to build an IBM i firewall using exit points:

  1. By creating exit programs in-house and attaching them to IBM i exit points using operating system commands.
  2. By using a third-party IBM i exit point monitoring solution such as iSecurity Firewall that manages exit point configuration, activation, monitoring, and reporting.
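As an added illustration of the first approach (this is example code written for this article, not SEA's iSecurity code and not IBM's), here is a minimal in-house exit program for the FTP Server Logon exit point QIBM_QTMF_SVR_LOGON, format TCPL0100. It enforces an allowlist of user profile plus client address, writes an audit line for every decision, and has a simulate mode that logs what would be denied without blocking anyone, which is how you would trial a rule set before enforcing it. The rule table, the addresses, and the function names (`ftp_logon_allowed`, `ftp_logon_decision`, `ftp_logon_exit`) are constructed for this example; the TCPL0100 parameter order is written as I understand IBM's documentation of that format and must be checked against the documentation for your release before you register the compiled program with ADDEXITPGM EXITPNT(QIBM_QTMF_SVR_LOGON) FORMAT(TCPL0100).

```c
/* Added example: allowlist exit program for QIBM_QTMF_SVR_LOGON (TCPL0100).
 * Not SEA's or IBM's code. The parameter layout below is the author's
 * reading of the TCPL0100 format; verify it against your release's docs.
 * String comparisons assume the job CCSID matches the rule literals. */
#include <stdio.h>
#include <string.h>

#define FTP_LOGON_REJECT   0   /* TCPL0100 return code: reject the logon   */
#define FTP_LOGON_CONTINUE 1   /* TCPL0100 return code: normal logon processing */

/* One allowlist rule: a user profile and the client address it may use.
 * exact=1 requires the whole address to match; exact=0 matches a prefix
 * (so "10.1.20." covers a /24 written in dotted form). Sample data. */
struct ftp_rule {
    const char *user;
    const char *ip;
    int         exact;
};

static const struct ftp_rule ALLOW[] = {   /* constructed sample rules */
    { "APPUSER",  "10.1.20.", 0 },         /* application server subnet */
    { "OPSADMIN", "10.1.5.7", 1 },         /* one admin workstation      */
};

/* 1 = simulate: log what would be denied, but let every logon continue. */
static int simulate_mode = 0;

static int rule_matches_ip(const struct ftp_rule *r, const char *ip, size_t ip_len)
{
    size_t rlen = strlen(r->ip);
    if (r->exact)
        return ip_len == rlen && memcmp(ip, r->ip, rlen) == 0;
    return ip_len >= rlen && memcmp(ip, r->ip, rlen) == 0;
}

/* Pure rule evaluation: 1 if (user, ip) is covered by an allow rule, else 0.
 * The user id and address arrive as length-delimited fields, not C strings. */
int ftp_logon_allowed(const char *user, size_t user_len,
                      const char *ip, size_t ip_len)
{
    size_t i;
    for (i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        const struct ftp_rule *r = &ALLOW[i];
        if (strlen(r->user) == user_len &&
            memcmp(user, r->user, user_len) == 0 &&
            rule_matches_ip(r, ip, ip_len))
            return 1;
    }
    return 0;
}

/* Map the rule result to a TCPL0100 return code, honouring simulate mode,
 * and emit one audit line per decision so denied attempts are visible.
 * The authentication string is deliberately never logged. */
int ftp_logon_decision(const char *user, size_t user_len,
                       const char *ip, size_t ip_len, int simulate)
{
    int allowed = ftp_logon_allowed(user, user_len, ip, ip_len);
    const char *verdict = allowed ? "ALLOW" : (simulate ? "WOULD-DENY" : "DENY");
    /* A production exit program would write to a journal or message queue. */
    fprintf(stderr, "FTPLOGON user=%.*s ip=%.*s verdict=%s\n",
            (int)user_len, user, (int)ip_len, ip, verdict);
    return (allowed || simulate) ? FTP_LOGON_CONTINUE : FTP_LOGON_REJECT;
}

/* Entry point in TCPL0100 shape (every parameter passed by reference).
 * Return code 1 tells the FTP server to use the user id and authentication
 * string as given, so the profile/password/library outputs are left alone. */
void ftp_logon_exit(int *app_id, char *user, int *user_len,
                    char *auth, int *auth_len,
                    char *client_ip, int *ip_len,
                    int *return_code,
                    char *user_profile, char *password, char *init_lib)
{
    (void)app_id; (void)auth; (void)auth_len;
    (void)user_profile; (void)password; (void)init_lib;
    *return_code = ftp_logon_decision(user, (size_t)*user_len,
                                      client_ip, (size_t)*ip_len,
                                      simulate_mode);
}

int main(void)
{
    int app = 2, rc = -1, ulen = 7, ilen = 10, alen = 6;   /* constructed call */
    char user[] = "APPUSER", ip[] = "10.1.20.44", auth[] = "secret";
    char prof[10], pw[10], lib[10];
    ftp_logon_exit(&app, user, &ulen, auth, &alen, ip, &ilen, &rc, prof, pw, lib);
    printf("return code for APPUSER from 10.1.20.44: %d\n", rc);
    return 0;
}
```

The rule check is kept in a pure function so it can be unit tested off the box with constructed inputs; the entry point only unpacks the exit point's parameter list and writes the return code. Run with `simulate_mode = 1` for a period, review the WOULD-DENY lines, and only then switch to enforcement.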

Why people don’t use IBM i exit point managers

Many people don't believe they need an IBM i exit point manager. They believe they are protected because their IBM i servers sit behind a network firewall. But while a network firewall stops outsiders from reaching your internal network, it does little to prevent internal users, or external users already inside your network, from doing harmful things on your IBM i.

Many IBM i security breaches are carried out by users already inside the network firewall. Aside from truly malicious actors, these breaches occur when an internal or remote user runs dangerous commands because they have excessive authority or access to commands they should not be able to run. Other breaches occur because users "borrow" other users' passwords to perform system actions they are not permitted to perform. A network-based firewall can do nothing to stop any of these actions.

Why you need an IBM i exit point manager 

To help stop data corruption, malicious updates, or unauthorized access, you need an IBM i exit point management solution such as iSecurity Firewall. An exit point manager goes beyond the basic protection a typical network firewall provides and lets you control access from known external sources. After access is granted, the exit point manager can also monitor and control what authorized users can do with that access. Some of the more common features available in IBM i exit point management solutions include:

  • Blocking or enabling user access based on common communication protocols (TCP/IP, FTP, ODBC, Telnet, SQL, etc.).
  • Specifying what actions users may take after access is granted.
  • Protecting native IBM i objects and IFS objects against malicious threats.
  • User access logging and filtering to investigate and detect suspicious activity on your system.
  • Report generation to create audit documentation for regulatory standards such as PCI DSS, SOX, HIPAA, and others.
  • A test mode in which you can simulate the results of proposed exit point restrictions before they are put into place.
  • Access logging and filtering to support forensic work when a breach occurs.

The three benefits of an IBM i exit point manager 

An IBM i exit point manager allows you to do three things:

  1. Secure your IBM i system against all types of unauthorized access.
  2. Provide graphical inquiry capabilities and activity logging for forensic research when a breach occurs, using business intelligence functionality such as that found in the iSecurity Visualizer BI tool (Figure 1).
  3. Provide management and auditor reporting detailing user access activity and breaches.

Figure 1: The iSecurity Visualizer BI tool provides graphical analysis capabilities for activity logging and forensic research 

While network firewall protection is critical as a first line of defense for keeping bad actors out of your network, it is not enough to fully protect your IBM i from the damage a single bad actor or internal user can do. Most organizations can benefit from IBM i exit point protection that goes beyond what a network firewall alone can provide.

If you’d like to learn more about how an IBM i exit point manager can help protect your sensitive and critical data, please feel free to contact us at SEA Software.