November 27, 2023 | IBM i

Protecting IBM i Access with Custom Written Exit Point Programs…Or Not

You can use DIY exit programs to provide firewall-like capabilities, but should you? 

The IBM i OS doesn’t come with a native firewall server, as you’d find with other operating systems.

For adding firewall-like capabilities and logic, IBM i provides exit points. Exit points extend IBM i functionality by using custom programming. They allow developers to insert custom code (exit programs) into system functions to perform additional actions, validations, security authorizations or custom logic.

For example, you can attach a custom-written program to an FTP Server Logon exit point that can determine which users can and cannot start FTP sessions. There are 160+ IBM i exit points for registering exit programs that can add additional user-defined requirements to different operating system functions, including: 

  • TELNET access via 5250 screens, command prompts, PuTTY, etc. 
  • ODBC data sources used in desktop application software such as Microsoft Excel 
  • FTP (File Transfer Protocol) 
  • SQL Access 
  • Working with Integrated File System (IFS) stream file objects (opening, closing, deleting, etc.) 
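The FTP Server Logon case described above, as an added example that is not part of the original post: a C sketch of the decision logic an exit program attached to the FTP server logon exit point might implement, written fail-closed so that a parsing problem or an unlisted user is a rejection rather than an accidental accept. The allow-list, the return codes (0 = reject, 1 = accept) and the function name are assumptions; the exit point's real parameter list is not reproduced, so check IBM's documented parameter format before registering anything.

```c
/* Added example, not SEA's or IBM's code. Models the decision part of an FTP
 * server logon exit program. Exit-point string fields arrive blank-padded and
 * length-delimited, not NUL-terminated; handling that correctly is the point. */
#include <string.h>
#include <ctype.h>
#include <stddef.h>

enum { FTP_LOGON_REJECT = 0, FTP_LOGON_ACCEPT = 1 };   /* assumed return codes */

/* Constructed allow-list: which profiles may start FTP sessions, and from
 * which source networks (dotted-decimal prefix). */
static const struct { const char *user; const char *net_prefix; } allow_list[] = {
    { "FTPBATCH", "10.1.20." },
    { "EDIUSER",  "10.1."    },
};

/* Copy a blank-padded, fixed-length field into a trimmed, upper-cased,
 * NUL-terminated buffer. Returns 0 (caller must reject) if it does not fit. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t len) {
    while (len > 0 && src[len - 1] == ' ') len--;       /* trim trailing blanks */
    if (len >= dstsz) return 0;                          /* never silently truncate */
    for (size_t i = 0; i < len; i++) dst[i] = (char)toupper((unsigned char)src[i]);
    dst[len] = '\0';
    return 1;
}

/* Decide whether the logon may proceed. Anything not explicitly allowed,
 * including malformed input, is rejected (fail closed). The trimmed exact
 * compare matters: a prefix compare on the raw padded field would let a
 * profile such as FTPBATCHX pass as FTPBATCH. */
int ftp_logon_decision(const char *user_id, size_t user_len,
                       const char *client_ip, size_t ip_len) {
    char user[11];                                       /* user profile: max 10 chars */
    char ip[46];                                         /* IPv6 text form: max 45 chars */
    if (!copy_field(user, sizeof user, user_id, user_len)) return FTP_LOGON_REJECT;
    if (!copy_field(ip, sizeof ip, client_ip, ip_len))     return FTP_LOGON_REJECT;

    for (size_t i = 0; i < sizeof allow_list / sizeof allow_list[0]; i++) {
        size_t plen = strlen(allow_list[i].net_prefix);
        if (strcmp(user, allow_list[i].user) == 0 &&
            strncmp(ip, allow_list[i].net_prefix, plen) == 0)
            return FTP_LOGON_ACCEPT;
    }
    return FTP_LOGON_REJECT;
}
```

A registered exit program would unpack the real parameter list, call this decision routine, and write the result into the exit point's return-code parameter; keeping the decision in a pure function like this is what makes it testable before it ever touches a live system.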

The risk in using IBM i exit points 

Exit points and exit programs are a powerful tool for extending and providing additional firewall-like processing to IBM i operating system functions.

But there is one critical thing to understand about IBM i exit programs.

When invoked by an exit point, exit programs change how IBM i system functions operate. Exit points operate within and become part of your IBM i security, administration and configuration infrastructure.

When exit programs are improperly coded, they introduce risk: they can block legitimate system access, open system vulnerabilities, increase ransomware and virus exposure, and allow cyberattacks on your system. Security holes in an exit program can result in data breaches, corrupted or stolen data, reputational damage and legal liability. Performance issues can result in lost revenue and downtime.

Issues may arise from improper or incomplete design of custom exit programs. An exit program must handle many details, both large and small. It must also be maintained through the staff changes that come with normal business cycles, and that maintenance must keep pace with security enhancements IBM adds to the operating system by PTF or OS upgrade.

The lesson here is to be cautious and diligent when deploying exit programs.

For more information about IBM i exit points, see SEA’s Guide to Understanding IBM i Security Exit Points. 

An alternative to DIY exit point programming 

There are alternatives to using custom-written exit programs for adding firewall-like capabilities and rules to your IBM i systems.

Consider whether your exit point programming needs can be better met by using a third-party exit point monitoring solution such as iSecurity Firewall, instead of creating and deploying user-written exit point programs. 

In general, third-party exit point monitoring solutions offer these benefits over creating your own exit programs:

1. Out-of-the-box exit point security, firewall and intrusion protection: Third-party solutions can manage authorized user access upon installation. IBM i-based firewall, intrusion prevention system (IPS) and exit point capabilities are immediately available for monitoring and controlling system activity, including: 

  • Database access 
  • File Transfer
  • FTP
  • ODBC
  • SQL
  • TELNET

With user-written exit programs, new capabilities for these functions must be designed, coded, tested and deployed from scratch.

2. Using an established & supported solution, enhanced over time: Third-party exit point security solutions have been developed, established and hardened over several years. They include software support, upgrades & fixes. Solutions are usually enhanced over time, providing new capabilities on a regular basis. Established third-party exit point solutions may also be preferred by enterprise security personnel over user-written programs. User-written security-related exit programs may not be immediately hardened upon deployment and need to be supported internally for new versions, application errors and fixes. New exit point programs may never have been deployed in a live environment and may be more vulnerable to failure or cyberattacks.

3. Freeing up application resources for line-of-business processing: With third-party solutions, administrative & security personnel configure exit point, firewall & IPS processing, freeing up busy application talent to work on line-of-business solutions. In contrast, applications staff must code, test and deploy user-written exit programs.

4. Advanced security reporting: Third-party solutions offer much more comprehensive and audit-ready reporting solutions than are available with user-written exit programs. Native IBM i exit point reporting options are more limited.

5. Simulation testing before going live: Third-party solutions often offer simulation mode, where exit point & firewall capabilities can be tested before going live. Similar capabilities must be custom coded in user-written exit programs.

Beyond exit point security 

You can reduce the risk that exit points can cause by implementing a solution like SEA’s iSecurity Firewall to monitor and protect your system from unauthorized access. You can also use iSecurity Firewall’s simulator to test-drive security changes before rolling out each change, a feature that many other solutions don’t provide. Solutions like iSecurity Firewall make sure that you can easily track who is accessing your exit points and more importantly, prevent them from being able to perform tasks that put your critical data at risk.