Bsafe Puts a Smack Down on Rouge IP Traffic

September 11, 2007 Alex Woodie

Earlier this month, Bsafe Information Systems introduced a new security product that provides IP packet filtering for System i servers. Called IP Packet Lockdown, the new product gives users more control over exactly which IP addresses, and through which ports, are allowed access to the system. The new product will provide another layer of security, especially when coupled with i5/OS’s exit-point security.

IP packet filtering is a security technique that is often used inside firewalls to block unwanted Internet traffic. It’s a platform-neutral technology that doesn’t have anything to do specifically with the System i server, but it can be as useful in protecting System i servers as any other server. IBM offers IP packet filtering as one of the configurable options through iSeries Navigator, but it hasn’t been adopted much by third-party security software vendors, who have been more focused on technologies that are specific to OS/400 and i5/OS, namely exit points.

While IP packet filtering is relatively unknown in the System i world, being relegated to the “network guys,” Bsafe doesn’t see any reason why IP packet filtering shouldn’t be implemented and controlled with the same security software used to lock-down the most sensitive server in System i shops–the System i itself. To that end, Bsafe launched IP Packet Lockdown, which functions as an add-on to Bsafe’s flagship product, Bsafe/Enterprise Security.

IP Packet Lockdown controls Internet traffic through a series of granular rules governing exactly how Internet traffic will be allowed onto the System i server, as well as how Internet traffic will be allowed to depart. The main parameters used to configure the rules are source IP address and port, and destination IP address and port. If the address and port do not match what is allowed, IP Packet Lockdown blocks the data before it even reaches the port. As such, it functions largely above the operating system.

Bsafe tried to simplify the IP packet filtering configuration process by allowing rules to be set up for ranges of IP addresses and ports. IP addresses and ranges can also be augmented with descriptions like “Bob’s PC” or “main building,” which makes it easier for administrators to recognize specific resources. After all, keeping track of hundreds or thousands of long IP address and what they represent can be a mind-numbing task.

IP Packet Lockdown executes rules in numerical order, which means the most general rules should be listed first, followed by the more specific, restrictive rules. Rules can be enabled or disabled at any time. The software also logs all IP activity for later analysis through Bsafe/Enterprise Security Manager’s Windows-based GUI client or the product’s native green-screen interface. The data can also be off-loaded to Bsafe’s Cross-Platform Audit (CPA) product, which combines security information from various platforms, including i5/OS, mainframe, Windows, AIX, and Linux, for more detailed analysis.

IP packet filtering can provide a valuable service to System i shops, even those that have invested in other forms of network security protection, such as object-level security and exit-point security. When requests arrive via generic user profiles, such as QTCP, it can be difficult to determine the exact nature of the request. In these cases, tracing the actual source of the network request, such as through IP packet filtering, can be very useful in saying whether a user request is legitimate or poses a security threat.

Of course, because it lacks detailed information about the request, such as the user name of the requestor, IP packet filtering is limited in its usefulness. But in combination with other forms of protection, it can be very useful.

“It is a first-level of defense,” says Bsafe spokesman Neil Leigh. “IP packet filtering is done at a different phase of the request’s path to its destination, when compared to exit points. It is intercepted the moment the request arrives at the System i port, before the OS/400-specific information is known.” Similarly, if it is an outgoing request, it is intercepted just before being transmitted to the port.

The combination of packet filtering and exit point protection makes Bsafe/Enterprise Security stronger, says Shimon Bouganim, Bsafe’s CEO. “With Bsafe’s new IP Packet Lockdown, we are the only company providing double protection and double auditing in one package,” he says.

IP Packet Lockdown is available now. The product requires Bsafe/Enterprise Security version 5.5.2 or higher. Pricing ranges from $2,000 to $10,000. For more information, visit www.bsafesolutions.com.