Fresche Bolsters MFA with IBM i Exit Point Coverage
December 6, 2023 Alex Woodie
Organizations relying on Fresche Solutions’ multi-factor authentication (MFA) to protect their IBM i assets can now implement more fine-grained enforcement by protecting access to IBM i exit points, the company announced recently. The MFA offering also now hooks into enterprise-level MFA solutions.
MFA has emerged as a minimum standard for protecting critical IT assets and data, as well as for preventing ransomware attacks. Even if a cybercriminal were to obtain the user ID and password to access sensitive applications and data, MFA serves as a difficult-to-overcome barrier that slows, if not prevents, them from actually getting into systems.
Fresche Solutions recently added an MFA option to the Fresche Security Suite, the collection of IBM i security and auditing tools largely based on its 2022 acquisition of Trinity Guard, which was the spiritual successor to PentaSafe based in Houston, Texas.
The company launched TGMFA in late 2022 with the capability to intercept a 5250 Telnet session and force users to authenticate themselves via one-time passcode (OTP) or via a third-party authenticator app, says Pauline Brazil Ayala, a Trinity Guard co-founder and Fresche’s vice president of compliance and security solutions.
“As far as the backend goes, there’s nothing else required to implement the Telnet MFA for IBM i sessions,” she tells IT Jungle. “That’s what we were starting out with. A lot of people seem to like that. Some environments are conducive to keeping everything on the IBM i and they had admins like that they could get it up and running on their own.”
TGMFA’s capabilities have been greatly enhanced with the latest release of the Fresche Security Suite. For starters, TGMFA now supports the Remote Authentication Dial-In User Service (RADIUS) protocol, which is used to connect enterprise MFA products with protected endpoints. That enables TGMFA to participate in a company’s enterprise-wide MFA strategy, Brazil Ayala says.
“If they’re using MFA in their overall environment already, they have an IBM i agent [with TGMFA],” she says. “They can configure their users there, and then use an enterprise authenticator, like NetIQ Advanced Authentication, SecureAuth, Okta, or whatever they’re using. They just plug it into that, and then someone else is managing the enterprise-level configuration of that solution, and they just have an easier time with getting it up and running on an IBM i.”
Enterprise-level authentication apps, such as NetIQ Advanced Authentication, which Brazil Ayala says is apparently popular among IBM i shops, support a variety of methods to authenticate users, such as biometrics (thumbprint, facial recognition), one-time passwords, cards, SMS-based codes, geo-fencing, and others. Support for RADIUS enables vendors like Fresche to concentrate on supporting the endpoints they specialize in (in this case, IBM i) while leaving the complexity of managing enterprise MFA environments to somebody else.
Another major new feature in TGMFA is support for IBM i exit points. Instead of just triggering an MFA session when users try to log into the IBM i server via 5250 Telnet screens, Fresche now allows customers to trigger an MFA session whenever the user tries to access an exit point.
Since ransomware often traverses the file server exit point, TGMFA could effectively shut down potential ransomware attacks on the IBM i server’s Integrated File System (IFS), says Alan Hamm, a senior security services engineer with Fresche, which is headquartered in Montreal, Quebec.
“Let’s say the ransomware were to just kick in and you had a mapped drive to the IBM i,” Hamm explains. “Well, if you’re leveraging the exit points and the MFA challenge, as soon as that ransomware or an end user clicks on that drive, their phone is going to pop up with a message that says ‘Hey, do you want to approve this? Do you want to continue?’
“And if you say no or just let it time out, that user or that malware or that ransomware is not going to be able to hit that IFS, because it’s not going to be approved,” he continues. “So that’s one of the major layers of security that we’re now preaching or teaching with this MFA capability, is to protect your IFS with it.”
IBM i provides dozens of exit points, which Fresche helps customers lock down through TGSecure, its network security tool. Connecting those exit points to MFA adds another valuable layer of security for administrators to work with.
“We recommend that you put MFA over your ODBC and over your FTP as well,” Hamm says. “You might want to whitelist applications because you need them to work the way that you need them to work. But anything that’s non-normal, that’s what you want to challenge.”
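To make the policy Hamm describes concrete (allowlisted applications pass, anything non-normal is challenged, and a rejected or unanswered challenge fails closed), here is a small Python model. It is an added illustration, not Fresche’s code: the exit-point labels, application names and user IDs are constructed placeholders, and the MFA prompt is a callback standing in for a real authenticator.

```python
"""Toy model of MFA enforcement at an exit point (hypothetical, not TGMFA code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed labels for the exit points the article mentions (file server, ODBC, FTP).
# Per-exit-point allowlist of client applications that may pass without a challenge.
ALLOWLIST: Dict[str, Set[str]] = {
    "FILE_SERVER": set(),            # nothing reaches the IFS without a challenge
    "ODBC": {"NIGHTLY_REPORTING"},   # a known batch client that must keep working
    "FTP": set(),
}

@dataclass
class ExitRequest:
    exit_point: str
    user: str
    client_app: str

@dataclass
class Decision:
    allowed: bool
    reason: str

# The prompt returns True (approved), False (rejected) or None (timed out, no answer).
MfaPrompt = Callable[[str], Optional[bool]]

def evaluate(req: ExitRequest, prompt: MfaPrompt, audit: List[str]) -> Decision:
    """Allow listed applications straight through; everything else must pass MFA.
    Rejection and timeout both deny, so the check fails closed."""
    if req.exit_point not in ALLOWLIST:
        audit.append(f"DENY {req.user} {req.exit_point} unknown exit point")
        return Decision(False, "unknown exit point")
    if req.client_app in ALLOWLIST[req.exit_point]:
        audit.append(f"ALLOW {req.user} {req.exit_point} {req.client_app} allowlisted")
        return Decision(True, "allowlisted application")
    answer = prompt(req.user)   # push to the user's authenticator and wait
    if answer is True:
        audit.append(f"ALLOW {req.user} {req.exit_point} {req.client_app} mfa approved")
        return Decision(True, "mfa approved")
    reason = "mfa rejected" if answer is False else "mfa timed out"
    audit.append(f"DENY {req.user} {req.exit_point} {req.client_app} {reason}")
    return Decision(False, reason)

def demo() -> List[str]:
    """Constructed scenario: a mapped drive touched with no one answering the prompt,
    an allowlisted reporting job over ODBC, and an interactive FTP user who approves."""
    audit: List[str] = []
    evaluate(ExitRequest("FILE_SERVER", "JSMITH", "EXPLORER"), lambda u: None, audit)
    evaluate(ExitRequest("ODBC", "BATCHUSR", "NIGHTLY_REPORTING"), lambda u: None, audit)
    evaluate(ExitRequest("FTP", "JSMITH", "WINSCP"), lambda u: True, audit)
    return audit
```

The audit list is the part a defender would actually keep: every DENY on the file server exit point with reason "mfa timed out" is exactly the mapped-drive ransomware case Hamm describes.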
Supporting the full gamut of IBM i exit points with TGMFA brings another valuable feature: the capability to layer MFA protections atop IBM Navigator for i, the new Web-based interface for administering IBM i.
“One of the big asks is when people are using IBM Navigator,” Hamm says. “There’s not really a way to challenge with MFA when an admin logs into that environment. What we’re going to be able to do is tap into the sign-on exit points and when they log on, the sign-on exit point will get triggered, and then certain users will need MFA to continue.”
Layering MFA atop Web-based applications on IBM i isn’t straightforward. Unless they’re simply running a screen-scraper atop a 5250 stream, there are various other servers and service programs running under the covers that need to be factored into an MFA architecture, according to Hamm.
“When you’re coming in through the Web, there are lots of different techniques to code that,” he says. “It’s not a simple answer. You have to pretty much observe it in its environment and then come up with a game plan on how to protect it.”
The good news for TGMFA customers is that Fresche is working to simplify the application of MFA in this more complicated Web environment. According to Hamm, there will soon be a single API that customers can use to call out to trigger an MFA session.
Fresche sells TGMFA as part of its Fresche Security Suite, which includes five other IBM i security products: TGSecure, TGAudit, TGDetect, TGEncrypt, and TGCentral. Customers can get the whole suite for a flat price of $833 per month.
The company implemented the subscription plan and pricing earlier this year as a way to remove barriers preventing IBM i shops from getting the tools they need, says Christine McDowell, Fresche’s vice president of sales operations.
“One of the challenges is customers may have settled on a specific security solution that only locks down one aspect of their system,” McDowell says. “We made the decision to say, you know what, security is critical and there’s no reason why customers shouldn’t have an opportunity to be able to lock their systems down. Everybody should be doing it. So we brought the entire suite together in one subscription price that makes it affordable and accessible to every customer and every IBM i shop on the planet.”