PowerTech Delivers Object-Based Control Over Exit Points

May 25, 2010 Alex Woodie

For years, security experts have maintained that exit point programs will never offer the same capability as object-level security, the most powerful aspect of the i/OS security apparatus. But with this month’s release of Network Security 6.0, PowerTech says it has come up with a way to control access to i/OS exit points at the object level. Whether it provides the same functionality as true object-level security or not, the new capability is sure to create some buzz for the Help/Systems subsidiary.

Network Security is an i/OS security tool designed to prevent unauthorized access to System i resources over the network. Its main function is to monitor and control access to more than 30 exit points in i/OS, including network access points such as FTP and ODBC that are not controlled through the platform’s traditional menu-based security paradigm. And if someone does get access to something that they shouldn’t, Network Security is charged with detecting that security policy violation, and notifying the administrators.

With Network Security 6.0, the company has implemented another layer of protection over exit points, those i/OS elements that IBM added after-the-fact to provide a modicum of security and control over transactions that are initiated or responded to via modern protocols like ODBC and FTP, which were not yet mainstream when the OS/400 operating system and its integrated security mechanisms were created way back in 1988.

In particular, PowerTech says Network Security 6.0 gives administrators the capability to define exit point access rules based on i/OS objects. Previously, the software could only set access rules based on the user profile or on the IP address that initiated the access attempt. These new object-based rules will let administrators control access to both the object and the data contained within the object, and they work across all programs, files, libraries, and folders, as well as IFS directories and files, the company says.

This gives security administrators an “incredibly powerful capability,” says PowerTech product support manager Jill Martin, in a PowerTech PowerBlog posting. “This means it is possible now to restrict and audit access to an object regardless of the syntax of the incoming request.

“In SQL for example, Select fld1, fld2 from myfile was previously seen as a different request to select fld1 from myfile,” she continues. “As humans, we could look at that and know it was pulling the same data, but the server couldn’t. This capability adds to the powerful transaction-based rules that Network Security has long been admired for.”

Security experts have struggled with resolving the differences between the level of control that can be accomplished through exit points and the object-level security feature in i/OS. In a 2006 whitepaper on the topic, former PowerTech CTO John Earl (who is now CEO of Patrick Townsend Security Solutions) concluded: “After exhaustive analysis of this issue, PowerTech is convinced that it is just not possible for exit programs to accurately mimic OS/400 object level security. Put even more simply: Only OS/400 can provide object level security.”

The new version brings several other enhancements, including redesigned menus and screens that make it easier to define access rules, and a new selective activation process that makes it easier for customers to decide which exit points they will secure. In the PowerBlog, Martin says this feature “allows a staged approach to integrate Network Security into the operating system, something that is often important in large IT shops.”

Version 6.0 also introduces new reports that provide a greater level of detail about the security rules and activity on the system. PowerTech also added a new installation wizard to streamline the installation process.

PowerTech plans to hold a Webinar in the near future to discuss Network Security 6.0 with interested participants. For more information, visit www.powertech.com.