Firewall: End-to-End Network Access Protection for IBM i
Market Need
Hacking
• Open TCP/IP environment has increased IBM i risks
• Many remote activities are now easy:
  • Initiating commands
  • Installing programs
  • Changing data
  • Moving files
• Limited ability to log/block unauthorized access
Internal Fraud
• FBI Study: the most significant threat to an organization's information systems comes from inside the company
• Control and log all user access - a necessity, not “nice to have”
Firewall Features
• Airtight protection from both external and internal threats
  • Covers more exit points than any other product
  • Protects from User Level to Object Level
  • Protects both Incoming and Outgoing IP addresses
• Unique layered architecture: easy to use and to maintain
  • Proven excellent performance, especially in large environments
  • User friendly Wizards streamline rule definitions
• Real historical data enable effective rule definitions
  • Best Fit algorithm formulates a rule to suit each security event
• Detailed log of all accesses and actions
• Simulation mode
  • Tests all Firewall rules
  • Enables defining rules based upon simulation results
• Reports in various formats: print, outfile, e-mail with HTML/CSV/PDF attachments
Firewall Recent Technical Additions (1/2, not a comprehensive list)
• SQL
  • Supports the entire SQL statement: no maximum length limitation
  • Skip SQL parsing for specific users
  • Performance improvement (up to 80%): much faster detection of Firewall rules for complex SQL, using special technology, and faster writing of log files
  • SQL long names, using “model libraries” for defining security rules
• Basic SSH support
  • Activity recorded in real time
  • Supported as a standard Firewall server exit
• Real time alerts sent as Operator, Syslog, SNMP, Twitter, etc. messages, also e-mail and CL script execution
• Log retrieval via data queues provides performance and resource improvements
Firewall Recent Technical Additions (2/2, not a comprehensive list)
• Report Generator & Scheduler
  • Report of summarized transaction counts per time period
  • Numerous reports and improvements made
• Indicate Telnet connection SSL (Y/N)
• New features for Best Fit algorithm; if selected, the change allows obtaining authority from preceding directories, or from any level of a higher generic name
• Pre-checking library replacements enables defining once and later checking access rules against a single library of authorization rules, instead of defining equivalent rules for many individual libraries
Firewall Gateways (diagram: i5 server, other firewalls, iSecurity Firewall)
iSecurity Firewall Criteria
• IP Address
• User
• Verb
• File
• Library
• Commands
Firewall Adds Another Security Layer
• Native IBM i security: suitable for stand-alone systems
• External access bypasses IBM security
• IBM i is vulnerable in network environments
(Diagram, Before Firewall / With Firewall: Menu & Programs, Telnet, FTP, ODBC from Network PC and Internet reach Power i; before, only Native IBM i Security applies; with the Firewall in front of it, the connection is marked Secured? Yes.)

Firewall Flow-Chart (diagram)
• Client Transaction reaches the IBM Exit Point, which calls the Exit Program
• Security Level per service: Allow All, Reject All, IP/SSL Subnet Mask, According to services (option: skip tests), Using User Algorithm Check, Native IFS, No product check
• Logon checks: User to Service; Verb, Device, IP
• Result: Allow or Reject; if allowed, the Transaction is executed
• Log can be optionally obtained
Layered Security Design – Object Access
Exit Point Security
• Generic Names to Users, Group/Supplemental Profiles, Internal Groups
• IBM Group Profiles & Supplemental Group Profiles
• Internal User Groups
• FYI Simulation Mode, Emergency Override
Layers (diagram): IP/SNA Firewall → User/Service → Object
• IP/SNA Firewall: IP / SNA Name to Service
• User-to-Service / Verb / IP / Device / Application
• User-to-Object: Management Rights, Data Rights
• Allow, Reject, Level of Control
• Subnet Mask Support
Layered Security Design – Logon
Exit Point Security
• FTP: Set Home Dir, Alternate User, Name Format…
• Telnet: Assign Terminal Name, Keyboard Layout, Auto-Signon
• Passthrough: Auto-Signon, Force-Signon
• FYI Simulation Mode, Emergency Override
Layers (diagram): IP/SNA Firewall → Remote Logon
• IP/SNA Firewall: IP / SNA Name to Service
• Remote Logon: FTP: Authorities Based on IP; Telnet: IP, Terminal, Encryption; Passthrough: User* to System / IP
• Allow, Reject, Level of Control
• Subnet Mask Support
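The flow-chart and the two layered-design slides describe an exit program that walks the layers in order (IP/subnet, user-to-service/verb, user-to-object), picks the best-fitting generic-name rule in each layer, and in FYI simulation mode logs the decision without enforcing it. The following Python model of that decision walk is an added example, not Raz-Lee code; the rule base, user names, library names and subnets are constructed, and "best fit" is simplified to longest literal prefix (longest subnet prefix for IP rules).

```python
import ipaddress

# Constructed rule base (not the product's own format) using the criteria the
# slides list: IP/subnet, user, service, verb, object (library/file).
# A trailing '*' is a generic name, as on IBM i; layer order follows the slides.
RULES = [
    {"layer": "ip", "subnet": "10.1.0.0/16", "action": "ALLOW"},
    {"layer": "ip", "subnet": "0.0.0.0/0", "action": "REJECT"},
    {"layer": "service", "user": "*", "service": "FTP", "verb": "*", "action": "REJECT"},
    {"layer": "service", "user": "OPS*", "service": "FTP", "verb": "GET", "action": "ALLOW"},
    {"layer": "object", "user": "*", "object": "PRODLIB/*", "action": "REJECT"},
    {"layer": "object", "user": "OPS*", "object": "PRODLIB/RPT*", "action": "ALLOW"},
]

def generic_match(pattern, name):
    """Generic-name match: 'PROD*' matches any name starting with PROD."""
    return name.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == name

def specificity(rule):
    """Best-fit tie-break: the rule with the longest literal prefixes wins."""
    return sum(len(rule.get(k, "").rstrip("*")) for k in ("user", "service", "verb", "object"))

def layer_decision(layer, event):
    """Action of the most specific matching rule in one layer, or None if nothing matches."""
    ip = ipaddress.ip_address(event["ip"])
    candidates = []
    for r in RULES:
        if r["layer"] != layer:
            continue
        if layer == "ip":
            net = ipaddress.ip_network(r["subnet"])
            if ip in net:  # longest subnet prefix is the best fit for IP rules
                candidates.append((net.prefixlen, r["action"]))
        elif all(generic_match(r[k], event[k]) for k in ("user", "service", "verb", "object") if k in r):
            candidates.append((specificity(r), r["action"]))
    return max(candidates)[1] if candidates else None  # equal specificity resolves to REJECT

def check_transaction(event, simulation=False):
    """Walk the layers in order; the first REJECT ends the walk.
    In FYI/simulation mode the decision is only logged and the transaction proceeds."""
    log, final = [], "ALLOW"
    for layer in ("ip", "service", "object"):
        decision = layer_decision(layer, event)
        log.append((layer, decision))
        if decision == "REJECT":
            final = "REJECT"
            break
    return ("ALLOW" if simulation else final), log
```

Running the same rejected event with `simulation=True` returns ALLOW while the log still records the REJECT, which is the historical data the slides say the Best Fit wizard builds rules from.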
Firewall GUI: Navigation Options & Server Settings
Firewall shipped with tens of built-in reports
Generate New Firewall Query
Edit a Firewall Query: Note Filter Conditions
Firewall log entries to Create Detection Rule
Edit a Firewall Query: Note Report Tabs & Filter Conditions
Modify existing rule or Create a Detection Rule
Firewall Log as the basis for defining Rules
Results (historical log entries)
Visualizer for Firewall
Visualizer and GUI Navigation Tree
How Visualizer obtains Firewall & Audit Data (diagram)
Daily Log Files (Firewall, Audit) → Nightly Maintenance Job → Firewall Statistics File and Audit Statistics File → Visualizer
Visualizer – Analysis of Firewall Log
Example: Select Object…
Continue investigating, filtering by User. See which users access the object.
Drill to log data and build a Rule
Firewall Rules
Please visit us at www.razlee.com
Thank You!