Firewall End-to-End Network Access Protection for IBM i

Upload: cornelia-bates

Post on 12-Jan-2016


Page 1: Firewall End-to-End Network Access Protection for IBM i

Firewall
End-to-End Network Access Protection for IBM i

Page 2: Firewall End-to-End Network Access Protection for IBM i

Market Need

Hacking

• Open TCP/IP environment has increased IBM i risks
• Many remote activities are now easy
  • Initiating commands
  • Installing programs
  • Changing data
  • Moving files
• Limited ability to log/block unauthorized access

Internal Fraud

• FBI Study: the most significant threat to an organization's information systems comes from inside the company

• Control and log all user access - a necessity, not “nice to have”

Page 3: Firewall End-to-End Network Access Protection for IBM i

Firewall Features

• Airtight protection from both external and internal threats
• Covers more exit points than any other product
• Protects from User Level to Object Level
• Protects both Incoming and Outgoing IP addresses
• Unique layered architecture - easy to use and to maintain
• Proven excellent performance, especially in large environments
• User friendly Wizards streamline rule definitions
• Real historical data enable effective rule definitions
• Best Fit algorithm formulates rule to suit each security event
• Detailed log of all accesses and actions
• Simulation mode
  • Tests all Firewall rules
  • Enables defining rules based upon simulation results
• Reports in various formats: print, outfile, e-mail with HTML/CSV/PDF attachments

Page 4: Firewall End-to-End Network Access Protection for IBM i

Firewall Recent Technical Additions (1/2, not a comprehensive list)

• SQL
  • Supports entire SQL statement - no maximum length limitation
  • Skip SQL parsing for specific users
  • Performance improvement (up to 80%) for much faster detection of Firewall rules using special technology for complex SQL update for writing log files
  • SQL long names, using “model libraries” for defining security rules
• Basic SSH support
  • Activity recorded in real time
  • Supported as a standard Firewall server exit
• Real time alerts sent as Operator, Syslog, SNMP, Twitter, etc. messages, also e-mail and CL script execution
• Log retrieval via data queues provides performance and resource improvements

Page 5: Firewall End-to-End Network Access Protection for IBM i

Firewall Recent Technical Additions (2/2, not a comprehensive list)

• Report Generator & Scheduler
  • Report of summarized transaction counts per time period
  • Numerous reports and improvements made

• Indicate Telnet connection SSL (Y/N)

• New features for Best Fit algorithm; if selected, the change allows obtaining authority from preceding directories, or from any level of a higher generic name

• Pre-checking library replacements enables defining once and later checking access rules against a single library of authorization rules, instead of defining equivalent rules for many individual libraries

Page 6: Firewall End-to-End Network Access Protection for IBM i

Firewall Gateways

[Diagram labels: i5 server; Other firewalls; iSecurity Firewall]

iSecurity Firewall Criteria

• IP Address
• User
• Verb
• File
• Library
• Commands

Page 7: Firewall End-to-End Network Access Protection for IBM i

Firewall Adds Another Security Layer

• Native IBM i security: suitable for stand-alone systems

• External access bypasses IBM security

• IBM i is vulnerable in network environments

[Diagram with "Before Firewall" and "With Firewall" panels. Labels: Menu & Programs; Power i; Telnet; FTP; Internet; Network PC; ODBC; Native IBM i Security; Firewall]

Page 8: Firewall End-to-End Network Access Protection for IBM i

Firewall Flow-Chart

[Flow chart labels: Client Transaction; IBM Exit Point; Secured? (Yes / No); Exit Program; Security Level; Allow All / Reject All; IP/SSL, Subnet Mask; According to services (option – skip tests); Logon; User to Service; Verb, Device, IP; Using User Algorithm Check; Native; IFS; No product check; Allow / Reject; Log can be optionally obtained; Transaction executed]

Page 9: Firewall End-to-End Network Access Protection for IBM i

Layered Security Design – Object Access

[Diagram labels, in slide order:]

• Exit Point Security
• Generic Names to Users, Group/Supplemental Profiles, Internal Groups
• IBM Group Profiles & Supplemental Group Profiles
• Internal User Groups
• FYI Simulation Mode
• Emergency Override
• User/Service
• Object
• IP/SNA Firewall
• IP / SNA Name to Service
• User-to-Object
• Management Rights
• Data Rights
• User-to-Service / Verb / IP / Device / Application
• Allow, Reject, Level of Control
• Subnet Mask Support

Page 10: Firewall End-to-End Network Access Protection for IBM i

Layered Security Design – Logon

[Diagram labels, in slide order:]

• Exit Point Security
• FTP: Set Home Dir, Alternate User, Name Format…
• Telnet: Assign Terminal Name, Keyboard Layout, Auto-Signon
• Passthrough: Auto-Signon, Force-Signon
• FYI Simulation Mode
• Emergency Override
• Remote Logon
• IP/SNA Firewall
• IP / SNA Name to Service
• FTP: Authorities Based on IP
• Telnet: IP, Terminal, Encryption
• Passthrough: User* to System / IP
• Allow, Reject, Level of Control
• Subnet Mask Support

Page 11: Firewall End-to-End Network Access Protection for IBM i

Firewall GUI: Navigation Options & Server Settings

Page 12: Firewall End-to-End Network Access Protection for IBM i

Firewall shipped with tens of built-in reports

Page 13: Firewall End-to-End Network Access Protection for IBM i

Generate New Firewall Query

Page 14: Firewall End-to-End Network Access Protection for IBM i

Edit a Firewall Query - Note Filter Conditions

Page 15: Firewall End-to-End Network Access Protection for IBM i

Firewall log entries to Create Detection Rule

Page 16: Firewall End-to-End Network Access Protection for IBM i

Edit a Firewall Query - Note Report Tabs & Filter Conditions

Page 17: Firewall End-to-End Network Access Protection for IBM i

Modify existing rule or Create a Detection Rule

Firewall Log as the basis for defining Rules

Results (historical log entries)

Page 18: Firewall End-to-End Network Access Protection for IBM i

Visualizer for Firewall

Page 19: Firewall End-to-End Network Access Protection for IBM i

Visualizer - and GUI Navigation Tree

Page 20: Firewall End-to-End Network Access Protection for IBM i

How Visualizer obtains Firewall & Audit Data

[Diagram labels: Firewall; Audit; Daily Log Files; Nightly Maintenance Job; Firewall Statistics File; Audit Statistics File; Visualizer]

Page 21: Firewall End-to-End Network Access Protection for IBM i

Visualizer – Analysis of Firewall Log

Page 22: Firewall End-to-End Network Access Protection for IBM i

Example: Select Object…

Page 23: Firewall End-to-End Network Access Protection for IBM i

Continue investigating, filtering by User. See which users access the object

Page 24: Firewall End-to-End Network Access Protection for IBM i

Drill to log data and build a Rule

Page 25: Firewall End-to-End Network Access Protection for IBM i

Firewall Rules

Page 26: Firewall End-to-End Network Access Protection for IBM i

Please visit us at www.razlee.com

Thank You!