Firewall End-to-End Network Access Protection for System i.

Post on 01-Apr-2015


Firewall: End-to-End Network Access Protection for System i

Overview

Firewall

A solution which secures every type of access to and from System i, within & outside the organization

Market Need

Hacking

• Open TCP/IP environment has increased System i risks
• Many remote activities are now easy:
  • Initiating commands
  • Installing programs
  • Changing data
  • Moving files
• Limited ability to log/block unauthorized access

Internal Fraud

• FBI Study: the most significant threat to an organization's information systems comes from inside

• Control and follow-up on user access - a necessity

Firewall Features

Airtight protection from both internal and external threats

Covers more exit points than any other product

Protection from User Level to Object Level

Protects both incoming and outgoing IP addresses

Unique layered architecture - easy to use and maintain

Excellent performance - especially in large environments

User-friendly Wizards streamline rule definitions

Historical data statistics enable effective rule definition

Best-Fit feature formulates rule to suit each security event

Detailed log of all access and actions

Simulation Mode: tests existing Firewall rules and enables defining rules based on the simulation

Reports in various formats: e-mail, print-out, HTML/PDF/CSV

Firewall Scenario

Monday, Midnight

“OK, I’m bored…Let’s do some quick hacking…”

Rob Black, Hacker

5 Minutes Later

“Got it! I’m inside IronTrust Bank systems. I really need a new sports car…

Let’s extract a few hundred thousand...”

Tuesday, Midnight

“OK, now let’s try SMART Insurance… this should take about 5 minutes!”

Rob Black, Hacker

One Minute Later

Glenda Wright, Information Security Manager, SMART Insurance

“Our Firewall just blocked a break-in attempt. I’ll have the identity, time and IP address in a minute.”

5 Hours Later

“Hey, what are all those security layers? And all these protected exit points…I can’t get through… there goes my new car!”

Rob Black, Hacker

Firewall Info

Firewall Gateways

i5 server

Other products’ Gateways:
• IP Address

iSecurity Firewall Gateways:
• IP Address
• User
• Verb
• File
• Library
• Commands

Firewall Adds Another Security Layer

• Native IBM System i security – suitable for stand-alone systems
• External access bypasses IBM security
• System i is vulnerable in network environments

[Diagram: Before Firewall / With Firewall – access paths FTP, Internet, Network PC, Telnet and ODBC reaching System i; layers shown: Firewall, Native IBM System i Security]

Firewall - Layered Security Design

[Diagram: layered security design. Layers shown: IP/SNA Firewall, User/Verb, Object, Exit Point Security. Labels: IP/SNA Name to Service; Subnet Mask Support; User-to-Service/Verb/IP/Device/Application; Firewall User Groups; IBM Group Profiles; Supplemental/internal groups & Generic Names; User-to-Object Management Rights; Data Rights by User/Group. Level of Control: Reject/Allow, FYI Simulation Mode, Emergency Override.]

Remote Logon:

• FTP: Authorities based on IP & User
• Telnet: Terminal based on IP – Automatic Signon
• Internet (WSG): User to IP address
• Passthrough: User to System name (SNA)

Firewall - Layered Security Design (2)

[Diagram: Exit Point Control; Standard Firewall; layers User/Verb and Object]

• FTP: Authorities Based on IP & User, Home dir, CCSID, Encrypt…

• Telnet: Terminal based on IP-SSL, Automatic Signon, Naming…

• Internet (WSG): User to IP address…

• Passthrough: User* to System (SNA), Replace user…
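How the layered design on these two slides could be modelled in code, as an added example written for this page (not iSecurity Firewall’s own code): three rule layers (IP/SNA, User/Verb, Object) consulted in order, the three levels of control (Reject/Allow, FYI Simulation Mode, Emergency Override), and a best-fit style rule suggestion derived from a logged rejected request, in the spirit of the Simulation Mode and “From Log” slides. The `Request`, `Rule` and `Firewall` classes, the deny-by-default behaviour, the evaluation order and every sample address, user and object are assumptions made for this example.

```python
"""Layered exit-point access check, modelled after the slides' design.

Added teaching example; this is NOT iSecurity Firewall code. The layer
names (IP/SNA, User/Verb, Object), the three levels of control
(Reject/Allow, FYI simulation, emergency override) and the rule fields
come from the slides; the data structures, evaluation order, default
decision and all sample values are this example's own assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


def generic_match(pattern: str, value: str) -> bool:
    """IBM i style generic name: 'APPUSR*' matches any name starting APPUSR."""
    if pattern.endswith("*"):
        return value.upper().startswith(pattern[:-1].upper())
    return pattern.upper() == value.upper()


@dataclass(frozen=True)
class Request:
    server: str  # exit point / service: "FTP", "ODBC", "TELNET", ...
    ip: str      # client IP address
    user: str    # IBM i user profile
    verb: str    # operation: "GET", "PUT", "SELECT", ...
    obj: str     # target object as LIBRARY/FILE


@dataclass(frozen=True)
class Rule:
    """A field left as None is a wildcard; a trailing '*' is a generic name."""
    allow: bool
    server: Optional[str] = None
    network: Optional[str] = None  # CIDR, e.g. "10.1.0.0/16" (subnet mask support)
    user: Optional[str] = None
    verb: Optional[str] = None
    obj: Optional[str] = None

    def matches(self, req: Request) -> bool:
        return (
            (self.server is None or self.server == req.server)
            and (self.network is None or ip_address(req.ip) in ip_network(self.network))
            and (self.user is None or generic_match(self.user, req.user))
            and (self.verb is None or self.verb == req.verb)
            and (self.obj is None or generic_match(self.obj, req.obj))
        )


@dataclass
class Firewall:
    ip_rules: list = field(default_factory=list)      # layer 1: IP/SNA firewall
    user_rules: list = field(default_factory=list)    # layer 2: user/verb/service
    object_rules: list = field(default_factory=list)  # layer 3: user-to-object
    simulation: bool = False          # FYI mode: decide and log, never block
    emergency_override: bool = False  # let everything through while rules are fixed
    log: list = field(default_factory=list)

    def check(self, req: Request) -> bool:
        """Walk the layers in order. Within a layer the first matching rule
        decides; a rejecting layer ends the walk. No match anywhere = reject."""
        verdict, layer = None, "no-rule"
        for name, rules in (("ip", self.ip_rules), ("user", self.user_rules),
                            ("object", self.object_rules)):
            hit = next((r for r in rules if r.matches(req)), None)
            if hit is None:
                continue
            verdict, layer = hit.allow, name
            if not hit.allow:
                break
        allowed = bool(verdict)
        # Level of control: emergency override and FYI simulation both let the
        # request through, but the real decision is still written to the log.
        enforced = allowed or self.simulation or self.emergency_override
        self.log.append({
            "server": req.server, "ip": req.ip, "user": req.user,
            "verb": req.verb, "obj": req.obj, "layer": layer,
            "allowed": allowed, "enforced": enforced,
            "mode": "override" if self.emergency_override
                    else "simulation" if self.simulation else "enforce",
        })
        return enforced


def suggest_rule(entry: dict, allow: bool = True) -> Rule:
    """Best-fit style suggestion: the most specific rule that covers one
    logged request, ready for an administrator to widen or accept."""
    return Rule(allow=allow, server=entry["server"], network=f"{entry['ip']}/32",
                user=entry["user"], verb=entry["verb"], obj=entry["obj"])


def build_demo_firewall() -> Firewall:
    """Constructed sample rule set (assumed values, not from the slides)."""
    return Firewall(
        ip_rules=[Rule(allow=True, network="10.1.0.0/16"),    # internal LAN only
                  Rule(allow=False, network="0.0.0.0/0")],    # everything else
        user_rules=[Rule(allow=True, server="ODBC", user="APPUSR*", verb="SELECT"),
                    Rule(allow=False, server="FTP", verb="PUT")],
        object_rules=[Rule(allow=True, user="HRADMIN", obj="PAYROLL/*"),
                      Rule(allow=False, obj="PAYROLL/*")],
    )


if __name__ == "__main__":
    fw = build_demo_firewall()
    fw.check(Request("ODBC", "10.1.5.7", "APPUSR01", "SELECT", "SALES/ORDERS"))
    fw.check(Request("FTP", "203.0.113.9", "APPUSR01", "GET", "SALES/ORDERS"))
    fw.check(Request("ODBC", "10.1.5.7", "APPUSR01", "SELECT", "PAYROLL/SALARY"))
    for entry in fw.log:
        print(entry)
    print("suggested:", suggest_rule(fw.log[-1]))
```

Running the module with the constructed rule set shows the first request passing all three layers, the second stopped at the IP layer (address outside the internal range), and the third stopped at the Object layer; `suggest_rule` then turns that last log entry into a narrow allow rule the administrator can review before inserting it at the top of `object_rules`.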

3 Ways to Steal Your Data

• Client Access File Transfer
• Network Neighborhood
• Drag & Drop

Firewall GUI

GUI Example

User Management

Generate Firewall Query

Edit a Firewall Query

Edit a Firewall Query

Results

(historical log entries)

Current FW definitions

Firewall Suggests an Appropriate New Rule based on Log Entry

From Log: Get an Appropriate Rule Definition

From Log: Create Real-Time Detection Rule

From Log: “Create Detection rule” Populates the Filter with Data from Request

Visualizer for Firewall

• Tool for presenting at-a-glance graphic views of log data from Firewall
• Immediate response to queries for any database size
• Analyzes network access activity (Firewall) and system journal events (Audit) to pinpoint breaches and trends

How Visualizer obtains Firewall & Audit Data

[Diagram: Firewall and Audit daily log files → Night Maintenance Job → Firewall Statistics File and Audit Statistics File → Visualizer]

Visualizer – Analysis of Firewall Log

Example: Select Object…

Or: Select the Server

And continue investigating, filtering by Directory and down to the SQL Verb level!

Please visit us at www.razlee.com

Thank You !