iSeries Exit Points TCPIP Security - PowerPoint PPT Presentation

Slides: 45
Provided by: wayneo2
1
iSeries Exit Points TCP/IP Security
  • Jim Stracka, PentaSafe Founder

2
Outline
  • Exit Program Overview
  • Why do I need exit-programs?
  • What is purpose of exit-programs?
  • If exit-programs don't exit, why are they called
    exit programs?
  • Sample exit program
  • Limit file transfer and commands
  • Design Alternatives

3
Security Has Changed
Today
4
PC Access Data
  • Work Station
  • Printer Support
  • Shared Folders Documents
  • Remote Commands

Menu Security
  • File Transfer
  • API - Data Queue
  • API - ODBC
  • IFS (Integrated File System)

5
Easy to Start File Transfer
  • Icon to start file transfer
  • User is prompted with names of libraries and
    files

6
File Transfer or ODBC
  • SQL-like interface for record level transfer of
    data to and from PC

7
SUBMIT REMOTE COMMAND
RMTCMD CLRLIB PRODUCTION
8
Other Access Data
  • DDM (Distributed Data
    Management)
  • File Transfer
  • Remote Commands
  • FTP
  • File Transfer
  • Remote Commands
  • Shared Folders
  • FTP
  • File Transfer
  • Remote Commands
  • Telnet
  • IFS (Integrated File System)

9
FTP Commands
  • DIR
  • DELETE
  • RENAME
  • QUOTE
  • MKDIR
  • ALL THESE FUNCTIONS IGNORE LIMITED CAPABILITIES!!

10
Why Exit Programs
Can object security be used to protect data?
YES, AS/400 security can lock up data.
HOWEVER, the security design often makes that
protection ineffective.
11
Why Exit Programs
What security designs make object security
ineffective?
Need to provide additional protection
12
Why Exit Programs
  • Users are authorized to data because of existing
    applications
  • Need exists to prevent the user from using their
    access outside of applications

Need to provide additional protection
EXIT PROGRAMS provide additional protection
for application data
13
What are Exit Programs
The purpose of exit programs is not to exit
14
Request Processing
Programs are called exit programs because the
system (OS/400) exits to a user program in the
middle of a request
15
Request Processing
Diagram: a request arrives at the AS/400 Server, which
passes PARAMETERS to the User Exit Program and then
continues processing the request.
16
Specifying Exit Programs
How are exit programs specified?
There are two methods to name the exit programs
Registration Facility
  • Multiple request types: Distributed Data, Client
    Access, Integrated File System, Internet (FTP,
    Telnet), Security, ...
  • Multiple exits specific to function
Network Attributes
  • Limited number of request types: Distributed
    Data Management, PC Support (Client Access)
  • One exit program per network attribute

17
Specifying Exit Programs
Network Attributes
CHGNETA DDMACC(lib/pgm) PCSACC(lib/pgm)
PCSACC
  *OBJAUT  - Request access determined by object authority
  *REJECT  - Prevent all requests
  *REGFAC  - Use registration facility
  Lib/Pgm  - Qualified name of exit program
DDMACC
  *OBJAUT  - Request access determined by object authority
  *REJECT  - Prevent all requests
  Lib/Pgm  - Qualified name of exit program
Must have *ALLOBJ special authority to change the
network attributes
18
Specifying Exit Programs
Registration Facility
WRKREGINF

                     Work with Registration Information

Type options, press Enter.
  5=Display exit point   8=Work with exit programs

          Exit                  Exit
Opt       Point                 Point Format   Registered   Text
 _   QIBM_QHQ_DTAQ              DTAQ0100       YES          Original Data Queue Server
 _   QIBM_QJO_DLT_JRNRCV        DRCV0100       YES          Delete Journal Receiver
 _   QIBM_QLZP_LICENSE          LICM0100       YES          Original License Mgmt Server
 _   QIBM_QMF_MESSAGE           MESS0100       YES          Original Message Server
 _   QIBM_QNPS_ENTRY            ENTR0100       YES          Network Print Server - entry
 _   QIBM_QNPS_SPLF             SPLF0100       YES          Network Print Server - spool
 _   QIBM_QOE_OV_USR_ADM        UADM0100       YES          OfficeVision/400 Administrati
 _   QIBM_QOE_OV_USR_SND        DOCI0900       YES          OfficeVision/400 Mail Send Ex
 _   QIBM_QOK_NOTIFY            VRFY0100       YES          System Directory Notify Exit
 _   QIBM_QOK_SUPPLIER          SUPL0100       YES          System Directory Supplier Exi
 _   QIBM_QOK_VERIFY            VRFY0100       YES          System Directory Verify Exit
                                                                            More...
Command
===>
F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
19
Specifying Exit Programs
Registration Facility
                          Work with Exit Programs

Exit point:   QIBM_QLZP_LICENSE       Format:   LICM0100

Type options, press Enter.
  1=Add   4=Remove   5=Display   10=Replace

      Exit
      Program    Exit
Opt   Number     Program      Library
 _    ______     __________   __________

(No exit programs found.)

                                                                   Bottom
Command
===>
F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve   F12=Cancel

Entry added with option 1:
Opt   Number     Program      Library
      1          PROG1        MYLIB
When a request arrives PROG1 will be called
20
Exit Points
No good documentation available
What exit points are used for a specific request?
What are the parameters passed to an exit?
Exit points are documented in the following
publications:
  • Client Access (File transfer, ODBC):
    AS/400 Client Access Host Servers SC41-5740
  • Distributed Data Management (DDM, remote commands):
    AS/400 Distributed Data Management SC41-5307
  • Internet (Telnet, FTP):
    TCP/IP Configuration and Reference SC41-5420
  • Security:
    System API Reference Security APIs SC41-5872
21
Outline
  • Exit program overview
  • Why do I need exit-programs?
  • What is purpose of exit-programs?
  • If exit-programs don't exit, why are they called
    exit programs?
  • Sample exit program
  • Limit file transfer and commands
  • Design alternatives

22
Exit Programs
CALL EXIT (&RTNCDE &STRUCTURE)
  • AS/400 Distributed Data Management SC41-5307
  • Client Access Server Concepts SC41-5740

23
Operation code by Function
  • Application / function / operation
  • LMSRV / license management / REQUEST, RELEASE
  • VPRT / virtual print / EXTRACT, CHECK, OPEN
  • TFRFCL / file transfer / SELECT, JOIN, REPLACE,
    EXTRACT
    EXTRACT  AS/400 -> PC retrieve information
    SELECT   AS/400 -> PC download file
    JOIN     AS/400 -> PC download joined file
    REPLACE  PC -> AS/400 upload file

24
Operation code by Function
  • Application / function / operation
  • FLRSRV / shared folders type 2 / CHANGE, CREATE,
    DELETE, EXTRACT, MOVE, OPEN, RENAME
  • MSGFCL / messages / SEND, RECEIVE
  • DDM / distributed data management / ADDMBR, CHANGE,
    CHGMBR, CLEAR, COMMAND, COPY, CREATE, DELETE,
    EXTRACT, INITIALIZE, LOAD, LOCK, MOVE, OPEN, RENAME,
    RGZMBR, RMVMBR, RNMMBR, UNLOAD

25
Prevent Remote Commands
1. Create CL program
CRTCLPGM STOPCMDS SRCFILE( )
    PGM PARM(&RTNCODE &DATA)
    DCL &DATA    *CHAR 30
    DCL &RTNCODE *CHAR 1
    DCL &FUNC    *CHAR 10
    CHGVAR &FUNC (%SST(&DATA 21 10))        /* function name at position 21 */
    IF (&FUNC = 'COMMAND   ') THEN(CHGVAR &RTNCODE '0')   /* reject */
    ELSE CHGVAR &RTNCODE '1'                               /* allow  */
    ENDPGM

26
Exit Program Example
1 of 2
Prevent Remote Commands and File Upload
    /*                                                           */
    /* Installation instructions                                 */
    /* 1. Compile program                                        */
    /*    CRTCLPGM PGM(LIB/EXIT1) SRCFILE( ) USRPRF(*OWNER)      */
    /* 2. Change owner of the program to user QSECOFR.           */
    /*    Adopted authority allows the program sending           */
    /*    to the audit journal                                   */
    /*    CHGOBJOWN OBJ(LIB/EXIT1) OBJTYPE(*PGM) NEWOWN(QSECOFR) */
    /* 3. Name the exit program in network attributes            */
    /*    CHGNETA DDMACC(LIB/EXIT1) PCSACC(LIB/EXIT1)            */
    /*                                                           */
    /* The audit journal QAUDJRN entries created are             */
    /*    'X1' Requests that are allowed                         */
    /*    'X0' Requests that are rejected                        */
    /*                                                           */
    PGM (&RC &STRU)
    DCL &RC   *CHAR 1        /* Return 1=allow       */
                             /*        0=prevent     */
    DCL &STRU *CHAR 200      /* Request description  */
    DCL &USER *CHAR 10       /* User profile name    */
    DCL &APP1 *CHAR 10       /* Requested function   */
    DCL &APP2 *CHAR 10       /* Sub function         */
    DCL &TYPE *CHAR 2        /* Journal entry type   */

27
Exit Program Example
2 of 2
Prevent Remote Commands and File Upload
    MONMSG CPF0000 EXEC(GOTO EXIT)          /* If error exit  */
    CHGVAR &RC '1'                          /* Allow request  */
    CHGVAR &USER %SST(&STRU 1 10)           /* Get user       */
    CHGVAR &APP1 %SST(&STRU 11 10)          /* Get appl       */
    CHGVAR &APP2 %SST(&STRU 21 10)          /* Get function   */
    /* Do not log IBM request to check license */
    IF (&APP1 = 'LMSRV') GOTO EXIT
    IF (&USER = 'GOODUSERXX') GOTO LOG
    /* Prevent use of remote commands */
    IF (&APP1 = 'DDM' *AND &APP2 = 'COMMAND') CHGVAR &RC '0'  /* Prevent the request */
    ELSE DO
       /* Prevent file upload from PC users         */
       /* File download to PC is not prevented      */
       IF (&APP1 = 'TFRFCL' *AND &APP2 = 'REPLACE') CHGVAR &RC '0'  /* Prevent the request */
    ENDDO
    /* Log request in the audit journal */
    LOG:  CHGVAR &TYPE ('X' *CAT &RC)
          SNDJRNE QAUDJRN TYPE(&TYPE) ENTDTA(&STRU)
    EXIT: ENDPGM

Good Way to Monitor Use
28
Exit Program Usage
The Exit Point Will Depend Upon the Client
Operating System
29
Exit Program Usage
Two programs are required because the parameters are
different
Diagram:
  Original File Transfer                                -> EXIT1
  Optimized (Windows 95/98/NT/2000/ME) File Transfer    -> EXIT2
Difficult to determine if request was upload or
download
30
Installation Instructions
1. Compile programs
   CRTCLPGM PGM(XXX/EXIT1) SRCFILE(XXX/QCLSRC) USRPRF(*OWNER)
   CRTCLPGM PGM(XXX/EXIT2) SRCFILE(XXX/QCLSRC) USRPRF(*OWNER)
2. Change owner
   CHGOBJOWN OBJ(XXX/EXIT1) OBJTYPE(*PGM) NEWOWN(QSECOFR)
   CHGOBJOWN OBJ(XXX/EXIT2) OBJTYPE(*PGM) NEWOWN(QSECOFR)

Adopt the owner's authority to allow the programs to
send to the audit journal
31
EXIT1 - File Transfer Exit
3 of 3
    /*****************************************************/
    /* Prevent file upload from PC users                 */
    /*    except in the UP_LIB library                   */
    /* Prevent download to PC                            */
    /*    except in the DOWN_LIB library                 */
    /*****************************************************/
    IF COND(&APP2 *EQ 'REPLACE') THEN(DO)
       IF COND(&TFLIB *NE 'UP_LIB') THEN(CHGVAR &RC '0')    /* prevent request */
    ENDDO
    IF COND(&APP2 *EQ 'SELECT') THEN(DO)
       IF COND(&TFLIB *NE 'DOWN_LIB') THEN(CHGVAR &RC '0')  /* prevent request */
    ENDDO
    /*****************************************************/
    /* Log request in the audit journal                  */
    /*****************************************************/
    LOG:  CHGVAR VAR(&TYPE) VALUE('X' *CAT &RC)
          SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
    EXIT: ENDPGM

Good Way to Monitor Use
32
EXIT2 - File Transfer Exit
1 of 3
    /*                                                          */
    /* To compile                                               */
    /*    CRTCLPGM PGM(XXX/EXIT2) SRCFILE(XXX/QCLSRC)           */
    /*             USRPRF(*OWNER)                               */
    /*                                                          */
    /* Installation instructions                                */
    /* 1. Compile program                                       */
    /* 2. Change owner of the program to user QSECOFR.          */
    /*    Adopted authority allows the program sending          */
    /*    to the audit journal                                  */
    /*    CHGOBJOWN OBJ(XXX/EXIT2) OBJTYPE(*PGM)                */
    /*              NEWOWN(QSECOFR)                             */
    /* 3. Name the exit program in registration facility        */
    /*    ADDEXITPGM EXITPNT(QIBM_QZDA_NDB1) FORMAT(ZDAD0100)   */
    /*               PGMNBR(1) PGM(XXX/EXIT2) REPLACE(*NO)      */
    /*               TEXT('limit to specific libraries')        */
    /* The request is recorded in the audit journal             */
    /* The audit journal QAUDJRN entries created are            */
    /*    'Z1' requests that are allowed                        */
    /*    'Z0' requests that are rejected                       */
    /*                                                          */
    PGM PARM(&RC &REQUEST)
    DCL VAR(&RC)      TYPE(*CHAR) LEN(1)     /* 1=allow 0=prevent  */
    DCL VAR(&REQUEST) TYPE(*CHAR) LEN(700)   /* request desc       */
    DCL VAR(&TYPE)    TYPE(*CHAR) LEN(2)     /* journal entry type */

33
EXIT2 - File Transfer Exit
2 of 3
    DCL VAR(&X1800) TYPE(*CHAR) LEN(4) VALUE(X'00001800')  /* create database file */
    DCL VAR(&X1801) TYPE(*CHAR) LEN(4) VALUE(X'00001801')  /* create source file   */
    DCL VAR(&X1802) TYPE(*CHAR) LEN(4) VALUE(X'00001802')  /* add member           */
    DCL VAR(&X1803) TYPE(*CHAR) LEN(4) VALUE(X'00001803')  /* clear member         */
    DCL VAR(&X1804) TYPE(*CHAR) LEN(4) VALUE(X'00001804')  /* delete member        */
    DCL VAR(&X1805) TYPE(*CHAR) LEN(4) VALUE(X'00001805')  /* file override        */
    DCL VAR(&X1806) TYPE(*CHAR) LEN(4) VALUE(X'00001806')  /* delete file override */
    DCL VAR(&X1807) TYPE(*CHAR) LEN(4) VALUE(X'00001807')  /* create save file     */
    DCL VAR(&X1808) TYPE(*CHAR) LEN(4) VALUE(X'00001808')  /* clear save file      */
    DCL VAR(&X1809) TYPE(*CHAR) LEN(4) VALUE(X'00001809')  /* delete file          */
    /* OPTIMIZED DATABASE SERVER DECLARES */
    DCL VAR(&DBFMT)  TYPE(*CHAR) LEN(8)     /* format name           */
    DCL VAR(&DBFID)  TYPE(*CHAR) LEN(4)     /* function identifier   */
    /* THE FOLLOWING PARAMETERS ARE ADDITIONAL FOR FORMAT ZDAD0100 */
    DCL VAR(&DBFILE) TYPE(*CHAR) LEN(128)   /* file name             */
    DCL VAR(&DBLIB)  TYPE(*CHAR) LEN(10)    /* library name          */
    DCL VAR(&DBMBR)  TYPE(*CHAR) LEN(10)    /* member name           */
    DCL VAR(&DBAUT)  TYPE(*CHAR) LEN(10)    /* authority to file     */
    DCL VAR(&DBBFIL) TYPE(*CHAR) LEN(128)   /* based on file name    */
    DCL VAR(&DBBLIB) TYPE(*CHAR) LEN(10)    /* based on library name */
    DCL VAR(&DBOFIL) TYPE(*CHAR) LEN(10)    /* override file name    */
    DCL VAR(&DBOLIB) TYPE(*CHAR) LEN(10)    /* override library name */
    DCL VAR(&DBOMBR) TYPE(*CHAR) LEN(10)    /* override member name  */

34
EXIT2 - File Transfer Exit
3 of 3
    MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))
    /* allow request unless rejected by program */
    CHGVAR VAR(&RC) VALUE('1')
    /* set variables from request description */
    CHGVAR VAR(&DBFMT)  VALUE(%SST(&REQUEST 21 8))
    CHGVAR VAR(&DBFID)  VALUE(%SST(&REQUEST 29 4))
    CHGVAR VAR(&DBFILE) VALUE(%SST(&REQUEST 33 128))
    CHGVAR VAR(&DBLIB)  VALUE(%SST(&REQUEST 161 10))
    CHGVAR VAR(&DBMBR)  VALUE(%SST(&REQUEST 171 10))
    CHGVAR VAR(&DBOFIL) VALUE(%SST(&REQUEST 329 10))
    CHGVAR VAR(&DBOLIB) VALUE(%SST(&REQUEST 339 10))
    CHGVAR VAR(&DBOMBR) VALUE(%SST(&REQUEST 349 10))
    IF COND((&DBFID *EQ &X1805)) THEN(DO)               /* OVERRIDE */
       IF COND(&DBOLIB *EQ 'UP_LIB')   THEN(GOTO LOG)
       IF COND(&DBOLIB *EQ 'DOWN_LIB') THEN(GOTO LOG)
       CHGVAR VAR(&RC) VALUE('0')
    ENDDO
    /* log request in the audit journal */
    LOG:  CHGVAR VAR(&TYPE) VALUE('Z' *CAT &RC)
          SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&REQUEST)
    EXIT: ENDPGM
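
The EXIT2 decision above (read the request description at the fixed ZDAD0100 offsets, reject a file override unless it targets UP_LIB or DOWN_LIB, journal 'Z' plus the return code), modelled in Python as an added example that is not part of the presentation. The 700-byte buffers, the ASCII encoding (the real server passes EBCDIC) and the PAYROLL file name are constructed for this demo.

```python
# Added example (not from the presentation): Python model of the EXIT2 decision
# logic for the ZDAD0100 request description. Offsets are the 1-based %SST
# positions the CL program uses; the buffers are ASCII (the real system passes
# EBCDIC) and every request below is constructed for this demo.

FILE_OVERRIDE = b"\x00\x00\x18\x05"             # &X1805 on the slides
ALLOWED_OVERRIDE_LIBS = {"UP_LIB", "DOWN_LIB"}   # libraries EXIT2 lets through

def sst(buf: bytes, pos: int, length: int) -> bytes:
    """Mimic CL %SST(&REQUEST pos length): 1-based start, fixed length."""
    return buf[pos - 1 : pos - 1 + length]

def parse_zdad0100(request: bytes) -> dict:
    """Pull the fields EXIT2 extracts from the 700-byte request description."""
    assert len(request) == 700, "ZDAD0100 request description is 700 bytes"
    text = lambda pos, n: sst(request, pos, n).decode("ascii").rstrip()
    return {
        "user": text(1, 10),
        "format": text(21, 8),
        "function_id": sst(request, 29, 4),
        "file": text(33, 128),
        "library": text(161, 10),
        "member": text(171, 10),
        "override_file": text(329, 10),
        "override_library": text(339, 10),
        "override_member": text(349, 10),
    }

def exit2_decide(request: bytes) -> tuple:
    """Return (RC, QAUDJRN entry type): RC '1' allows, '0' rejects, type is 'Z'+RC."""
    req = parse_zdad0100(request)
    rc = "1"                                     # allow unless rejected below
    if req["function_id"] == FILE_OVERRIDE:      # only file overrides are policed
        if req["override_library"] not in ALLOWED_OVERRIDE_LIBS:
            rc = "0"
    return rc, "Z" + rc

def build_request(user: str, function_id: bytes, library: str,
                  override_library: str = "") -> bytes:
    """Constructed test input laid out at the ZDAD0100 offsets used above."""
    buf = bytearray(b" " * 700)
    buf[0:10] = user.ljust(10).encode("ascii")
    buf[20:28] = b"ZDAD0100"
    buf[28:32] = function_id
    buf[32:160] = "PAYROLL".ljust(128).encode("ascii")
    buf[160:170] = library.ljust(10).encode("ascii")
    buf[338:348] = override_library.ljust(10).encode("ascii")
    return bytes(buf)

if __name__ == "__main__":
    print(exit2_decide(build_request("ELLEN", FILE_OVERRIDE, "PAYLIB", "UP_LIB")))
    print(exit2_decide(build_request("ELLEN", FILE_OVERRIDE, "PAYLIB", "QTEMP")))
    print(exit2_decide(build_request("ELLEN", b"\x00\x00\x18\x09", "PAYLIB")))
```

Like the CL program, anything that is not a file override (for example the delete-file request in the last line) passes through with RC '1', which is why the slides say such an exit alone cannot tell an upload from a download.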

35
Outline
  • Exit Program Overview
  • Why do I need exit-programs?
  • What is purpose of exit-programs?
  • If exit-programs don't exit, why are they called
    exit programs?
  • Sample exit program
  • Limit file transfer and commands
  • Design Alternatives

36
Exit Design Alternative
  • Compare to constant
    IF (&USER = 'ELLEN')
  • Advantages
    • Excellent performance
    • Easy to determine program flow
  • Limitations
    • Must recompile program to make any change
    • Security specification uses a different
      technique

37
Exit Design Alternative
  • Read from File
  • Advantages
    • Good performance
    • Add and remove users without recompiling
      program
  • Limitations
    • Program logic more complex
    • Security specification uses a different
      technique

38
Exit Design Alternative
  • Authorization list users
  • Advantages
    • Good performance
    • Add and remove users without recompiling
      program
    • Security specification uses the same technique
  • Limitations
    • Program logic more complex

39
Check an Authorization List
    IF COND(. . .) THEN(DO)
       CHKOBJ OBJ(QSYS/FILEREAD) OBJTYPE(*AUTL) AUT(*USE)
       MONMSG MSGID(CPF9800) EXEC(CHGVAR &RC '0')
       GOTO LOG
    ENDDO

Possible to check for different authorities
*USE for Read actions
*CHANGE for Update actions
40
Outline
  • Exit Program Overview
  • Why do I need exit-programs?
  • What is purpose of exit-programs?
  • If exit-programs don't exit, why are they called
    exit programs?
  • Sample exit program
  • Limit file transfer and commands
  • Design Alternatives
  • Design Considerations

41
File Transfer Transactions
42
File Transfer Transactions
Not obvious that a user performed a file transfer
43
Exit Program Considerations
  • Determining exit points is trial and error
  • Multiple transactions obscure user actions
  • Building flexibility into program logic
    complicates design

Creating Exit Programs Is Not a Simple Task
44
Outline
  • Exit Program Overview
  • Why do I need exit-programs?
  • What is purpose of exit-programs?
  • If exit-programs don't exit, why are they called
    exit programs?
  • Sample exit program
  • Limit file transfer and commands
  • Design Alternatives
  • Design Considerations

45
Comparison of Function
  • IBM Provides
  • Exit Points
  • Registration Facility
  • Security APIs

You must provide the programming to put the
individual pieces together
46
PentaSafe Exit Program
  • Flexible solution that supports
  • Logging of remote system transactions
  • Wide range of remote requests
  • File Transfer (DDM, Client Access, FTP)
  • User Log-on (FTP, Telnet)
  • Remote commands (DDM, FTP, Client Access)
  • Swapping of user profiles
  • Easy to specify controls
  • Users (All users, Group Members, Individuals)
  • Objects (Library, Object)

47
PentaSafe Exit Program
  • All requests logged in Audit Journal
  • Store new request types in approved entries
  • Approve all requests and forward to server

Request Collection should be done for 2 weeks
before attempt to restrict access
48
Request Collection
This is easy
  • Simple steps to collect data
  • Does not disrupt users (NO transactions rejected
    during collection)
  • Collect data to approve normal transactions

49
PentaSafe Exit Program
  • All requests logged in Audit Journal
  • Compare request to Approved Entries
  • If APPROVED forward to server
  • If REJECTED
  • Record in rejected requests
  • Send alert notification message

50
Control Remote Requests
  • Selection Options for Remote Requests
  • Users (Allow or Restrict)
  • Specific User Profile
  • Generic User Profile Name
  • Users with Group Profile
  • ALL users
  • Control by Object /Library
  • Command and Transaction
  • Time of Day Access
  • Telnet Address
  • Your exit program

51
Summary
Menu security is not adequate to limit a
user. You must protect data from access via the
other Client Access servers:
  • FILE TRANSFER
  • REMOTE COMMANDS
  • FOLDER ACCESS
Use exit programs to supplement object security
52
Summary
  • Specifying exit programs using network attributes
    is not recommended
    • Increases overhead
    • Network attributes support only a limited set
      of exits

Use the Registration Facility to specify exit
programs
53
Summary
  • Creating exit programs is not simple
  • Unless you have time and skills consider
    investing in third party exit programs

PentaSafe exit programs are an excellent choice
54
Information Sources
  • Exit Point Documentation
  • Client Access (File transfer, ODBC)
  • AS/400 Client Access Host Servers SC41-5740
  • Distributed Data Management (DDM, remote
    commands)
  • AS/400 Distributed Data Management SC41-5307
  • Internet (Telnet, FTP)
  • TCP/IP Configuration and Reference SC41-5420
  • Security
  • System API Reference Security APIs SC41-5872

55
Information Sources
  • Manuals
  • SC41-5300 Tips and Tools for Securing Your AS/400
  • SC41-5301 AS/400 Security Basic
  • SC41-5302 AS/400 Security Reference
  • Internet
  • S325-6321 IBM Secure Way AS/400 and
    the Internet
  • G325-6321 AS/400 and the Internet
  • SG24-4929 AS/400 Internet Security
    Protecting Your AS/400 from HARM on
    the Internet

56
VigilEnt Security Solution
VigilEnt Policy Center
VigilEnt Security Manager
VigilEnt Security Agents