About This Manual - Raz
Contents
1.

Attention Program / Library (table fragment, as extracted): SYSVAL, POPRTN SHZP, S18VRL, POPATN SHZP, POPRTN SHZP, SYSVAL.

User Profile Information / Environmental Info: report filter parameters, as shown on the following screen.

Firewall 15 User Manual 64 Chapter User Security RAZLEE iSecurity The iSeries Security Experts

                         Print User Profile (PRTAUUSRP)
    Type choices, press Enter.
    Type of information . . . . . . > *AUTINFO     *ALL, *AUTINFO, *ENVINFO
    Select by . . . . . . . . . . .   *SPCAUT      *SPCAUT, *USRCLS, *MISMATCH
    Output  . . . . . . . . . . . .   *PRINT       *PRINT, *PRINT1-*PRINT9
    Job description . . . . . . . .   QBATCH       Name, *NONE
      Library . . . . . . . . . . .   *PRODUCT     Name, *PRODUCT, *LIBL
                              Additional Parameters
    Special authorities . . . . . .   *ALL         *NONE, *ALLOBJ...
                    + for more values
    User class  . . . . . . . . . .   *ALL         *USER, *SYSOPR...
                    + for more values
                                                                    Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display
    F24=More keys

Print User Profile

Parameter or Option / Description:
Select by: SPCAUT - user profiles are selected based on special authorities. USRCLS - user profiles are selected based on user class. MISMATCH - user profiles are selected based on the fact that their special authorities are not the default values assigned to their user class.
Job description: Date and time of previous sign-on for this user profile.

Disable Inactive Users
The presence of valid but inactive user profiles can pose a potentially serious security threat. Hackers ca
2.

(Contents, continued)
... 158
Firewall Specifics ... 160
General ... 162
Purging all data of FIREWALL ... 163
*PRINT1-*PRINT9 Setup ... 163
Journal Product Definitions ... 164
iSecurity Central Administration ... 168
Appendix: List of Firewall Exit ... 172

Firewall 15 User Manual vi About This Manual

New Features in Firewall Versions

New Features for Firewall 15.6
New feature: Client Application Security (option 18).

New Features for Firewall 15.5
Inherit in-product IFS authorities from higher directory or file (81 > 2).
Skip SQL parsing if the accept/reject network access decision was taken at global, IP or user level (81 > 2).
Web application server performance improvements (2 > 11 > 1): Skip Checks options dramatically improve performance when a high volume of requests originates from a well-secured IP that uses SSL.
Streamline rules support for multiple libraries (21 > 6 > 1) by using model libraries to define security rules.
3.

    11 User   Z6USRACT  00  *Firewall* User Activity
              Z6USRPRF  88  11 User Profile Modifications
                                                                    Bottom
    F3=Exit  F6=Add New  F8=Print  F12=Cancel

Work with Queries

Firewall 15 User Manual 112 Chapter Queries, Reports and Logs

The following table lists the selection options.

Option / Description:
F6: Create a new query.
1: Select a query for modification.
3: Copy a query. Type the new query name and description in the pop-up window and press Enter to continue.
4: Delete a query. Press Enter to confirm deletion when the warning message appears.
5: Run the selected query as an interactive job.
6: Print the selected query to the standard output device and file type (PDF, HTML, CSV).
7: Rename a query. Type the new query name in the pop-up window and press Enter.
8: Run the selected query as a batch job.

General Query Parameters (Add/Modify Screen)
This screen contains several basic query definition parameters.

1. To work with query parameters, enter the required parameters and press Enter to continue.

                                 Modify Query
    Type choices, press Enter.
    Query name  . . . . . . . . . Z6IPOUT
    Description . . . . . . . . . *Firewall* Outgoing IP addresses
    Query type  . . . . . . . . . 1    1=All servers or Single server
                                       2=List of servers (selected later)
    If query type 1:
      Server Id . . . . . . . . . 80   All=00, Generic entry type=89-99
    Restrict to subject . . . . . Not
                                  Name
    Time group  . . . . . . . . . N
4.

    Mode for *SNA . . . . . . . . *NETATR      Name, *NETATR
    F3=Exit  F12=Cancel
    Modify data, or press Enter to confirm.

Add Network System

3. To run the reports on a copy of the data library of a remote system, select option 11 (Run Reports on a Copy). The Running Locally on a Copy of a Remote System screen appears. It displays the system's information and shows libraries whose names start with SMZADTA or SMZTMPA.

                 Running Locally on a Copy of a Remote System
    Type options, press Enter.
      1=Select
    Opt  Ext  System     Text
    >         *CURRENT   iSecurity 1 Firewall Screen PWD & WideScope
         A    005 5150   SMZTMPA lib of 5150
                                                                    Bottom
    This option allows you to run locally on a copy of the data of a remote
    system. Alternatively you may use the standard reporting system,
    specifying the SYSTEM parameter to report the current status of a single
    system or group of systems in either a merged or non-merged report.
    F3=Exit to *CURRENT system  F12=Cancel

Running Locally on a Copy of a Remote System

Firewall 15 User Manual 169 Chapter Configuration and Maintenance

NOTE: Running on multiple systems with either of the following:
- Merge data to a single output: MRGDTA(*NO)
- Place output on: OUTON(*SYSTEM), valid for *PRINT-*PRINT9 only. Selecting other output types, such as *HTML or *PDF, may result in unexpected results.

4. To create a distribution package of the definitions created (export), select options 21 Crea
5.

    F3=Exit  F22=Enter authority code

iSecurity (part I) Global Parameters

General Definitions
This option presents general definitions relating to emergency overrides, FYI Simulation mode, the Firewall history log, OS/400 Group and Supplemental profiles, and Super Speed processing.

Follow this procedure:
1. Select 1. General Definitions from the iSecurity (part I) Global Parameters screen. The Firewall General Definitions screen appears.
2. Set parameters and definitions according to the following table and press Enter.

Firewall 15 User Manual 146 Chapter Configuration and Maintenance

                         Firewall General Definitions
    Type options, press Enter.
    Emergency override ALL Security setting . . 0   Regular, no override
                                                    1=Allow      3=Reject
                                                    2=Allow+Log  4=Reject+Log
    Work in *FYI* Simulation mode . . . . . . . N   Y, N
      *FYI* is an acronym for For Your Information. In this mode security
      rules are fully operational but no action is taken.
    Check OS/400 Group and Supplemental profile . Y   Y, N
    Enable Super Speed Processing . . . . . . . N   Y, N
      The functionality of the product is not affected by this setting.
      Set this value to N well before you plan a Hot Upgrade of the
      product. This will enable temporary suspension of the activity
      during installation.
    Hot upgrade is safe . . . . . . . . . . . . Y   See manual
    F3=Exit  F12=Previous

Firewall General Definitions

Parameter or Option / Description:
Emergency overr
6.

    F3=Exit  F12=Cancel

Work with Group Items

The supported TYPES are:
USER: Check that the value is a user in a GROUP of users.
GRPPRF: Check that the value is a user in an OS/400 Group Profile.

Firewall 15 User Manual 130 Chapter Queries, Reports and Logs

USRGRP: USER and all user profiles which are members of the same user groups as USER.
ALL: For both GRPPRF and USRGRPs.

NOTE: If the TYPE is missing, USER or USRGRP is assumed based on the appearance of the percentage symbol (%) as the first character in the GROUP.

Using the Report Scheduler
This section describes the Report Scheduler feature and provides step-by-step instructions for its use.

Overview
The Report Scheduler allows you to run pre-defined report groups automatically according to a fixed schedule. A report group is comprised of one or more individual queries, reports or Activity Log inquiries that are executed together at a designated time. Grouping reports in this manner is more efficient because the scheduling details and other run-time parameters need to be defined only once for the entire group.

The most common application of the Report Scheduler is automatically running periodic audit reports based on queries. A schedule can be set up to run reports on a daily, weekly or monthly basis. Additional schedule parameters are provided to enable the user to specify the day of the week, day of the month and time of day that your r
7.

    *SQL    Denied for JAVA1 to SMZODTA/ODPRVD *FILE  SQL SELECT PRTEXT, PRINFM
    *SQL    Denied for JAVA1 to SMZODTA/ODPRVD *FILE  SQL SELECT PRPRVD, PRTEXT
    *SQL    *FYI* Denied for JAVA1 to SMZODTA/ODPRVD *FILE  SQL UPDATE SMZODTA/ODPRV
    *SQL    Denied for JAVA1 to SMZODTA/ODPRVD  SQL SELECT PRPRVD, PRTEXT
    *TELNET Denied
    *TELNET Denied
    *TELNET Denied
    *TELNET Denied
    *TELNET Denied
    *TELNET Denied
    (count column: 1 1 1 1 1 1 144 1 178 1 178 1 178 178 1 178)
    *SQL    Denied for JAVA1 to SMZ8/PROCGSEPNT *PGM  SQL CALL
                                                                   5/28  More...
    F3=Exit  F6=Modify rule  F7=Add action  F8=Details  F11=Single entry
    F12=Cancel  F17=Top  F18=Bottom

Display Firewall Log

5. Press F6 to modify the applicable rule based on an entry in the log. The rule definition screen for the applicable rule type opens. This feature allows the user to respond proactively to a situation discovered while reviewing the log, and leads the user to the exact screen where modification is required.

Firewall 15 User Manual 125 Chapter Queries, Reports and Logs

6. To view the details of an individual entry, move the cursor to the desired line and press Enter or F11. An example of an activity log entry appears below.

                                 Display Entry
    System . . . . . . . . . S720
    Message ID . . . . . . . GRE4083
    User profile . . . . . . *NONE
    Date . . . . . . . . . .            Time
8.

(Contents, continued)
... 77
(unreadable entry) ... 79
Printer Files ... 81
(unreadable entry) ... 83
Commands ... 85
Command Exceptions ... 87
Work with Pre-check Library Replacement ... 88
(unreadable entry) ... 91
Chapter 7 Logon Security ... 93
Procedural Overview ... 95
FTP/REXEC Incoming ... 96
Client FTP Outgoing ... 98
Telnet and Sign-on ... 100
Telnet Logon ... 100
SSL Control in Firewall ... 102
(unreadable entry) ... 102

Firewall 15 User Manual About This Manual

(unreadable entry) ... 106
Passthrough ... 109
Chapter 8 Queries, Reports and Logs ... 111
Query Wizard ... 111
Procedural Overview ... 112
Working with Queries ... 112
G
9.

(Contents, continued)
... 38
Using the Global Server Security Settings Feature ... 42
FYI Simulation Mode Global Setting ... 44
Using the Emergency Override Feature ... 44
Chapter 4 Dynamic Filtering ... 46
IP Address Firewall Rules ... 46
(unreadable entry) ... 49
Why Raz-Lee developed the SSL Solution ... 50
The Customer's Testing Methodology ... 50
SNA Firewall Rules ... 51
Chapter 5 User Security ... 53
Conceptual Framework ... 53
Verb Support ... 53
Rule Definition Procedure ... 54
Client Application Security ...
10.

Y = Activity allowed, Blank = Activity rejected. *PUBLIC is the default rule for all users not explicitly covered by an object security rule. Always make certain that the *PUBLIC rule contains sufficient permissions to allow ordinary users to access objects.

Parameter or Option / Description:
Command / Library: Name and library path of the command(s) included in this rule.
User / Group: Enter a user profile, or press F4 to select a user profile or group name from a list.
Run Command: Y = Users may execute the specified command.

Press Enter to return to the Work with Native Object Security screen.

Firewall 15 User Manual 86 Chapter Object Security

Command Exceptions
When working with command rules, it is easier to define restrictions globally for all users or for large groups of users. Usually only a few users truly need permission to execute certain commands. Firewall provides the ability to create one rule that prevents all or most users from using certain commands, and then to create a few exceptions to that rule for the select few who are authorized to use the relevant commands. One can define exceptions that will permit commands to be executed via the command line, within programs, FTP, REXEC (Remote Command Execution) and/or DDM.

The procedure for working with exceptions is quite simple:
1. Define the global or general command security rules as described in the pre
11.

(Contents, continued)
... 23
Update ... 26
(unreadable entry) ... 27
OS/400 Group Profiles ... 27
Firewall Proprietary User Groups ... 27
(unreadable entry) ... 30
Overview ... 30
Using Time Groups as Filter Criteria ... 31
Defining and/or Modifying Time Groups ... 31
Application Groups ... 32

Firewall 15 User Manual iv About This Manual

Overview ... 32
Defining and/or Modifying Application Groups ... 32
Location Groups ... 34
(unreadable entry) ... 34
Chapter 3 Basic Security ... 37
About Servers & Exit Points ... 37
Working with Server Security Rules ...
12.

    Firewall                            Journal
     21. Save Firewall Log               71. Add Journal
     22. Set Firewall Defaults           72. Remove Journal
    Screen Specific                      79. Display Journal
     31. Delete Activity Entries        Uninstall
                                         91. Uninstall Product
    Selection or command
    F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant
    F16=AS/400 main menu
    12 entries converted from journal SMZ8 in SMZTMPA

End Journal Confirmation

Display Journal
To view journalled files, select option 79. Display Journal.

                             Display Journal Entries
    Journal . . . . . :            Library . . . . . :   SMZTMPA
    Type options, press Enter.
      5=Display entire entry
    Opt  Sequence  Code  Type  Object    Library   Job
                   J     PR                        QPADEVOOOV
                   J     F     AUACTNP   SMZTMPA   QPADEVOOOV
                   J     M     AUACTNP   SMZTMPA   QPADEVOOOV
                   J     F     AULOGDJ   SMZTMPA   QPADEVOOOV
                   J     M     AULOGDJ   SMZTMPA   QPADEVOOOV
                   J     F     AULOGOUT  SMZTMPA   QPADEVOOOV
                   J     M     AULOGOUT  SMZTMPA   QPADEVOOOV
                   J     F     AUQSTN    SMZTMPA   QPADEVOOOV
                   J     M     AUQSTN    SMZTMPA   QPADEVOOOV
                   J     F     AUSELCP   SMZTMPA   QPADEVOOOV
                   J     M     AUSELCP   SMZTMPA   QPADEVOOOV
                   J     F     AUSELQP   SMZTMPA   QPADEVOOOV
    F3=Exit  F12=Cancel

Display Journal Entries

Firewall 15 User Manual 165 Chapter Configuration and Maintenance

*PRINT1-*PRINT9 User Parameters
Using OUTPUT(*PRINTn), where n = 1-9, provides extra control over prints. Use this screen to specify parameters for this feature. This functionality can be modified; for details see the original source SMZ8/GRSOU
13.

                                Modify Operator
              Firewall  Screen  Password  Journal  View  Visualizer  User management
              Product Administrator
    QSECOFR   *ALL      *ALL    Name      Name, SAME, BLANK
              1=*USE  9=*FULL  3=*QRY  9=*FULL  9=*FULL  9=*FULL  9=*FULL
    F3=Exit  F12=Cancel

Modify Operator

Option / Description:
Password: Name = Password. Same = Same as previous password when edited. Blank = No password.
1 = USE: Read authority only.
9 = FULL: Read and Write authority.
3 = QRY: Run Queries (for auditor use).

4. Set authorities and press Enter. A message is prompted informing that the user being added or modified was added to the Authority list that secures the product's objects; the user carries Authority CHANGE and will be granted Object operational authority. The Authority list is created in the installation/release upgrade process. The SECURITYP user profile is granted Authority ALL, whilst *PUBLIC is granted Authority EXCLUDE. All objects in the libraries of the product, except some restricted special cases, are secured via the Authority list.

FYI Simulation Mode
The FYI Simulation Mode allows users to simulate the application of security rules without physically rejecting any activity. All rejected transactions are recorded in the Activity Log as such, but the activity is allowed to proceed without interruption. This feature allows users to test your rules under actual wo
14.

In order to use this product, the user must have the *SECOFR special authority. To start Firewall, type the STRFW command at the command line. The main menu appears after a few moments. An additional product password is also required to access most product features. The default product password is QSECOFR. We recommend that this password be changed as soon as possible, using the procedure described below.

    GSFWPMNU                 Firewall                    iSecurity  System 520
    Basic Security                         Logon Control
     1. Activation and Server Setting       31. FTP/REXEC
     2. Dynamic Filtering (IP, System Names) 32. Telnet
                                            34. Passthrough
    User Security                          Advanced Features and More
     11. Users and Groups                   41. Rule Wizards
     12. Applications                       42. Advanced Security Features
     13. Locations                          43. Log, Reports, Queries
                                            45. User Management
     18. Client Application Security        49. Time Groups
    Object Security                        Maintenance
     21. Native AS/400 Objects              81. System Configuration
     22. IFS, QDLS, NFS, QOpenSys           82. Maintenance Menu
                                            83. Central Administration
    Selection or command
    F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant
    F16=AS/400 main menu

Firewall Main Menu

Modifying Operators' Authorities
The Operators' authorities management is now maintained from one place for the entire iSecurity, on all its modules. There are three default groups:

AUDZSECAD: All users with both *AUDIT and *SECADM special authorities. By default this group has full access (Read and Write) to all iS
15.

    *FYI* (For Your Information) action NOT performed.
    *SIGNON Denied for DAN from 192.168.1.6 in job 521311/DAN/QPADEV0002.
    The rejection is based on security rule for IP Address.
    The examined security rule was for user *PUBLIC, IP *ALL, subnet mask 0.0.0.0.
    F3=Exit  F6=Modify rule  F7=Add action  F12=Cancel

Additional Message Information

Firewall 15 User Manual 103 Chapter Logon Security

                            Work with User Security
    Type options, press Enter.          Read top > down    Servers securing
      1=Select  3=Copy  4=Delete  5=Members  6=Groups      User Level only
                  Network  Servers  R  RFO
    User      System   Group  group
    *PUBLIC   *FTP
    %GGG
    %JJJJ
    %000
    EDI
    ELIH
    LEO
    LUCAS
                                                                    More...
    F3=Exit  F6=Add user  F7=Add group  F8=Print list
    *SIGNON Transaction for user DAN, IP 192.168.1.6, in job 521311/DAN/QPADE

Work with User Security

3. Type 1 (Select) to modify the rule.

                              Modify User Security
    User . . . . . . . . . . *PUBLIC
    Type choices, press Enter.
    Activity Time
      Time group . . . . . . *NEVER
    Use Group Authority  . . Y    Y=Yes, N=No, blank=Default
      Enable Services based also on OS/400 and *USER Group profiles
      Authorities and Locations
    2. Services (FTP, SQL, NDB, DDM ...)
    3. IP
    4. Device Names (SIGNON only)
    Selection  B
    In product Special Object Authority
      AS/400 Native . . . . 1    1=*ALLOBJ  2=*EXCLUDE  3=*OBJAUT
      IFS . . . . . . . . . 1    1=*ALLOBJ  2=*EXCLUDE  3=*OBJAUT
    F3=Exit  F4=Prompt  F8=Print  F9=Object se
16.

    *AUTOSIGNON   252.8        *AUTOSIGNON  *SAME
    240.8         *SAME        255.255.0    *ACCEPT
                                                                    Bottom
    F3=Exit  F5=Refresh  F6=Add new  F8=Print  F12=Cancel

Work with Telnet Logon Security

3. Set parameters according to the following table and press Enter. Select F6 to add a new rule, or option 1 to modify.

                     Modify TELNET Logon Security setting
    Type information, press Enter.
    Selection criteria
      IP Address . . . . . . . . . *ALL        Address, F4 for list
      Subnet mask  . . . . . . . . 0.0.0.0     F4 for list
      Incoming terminal name . . .             Name, *ALL, F4 for list
      Minimum pwd validation . . . 0           0=No password
                                               1=With password
                                               2=Encrypted pwd
                                               3=Connection SSL
      Time group . . . . . . . . .             Name, F4 for list
    Logon  . . . . . . . . . . . . 1           1=*ACCEPT  2=*REJECT
                                               3=*AUTOSIGNON  4=*FRCSIGNON
    For *ACCEPT, *AUTOSIGNON, *FRCSIGNON Logon
      Assign terminal name . . . . *SAME       Generic*, *SAME, *SYSTEM, F4=List
      Set new Code page / Character set / Keyboard layout
    For *AUTOSIGNON Logon
      Alt User . . . . . . . . . . *SAME       F4 for list
      Alt Current library  . . . . *SAME
      Alt Program to call  . . . . *SAME
      Alt Initial Menu . . . . . . *SAME
    F3=Exit  F4=Prompt  F12=Cancel

Modify Telnet Logon Security Setting

Firewall 15 User Manual 101 Chapter Logon Security

Parameter / Description:
IP Address / Subnet Mask: IP address and subnet mask in decimal format. TIP: Press F4 and select the subnet mask from a list. I
17.

    . . . . . . . . . . . . . . . *ANY        F4 for list
    Time group  . . . . . . . . .             Name, F4 for list
    Automatic sign-on . . . . . . 1           1=*ALLOW  2=*REJECT
                                              3=*FRCSIGNON  4=*ALTLOGON
    Automatic sign-on parameters for *ALTLOGON
      User profile  . . . . . . .             Name, F4 for list
      Initial program . . . . . .
      Initial menu  . . . . . . .
      Current library . . . . . .
    F3=Exit  F4=Prompt  F12=Cancel

Modify Passthrough Security

Parameter / Description:
Source System: SNA system name of the source (incoming) computer.
Source User: User profile at the source system. Generic* = any user profile beginning with the text before the *. *ALL = all users.
Target User: User profile for logon at the target system. *SAME = use the source user profile. Generic* = any user profile beginning with the text before the *.
Time group: Enter a time group name, or press F4 to select from a list.
Automatic Sign-on: 1 = Accept logon request. 2 = Reject logon request. 3 = Force sign-on even if System i is configured for automatic sign-on. 4 = Sign on automatically with an alternate user profile.
User Profile: Automatically sign on with the specified replacement user profile.
Initial Program: Automatically replace the default program to be run at sign-on.
Initial Menu: Automatically replace the default initial user menu at sign-on.
Current Library: Automatically replace the default current library with the specified library.

NOTE: To work with Passthrough security, select 11. Display Passthrough Logon Log from the Passthrough Security screen.

Firewall 15 User Manual
18.

SQL long names (up to 128) are now supported for Table (File) and for Collection (Schema, Library).
SQL and Wizards performance improvements.
In Users and Groups security, for a Group the number of members appears, and Group Profiles are signified by GRPPRF.

New Features for Firewall 15.0
Inherited Authority for IFS objects (optional): an optional change in IFS object authorization determination. The Best Fit algorithm has new variations. If selected, the change allows getting authority from the preceding directories, or even from any level of a higher generic name. This enables easier distribution of authorities by directories.

Firewall 15 User Manual 1 New Features in Firewall Versions

Chapter 1 Introducing Firewall

What is Firewall?
Firewall is a truly comprehensive network security solution that completely secures your System i (AS/400) against all known external threats and also controls what users are permitted to do after access is granted. Firewall is a robust, cost-effective security solution. Firewall is by far the most intuitive and easy-to-use security software product on the market today. Its top-down functional design and intuitive logic create a work environment that even System i novices can master in minutes. Firewall features a user-friendly Java-based GUI and a System i Navigator (OpsNav) plug-in, in addition to the traditional green-screen interface.

Why
19.

3. The Emergency override ALL Security Setting option allows you to override all of the Firewall security settings. Type 0 for regular Firewall settings.

Option / Description:
0 = Regular (No override): regular Firewall security definitions. Default setting.
1 = Allow: Allow all users/groups for all services. None of the exit points is locked.
2 = Allow+Log: Allow all users/groups for all services and log the activities.
3 = Reject: Reject all users/groups from all services. All of the exit points are locked.
4 = Reject+Log: Reject all users/groups from all services and log the activities.

4. Type a Y in the Work in FYI Simulation Mode field.

Firewall 15 User Manual 15 Chapter First Steps

NOTE: You may leave the Work in FYI Simulation Mode field as N but configure certain servers to work in FYI (see Modifying Server Security).

5. Select Y at the Check OS/400 Group and Supplemental profile field to make sure both the group profile and the supplemental groups' authorizations are checked. It is enough to have permission for a service in one of the groups.

6. Select Y at Enable Super Speed Processing to leave programs in memory between system IPLs, which will allow fast performance.

NOTE: Before an upgrade, set Enable Super Speed Processing to N and perform an IPL.

7. Hot upgrade is safe: this option will allow performing an update which is performed
20.

4 = Delete an existing rule.

Firewall 15 User Manual 51 Chapter Dynamic Filtering Security

If you are creating or modifying a rule, the Dynamic Filtering: Modify Incoming Remote System Name screen appears. The table following the screen example details the appropriate rule parameters.

              Dynamic Filtering: Modify Incoming Remote System Name
    Type choices, press Enter.
    Name . . . . . . . . . generic*
    Text . . . . . . . . . my software house
                           DRDA  Passthrough
                           Y     Y
    F3=Exit  F10=Logon security  F12=Cancel

Modify Incoming Remote System Name

Parameter or Option / Description:
System: SNA system name.
Text: Description of the SNA system.
Y = Yes: Type Y to allow activity, or leave the field blank to reject activity, for each individual server.
F10: Work with Logon security rules.

Firewall 15 User Manual 52 Chapter Dynamic Filtering Security

Chapter 5 User Security

Conceptual Framework
User-to-service security rules control the activity of specific user profiles, groups and Firewall user groups in individual servers. You can also use user-to-service rules to grant or deny users *ALLOBJ (all objects) security for native OS/400 and IFS objects. Server security rules, as described in Chapter 4, control activity for each server on a global basis for all users. User-to-Service security rules allow users to control activity via these se
21.

Act by server default.
Enable Action for Screen: Y = Enable Screen protection. N = Do not enable Screen protection (default).

SYSLOG
This feature sends security-related events from various IBM i facilities, such as logs and message systems, to a remote Syslog server according to a range of severities (emergency, alert, critical, error, warning and more). By using SYSLOG a user can decide whether the SYSLOG should contain all Firewall events (2), all rejects only (1), or none (0).

Firewall 15 User Manual 154 Chapter Configuration and Maintenance

                                    SYSLOG
    Send SYSLOG  . . . . . . . . . . . 0     0=None, 1=Rejects, 2=All
    Send *FYI (with *FYI in front) . . Y     Y=Yes, N=No
    Use option 81. iSecurity Base from the previous menu to define SYSLOG
    global parameters. If you wish to send only certain events, either use
    the Action module with the SNDSYSLOG command or specify a user filter
    program in the SYSLOG global parameters.
    F3=Exit  F12=Previous

SYSLOG

By using Audit > 81. System Configuration > 21. Syslog Definitions, a user can define when to send Syslog messages, to what IP address, from which facility (list of optional facilities below), in what range of severity (list below), and the format of the message.

Log retention
Determine how many days you want to keep the Firewall log. The job GS#MNT is used to delete logs according to the number of retention days. This job is placed
22.

Applications from the main menu. The Work with Application Groups screen appears.

                          Work with Application Groups
    Type options, press Enter.          Read top > down    Servers securing
      1=Select  3=Copy  4=Delete  5=Members                User Level only
                          R  RFO
    Application
    %BOSS
    %CA
    %DSFSDF
    %GGG
    ODBC
    %PCOM
    %TCPIP
    TM
    ZHUTWO
                                                                    Bottom
    F3=Exit  F6=Add new  F8=Print list

Work with Application Groups

Firewall 15 User Manual 32 Chapter First Steps

Option / Description:
1: Modify an application group.
3: Copy an existing application group.
4: Delete an application group.
5: Edit the group members (OS/400 Users and Group profiles).

2. Select 1 to modify a group, or press F6 to create a new group, as shown below.

                        Add Application Group Security
    Type choices, press Enter.
    Application Group  . . . . .
    Authorities
    1. Services (FTP, SQL, NDB, DDM ...)      Selection >
    In product Special Object Authority
      AS/400 Native  . . . . . . 3    1=*ALLOBJ  2=*EXCLUDE  3=*OBJAUT
      IFS  . . . . . . . . . . .      1=*ALLOBJ  2=*EXCLUDE  3=*OBJAUT
    F3=Exit  F4=Prompt  F8=Print  F9=Object security  F10=Logon security
    F12=Cancel

Add Application Group Security

Option / Description:
Application Group: Application group name.
Text: Enter a description of the application group.
Authorities / Services: Choose server.
Selections: Enter your choice of service.
In product Special T
23.

HTML, CSV) and press Enter.

                         Run Firewall Query (RUNFWQRY)
    Type choices, press Enter.
    Query . . . . . . . . . . . . . . > Z6IFS       Name, *SELECT
    Display last minutes  . . . . . .   *BYTIME     Number, *BYTIME
    Starting date and time:
      Starting date . . . . . . . . .   *CURRENT    Date, *CURRENT, *YESTERDAY
      Starting time . . . . . . . . .   000000      Time
    Ending date and time:
      Ending date . . . . . . . . . .   *CURRENT    Date, *CURRENT, *YESTERDAY
      Ending time . . . . . . . . . .   235959      Time
    User* or %GROUP . . . . . . . . .   *ALL        Name, *ALL
    System to run for . . . . . . . .   *CURRENT    Name, *CURRENT, *ALL
    Number of records to process  . .   *NOMAX      Number, *NOMAX
    Output  . . . . . . . . . . . . .   *           *, *PRINT, *PDF, *HTML...
    Object (*TEMP for attach only)  .
                                                                    More...
    F3=Exit  F4=Prompt  F5=Refresh  F10=Additional parameters  F12=Cancel
    F13=How to use this display  F24=More keys

Run Firewall Query

2. Type MAIL in the Object field, press Page Down, and enter the email address you want the file to be sent to in the Mail to field.

                         Run Firewall Query (RUNFWQRY)
    Type choices, press Enter.
    Directory . . . . . . . . . . . .   dir
    Mail to . . . . . . . . . . . . .   mail1, mail2, mail3, admin@razlee
                    + for more values
    Mail text . . . . . . . . . . . .
    Object size to allow attach . . .   4           Size in MB, *NOMAX
    Delete if attached  . . . . . . .   *NO         *YES, *NO
                                                                    Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F10=Additional parameters  F12=Cancel
    F13=How to use this display  F24=More keys

Run Firewall Query

Firewall 15 User Manual 122 Chapter Queries, Reports and Logs
24.

Passthrough
This server specifies how the outside systems handle remote sign-on requests. It may alter sign-on information.

1. To work with Passthrough security, select 34. Passthrough from the Firewall main menu. The Passthrough Security screen appears.
2. Select 1. Passthrough Logon. The Work with Passthrough Security screen appears.
3. Set parameters according to the following table and press Enter. Select F6 to add a new rule, or option 1 to modify.

                         Work with Passthrough Security
    Type options, press Enter.
      1=Select  3=Copy  4=Delete
         Source    Source    Target    Automatic
    Opt  System    User*     User      Sign-on
    1    *ALL      *ALL      *ANY      *SAME
         *ALL      JOHN
                                                                    Bottom
    F3=Exit  F6=Add new  F8=Print  F12=Cancel

Work with Passthrough Security

Parameter or Option / Description:
Source System: SNA system name of the source (incoming) computer.
Source User: User profile of the source system.
Target User: User profile for logon at the target system.
Automatic Sign-on: 1 = Accept logon request. 2 = Reject logon request. 3 = Force sign-on even if System i is configured for automatic sign-on. 4 = Sign on automatically with an alternate user profile.

Firewall 15 User Manual 109 Chapter Logon Security

                          Modify Passthrough Security
    Type choices, press Enter.
    Source system . . . . . . . . .             Name, *ALL
    Source user . . . . . . . . . .             Name, generic*, *ALL
    Target user . . . . . . . . . .             Name
25.

    F24=More keys

Native AS/400 Objects Update

Firewall 15 User Manual 26 Chapter First Steps

2. Enter the required parameters and press Enter to begin the selection process and return to the Wizard menu.

User Groups
User groups allow you to apply security rules to predefined groups of users. User groups are also useful as filter criteria for queries and reports. The use of user groups greatly reduces the number of rules required to implement security policies, as well as the time spent defining and maintaining rules. Also note that User Groups are defined in Firewall (Option 11), and Group Profiles are defined in the system. The benefit of this new feature is that, instead of the report containing thousands of lines of user data, user groups, group profiles and user profiles are listed.

Firewall supports the use of two types of user groups:
- OS/400 group profiles
- Firewall proprietary user groups

OS/400 Group Profiles
OS/400 group profiles are useful for a variety of System i administration and security tasks. Use the CRTUSRPRF or WRKUSRPRF commands to create OS/400 group profiles. To assign other user profiles to the group profile, simply enter the group profile name in the Group Profile field for each individual user profile that is a member of a group.

Firewall Proprietary User Groups

Overview
Firewall proprietary user groups offer greater flexibility when it comes to grouping users together for the purp
26.

    ...                                         None   Yes
    REXEC Server Request Validation    REXEC    None   Yes   Yes
    Original Remote SQL Server         RMTSQL   None   Yes   Yes
    Database Server - SQL access & Showcase  SQL    None   Yes   Yes
    Database Server - data base access       NDB
                                                                    More...
    F3=Exit  F4=Prompt  F8=Print  F9=Object security  F10=Logon security
    F11=Modify Set Log  F12=Cancel  F23=Reject all

Modify User Security

Verb (command) rule support is available for the FTP, SQL and Database, and DDM servers.

Firewall 15 User Manual 53 Chapter User Security

Rule Definition Procedure
To work with user-to-service security, select 11. Users and Groups from the main menu. The Work with User Security screen appears. This screen lists the user-to-service rules currently in effect and provides a quick glance at them.

3. To work with an existing rule, type 1 in the Opt field, or press F6 to create a new rule. Use the PageUp and PageDown keys to scroll through the list. Press Enter to continue.

                            Work with User Security
    Type options, press Enter.          Read top > down    Servers securing
      1=Select  3=Copy  4=Delete  5=Members                User Level only
                  Network  Servers  R  RFO
    User      System   Group  group
    *PUBLIC   *FTP
    %GGG
    %JJJJ
    EDI
    ELIH
    LEO
    LUCAS
    QSECOFR
    F3=Exit  F6=Add user  F7=Add group  F8=Print list

Work with User Security

The following table explains the options and information on Work with User S
27. Object Security screen, select 2. Libraries. The Work with Native AS/400 Library Security screen appears. This screen lists all the rules currently in effect.

2. Type 1 to modify an existing rule, or press F6 to create a new rule.

3. Press Enter to return to the Native OS/400 Object Security menu.

[Screen: Work with Native AS/400 Library Security. Type options, press Enter: 1=Select, 3=Copy, 4=Delete. Columns: Opt, Library. Sample entry: SALE1. F3=Exit, F6=Add new, F8=Print, F12=Cancel.]

Work with Native AS/400 Library Security (Parameter or Option: Description)
Opt: 1 Select this rule for modification; 3 Copy this rule for another user; 4 Delete this rule.
F6: Add new rule.
F8: Print rules.
Subset: Search for a file or library whose name contains the subset.

Add/Modify Native AS/400 Library Security

[Screen: Modify Native AS/400 Library Security. Type information, press Enter. Library: SALE1. Define user authority, press Enter (Y=Yes). Columns: User*/Group, Group profile, and the LIBRARY MANAGEMENT activities Delete and Rename. Sample rows: *PUBLIC, CRAIG, JANE. F3=Exit, F4=Prompt, F12=Cancel.]

In the Modify Native AS/400 Library Security screen, define permissions for one user profile, profile group or Firewall user group on each line. Use the PageUp and PageDown keys to scroll through a long list. For each activity, type Y.

Activity
28. Operators: See Modifying Operators in Chapter 2, First Steps, for a description of this feature.

Firewall Specifics

Save Firewall Log

Allows users to save the daily Firewall log in SAVF format.

[Screen: Save iSecurity Log (SAVLOGDAY). Type choices, press Enter. Save File: Name; Library: *CURLIB, Name; Date: *CURRENT, Date. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]

Replace Firewall Users

This option has two purposes:
1. Copy and delete the user's Firewall definitions and rules, as defined in options 11, 12, 13, 21, 22, 31 and 32, to another user profile.
2. Remove the user's definitions and rules from the Firewall by entering *REMOVE in the Replace to user field.

[Screen: Replace FW user (RPLFWUSR). Type choices, press Enter. Replace from user: User, *Group. Replace to user: USER, *Group, *REMOVE, *PRINT. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]

General

Work with Collected Data

Administrators can view summaries of Audit, Firewall and Action journal contents by day, showing the number of
29. [Screen: Work with User Absence Schedule. Disable users on temporary leave (e.g. vacation, sick leave, leave of absence) or permanently delete users leaving the organization. Type options, press Enter: 1=Select, 4=Delete. Columns: Opt, User, Date, Description. Sample entries include QSECOFR (Security Officer) and TEST1. Users displayed in red are scheduled to be deleted; press F11 for more details. F3=Exit, F6=Add New, F8=Print list, F11=Fold/Drop, F12=Cancel.]

2. Select a user from the list, or press F6 to add a new user. The Modify User Absence Schedule screen appears.

[Screen: Modify User Absence Schedule. Type choices, press Enter. User; Date; Action: 1=Disable, 2=Delete. For scheduled *DELETE: Owned object option: *NODLT, *DLT, *CHGOWN; New owner if *CHGOWN; Primary group change option: *NOCHG, *CHGPGP; New primary group; New primary group authority: *OLDPGP, *CHANGE, *USE, *EXCLUDE. F3=Exit, F12=Cancel.]

3. Enter the appropriate parameters as described in the following table.

Parameter or Option: Description
User: User profile to be disabled or deleted.
30. [List of Firewall Exit Points, continued]
SPLF0100
Original Message Server: MESS0100
Database Server entry: ZDAI0100
Database Server object information: ZDAR0100
Database Server object information: ZDAR0200
Change User Profile: CHGP0100
Create User Profile: CRTP0100
Delete User Profile (after Delete): DLTP0100
Delete User Profile (before Delete): DLTP0200
Restore User Profile: RSTP0100
TCP Signon Server: ZSOY0100
Prepower Down System: PWRD0100
DHCP Address Binding Notify: DHCA0100
DHCP Address Release Notify: DHCR0100
DHCP Request Packet Validation: DHCV0100
System Value: Remote Signon Control
System Value: Password Validation
IFS Scan on Open: SCOP0100
IFS Scan on Close: SCCL0100
System Value: Inactive Job Timeout
System Value: Inactive Job MessageQ

Thank you for using iSecurity Firewall. If you have any questions or problems, please contact:
Emails: marketing@razlee.com, support@razlee.com
Raz-Lee New York: Tel 1-888-RAZLEE-4, Tel 1-888-RAZLEE-2
Raz-Lee Israel: Tel 972-9-9588860
31. System i context-sensitive help is available at any time through the F1 key. A help window appears containing explanatory text relating to the function or option currently in use. Online help will shortly be available in Windows help format for viewing on a PC with terminal emulation.

Typography Conventions

- Menu options, field names and function key names are written in Sans Serif Bold.
- References to chapters or sections are written in Italic.
- OS/400 commands and system messages are written in Bold Italic.
- Key combinations are separated by a dash, for example Shift-Tab.
- Emphasis is written in Times New Roman bold.

Table of Contents (fragment)
About This Manual
Who Should Read This Book
Product Documentation Overview
Printed Materials
New Features in Firewall Versions
New Features for Firewall 15.6
New Features for Firewall 15.5
32. [Screen: Work with Signon Schedule. Type options, press Enter: 1=Select, 4=Delete. Position to: User/Group. Columns: Opt, User Profile, Enable, Disable, Days. Sample rows: ABBY 7:00-19:00 *THU *WED *TUE; AMY 8:00-16:00 *TUE *WED *THU; AV QSECOFR 8:00-19:00 *TUE *WED *THU; QSECOFR 00:00 *ALL; DANIEL SALE 8:00-10:00 *TUE *WED *THU. F3=Exit, F6=Add new, F11=Sort by User/Group, F12=Cancel.]

Work with Sign-on Schedule (Parameter or Option: Description)
Opt: 1 Select to modify; 4 Delete the selected user.
Position to: Position the cursor at the first item beginning with the text string typed in this space.
F8: Print a report showing sign-on schedules for all users.

NOTE: You can create only one sign-on schedule for each user profile.

2. Select a user from the list, or press F6 to define a new user schedule. The Create Sign-on Schedule screen appears.

[Screen: Create Signon Schedule. Type choices, press Enter. Disable. This rule is in effect: Everyday, or Mon Tue Wed Thu Fri Sat Sun (only on specified days). Apply schedule to ONE of the following: All users in group profile (Name); User profile(s) (Name, Generic*, *ALL). Selecting the last option and pressing F4 enables you to apply the sign-on schedule to more than one user at a time. F3=Exit, F4=Prompt, F12=Cancel.]

Creat
33. and Location Groups. See Chapter 3, First Steps.

User Security

Firewall offers optimized basic user security. A single user security definition can be created as described in the following table (see Chapter 6, User to Service Security, for more detail).

Method: Description
Groups: Assign a user to a user group, similar to the option of selecting members for each of the user groups.
Services: Same as the previous method of user-to-service definitions.
IP: Same as the Location group rules, but only applicable to single users.
Device Names: Only for Telnet sign-on. Same as the Location group rules, but only applicable to single users.

User Management

Originally an Action feature enabling user management abilities, User Management has been added to Firewall. It contains several powerful security tools that control access permissions. User Management enhances active system security by allowing users to perform the following tasks:
- View and modify security parameters in user profiles using a convenient wizard
- Automatically disable inactive users
- Restrict user sign-on to specific hours and days
- Prevent user sign-on during planned absences or following termination
- Analyze default passwords for effectiveness

See Chapter 5, User to Service Security.

Intrusion Detection

This feature enables Firewall to trigger proactive responses simi
34. as job scheduler and is working at a specific time.
99 / *NOMAX: save and do not erase old history logs.

[Screen: Log & Journal Retention. Type options, press Enter. Log retention period (days): Days, 99, *NOMAX. Backup program for logs: Name, *STD. Backup program library. A specified backup program may run before deleting old logs; it will back up all data deleted after the retention period expires. The *STD default backup program is SMZ8/GRSOURCE GSLOGBKP. F3=Exit, F12=Cancel.]

Language Support

Double Byte Character Set (DBCS) is a set of characters in which each character is represented by two bytes. These character sets are commonly used by national languages such as Japanese and Chinese, which have more symbols than can be represented by a single byte. There are two options: the default setting of N (do not support DBCS) and Y (support DBCS). Choose an option based on the relevant national language.

1. To work with iSecurity Language Support, select 91. Language Support from the iSecurity Part I Global Parameters screen. The iSecurity Language Support screen appears.

2. Set your desired parameter and press Enter.

[Screen: iSecurity Language Support. Select one of the
35. by this feature. Q profiles, which are required for system activity, are never disabled. Press F11 to prevent specific users from being disabled automatically.

[Screen: Auto Disable Inactive Users. F3=Exit, F11=Auto Disable exceptions, F12=Cancel.]

To define exceptions to the Auto Disable default, select 15. Exceptions from the User Management menu. The Auto Disable Exceptions screen appears. Press F6 and type the user profile name(s) that should not be disabled automatically. To delete a user profile from this exception list, type 4 next to the name and press Enter.

Restricting User Sign-on Times

Even valid user profiles have the potential for abuse. A common hacker trick is to obtain a user's password and use it to sign on after the user has left work, in order to access programs and data with that user's authorities. Using this method, a dishonest employee can bypass object-level security and remain invisible to subsequent audit. An effective defense against this scenario is to restrict user sign-on to authorized working hours. Action includes a user-friendly tool for defining authorized sign-on periods for users by time and day of the week.

1. To define authorized sign-on times for users, select 21. Work with Schedule from the User Management menu. The following screen appears; a table of explanation follows.

[Screen: Sorted by User
36. current month.
*PRVMONTHS: Beginning of the previous month.
*YEARSTR: Beginning of the current year.
*PRVYEARS: Beginning of the previous year.
*MON-*SUN: Day of the current or previous week.
NOTE: All constants are relative to the day on which the report runs.
Starting/Ending Time: Time of day using the 24-hour clock (HH:MM:SS).
User or *GROUP: User profile or Group name that instigated the event being audited.
Server ID: Choose the servers you want to examine. To examine all servers, choose *ALL.
System to run for: The system to report information from. *CURRENT: the current system. Name: a group of systems as defined in STRAUD 83.1. *ALL: all the systems defined in STRAUD 83.1.
Output: *PRINT prints to the local printer; *PRINT1 prints to the remote printer; *PRINT2 prints to both remote and local printers; *PRINT3-9 are user-modifiable.
Print Format: *SHORT: short format; *FULL: full report format.
Results: *BOTH: display rejected and accepted transactions; *REJECT: display rejected transactions; *ACCEPT: display accepted transactions.
Object/Library: Object and library path.
Object Type: One of the available object types from option 21. Native AS/400 Objects on the Firewall Main menu.

5. Press Enter to continue to the Change Job Schedule Entry screen.

[Screen: Change Job Schedul
37. definitions between LPARs or different machines. Firewall will export/import IP addresses, System names (SNA), Users, Groups, Applicant, Locate, Native & IFS, Logon controls (FTP, TELNET, Passthrough), Prechecks, DDM, DRDA, Time groups and more.

[Screen: Export iSecurity Part 1 Defns (EXPS1DFN). Type choices, press Enter. Collection type: *ADD. Work library and SAVF in QGPL: *AUTO. S1/System/Firewall options: *REPLACE, *BYSUBJECT. Screen options: *REPLACE, *BYSUBJECT. General options: *REPLACE, *BYSUBJECT. Update remote systems; Systems to update: *group, *ALL, *NONE; Update type: *REPLACE. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]

[Screen: Import iSecurity BASE Defns (IMPS1DFN). Type choices, press Enter. Input type: *LIB, *SAVF. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]

Import iSec Part 1 Definitions (Parameter or Option: Description)
Destination of export library: S1 (Security One) is the default setting. Name: name of the target library.
Definitions pertaining to these two applications (Firewall, Screen) Options: ADD: add to a previously imported/exported rule. REPLACE: replace a previously imported/exported rule. BYSUBJECT: import/export rules by
38. entries for each day, together with the amount of disk space occupied. Administrators can optionally delete individual days in order to conserve disk space.

1. To view summaries of audit journals, select 51. Work with Collected Data. The Work with Collected Data screen appears.

[Screen: Work with Collected Data. Type options, press Enter. Module: 1=Firewall, 2=Audit, 3=Action, 4=Capture. F3=Exit.]

2. Enter 1 (Firewall) and press Enter. The Work with Collected Data Firewall screen appears.

[Screen: Work with Collected Data Firewall. Type options, press Enter: 4=Delete. Columns: Opt, Collected Date, Records, Size, Save Date, Save Time; one row per collected day (sample rows dated 13/11/08 through 26/11/08, all saved 15/12/08). Total Size (MB). F3=Exit, F5=Refresh, F12=Cancel.]

3. Enter the correct options and press Enter.

Purging
39. following DBCS system.

[Screen: iSecurity Language Support. F3=Exit, F12=Cancel.]

The Maintenance Menu

The Maintenance Menu enables the user to set and display global definitions for Security Part 1. To access the Maintenance Menu, select 82. Maintenance Menu from the Firewall main menu.

[Screen: Maintenance Menu (GSMINTM), iSecurity Part 1, System 520. Select one of the following:
iSecurity Part 1 Global: 1. Export Definitions; 2. Import Definitions; 5. Display Definitions
Operators and Authority Codes: 11. Work with Operators; 12. Work with Authority Codes
Firewall Specific: 21. Save Firewall Log; 22. Set Firewall Defaults; 25. Replace Firewall Users
Screen Specific: 31. Delete Activity Entries
Password Specific: 41. Copy Dictionary Language; 42. Import Dictionary Language
General: 51. Work with Collected Data; 52. Check Locks; 53. Localize; 59. *PRINT1-*PRINT9 Setup
Journal Files: 71. Add Journal; 72. Remove Journal; 79. Display Journal
Uninstall: 91. Uninstall Product
99. More
Selection or command. F3=Exit, F4=Prompt, F9=Retrieve, F12=Cancel, F13=Information Assistant, F16=AS/400 main menu.]

iSecurity Part 1 Global

Export/Import Definitions

This option is useful for transferring configuration settings (definitions) from one System i to another when you need to distribute
40. hours and a different group of employees during nights and weekends. This can be accomplished with just one time group, using the following guidelines:

1. Create a time group that defines normal working hours for each day of the week.

2. Use an inclusive time group filter (activities occurring during the time group periods) for each query or report covering activity during normal working hours.

3. Use an exclusive time group filter (activities not occurring during the time group periods) for each query or report covering activity outside of normal working hours.

Using Time Groups as Filter Criteria

One common use of time groups is as filter criteria in security rules, queries and reports. For example, time groups can be used to restrict application of a rule to specific times and days of the week. Time group filters can be either:
- Inclusive: Including all activities occurring during the time group periods
- Exclusive: Including all activities not occurring during the time group periods

Generally, an exclusive time group filter is indicated by placing an N (NOT) in the field immediately preceding the time group name field on the rule definition or query definition screen. For example, one can use an exclusive time group filter to apply a rule to any time occurring outside of the days and hours specified in the time group.

Defini
41. includes FTPLOG and REXLOG; DDM includes DDM and DRDA; DB Server includes SQLENT, SQL, NDB and OBJINF.

[Screen: Work with Firewall Incoming IP Address Security. F3=Exit, F6=Add new, F8=Print, F10=Logon security, F12=Cancel.]

Work with Firewall Incoming IP Address Security (Parameter or Option: Description)
F6: Create a new firewall rule.
F8: Print the list of firewall rules.
F10: Work with Logon security rules.
Opt: 1 Modify an existing rule; 4 Delete an existing rule.

4. If you are creating or modifying a rule, the Dynamic Filtering Incoming/Outgoing IP Address screen appears. The table following the screen examples details the appropriate rule parameters.

[Screen: Dynamic Filtering, Modify Incoming IP Address. Type choices, press Enter. IP Address; Subnet mask (F4 for list); Secure value; Equivalent IP range (for *ALL: 0.0.0.0 to 255.255.255.255). Per-server settings for FTP, REXEC, Telnet, DB, TCP Srv and SGN: Y=Yes, S=SSL only, R=Skip checks, B=SSL + Skip checks, L=Skip checks + Log, M=SSL + Skip checks + Log. SQL statements are not parsed when checks are skipped or rejected. FTP includes FTPLOG, REXLOG; DDM includes DDM, DRDA; DB Srv includes SQLENT, SQL, NDB, OBJINF. F3=Exit, F4=Select Subnet, F10=IP security, F12=Cancel.]

Modify Firewall Incoming IP Address (Parameter or Option: Description)
IP Address: Enter an IP address using standard decimal format.
Subnet Mas
42. is Firewall Necessary

Previously, the System i was used almost exclusively in a closed environment, with host systems connected to remote data terminals via proprietary technologies. Within this closed environment, the security features of the OS/400 operating system provided the strongest data and system security in the world. User profiles, menus and object-level security provided all the tools necessary to control what users were allowed to see and do.

In today's world of enterprise networks, PCs, distributed databases, Internet and web technologies, closed computing environments are all but extinct. Technological advances compelled IBM to open up the System i and its OS/400 operating system to the rest of the world. This openness brought along many of the security risks inherent in distributed environments. System administrators need to equip themselves with a new generation of security tools to combat these evolving threats.

Firewall is an advanced security tool which enhances native OS/400 by controlling access through all known external sources, as well as controlling what users are permitted to do once access is granted.

Feature Overview

Top-Down Security Design

Top-Down security design means that the process of designing and applying security rules follows the most efficient logical path possible. In other words, the user has to formulate a minimal
43. on access via a specific server or all servers for all users. Activity Summary is for groups of users and User Activity Summary is for a specific user; the screens are the same. Select option 62. User Activity Statistics; the Display User Activity screen appears.

[Screen: Display User Activity (DSPFWUSRA). Type choices, press Enter. User: Name. Display last minutes: Number, *BYTIME. Starting date and time: Starting date *CURRENT, Date, *YESTERDAY; Starting time 000000. Ending date and time: Ending date *CURRENT, Date, *YESTERDAY; Ending time 235959. Server ID: *FILTER, *FTPLOG, *FTPSRV, ... Output: *, *PRINT, *PRINT1-*PRINT9. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display.]

Display User Activity (Parameter or Option: Description)
Display last minutes: Selects only the events occurring within the previous number of minutes, as specified by the user. Number: Enter the desired number of minutes. *BYTIME: According to the starting and ending times specified below.
Starting date & time / Ending date & time: Selects only the events occurring within the range specified by the starting and ending date/time combination. Date and time: Enter the appropriate date or time. *CURRENT: Current day. *YESTERDAY: Previous day. *WEEKSTR / *PRVWEEKS: Current week / previous week start. *MONTHSTR / *PRVMONTH: Current month / previous month start. *YEARSTR / *PRVYE
44. prints to the local printer; *PRINT1 prints to the remote printer; *PRINT2 prints to both remote and local printers; *PRINT3-9 are user-modifiable.
Filter by Time Group: Relationship: IN: Include all records in the time group (Inclusive). OUT: Include all records not in the time group (Exclusive). NONE: Do not use the time group, even if included in the query definition. Time group: Name: Name of the time group. *SELECT: Select the time group from a list at run time.
Filter using query rules: Use an existing query to filter Activity Log entries. This is useful for applying complex filter criteria. Name: Name of an existing query. *NONE: Do not use query rules (Default).

4. Press Enter to display the Activity Log. You may press F18 at any time during the data retrieval process to display a pop-up status window. This window continuously displays the number of records processed and selected. Press Esc at any time to halt retrieval and immediately display the query or log. An example of the audit log display appears as follows:

[Screen: Display Firewall Log (sample entries dated 11/06/09): *TELOFF *FYI* Telnet session ended to device (two QPADEV* entries); *TELNET Allowed 1.1.1.1 (three entries); *SIGNON *FYI* Allowed for JAVA from *LCL QZSOSIGN in job; *SQL *FYI* Denied for JAVA1 to SMZODTA/ODPRVD *FILE, SQL SELECT PRPRVD, PRTEXT ...; *SQL
45. relevant under most circumstances.

6. Press Enter to complete the definition and return to the Work with Report Scheduler screen.

Working with Individual Reports

The next step in the definition process is to define the individual reports that are contained in the report group.

1. To add a new report to a group, type 2 next to the group name; to modify an individual report, type 2 next to it. The Modify Report Definition screen appears.

[Screen: Add Report Definition. Reports in a group run periodically as per the group definition. Parameters defined in the Group override the same ones defined for reports. Group: DAILY (Daily Scheduled Report). Type choices, press Enter. Report Id; Description: Display User Activity; Report command: *SELECT, DSPFWUSRA (Display User Activity); Report parameters. F3=Exit, F4=Set Parameters, F12=Cancel.]

Modify Report Definition (Option: Description)
Report ID: Numeric identification automatically assigned by Firewall.
Description: Free-text description of the report.
Report Command (F4): Press F4 to select the report type from a pop-up window.

2. Define the run-time parameters for this report. The actual parameters available are specific to the report type.

3. Press Enter to finish the definition and return to the Work with Report Scheduler screen.

Running Reports

The Report Scheduler submits all scheduled reports as batch jobs automatically, on the day and time specified in the defini
46. screen. The Work with TCP/IP Port Restrictions screen appears.

2. Enter the parameters according to the following table. To add, press F6.

[Screen: Work with TCP/IP Port Restrictions, System S720. Type options, press Enter: 4=Delete. Columns: Allowed Port Range, For User, Port description. Sample rows: 250 (GS), 250 UDP (GS), 1580 TCP (JAVA), 1580 UDP (JAVA). WARNING: Using port numbers in the range 1-1024 may affect TCP/IP processing. F3=Exit, F6=Add new, F7=Sort by User, F8=Print, F12=Cancel.]

Work with TCP/IP Port Restrictions (Parameters: Description)
Port Range: Specifies the port number or range of port numbers identifying the port or ports being restricted. Valid values range from 1 through 65535. NOTE: Ports 1-1024 are used by the system-supplied TCP/IP applications. If the user specifies ports 1 through 1024, this can affect the operation of those applications. Lower: lower end of the port range. Upper: *ONLY: used to restrict only a single port.
User: The user profile that will use this port or range of ports.
Opt: 4 Delete: deletes the restrictions for a port.
F6 Add: Use to add a port restriction by typing the port number into the input field at the top of the list. To add more restrictions, use the Add function again.

License Management Security

Licensed programs can either b
47. subject (IP address, etc.).
Systems to update: When exporting Firewall definitions, the user can choose to export and import at once by preparing the definitions in a SAVF, sending it to one or several remote systems, and automatically importing them there.
Update remote systems / Update type: *UPD: add new records and replace existing ones. *REPLACE: clear the definition file and copy the new definitions.
Keep backup in library: Name: library where the backup definitions are found.

Display Definitions

This feature enables the user to display and print iSecurity Part One definitions.

1. To display, select the desired report type from the Display Security I Definitions screen. After selecting the report type, additional parameters appear.

2. Select choices and press Enter.

[Screen: Display Security I Definitions. Type choices, press Enter. Report type: *ALL, *CFG, *SRVR. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]

Display Security I Definitions (Parameter or Option: Description)
Report type: *ALL: all general definitions. *CFG: per configuration. *SRVR: per server. *IPIN: per IP address.
Format: *LIST: short form. *DETAILS: full form.
Output: Select the correct print option. See PRINT1-PRINT9 Setup at the end of this chapter for details.

Work with
48. time filter criteria will not return data that is excluded from the actual query definition. For example, if your query definition includes filter criteria only for the user profile JOHNKERRY and you enter run-time criteria for the user GEORGEW, no events will be displayed. The procedure for running queries is virtually identical for all of the above options. Each method involves entering several run-time parameters on the Run Audit Query screen.

[Screen: Run Firewall Query (RUNFWQRY). Type choices, press Enter. Query: Name, *SELECT (sample value Z6IFS). Display last minutes: Number, *BYTIME. Starting date and time: Starting date *CURRENT, Date, *YESTERDAY; Starting time 000000. Ending date and time: Ending date *CURRENT, Date, *YESTERDAY; Ending time 235959. User* or *GROUP: *ALL, Name. System to run for: *CURRENT, *group, *ALL. Number of records to process: *NOMAX, Number. Output: *PRINT, *PDF, *HTML. Print format: *SHORT, *FULL. F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]

Run Firewall Query (Parameter or Option: Description)
Query Name: Name of the query. *SELECT: Select from a list at run time.
Display Last Minutes: Select only the records occurring wi
49. 00 sign-on panel.

1. To work with WSG logon security, select 33. Internet/WSG from the Firewall Main menu. The Internet/WSG Logon Security screen appears.

2. Select 1. Internet/WSG Logon. The Work with WSG Logon Security screen appears.

3. Set the parameters according to the following table and press Enter. Press F6 to add a new rule, or use option 1 to modify one.

[Screen: Work with WSG Logon Security. Type options, press Enter: 1=Select, 3=Copy, 4=Delete, 5=IP range. Subset. To start a session from a Web browser, specify: 1. On the AS/400: CHGWSGA DSPSGN(*NO); 2. On the Web browser: http://hostname:5061/WSG. Exit format QAPP0100. Columns: Opt, IP Address, Subnet Mask, Logon, and the AUTO SIGNON PARAMETERS User, Program, Menu, Library. Sample row: *ALL, 0.0.0.0. F3=Exit, F5=Refresh, F6=Add new, F8=Print, F12=Cancel.]

Work with WSG Logon Security (Parameter or Option: Description)
IP Address and Subnet Mask: IP address and subnet mask in decimal format. TIP: Press F4 and select the subnet mask from a list.
Logon: Y: Allow the logon request and use auto sign-on.
User: User profile.
Auto Sign-on Parameters (only if Logon is Y): Program: initial program to be called upon sign-on. Menu: menu to be called upon sign-on that will initialize the screen. Library: first library to be checked upon sign-on.
50. 1. From the Native AS/400 Object Security screen, select 6. Commands. The Work with Native AS/400 Command Security screen appears. This screen lists all the rules currently in effect.

2. Type 1 to modify an existing rule, or press F6 to create a new rule.

3. Press Enter to return to the Native OS/400 Object Security menu.

[Screen: Work with Native AS/400 Command Security. Type options, press Enter: 1=Select, 3=Copy, 4=Delete. Columns: Opt, Command, Library. Sample rows: *ALL; DSPAULOG (QSECOFR); DSPFWLOG (JAVA); ADDLIBLE (GLIORA). F3=Exit, F6=Add new, F8=Print, F12=Cancel.]

Work with Native AS/400 Command Security (Parameter or Option: Description)
Opt: 1 Select this rule for modification; 3 Copy this rule for another user; 4 Delete this rule.
F6: Add new rule.
F8: Print rules.
Subset: Search for a command or library whose name contains the subset.

Add/Modify Command Security

[Screen: Modify Native AS/400 Command Security. Type information, press Enter. Command: DSPFWLOG; Library: QGPL. Define user authority, press Enter (Y=Yes). Columns: User*/Group, Group profile, Command. Sample rows: *PUBLIC, JAVA. F3=Exit, F4=Prompt, F12=Cancel.]

Define permissions for one user profile, profile group or Firewall user group on each line. Use the PageUp and PageDown keys to scroll through a long list. For each activity, type
51. Chapter 8: Queries, Reports and Logs

This chapter presents the reporting features that are built into Firewall. An effective security policy relies on queries and reports to provide traceability for system activity. All Firewall queries and reports work with data contained in the Activity Log. Firewall offers several powerful but user-friendly tools that create output containing only relevant data in a useful format. All of this can be accomplished without programming, using the following tools:

Query Wizard: Selects the events that need to be audited using powerful filter criteria, and creates screen-based or printed reports that present the data in a customized format.
Activity Log: Displays or prints the contents of the Firewall Activity Log quickly and easily in a standard format, using basic filter criteria.
Report Scheduler: Automatically runs queries and reports at user-specified times.

In addition to these tools, Firewall contains over 100 predefined reports and queries that are ready to run at any time. All reporting features are available via the Reporting menu. To access this menu, select 43. Log, Reports, Queries from the main menu.

[Screen: Reporting menu (GSRPTMNU). Reporting Firewall, including HTML, PDF, CSV, Outfile > GUI. System 720. Select one of the following: Query Wizard: 1. Work with Queries; 2. Run ... Report Scheduler: 51. Work with Report Scheduler.]
Modify Report Group

Report groups are intended to run predefined sets of reports automatically on a periodic basis. Each report group may include several individual reports. Parameters defined for a report group override those of its individual reports. The use of descriptive date values such as *YESTERDAY, *WEEKSTR, *MONTHSTR, etc. is highly recommended.

    Modify Report Group
    Type choices, press Enter.
    Report Group name . . . . WEEKLY      Name, e.g. DAILY, WEEKLY, MONTHLY
    Description . . . . . . . Weekly Scheduled Report Group
    Group parameters  . . . .
    Press Enter to continue to the Define Parameters screen.
    F3=Exit   F8=Print   F12=Cancel

Modify Report Group, options:
Report Group Name: Enter a name of up to 7 alphanumeric characters. The name must begin with a letter.
Description: Free-text description of the report group.
Group Parameters: Command string automatically generated by Firewall from the run-time parameters specified for the report group.

4. Press Enter to continue. This screen allows the user to define run-time filters that apply to all reports in the group. Run-time filter criteria allow the user to display or print only a subset of the data extracted by the query definition. For example, if a query definition does not include filter criteria for a user profile (i.e. it includes all user profiles), this screen can be used to print
F24=More keys

Display User Activity

2. Choose the records that you wish to examine from this screen and press Enter to continue. The following table describes the record selection and display options.

User: Filter records by user profile.
Display: Last n Minutes = select only the records that occurred within the previous number of minutes specified by the user (Number = enter the number of minutes); BYTIME = according to the starting and ending time specified below.
Starting Date & Time, Ending Date & Time: Select only the records that occurred within the range specified by the starting and ending date/time combination. Date or Time = enter the appropriate date or time; CURRENT = today (current date); YESTERDAY = previous date; WEEKSTR / PRVWEEKS = start of current week / previous week; MONTHSTR / PRVMONTH = start of current month / previous month; YEARSTR / PRVYEARS = start of current year / previous year; SUN-SAT = day of week.
Server ID: Filter records by server ID, or display the user's activity on ALL servers.
Output: Display; Print = printed report; PRINT1-PRINT9 = select a print option.

Defining the Working Data Set

You can select the records from the Activity Log that will comprise the working data set that is summarized on the wizard screens. The ex
    ... 07:13:41   Job 412264/QTCP/QTVDEVICE   Program *FIREWALL
    IP address . . . . . :                   Library . . . . :
    Entry type/sub-type  : 08 R  Telnet Device Initialization   Action: allowed
    IP address . . . . . . . . . . . . : 1.1.1.144
    Auto signon user . . . . . . . . . :
    Auto signon current library  . . . :
    Auto signon initial program  . . . :
    Menu . . . . . . . . . . . . . . . :
    Alt Signon . . . . . . . . . . . . :
    Terminal name  . . . . . . . . . . :
    Min password validation  . . . . . :
    Server Id  . . . . . . . . . . . . :
    F3=Exit   F5=Display captured job data   F8=Print   F12=Cancel

Additional Message Information

When you press F1 on a displayed log entry and view the Additional Message Information screen, the Decision level field now tells you how to correct the problem. For example, "Menu option 2 1 or 2" means: enter 2 from the main menu, and then enter either option 1 or 2.

    Additional Message Information                           System: S728
    Message ID . . . . : GRE4083      Transaction
    Date sent  . . . . : 11/06/09     Time sent . . . : 07:13:41
    Server . . . . . . : Telnet Device Initialization
    Decision level . . : GSTEL Telnet logon, Menu opt 32 51, Operation mode NORMAL or F6 *TELNET
    Denied 1.1.1.144    Min password validation 0    Remote port 52105
    The examined security rule was for IP 1.2.3.4, subnet mask 252.0.0.0, incoming device *ALL, password validation
    F3=Exit   F6=Modify decision rule   F7=Add action   F12=Cancel

Note on the rule reported above: a subnet mask of 252.0.0.0 is only a 6-bit prefix, so a rule entered for 1.2.3.4 with that mask covers every address from 0.0.0.0 to 3.255.255.255, which is why it was the rule examined for 1.1.1.144. When a log entry names a rule you did not expect, check that rule's mask width before changing its decision.

Statistics

This option provides statistics
4 = delete this rule.
F6: Add a new rule.
F8: Print the rules.
Subset: Search for a program or library whose name contains the subset.

Add/Modify Object Security Screen

    Modify Native AS/400 Program Security
    Type information, press Enter.
    Program . . . . . . CLRPFM      Library . . . . QSYS
    Define user authority, press Enter.              Y=Yes
    User/Group      Group profile      Run Program
    *PUBLIC
    JAVA
    F3=Exit   F4=Prompt   F12=Cancel

Modify Native AS/400 Program Security: define permissions for one user profile, group profile, or Firewall user group on each line. Use the PgUp and PgDn keys to scroll through a long list. For each activity type, Y = activity allowed and blank = activity rejected.

*PUBLIC is the default rule for all users not explicitly covered by an object security rule. Always make certain that the *PUBLIC rule contains sufficient permissions for ordinary users to access objects.

Program, Library: Name and library of the program(s) included in this rule.
User/Group: Enter a user profile, or press F4 to select a user profile or group name from a list.
Run Program: Y = users may run the specified program.

Press Enter to return to the Work with Native Object Security screen.

Commands
YEARSTR / PRVYEARS = start of current year / previous year; SUN-SAT = day of week.
Server ID: Choose the servers you want to examine. To examine all servers, choose ALL.
Output: PRINT prints to the local printer; PRINT1 prints to the remote printer; PRINT2 prints to both the remote and the local printer; PRINT3-9 are user-modifiable.

Group Items for Selection

Define assorted groups of reports in line with your requirements, so that a particular group of reports can be scheduled to run as one unit at some time in the future.

GROUP is used for defining a group of user profiles that all share the same authorities. This solution enables defining GROUPS by GROUP TYPES. A GROUP TYPE can be any system entity, such as files, libraries, applications, identification numbers, etc. For each GROUP TYPE one can define an unlimited number of GROUPS, and within each GROUP any number of items. For example, all identification numbers of the PCs in the organization can be defined as one group in the GROUP TYPE MACHINE ADDRESS; another group in MACHINE ADDRESS may contain all identification numbers of the PCs in a sister organization.

In all comparison tables, whether for defining rules, for generating and selecting queries, or for defining the items in reports, the ITEM GROUP TYPE/GROUP syntax can be used to include only those transactions which contain the GROUP TYPE/GROUP spec
    ... Department       KIRK    Sales Team       LENNY   Sales Team
    F3=Exit   F7=Subset   F8=Print   F11=Additional parameters   F12=Cancel
    F14=Absence Security   F15=Auto-disable exceptions   F16=Signon times

Work with User Status, Basic: parameters and options

Opt: 1 = display all parameters for the selected user profile (see below); 3 = enable user profile; 4 = disable user profile; 6 = reset the invalid sign-on attempt counter (prevents automatic disabling of this user due to excessive sign-on errors); 7 = set password to expired (the user must change the password at the next sign-on).
Enabled: Blank = user profile is enabled; No = user profile is disabled.
Password: Blank = user profile has a valid password and can sign on; None = no password is associated with this user profile and it cannot sign on.
F7: Display a subset of user profiles filtered according to status parameters (available on all screens).
F11: Display the next of the three parameter screens for the currently displayed user profiles.
F14: Temporarily disable users during planned absences (e.g. vacation, sick leave, leave of absence), or permanently delete users leaving the organization.
F15: Specify users that should never be disabled automatically, even if they have not signed on for a long period of time (inactive users).
F16: Restrict user sign-on to predefined working hours.

In order
ITEM, NITEM, START. For LIKE and NLIKE, use the wildcard character to match any string.

    Field                      Test     Value
    Time (hh:mm:ss)
    Group 1
      User profile name        EQ       JOHN
      System name              LIST     S728 5150
    Group 2
      Object                   START    PAYROLL
    Fields: Date & Time (yyyy-mm-dd hh:mm), Time (hh:mm:ss), Name of job, User of job, Number of job, User profile name, System name
    F3=Exit   F4=Prompt   F6=Insert   F12=Cancel
    Filter Conditions

Defining Output Fields

The Select Output Fields screen allows selection of the fields from the Activity Log that will appear in the query output, as well as the order in which they appear from left to right. Fields appear in ascending order on the screen: the top field corresponds to the left-hand field in the query report, the second field to the field to its right, and so on. Change the order of the fields by modifying their sequence numbers. Delete a field from the query report by deleting its sequence number. When you press Enter, the new field sequence appears on the screen, with the deleted (blank sequence number) fields at the bottom. You must select at least one field for output. Fields shown in pink are part of the generic header and are common to the Activity Log record for all audit types. Fields shown in green are specific to
Firewall: The Network Security Solution of iSecurity
User Manual, Version 15
Raz-Lee Security, The iSeries Security Experts
Updated 05/24/2011

Copyright Notice

Copyright Raz-Lee Security Inc. All rights reserved. This document is provided by Raz-Lee Security for information purposes only. Raz-Lee Security is a registered trademark of Raz-Lee Security Inc. Action, System Control, User Management, Assessment, Firewall, Screen, Password, Audit, Capture, View, Visualizer, FileScope, Anti-Virus and AP-Journal are trademarks of Raz-Lee Security Inc. Other brand and product names are trademarks or registered trademarks of their respective holders. Microsoft Windows is a registered trademark of the Microsoft Corporation. Adobe Acrobat is a registered trademark of Adobe Systems Incorporated. Information in this document is subject to change without prior notice. The software described in this document is provided under Raz-Lee's license agreement. This document may be used only in accordance with the terms of the license agreement. The software may be used only in accordance with the license agreement purchased by the user. No part of this document may be reproduced or retransmitted in any form or by any means, whether electronic or mechanical, including but not limited to photocopying, recording, or information recording and retrieval systems, without written permission from Raz-Lee Security Inc. Visit our website at http
In order for this feature to work, the user must verify that Action is installed and functioning correctly.

To enable real-time detection:
1. Select 7. Enable ACTION, CL Script, more from the iSecurity (part I) Global Parameters screen. The Enable Real-Time Detection screen appears. Select the correct options according to the following table.
2. Select 1. Work with Servers from the Firewall main menu. Choose a server and select option 1 from the Modify Server Security screen. Choose the desired option in the Allow Action to React field and press Enter.

    Enable Real-Time Detection
    Real-time detection allows Action to react automatically to security events generated by Firewall and Screen. When enabled, these events are checked against pre-defined rules which trigger alert messages and/or command scripts. Action must be installed and running in order to take advantage of this functionality.
    Type options, press Enter.
    Enable ACTION for Firewall . . . 4      1=Global override: Stop using ACTION
                                            2=Global override: Send rejects
                                            3=Global override: Send all
                                            4=By Server definition
    Enable ACTION for Screen . . . .        Y=Yes, N=No
    F3=Exit   F12=Previous

Enable Action for Firewall (Enable Real-Time Detection): 1 = do not use Action; 2 = act only on rejects; 3 = act on all transactions; 4
    Not included in time group . . .
    Output format  . . . . . . . . . 1      1=Tabular, 2=Tabular (no fold), 9=Log
    If format 1 in print:
      Continue vertically  . . . . . 8      Field number, 8=*AUTO
    Add Header/Total . . . . . . . . 1      1=Both, 2=Header, 3=Total, 9=None
    Sort . . . . . . . . . . . . . . 1      1=By all fields, 2=By header, 3=No sort
    F3=Exit   F8=Print   F12=Cancel
    Modify Query

Modify Query, parameters and options:
Query Name: Name of the query.
Description: Free-text query description.
Query Type: 1 = single server type query, or all servers; 2 = multiple server types, to be selected on a subsequent screen (see below).
Not: N = select records not included in the specified time group (exclusive); blank = select records included in the specified time group (inclusive).
Time Group: Name = the time group to use as a filter; blank = do not use a time group.
Output Format: 1 = detailed tabular format with the option of multi-line field display (fold); 2 = summary tabular format, one line per record; 9 = log display output format.
Sort Options: 1 = sort using all log record fields; 2 = sort using only generic fields; 3 = no sorting (time sequence).

2. When defining a multiple server type query, it is necessary to select the server types and to define the record selection criteria separately for each server type. When the Query Type field is set to 2, the following screen a
    ... GROUP                                   *USER, *GRPPRF, *USRGRP
    Allowed  . . . . . . . . . . . . . *ALL       *YES, *NO, *ALL
    Starting date and time:
      Starting date  . . . . . . . . . *CURRENT   Date, *CURRENT, *YESTERDAY
      Starting time  . . . . . . . . . 000000     Time
    Ending date and time:
      Ending date  . . . . . . . . . . *CURRENT   Date, *CURRENT, *YESTERDAY
      Ending time  . . . . . . . . . . 235959     Time
    Number of records to process . . . *NOMAX     Number, *NOMAX
    Server ID  . . . . . . . . . . . . *ALL       *ALL, ... (F4 for list)
                                                              Bottom
    F3=Exit   F4=Prompt   F5=Refresh   F10=Additional parameters   F12=Cancel
    F13=How to use this display   F24=More keys
    Summarize Native AS/400 Log

Summarize Native AS/400 Log, options:
Object, Library: Object name and library (native object and user wizards only). Generic = all objects/libraries beginning with the text string preceding the *; ALL = all objects/libraries.
Object Type: Object type (native object and user wizards only). Press F4 to select the object type from a list.
User: Enter a user profile, or press F4 to select from a list (not on all wizards).
Group by: Select a group from a list. GRPPRF summarizes by system group profiles, plus all users not defined in group profiles. USRGRP summarizes by user groups. GROUP first causes the product to attempt to associate the user with a relevant user group, and then to attempt to associate the user with a relevant group profile. If both fail, the user profi
    ... Alt Current library  . . . *USRPRF      Library, *USRPRF
    F3=Exit   F4=Prompt   F10=Additional parameters   F11=Alt view   F12=Cancel
    Modify FTP/REXEC Logon User

Modify FTP/REXEC Logon User, parameters:
User: Enter the user profile.
IP Address, Subnet Mask: Enter the IP address and subnet mask in decimal format. You must enter the IPs from which this user is allowed, or denied, FTP access to your AS/400. TIP: Press F4 and select the subnet mask from a list.
Logon: 1 = allow the logon request; 2 = reject the logon request; 3 = sign on automatically, if permitted by the System i configuration.
Time group: Enter a time group name, or press F4 to select from a list.
Text: Enter descriptive text.
Alternative Logon: The user can access FTP from this IP, but without the usual authorities. The user is changed into an alternative "shadow" user with limited capabilities. This alternative user must be configured in advance (CRTUSRPRF). This is done without that user's knowledge.
Validation Password: The password used to validate the incoming user profile. Password = type the password that is to be required for sign-on; *NOCHK = the password is not checked; *SYS = validation is performed according to the password in the user profile; *PGM = use the password presented by the calling program.
Alt User: Automatically sign on with the specified replacement user profile.
Alt Password
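The Modify FTP/REXEC Logon User screen keys each rule on a user profile plus an IP address and subnet mask in dotted-decimal form, with a Logon option of allow (1), reject (2) or automatic sign-on as a pre-created alternative user (3); the Telnet log entry earlier on this page shows why the mask width matters. The following added example, written for this page and not taken from Raz-Lee or the Firewall product, evaluates such rules against a client address with Python's standard ipaddress module. The rule set, user names and addresses are constructed; two choices are assumptions, not documented product behaviour: when rules overlap, the one with the longest mask wins, and a user with no matching rule is rejected.

```python
import ipaddress

# Logon actions as listed on the Modify FTP/REXEC Logon User screen.
ALLOW, REJECT, AUTO_SIGNON = 1, 2, 3


def make_rule(user, ip, mask, logon, alt_user=None):
    """One logon rule from the screen's fields: user profile, IP address and
    subnet mask in dotted-decimal form, the Logon option (1/2/3) and, for
    option 3, the replacement ("shadow") user profile created with CRTUSRPRF."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return {"user": user, "net": net, "logon": logon, "alt_user": alt_user}


def rule_range(ip, mask):
    """(first address, last address, number of addresses) that an IP/mask rule
    really covers; check this when a log entry reports an unexpected rule."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def rule_covers(ip, mask, client_ip):
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def match_rule(rules, user, client_ip):
    """The rule for this user whose network contains client_ip.
    Assumption: among overlapping rules the longest mask wins."""
    addr = ipaddress.ip_address(client_ip)
    hits = [r for r in rules if r["user"] == user and addr in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: r["net"].prefixlen)


def decide(rules, user, client_ip):
    """(action, effective user profile). Assumption: no matching rule means reject."""
    rule = match_rule(rules, user, client_ip)
    if rule is None or rule["logon"] == REJECT:
        return "reject", user
    if rule["logon"] == ALLOW:
        return "allow", user
    # Option 3: sign on automatically as the alternative user, not as the caller.
    return "auto-signon", rule["alt_user"] or user


# Constructed sample rule set (hypothetical users and addresses).
RULES = [
    make_rule("JOHN", "10.1.0.0", "255.255.0.0", ALLOW),
    make_rule("JOHN", "10.1.5.0", "255.255.255.0", REJECT),           # carve-out inside the /16
    make_rule("JOHN", "0.0.0.0", "0.0.0.0", AUTO_SIGNON, alt_user="FTPGUEST"),
]

if __name__ == "__main__":
    for ip in ("10.1.7.9", "10.1.5.20", "192.0.2.1"):
        print(ip, decide(RULES, "JOHN", ip))
    # The rule named in the Telnet log entry: mask 252.0.0.0 is a /6.
    print(rule_range("1.2.3.4", "252.0.0.0"))
```

Running it shows JOHN allowed from 10.1.7.9, rejected from the 10.1.5.0/24 carve-out, and signed on as FTPGUEST from anywhere else, while rule_range("1.2.3.4", "252.0.0.0") reports that the rule spans 0.0.0.0 through 3.255.255.255 (67,108,864 addresses), which is the reason the 1.1.1.144 entry above was judged by a rule written for 1.2.3.4.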
Pre-Check User Replacement  138
DRDA Post-Check User Replacement  140
DHCP Security  140
...  142
Work with TCP/IP Port Restrictions  142
License Management Security  143
License Management  143
Display License Management  145
Chapter 10: Configuration and Maintenance  146
System Configuration  146
General Definitions  146
Additional Settings  148
...  149
Transaction Post-Processing  151
...  151
Password Exit Programs  152
Enable ACTION CL Script  153
...  154
Log Retention  155
Language Support  156
The Maintenance Menu  157
...
    ... GSSPCPRT                                    Press F14 for setup instructions
    Print   OutQ name   OutQ library   Save   Hold   Description
      1     CONTROL     SMZTMPA        Y             OUTQ to print on the remote
      2     CONTROL     SMZTMPA        Y             Local OUTQ that prints on the remote
      3 ... 9
                                                                      Bottom
    F3=Exit   F8=Print   F12=Cancel   F14=Setup instructions
    PRINT1-PRINT9 User Parameters

3. Enter the name of the local output queue and its library, as shown in the example above. The user may optionally enter a description.

Print: Printer number.
OutQ Name: Name of the local output queue.
OutQ Library: Name of the local output queue's library.
Save: Y = yes, N = no.
Hold: Y = yes, N = no.
Description: Optional text description.

4. Enter the following command on any command line to direct output to the remote printer. This assumes that the designated output queue has already been defined:

    CHGOUTQ OUTQ(local-outq-library/local-outq) RMTSYS(*INTNETADR) RMTPRTQ(outq-on-remote) AUTOSTRWTR(1) CNNTYPE(*IP) TRANSFORM(*NO) INTNETADR(ip-of-remote)

OUTQ: Name of the local output queue.
RMTPRTQ: Name of the remote print queue.
INTNETADR: IP address of the remote system.

NOTE: Press F14 for setup instructions. If the desired output queue has not yet been defined, use the CRTOUTQ command to create it. The command parameters remain the same.
WRKREGINF

Sign-On: iSecurity is the only iSeries security solution that checks all green-screen sign-ons both by IP address and by screen name.

Following is a list of the 53 security-related exit points covered by iSecurity. Note that some exit points are interconnected.

    No.  Exit point              Description                              Format
     1   QIBM_QTF_TRANSFER       Original File Transfer Function          TRAN0100
     2   QIBM_QTMF_SVR_LOGON     FTP Server Logon                         TCPL0100
     3   QIBM_QTMF_SVR_LOGON     FTP Server Logon                         TCPL0200
     4   QIBM_QTMF_SVR_LOGON     FTP Server Logon                         TCPL0300
     5   QIBM_QTMF_SERVER_REQ    FTP Server Incoming Request Validation   VLRQ0100
     6   QIBM_QTMF_CLIENT_REQ    FTP Client Outgoing Request Validation   VLRQ0100
     7   QIBM_QTOD_SERVER_REQ    TFTP Server Request Validation           VLRQ0100
     8   QIBM_QTMX_SVR_LOGON     REXEC Server Logon                       TCPL0100
     9   QIBM_QTMX_SVR_LOGON     REXEC Server Logon                       TCPL0300
    10   QIBM_QTMX_SERVER_REQ    REXEC Server Request Validation          VLRQ0100
    11   QIBM_QRQ_SQL            Original Remote SQL Server               RSQL0100
    12   QIBM_QZDA_SQL1          Database Server SQL Access & Showcase    ZDAQ0100
    13   QIBM_QZDA_SQL2          Database Server SQL Access               ZDAQ0200
    14   SC_QUERY_ROW_SEC        Database Showcase                        SCRS0100
    15   QIBM_QZDA_NDB1          Da
    16   QIBM_QZDA_NDB1
    17   QIBM_QZRC
    18   QIBM_QPWFS_FILE_SERV
    19   QIBM_QTG_DEVINIT
    20   QIBM_QTG_DEVTERM
    21   QIBM_QWT_JOBNOTIFY
    22   QIBM_QTMT_WSG
    23   QIBM_DTAQ
    24   QIBM_QZHQ_DATA_QUEUE
    25   QIBM_QVP_PRINTERS
SSL Solution

A Raz-Lee customer wished to implement port restriction in order to separate unsecured and SSL ODBC access for a specific IP range. The customer has subsidiaries with specific IP ranges, some of which are capable of communicating via SSL while others are not. The customer wanted to allow normal port access for the IP ranges of the subsidiaries that cannot use SSL, and to allow the SSL ports only for the SSL-capable IP range. All other IP addresses should be restricted. The required solution had to be implemented at the IP level, not at the user level, and had to cover ODBC. In the future, when all of the customer's subsidiaries use SSL, they will want to block the unsecured ODBC servers entirely. In short, they were not able to restrict unsecured ODBC at the OS/400 level at this time.

The Customer's Testing Methodology

To define their requirements, the company used iSeries Navigator and Microsoft Excel with the iSeries Navigator Data Access plug-in. When Navigator was configured for non-SSL connections and data was imported via Excel, the customer saw the connections in i5/OS (NETSTAT connections) on ports 8470, 8471 and 8476. These are the normal, non-SSL ports of the host servers. When Navigator was configured for SSL connections, using the same data access method, the connections were made on ports 9470, 9471 and 9476. The customer understood these to be the secured ports of the host
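The port pairs the customer observed (8470/8471/8476 for the plain host servers, 9470/9471/9476 for their SSL counterparts) define the policy the case study asks for: one set of ports per IP range, everything else restricted. The following added example, written for this page and not code from Raz-Lee or the Firewall product, expresses that IP-level policy and audits constructed NETSTAT-style connection records against it; it also shows the customer's intended end state, in which the non-SSL ports are removed from every range. The IP ranges and the "remote_ip remote_port local_port" line format are constructed for the example, and the reading that a non-SSL subsidiary is restricted to the plain ports only is an assumption about the customer's intent.

```python
import ipaddress

# IBM i host-server ports seen by the customer with NETSTAT (from the case study).
NON_SSL_PORTS = {8470, 8471, 8476}   # central, database and signon servers
SSL_PORTS = {9470, 9471, 9476}       # their SSL counterparts
HOST_SERVER_PORTS = NON_SSL_PORTS | SSL_PORTS

# Constructed policy: (IP range, ports allowed for that range). The ranges are
# hypothetical; any address not listed is restricted, as the customer required.
POLICY = [
    ("192.0.2.0/24", NON_SSL_PORTS),       # subsidiary that cannot use SSL yet
    ("198.51.100.0/24", SSL_PORTS),        # SSL-capable subsidiary: SSL ports only
]


def compile_policy(policy):
    return [(ipaddress.ip_network(cidr), set(ports)) for cidr, ports in policy]


def is_allowed(compiled, client_ip, port):
    """IP-level decision: allowed only if some range contains the client address
    and lists this port. Nothing is decided per user, matching the requirement."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and port in ports for net, ports in compiled)


def audit_connections(compiled, lines):
    """Evaluate 'remote_ip remote_port local_port' lines (constructed format) and
    return (remote_ip, local_port, decision) for host-server ports only."""
    results = []
    for line in lines:
        remote_ip, _remote_port, local_port = line.split()
        port = int(local_port)
        if port not in HOST_SERVER_PORTS:
            continue                       # not an ODBC/host-server connection
        decision = "allow" if is_allowed(compiled, remote_ip, port) else "deny"
        results.append((remote_ip, port, decision))
    return results


def ssl_only(policy):
    """The customer's end state: drop the non-SSL ports from every range."""
    return [(cidr, set(ports) - NON_SSL_PORTS) for cidr, ports in policy]


# Constructed sample of connections (not real NETSTAT output).
SAMPLE = [
    "192.0.2.15 51234 8471",       # non-SSL subsidiary -> database server, plain: allow
    "192.0.2.15 51235 9471",       # same subsidiary on the SSL port: not in its list
    "198.51.100.7 40001 9471",     # SSL subsidiary -> database server over SSL: allow
    "198.51.100.7 40002 8471",     # SSL subsidiary falling back to plain: deny
    "203.0.113.9 33000 8476",      # unknown address -> signon server: deny
    "203.0.113.9 33001 22",        # not a host-server port: ignored by this policy
]

if __name__ == "__main__":
    for row in audit_connections(compile_policy(POLICY), SAMPLE):
        print(*row)
    print(audit_connections(compile_policy(ssl_only(POLICY)), SAMPLE))
```

The audit output makes the two failure modes visible that a user-level rule would miss: an SSL-capable site silently falling back to the plain database port 8471, and an address outside every subsidiary range reaching the signon server on 8476. After ssl_only() the first sample line also turns into a deny, which is the check to run before the customer flips to SSL-only.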
Security

1. To work with an existing rule, type 1 in the Opt field, or press F6 to create a new rule. Use the PageUp and PageDown keys to scroll through the list. Press Enter to continue.
2. Enter the parameters on the Add/Modify Parameters screen and press Enter to confirm.

    Modify User Security                                    *PUBLIC
    Type choices, press Enter.
    Activity Time: Time group  . . . . . *NEVER
    Use Group Authority  . . . . . . . .            Y=Yes, N=No, blank=Default
      Enable Services based also on OS/400 and *USER Group profiles
    Authorities and Locations  . . . . .            2=Services (FTP, SQL, NDB, DDM)
                                                    3=IP
                                                    4=Device Names (SIGNON only)
    Selection
    In-product Special Object Authority:
      AS/400 Native  . . . . . . . . . .            1=*ALLOBJ, 2=*EXCLUDE, 3=*OBJAUT
                                                    1=*ALLOBJ, 2=*EXCLUDE, 3=*OBJAUT
    F3=Exit   F4=Prompt   F8=Print   F9=Object security   F10=Logon security   F12=Cancel

Modify User Security, parameters and options:
User: Displays the user profile or user group name.
Activity Time: Time Group = type a time group name, or press F4 to select from a list; *NEVER.
Use Group Authorities: Y = use the group's specific authorities; N = do not use any specific group authorities.
Authorities and Locations: 2 = Services (specify authorities and location by service name); 3 = IP (specify authorities and location by IP address); 4 = Device Names (specify authorities and location by device name).
In-product Special Object Authority: Use this field to define object authority for the user or group for AS/400 N
    ... 4=Disable   6=Reset count   7=Expire   9=New password
    Previous signon      Days passed   Planned action
    31/07/06 17:37       170
    07/01/07 14:27        10
    24/01/06 19:59       358
    17/01/07 22:09
    F8=Print   F11=Additional parameters   F12=Cancel
    F15=Auto-disable exceptions   F16=Signon times

Work with User Status, Sign-on: parameters and options

Opt: 1 = display all parameters for the selected user profile; 3 = enable user profile; 4 = disable user profile; 6 = reset the invalid sign-on attempt counter (prevents automatic disabling of this user due to excessive sign-on errors); 7 = set password to expired (the user must change the password at the next sign-on).
Previous Sign-on: Date and time of the previous sign-on for this user profile.
Days Passed: Days since the previous sign-on for this user profile.
Planned Action: Displays the date of the planned absence control action (delete or disable) for this user profile.

Screen 3: Work with User Status, Password

This screen displays the number of invalid sign-on attempts and the expiration status of user passwords. This information makes it possible for the security officer to verify that users change their passwords in accordance with the security policy.

    Work with User Status, Password                         iSecurity
    Position to . . . . .
    Type options, press Enter.
      1=Select
    Opt  Use
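The Work with User Status screens give the security officer the raw material for an inactive-user policy: previous sign-on date, days passed, invalid sign-on count, password status, and the F15 list of profiles that must never be auto-disabled. The following added example, written for this page and not taken from Raz-Lee or the Firewall product, turns those fields into the option codes the screen offers (4=disable, 6=reset count, 7=expire). The user rows are constructed, but their sign-on dates are the ones visible on the screen above, so a reference date of 17 January 2007 reproduces the 170 and 358 in the Days passed column. The 90-day and 3-attempt thresholds, and the choice to expire rather than disable an exception-list user, are hypothetical policy choices, not product defaults.

```python
from datetime import date, datetime

# Constructed Work with User Status rows (not real profiles); dates are dd/mm/yy
# as on the screen, and "None" in password means the profile cannot sign on.
USERS = [
    {"user": "KIRK",   "enabled": True,  "password": "",     "prev_signon": "31/07/06 17:37", "invalid": 0, "expired": False},
    {"user": "LENNY",  "enabled": True,  "password": "",     "prev_signon": "07/01/07 14:27", "invalid": 4, "expired": False},
    {"user": "BATCH1", "enabled": True,  "password": "",     "prev_signon": "24/01/06 19:59", "invalid": 0, "expired": False},
    {"user": "GUEST",  "enabled": True,  "password": "None", "prev_signon": "",               "invalid": 0, "expired": False},
    {"user": "TEMP",   "enabled": False, "password": "",     "prev_signon": "17/01/07 22:09", "invalid": 0, "expired": True},
]
AUTO_DISABLE_EXCEPTIONS = {"BATCH1"}   # the F15 list: never disable automatically
TODAY = date(2007, 1, 17)              # fixed reference date so the figures match the screen


def days_passed(prev_signon, today=TODAY):
    """Days since the previous sign-on, or None for a profile that never signed on."""
    if not prev_signon:
        return None
    return (today - datetime.strptime(prev_signon, "%d/%m/%y %H:%M").date()).days


def review(users, inactive_days=90, max_invalid=3,
           exceptions=AUTO_DISABLE_EXCEPTIONS, today=TODAY):
    """Return {user: [option codes to apply]}. Thresholds are hypothetical."""
    actions = {}
    for u in users:
        todo = []
        dp = days_passed(u["prev_signon"], today)
        inactive = dp is None or dp >= inactive_days   # never-signed-on counts as inactive
        if u["enabled"] and inactive and u["user"] not in exceptions:
            todo.append("4=disable")
        if u["invalid"] >= max_invalid:
            todo.append("6=reset count")               # after looking at who was guessing
        if u["enabled"] and inactive and u["user"] in exceptions \
                and u["password"] != "None" and not u["expired"]:
            todo.append("7=expire")                    # exception users keep access but rotate
        actions[u["user"]] = todo
    return actions


if __name__ == "__main__":
    for user, todo in review(USERS).items():
        print(user, todo or "no action")
```

Two edge cases are handled deliberately: a profile with no previous sign-on at all has no date to subtract from and is treated as inactive rather than skipped, and a profile already disabled (TEMP) receives no further action even though its counters would otherwise qualify.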
    Modify WSG Logon Security Setting
    Type information, press Enter.
    IP Address . . . . . . . . . . . . .                   Address, F4 for list
    Subnet Mask  . . . . . . . . . . . . 255.255.255.255   F4 for list
    Time group . . . . . . . . . . . . .                   Name, F4 for list
    Logon  . . . . . . . . . . . . . . . Y                 Y=Yes
    Auto signon parameters (for Logon=Yes):
      User . . . . . . . . . . . . . . . JOHN              Name, F4 for list
      Password . . . . . . . . . . . . .                   Password, *PGM
      Program  . . . . . . . . . . . . .                   Program
      Menu . . . . . . . . . . . . . . .                   Menu
      Current library  . . . . . . . . .                   Library
    F3=Exit   F4=Prompt   F12=Cancel

Modify WSG Logon Security Setting, parameters:
IP Address, Subnet Mask: IP address and subnet mask in decimal format.
Time group: Enter a time group name, or press F4 to select from a list.
Logon: Y = allow the logon request and use auto sign-on; blank = reject the logon request.
User (only if Logon is Yes): Automatically performs sign-on with the specified replacement user profile.
Password: Requires the specified password for logon instead of the password in the user profile. This is the password assigned to the alternate user. *PGM = use the password presented by the calling program for the alternate user.
Program: Automatically replaces the default program to be run at sign-on.
Initial menu: Automatically replaces the default initial user menu at sign-on.
Current Library: Automatically replaces the default current library with the specified library.

NOTE: To work with WSG security, select 11. Display WSG Logon Log from the Internet/WSG Logon Security screen.
   a. Select 1 for files.
   b. Select 2 for libraries.
   c. Select 3 for data queues.
   d. Select 4 for print files.
   e. Select 5 for programs.
   f. Select 6 for commands.
   g. Select 7 for command exceptions.
3. The appropriate Work with Object Security screen appears. Refer to the section for that rule type for details regarding the screen.
4. Type 1 to select an existing rule for editing, or press F6 to create a new rule. The relevant Add/Modify screen appears.
5. Enter or modify the parameters for the appropriate rule type. Refer to the section for that rule type for details and explanations of the screen and its parameters.
6. Press Enter to confirm and return to the Work with Object Security screen.
7. Press Enter to confirm and return to the main menu.

Native OS/400 Objects

This section describes the screens used to work with native OS/400 objects. Select 21. Native AS/400 Objects from the main menu. The Native AS/400 Object Security menu appears.

    Native AS/400 Object Security                  Firewall    System: 720
    Select one of the following:
    Definitions                         Rule Wizard
      1. Files                            41. Create Working Data Set
      2. Libraries                        42. Work with Rule Wizard
      3. Data Queues
      4. Printer Files                  Pre-check Replacement for Validation
      5. Programs                         61. Pre-check Library Replacement
      6. Commands
      7. Command Exceptions             Reporting
                                          11. Display Native AS/400 Object Log
    Sele
OUT = include all records not in the time group (exclusive); NONE = do not use a time group, even if one is included in the query definition.
Filter by time group: Name = name of the time group; SELECT = select the time group from a list at run time.
Filter using query rules: Use an existing query to filter Activity Log entries. This is useful for applying complex filter criteria. Name = name of an existing query; None = do not use query rules (the default).

TCP/IP Port Restrictions

Work with TCP/IP Port Restrictions

Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry-standard, non-proprietary set of communications protocols that provide reliable end-to-end connections between applications over interconnected networks of different types. In TCP/IP, an IP address is necessary in order to reach a destination; at the destination, a port, which serves as a virtual door or window, is required. It is imperative to protect and guard the ports on your system. Firewall therefore restricts certain users to certain ports by defining the port range accessible to them.

Port information consists of a list of the ports or port ranges, the protocols and the user profiles. You need to define port information only if you want to restrict the use of a port or range of ports to one or more users.

1. To add, display, remove or print port restrictions, select 21. Work with TCP/IP Port Restrictions from the Work with Advanced Security
    F6=Add user   F7=Add group   F8=Print list
    Work with User Security

Work with User Security, options:
Opt: 1 = modify the user profile or group (the Modify User Security screen appears); 3 = copy the user profile or group definitions; 4 = delete the user profile or group; 5 = edit the group's members.
Servers: Displays the rule status for each server type. User-to-service rule overrides the global server security rule: allow the user access to the server and check object authorizations. V = user-to-service rule overrides, with verb (command) support. Blank = the global server security rule governs activity for this server. S = allow the user access to the server and skip the check for object authorizations. This simplifies the test for some users, normally batch applications that play the role of servers, where saving the cost of the check is desired. Because S bypasses object-authority checking entirely, limit it to the specific service profiles that need it and never apply it to *PUBLIC.
F6: Add a new user. The Add User Security screen appears.
F7: Add a new group. The Add User Group Security screen appears.
F8: Print the user and group definitions.
F3: Return to the main menu.
      2. Run a Query                        52. Run a Report Group
    Log                                   Other reports
      11. Display Log                       61. Activity Statistics
      19. Select from Menu                  62. User Activity Statistics
                                            65. Product Settings
    Reporting Aids                        System for Reporting
      41. Group Items for Selection         71. Change System for Reporting
      49. Time Groups                       72. Systems Available in Real Time
    Selection or command
    ===>
    F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel   F13=Information Assistant   F16=AS/400 main menu
    Reporting

In addition, the Activity Log display feature is available directly from several screens throughout Firewall, as well as through the DSPFWLOG command from any command line.

Query Wizard

The Query Wizard allows you to design custom output reports that show only the necessary data, without programming and with no requirement for technical knowledge. Query definitions are created using a series of simple parameter definition screens. Output can be a printed report, a screen display, or a text file saved on the System i. Highly detailed filter criteria enable selection of only the required records, using Boolean operators and combined logical conditions. You have full flexibility to specify the sort order according to multiple fields. The wizard allows you to output only the relevant data fields and to specify the order in which they appear on th
activates your user limitation rules.
Information to Log: 1 = do not log any activity; 2 = log rejected transactions only; 4 = log all activity.
Allow Action to React: 1 = No (disables the Firewall real-time detection rules for this server); 2 = Rejects only (activates the Firewall real-time detection rules only for rejections from this server); 3 = All (activates the Firewall real-time detection rules for all accesses from this server).
Run Server-Specific User Exit Program: Yes = run a specific exit program for this server after the Firewall rules have passed. The program SMZTMPA/UPyyyyyy is called, where yyyyyy is the server short name. Write your own SMZTMPA/UPyyyyyy program according to the example in SMZS/GRSOURCE (FWAUT). The program that initiates the call is GRCLUER. This program runs under USER authority, and therefore every user in the system will have the authority to run SMZTMPA/UPyyyyyy. If SMZTMPA/UPyyyyyy is not accessible, the regular security applies. No = if a general exit program is configured, it will not be activated for this server. Blank = use the global setting. Since the exit program runs with the calling user's own authority and is reachable by every user, protect the program object itself: ordinary users need only *USE on SMZTMPA/UPyyyyyy, and granting *CHANGE or *OBJMGT would let a user replace the exit logic that decides on that user's own requests.
Run in FYI Simulation Mode: 1 = enable FYI Simulation mode for this server only; blank = use the global parameter for all servers.

System Configuration

Using the Global Server Security Settings Feature

The global server security settings feature is a real-t
Purging all data of FIREWALL:

    RMVM FILE(SMZTMPA/GSCALP) MBR(*ALL)
    CLRPFM FILE(SMZTMPA/GSSTTSP)

PRINT1-PRINT9 Setup

Firewall allows the user to define up to nine specific printers for printing output. These may be local or remote printers. PRINT1-PRINT9 are special values that can be entered in the OUTPUT parameter of any command or option that supports printed output. Output to any of the nine remote printers is directed to a special output queue specified on the PRINT1-PRINT9 User Parameters screen, which in turn directs the output to a print queue on the remote system. You use the CHGOUTQ command to specify the IP address of the designated remote location and the name of the remote output queue.

By default, two remote printers are pre-defined: PRINT1 is set to print at a remote location such as the home office; PRINT2 is set to print at a remote location in addition to the local printer. In addition, one of the PRINTn values creates an Excel file. PRINT3-9 are user-modifiable.

To define remote printers, perform the following steps:
1. Select 82 from the main menu.
2. Select 59 from the Maintenance menu. The PRINT1-PRINT9 User Parameters screen appears.

Journal Product Definitions

Add Journal: Select option 71. Add Journal to record the system physical
77. allowed, and Blank = Activity rejected. *PUBLIC is the default rule for all users not explicitly covered by an object security rule. Always make certain that the *PUBLIC rule contains sufficient permissions for ordinary users to access objects.

Library: Shows the libraries covered by the rule. Create: Y = Users may create a new file. Delete: Y = Users may delete the specified file. Rename: Y = Users may rename the specified file. Other: Y = Users may perform other actions on the specified file. Press Enter to return to the Work with Native Object Security screen.

Data Queues

1. From the Native AS/400 Object Security screen, select 3, Data Queues. The Work with Native AS/400 Data Queue Security screen appears. This screen lists all the rules currently in effect.
2. Type 1 to modify an existing rule or press F6 to create a new rule.
3. Press Enter to return to the Native OS/400 Object Security menu.

Work with Native AS/400 Data Queue Security screen (options 1=Select, 3=Copy, 4=Delete; columns Opt, Data Queue, Library; function keys F3=Exit, F6=Add new, F8=Print, F12=Cancel).

Parameter or Option / Description: Opt: 1 = Select this rule for modification. 3 = Copy this rule for another user. 4 = Delete this rule. F6 = Add new rule. F8 = Print rules. Subset: Search for a data qu
78. ample in the following procedure is taken from the Incoming IP Address wizard, but it is applicable to the other wizards as well.

1. To define the working data set, select 99, Advanced Options, choose a wizard type to work with, and select Create Working Data Set from the wizard menu. The Summarize screen appears. Samples from two of the wizards are shown below. Refer to the table on the following page for an explanation of the required parameters.

Summarize Incoming IP Address screen (parameters: Allowed *NO/*ALL; Starting date *CURRENT/*YESTERDAY/date and Starting time 000000; Ending date *CURRENT/*YESTERDAY/date and Ending time 235959; Number of records to process *NOMAX/number; Server ID *ALL/*FTP/*TELNET/name; Set to contain data: Set name *USER/name; Replace or add records *ADD/*REPLACE; Wizard type *STD; function keys F3=Exit, F4=Prompt, F5=Refresh, F10=Additional parameters, F12=Cancel, F13=How to use this display, F24=More keys).

Working with the Plan Security Wizard Screens

The example described in this section refers to the outgoing IP address firewall activity type. The same principles apply to the other rule wizards. The Plan Incoming IP Security sc
79. an unidentified program is already assigned to it. Such an entry is denoted by the word OTHER in the SECURE column. A blank entry is equivalent to *ALL.

Global Server Security Settings screen (servers such as *SNA, *DBSRV, *PRT, *DTAQ, *LICMGT, *CNTSRV, *USRPRF and *RMTSGN, each with Secure *YES/*NO, Action *ALLOW/*REJECT and Log *YES/*REJECTS/*NO).

NOTE: In some cases a restart of QSERVER is required for full implementation. This can be delayed until the next IPL. When QSERVER is restarted, NETSERVER is restarted automatically if it was active.

Using the Rule Wizards

The Rule Wizards feature makes security rule definition straightforward, even for non-technical system administrators. It allows users to view historical activity together with the security rule currently in effect on a single screen. One can modify the existing rule or define a new rule without closing the wizard. The Rule Wizards are an invaluable tool for defining the initial set of rules after installing Firewall for the first time.

Rule Wizards are available for the following types of rules:
- Servers usage
- Native OS/400 object security
- IFS object security
- Incoming IP Address Firewalls
- Outgoing IP Address Firewalls
- User to Service Security

Pro
80. Parameter or Option / Description:

Super speed processing: Y = enable super speed processing. N = disable super speed processing. Disable this feature a week before an upgrade in order to perform a hot upgrade, which allows you to upgrade the product without shutting down.

Additional Settings

Firewall can ensure that a proper password is entered even before performing any other checks and before allowing the operating system to validate that password. If the Check FTP Logon PWD by product field is set to N (recommended), the request might be rejected for other reasons before the password is validated.

The Inherit In-product DB2 authorities field refers to optional Native Object Security inheritance.

Skip SQL parsing if final decision was taken at: Eliminates SQL parsing when it is not needed. This option can be activated separately according to the level at which the decision was taken and the type of decision. For example, an organization may wish to skip parsing of an SQL statement that was rejected because it was received from an unauthorized IP; the request can still be logged for further review.

Firewall Additional Settings screen (columns SQL, Remote Cmd, FTP, DDM: Analyze commands in CALL QCMDEXC/QCAPCMD, Y Y Y; columns SQL, Remote Pgm: Analyze calls to QSYS programs/APIs, Y Y; Inherit In-product DB2 authorities 1=No, 2=Yes; Inherit In-p
81. Password Control Tools

This section describes two tools that help you correct potential security risks caused by easy-to-guess passwords.

Analyze Default Passwords

A profile is said to have a default password whenever the password is the same as the profile name. This is dangerous because it is so easy to guess. This feature allows users to print a report of all the user profiles on the system that have a default password and, optionally, disable those profiles or expire their passwords.

To perform the analysis, select 61, Analyze Default Passwords, from the User Management menu. The Analyze Action Default Passwords screen appears.

Analyze Action Default Passwords screen (parameters: Action taken against profiles *NONE/*DISABLE/*PWDEXP; Job description QBATCH/*NONE/name, Library *PRODUCT/*LIBL/name; function keys F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys).

The system prints the report User profiles with default passwords, which shows the action taken against the profiles and, for each user profile found, its STATUS (*ENABLED or *DISABLED), the PWDEXP flag and the profile text.
82. Native and IFS objects. F8 = Print user to service security rules. F9 = Work with object security rules. F10 = Work with Logon security rules.

Add User Profiles to a Group

The Create/Modify screen allows you to define the users belonging to the group. A user group may contain individual user profiles or OS/400 group profiles.

1. To add a user to a group, type 5 to add a member and type the user profile name in one of the User fields, or press F4 to select a user profile from a list window.

Modify Group of Users screen (User Group ADMIN; User entries with their descriptions, e.g. QUSER, Work Station User; function keys F3=Exit, F4=User list, F8=Print, F12=Cancel; option 5 = Add a Member).

2. Press Enter to accept the profiles and return to the Work with User Security screen.

NOTE: A user can be in several Firewall user groups simultaneously.

Time Groups

Overview

Many of the Firewall rules and reporting features take advantage of the Time Group feature. Time groups allow users to apply predefined sets of time-based filters to different queries without having to define complex criteria for each one. Time groups also work with the report scheduler and the Display Activity Log features. For example, one may be using a number of different queries and reports to audit the activities of certain employees during normal working
83. Library. Define user authority, then press Enter. Y = Yes.

Modify Native AS/400 File Security screen (Group FILE MANAGEMENT; columns Group profile, Read, Write, Create, Delete, Rename, Other; sample entries *PUBLIC and DAVID; function keys F3=Exit, F4=Prompt, F12=Cancel).

In the Modify Native AS/400 File Security screen, define permissions for one user profile, profile group or Firewall user group on each line. Use the PageUp and PageDown keys to scroll through a long list. For each activity, type Y = Activity allowed, Blank = Activity rejected. *PUBLIC is the default rule for all users not explicitly covered by an object security rule.

NOTE: Always make certain that the *PUBLIC rule contains sufficient permissions to allow ordinary users access to objects.

Parameter or Option / Description: File/Library: File name and library of the file(s) included in this rule. User/Group: Enter a user profile, or press F4 to select a user profile or group name from a list. Read: Y = Users may read the specified file. Write: Y = Users may write, edit or update the specified file. Create: Y = Users may create a new file. Delete: Y = Users may delete the specified file. Rename: Y = Users may rename the specified file. Other: Y = Users may perform other actions on the specified file. Press Enter to return to the Work with Native Object Security screen.

Libraries

1. From the Native AS/400
84. cation program SMZ8/GSASTDR should be called by the GUI with two parameters: Application name, CHAR(20), and Identification key, CHAR(50).

Pre Power Down System: Name or *NONE; Library name or *LIBL. This user program is called before the system is powered down. No parameters are passed to this program. (F3=Exit, F12=Previous)

Firewall User Exit Programs

Parameter or Option / Description:

Allow/Reject Request: After Firewall determines an action as legitimate or unauthorized, it can perform an additional check that can override the first decision. Name = name of the user exit program. *NONE = do not call any program; use this option when there is no exit program. *LIBL = library where the program is located.

Enable Application Level Security: *STD = application security is checked by the standard iSecurity Firewall program SMZ8/GSASTDR. To activate the Application Security feature, ensure that this field has the *STD definition. Name = name of a custom-made application security program. *NONE = no application security check.

Pre Power Down System: If you want to call a program before power down (shutting down the AS/400), you must do it here. Name = name of the user exit program. *NONE = do not call any program; use this option when there is no
85. Procedural Overview

The basic procedure for working with the rule wizards is as follows.

1. Select 41 from the main menu. Several different types of rule wizards are available, but the basic procedure is similar for all of them.

Rule Wizards main menu, GSWZRMNU (Firewall System S720). Wizards help you to:
1 Servers: Check usage of servers. The recommended setting for unused servers is *REJECT. This is a query only.
2 Incoming IP: For each IP range (for example, a company branch) specify permitted operations. 21 = Re-use.
3 Outgoing IP: Restrict the target where data is sent to, by IP ranges. 31 = Re-use.
4 Users: Specify the services which a user, group profile or internal group is permitted to use. 41 = Re-use.
5 Native Objects: Specify who can use specific objects (files, commands, etc.) and how (Read, Write, Update). 51 = Re-use.
6 IFS Objects: Specify who can use IFS objects (folder, file) and how (Read, Write, Update). 61 = Re-use.
99 Advanced Options.
Wizards summarize recent activity, compare it to the current security setting and enable creating or modifying rules. Enter the new setting in the R (Revised) column.
(Selection or command line; F3=Exit, F4=Prompt, F9=Retrieve, F12=Cancel, F13=Information Assistant, F16=AS/400 main menu)

2. Select a wizard from the Rule Wizards menu to view a summary of the recent activity log for that rule type. Options 1-6 on this screen initiate system commands. Enter new or updated settings
86. access has been granted. Simply put, whenever a higher, less specific rule will suffice, you do not need any more specific rules. For example, if you do not need to use FTP, simply reject all transactions at the FTP Server exit point level. You then do not need to define any rules that limit FTP access by specific IP addresses, by specific users or to specific objects.

Multi-Thread Support

Calling programs from a thread other than the main one imposes various limitations on the called programs. For example, the command Override with Data Base File (OVRDBF) cannot be used, which requires special programming in the called program. Firewall secures network access by providing programs to be called by security-related exit points. Firewall modules have been specifically treated to improve their capability to work in secondary threads. This support is not all-encompassing, partly because it depends on the ability of system APIs to function in such circumstances. We recommend working in single-thread mode when possible. Otherwise, perform a check, such as reviewing the log, to validate proper operation.

Firewall Rules and the Best Fit Algorithm

Firewall is a rules-based security product. The user creates a wide variety of rules to cover many different situations and to counter different kinds of threats. Some rules will likely apply globally to all or most activity
87. Selection or command line; F3=Exit, F4=Prompt, F9=Retrieve, F12=Cancel, F13=Information Assistant, F16=AS/400 main menu.

Native AS/400 Object Security

The specific details of each object type are discussed in the following sections.

Files

2. From the Native AS/400 Object Security screen, select 1, Files. The Work with Native AS/400 File Security screen appears. This screen lists all the rules currently in effect.
3. Type 1 to modify an existing rule or press F6 to create a new rule.
4. Press Enter to return to the Native OS/400 Object Security menu.

Work with Native AS/400 File Security screen (options 1=Select, 3=Copy, 4=Delete; columns Opt, File, Library; sample rules for *ALL and for specific files in libraries such as QGPL, QTEMP and SMZTMPA, each assigned to a user or group such as QSECOFR, SECGRP, *PUBLIC or QUSER; function keys F3=Exit, F6=Add new, F8=Print, F12=Cancel).

Parameter or Option / Description: Opt: 1 = Select this rule for modification. 3 = Copy this rule for another user. 4 = Delete this rule. F6 = Add new rule. F8 = Print rules. Subset: Search for a file or library whose name contains the subset.

Add/Modify Native AS/400 File Security

Modify Native AS/400 File Security screen: type information, press Enter. Li
88. curity. F10 = Logon security. F12 = Cancel. (Modify User Security)

Work with Sign-On IP Validation screen (User Group *PUBLIC; columns IP Address, Subnet Mask, 1=Allow/2=Reject, Text; sample records: *ALL 0.0.0.0 mask 0.0.0.0, 1, default record; 192.168.1.6 mask 255.255.255.255, 1, DAN IP address; function keys F3=Exit, F4=Prompt, F8=Print, F11=Alternate view, F12=Cancel. The screen footer shows the *SIGNON transaction for user DAN from IP 192.168.1.6 in job 521311/DAN/QPADEV.)

Work with Sign-on IP Validation, Parameter or Option / Description: IP Address / Subnet Mask: IP address and subnet mask in decimal format. TIP: Press F4 and select the subnet mask from a list. Allow/Reject: 1 = *ALLOW, allow the logon request. 2 = *REJECT, reject the logon request. Text: Descriptive text.

4. Select 4, Device Names, from the Modify User Security screen to add or modify sign-on device names.

Work with Sign-On Device Validation screen (User Group *PUBLIC; columns Device, Allow, with Y=Yes; sample record *ALL; function keys F3=Exit, F8=Print, F12=Cancel; the footer again shows the *SIGNON transaction for user DAN from IP 192.168.1.6 in job 521311/DAN/QPADEV).

Internet WSG

This server provides sign-on for client browsers such as Internet Explorer or Netscape Navigator, bypassing AS/4
89. de Activ

Modify Server Security screen (Server FILTFR, Original File Transfer Function; Secure 1=Yes, 2=No; Security level 1=Allow All, 2=Reject All, 3=User to Service, 9=Full User/Object; Information to log 1=None, 2=Rejects only, 4=All; Allow Action to react 1=No, 2=Rejects only, 3=All; Run Server Specific User Exit Program 1=Yes, 2=No, blank=Default, see the example in SMZ8/GRSOURCE (member FWAUT A); Run in FYI Simulation mode 1=Yes, blank=Default; function keys F3=Exit, F9=Object security, F10=Logon Security, F11=User security, F12=Cancel).

Parameter or Option / Description:

Server: Server name.

Secure: YES = Secured. NO = Not secured.

Security Level: This option is not available for exit points that deal with specific operations, such as Change User Profile and Pre Power Down System. 1 = Allow all activity (available for all other exit points). 2 = Reject all activity (available for all other exit points). 3 = Allow activity subject to User to Service security rules (not available for exit points that are supported only up to the Logon level, i.e. Telnet and Remote Sign-on). 9 = Full security, which differs between logon and user-to-object: Logon activates the logon limitation rules (user to system name, IP and user name); User to object
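The layered decision that the Best Fit Algorithm discussion and the Security Level table above describe can be modelled in a few lines. The following Python is an added example, not Raz-Lee code and not the product's actual algorithm: the server (exit point) setting is consulted first, and only Security Levels 3 and 9 go on to the more specific user-to-service and object rules, so a server rejected at level 2 never consults them. The lookup order (user, then the user's groups, then *PUBLIC), the fail-closed behaviour when no rule exists, the representation of object rules as a set of verbs and all the tables are assumptions constructed for the example.

```python
"""Added example (not Raz-Lee code): a simplified model of the layered decision
described under 'Firewall Rules and the Best Fit Algorithm' and in the Security
Level table. The server setting is consulted first: Secure NO leaves the request
to ordinary OS/400 authority, level 1 allows and level 2 rejects everything, and
only levels 3 (user-to-service) and 9 (full user/object) consult the more
specific rules. Assumptions the manual does not state: a user-to-service or
object lookup tries the user, then the user's groups, then *PUBLIC, and rejects
when no rule exists; object rules are a set of permitted verbs. All tables
below are constructed."""
from dataclasses import dataclass

ALLOW, REJECT = "*ALLOW", "*REJECT"


@dataclass(frozen=True)
class ServerSetting:
    name: str
    secure: bool    # the Secure YES/NO flag
    level: int      # Security Level 1, 2, 3 or 9


def _lookup(rules, key, user, groups):
    """Best fit among the user's own entry, group entries and *PUBLIC."""
    for who in [user, *groups, "*PUBLIC"]:
        if (key, who) in rules:
            return rules[(key, who)]
    return None


def decide(servers, uts_rules, obj_rules, server, user, groups, obj=None, verb=None):
    """Return (decision, layer that decided). Once a less specific layer has
    decided, the more specific rules are never consulted."""
    s = servers[server]
    if not s.secure:
        return ALLOW, "not secured by Firewall"      # OS/400 authority still applies
    if s.level == 1:
        return ALLOW, "server"
    if s.level == 2:
        return REJECT, "server"
    uts = _lookup(uts_rules, server, user, groups) or REJECT   # no rule: fail closed
    if uts == REJECT or s.level == 3 or obj is None:
        return uts, "user-to-service"
    verbs = _lookup(obj_rules, obj, user, groups) or frozenset()
    return (ALLOW if verb in verbs else REJECT), "object"


# Constructed server settings (exit points)
SERVERS = {
    "FTP":    ServerSetting("FTP", True, 2),     # FTP not used: reject at the exit point
    "TELNET": ServerSetting("TELNET", True, 1),
    "RMTSRV": ServerSetting("RMTSRV", True, 3),  # user-to-service only
    "DBSRV":  ServerSetting("DBSRV", True, 9),   # full user/object security
    "PRT":    ServerSetting("PRT", False, 9),    # not secured by Firewall
}
# Constructed user-to-service rules keyed by (server, user or group or *PUBLIC)
UTS_RULES = {
    ("DBSRV", "*PUBLIC"): REJECT, ("DBSRV", "PAYROLL"): ALLOW, ("DBSRV", "DAN"): ALLOW,
    ("RMTSRV", "*PUBLIC"): REJECT, ("RMTSRV", "OPS"): ALLOW,
}
# Constructed object rules keyed by (object, user or group or *PUBLIC)
OBJ_RULES = {
    ("QGPL/PAYFILE", "PAYROLL"): frozenset({"READ"}),
    ("QGPL/PAYFILE", "DAN"): frozenset({"READ", "WRITE"}),
}
GROUPS_OF = {"ANNA": ["PAYROLL"], "OPER1": ["OPS"]}   # constructed group memberships


def check(server, user, obj=None, verb=None):
    return decide(SERVERS, UTS_RULES, OBJ_RULES, server, user,
                  GROUPS_OF.get(user, []), obj, verb)


if __name__ == "__main__":
    for args in [("FTP", "DAN", "QGPL/PAYFILE", "READ"),
                 ("DBSRV", "ANNA", "QGPL/PAYFILE", "WRITE"),
                 ("RMTSRV", "OPER1")]:
        print(args, "->", check(*args))
```

The second element of each result shows where the decision was made: the FTP request from DAN is rejected at the server layer even though DAN has a permissive object rule, which is the point of rejecting unused servers at the exit point rather than writing per-user rules.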
90. Change Job Schedule Entry (CHGJOBSCDE) screen (Frequency *SAME/*WEEKLY; Schedule date *SAME/*CURRENT/date; Schedule day *SAME/*NONE/*ALL; Schedule time *SAME/*CURRENT/time; function keys F3=Exit, F4=Prompt, F5=Refresh, F10=Additional parameters, F12=Cancel, F13=How to use this display, F24=More keys).

Change Job Schedule Entry, Option / Description:

Frequency: *SAME = Value does not change. *ONCE = Run the report group once only. *WEEKLY = Run on the same day or days of each week. *MONTHLY = Run on the same day or days of each month.

Schedule Date: Date = The specific day on which the report will run. *SAME = Value does not change. *CURRENT = The current date, i.e. the day the report runs. *MONTHSTR = First day of the next month. *MONTHEND = Last day of the current month. *NONE = Use the day-of-week value in the Schedule Day field below.

Schedule Day: *ALL = Run every day; overrides the frequency parameter. *MON, *TUE, *WED, *THU, *FRI, *SAT, *SUN. *NONE = Use the date value in the Schedule Date field above.

Schedule Time: Time of day using the 24-hour clock, HH:MM:SS.

The Schedule Date and Schedule Day fields are mutually exclusive: if one is used, the other must be set to *NONE. Other fields may appear on this screen that belong to the OS/400 CHGJOBSCDE command. These fields are not
91. e Sign-on Schedule, Parameter or Option / Description:

Enable/Disable: Time of day, in 24-hour format, during which this rule is in effect.

Everyday: Type Y to apply the schedule to every day of the week.

Specified days: Type Y on the desired weekdays.

Apply Schedule to: User profile = Enter a user profile name, or a generic text string, to create a schedule for all user profiles beginning with the text preceding the asterisk (e.g. R* applies to all users beginning with the letter R). All users in group profile = Enter a group profile name to create a schedule for all users contained in the group profile. Select users from list = Enter a generic text string to select user profiles from a list of all user profiles beginning with the text preceding the asterisk (e.g. R* displays all users beginning with the letter R); you may then select one or more of them.

User Absence Security

Another common security risk occurs when an authorized user is away on temporary leave (e.g. vacation, sick leave, maternity leave, business trips) or leaves the organization. This feature lets you make certain that nobody can sign on with specific user profiles during such scheduled absences, by disabling or deleting the user profiles automatically on a specific date.

To work with user absence security:
1. Select 41, Work with Schedule, from the User Management menu. The following screen appears.
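The sign-on schedule and user absence rules above combine into one check: is this profile enabled today, and if so, is this weekday and time of day within its window? The following Python is an added example, not Raz-Lee code: it models a schedule with enable/disable times, an every-day or selected-weekday flag and an assignment to a profile, a generic name such as R* or a group profile, plus absences that disable or delete a profile from a given date. The precedence between schedule kinds, the treatment of a user with no schedule as unrestricted, the handling of an overnight window, and all schedules, absences and group memberships are assumptions constructed for the example.

```python
"""Added example (not Raz-Lee code): a model of the Sign-on Schedule and User
Absence rules. A schedule has an enable and a disable time of day (24-hour
clock), applies every day or on selected weekdays, and is assigned to a
profile, a generic name such as R*, or all members of a group profile; an
absence disables or deletes a profile from a given date. Assumptions the manual
does not state: a user with no schedule is not restricted; an exact-name
schedule wins over a group schedule, which wins over a generic one; a disable
time earlier than the enable time means an overnight window, checked against
the calendar day of the attempt. All data below is constructed."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering
WEEKDAYS = frozenset({MON, TUE, WED, THU, FRI})
EVERYDAY = frozenset(range(7))


@dataclass(frozen=True)
class SignOnSchedule:
    applies_to: str        # profile name, generic name ending in '*', or group profile
    enable: time
    disable: time
    days: frozenset


@dataclass(frozen=True)
class Absence:
    user: str
    start: date
    end: Optional[date]    # None: left the organization, no return date
    action: str            # "*DISABLE" or "*DELETE"


def schedule_for(schedules, user, groups):
    """Most specific schedule for the user: exact name, then group, then generic."""
    for pick in (lambda s: s.applies_to == user,
                 lambda s: s.applies_to in groups,
                 lambda s: s.applies_to.endswith("*") and user.startswith(s.applies_to[:-1])):
        for s in schedules:
            if pick(s):
                return s
    return None


def in_window(s, when):
    t = when.time()
    if s.enable <= s.disable:                      # same-day window, e.g. 08:00-18:00
        return s.enable <= t < s.disable
    return t >= s.enable or t < s.disable          # overnight window, e.g. 22:00-06:00


def profile_state(absences, user, today):
    """*DISABLED or *DELETED while an absence covers today, else *ENABLED."""
    for a in absences:
        if a.user == user and a.start <= today and (a.end is None or today <= a.end):
            return "*DELETED" if a.action == "*DELETE" else "*DISABLED"
    return "*ENABLED"


def signon_allowed(schedules, absences, groups_of, user, when):
    """Absence first (a disabled or deleted profile cannot sign on), then schedule."""
    if profile_state(absences, user, when.date()) != "*ENABLED":
        return False
    s = schedule_for(schedules, user, groups_of.get(user, []))
    if s is None:
        return True                                # no schedule: no restriction
    return when.weekday() in s.days and in_window(s, when)


# Constructed schedules, absences and group memberships
SCHEDULES = [
    SignOnSchedule("R*", time(8, 0), time(18, 0), WEEKDAYS),          # all users starting with R
    SignOnSchedule("RICH", time(7, 0), time(20, 0), WEEKDAYS | {SAT}),
    SignOnSchedule("NIGHTOPS", time(22, 0), time(6, 0), EVERYDAY),    # a group profile
]
ABSENCES = [
    Absence("DAN", date(2024, 7, 1), date(2024, 7, 14), "*DISABLE"),  # two weeks of leave
    Absence("TEMP01", date(2024, 6, 30), None, "*DELETE"),           # left the organization
]
GROUPS_OF = {"NOP1": ["NIGHTOPS"], "RICH": ["QPGMR"]}


def check(user, when_iso):
    """Sign-on decision for an ISO 8601 timestamp such as '2024-07-01T09:00'."""
    return signon_allowed(SCHEDULES, ABSENCES, GROUPS_OF, user, datetime.fromisoformat(when_iso))


def state(user, day_iso):
    return profile_state(ABSENCES, user, date.fromisoformat(day_iso))


if __name__ == "__main__":
    for user, when in [("ROSE", "2024-07-01T09:00"), ("ROSE", "2024-07-06T09:00"),
                       ("NOP1", "2024-07-02T03:00"), ("DAN", "2024-07-05T10:00")]:
        print(f"{user:<6} {when} -> {'allowed' if check(user, when) else 'rejected'}")
```

The absence check runs before the schedule check, so a profile that is disabled or deleted for a scheduled absence is rejected regardless of the day and time.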
92. e and data screens are the same for both activity types. Rules control activity for individual IP addresses or ranges of IP addresses using standard subnet mask notation. For each address or range of addresses, one can choose to allow or reject activity for any of the following servers: FTP/REXEC (includes FTPLOG, REXLOG); Telnet; Internet WSG; DB Server (includes SQLENT, SQL, NDB, OBJINF); TCP Sign-on Server; Remote Command/Program Call (RMTSRV); DDM (includes DDM, DRDA).

To create or modify IP address firewall rules:
1. Select 2 from the main menu. The Work with Dynamic Filtering menu appears.
2. Select 1, Incoming IP Addresses, from the Work with Dynamic Filtering menu. To work with outgoing activity, select 2 from the Work with Dynamic Filtering menu. In either case the Dynamic Filtering screen appears. This screen lists all existing rules, showing which communication protocols are allowed or rejected.
3. Type 1 to select an existing rule or press F6 to create a new rule.

Dynamic Filtering, Incoming IP Address Security screen (options 1=Select, 4=Delete; columns Opt, IP Address, Subnet Mask, one allow/reject column per server, Text; sample records: *ALL 0.0.0.0; a range with mask 255.255.255.128; several single hosts with mask 255.255.255.255, some marked RULE SET BY WIZARD). FTP
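The rule shape on the Dynamic Filtering screen above and on the Sign-on IP Validation screen (an address plus a subnet mask, a 1=allow / 2=reject code per server, and a 0.0.0.0 / 0.0.0.0 default record) is small enough to model and test directly. The following Python is an added example, not Raz-Lee code and not the product's matching algorithm: it uses the standard ipaddress module and assumes that when several rules cover an address the most specific one (longest mask) wins, that a server with no entry in the deciding rule is rejected, and that a user group without rules of its own falls back to the *PUBLIC rules. The rule tables are constructed for the example; the 192.168.1.6 host mirrors the DAN workstation shown on the Sign-on IP Validation screen.

```python
"""Added example (not Raz-Lee code): a model of the IP-address rules shown on
the Dynamic Filtering and Sign-on IP Validation screens: an address plus a
subnet mask, 1 = allow / 2 = reject per server, and a 0.0.0.0 / 0.0.0.0
default record. Assumptions the manual does not state: when several rules
cover an address the most specific (longest mask) wins, a server with no entry
in a rule is rejected, and a user group without rules of its own falls back to
the *PUBLIC rules. The rule tables below are constructed."""
import ipaddress
from dataclasses import dataclass

ALLOW, REJECT = "1", "2"   # the codes typed on the screens


@dataclass
class IpRule:
    address: str      # dotted decimal, as on the screen
    mask: str         # dotted decimal subnet mask
    actions: dict     # server name -> ALLOW / REJECT
    text: str = ""

    @property
    def network(self):
        # strict=False so that "192.168.1.6" with mask 255.255.255.0 means its /24
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


def best_fit(rules, client_ip):
    """The covering rule with the longest mask, or None."""
    ip = ipaddress.IPv4Address(client_ip)
    hits = [r for r in rules if ip in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None


def decide(rules, client_ip, server):
    """(ALLOW or REJECT, deciding rule). Fails closed when nothing covers the address."""
    rule = best_fit(rules, client_ip)
    if rule is None:
        return REJECT, None
    return rule.actions.get(server, REJECT), rule


def has_default_record(rules):
    """True when a 0.0.0.0 / 0.0.0.0 record exists, so no address falls through."""
    return any(r.network.prefixlen == 0 for r in rules)


def signon_ip_decision(rules_by_group, user_groups, client_ip):
    """Sign-on IP Validation: rules are kept per user group; use the first of
    the user's groups that has rules, else the *PUBLIC rules."""
    for group in [*user_groups, "*PUBLIC"]:
        rules = rules_by_group.get(group)
        if rules:
            return decide(rules, client_ip, "SIGNON")[0]
    return REJECT


# Constructed rule table for the Incoming IP Address screen
INCOMING = [
    IpRule("0.0.0.0", "0.0.0.0",
           {"FTP": REJECT, "TELNET": ALLOW, "DBSRV": REJECT}, "default record"),
    IpRule("192.168.1.0", "255.255.255.0",
           {"FTP": ALLOW, "TELNET": ALLOW, "DBSRV": ALLOW}, "head office LAN"),
    IpRule("192.168.1.6", "255.255.255.255",
           {"FTP": REJECT, "TELNET": ALLOW, "DBSRV": ALLOW}, "DAN workstation, no FTP"),
]

# Constructed per-group tables for the Sign-on IP Validation screen
SIGNON = {
    "*PUBLIC": [IpRule("0.0.0.0", "0.0.0.0", {"SIGNON": REJECT}, "default record"),
                IpRule("192.168.1.0", "255.255.255.0", {"SIGNON": ALLOW}, "LAN")],
    "ADMIN": [IpRule("0.0.0.0", "0.0.0.0", {"SIGNON": REJECT}, "default record"),
              IpRule("192.168.1.6", "255.255.255.255", {"SIGNON": ALLOW}, "DAN IP address")],
}

if __name__ == "__main__":
    for ip, server in [("192.168.1.6", "FTP"), ("192.168.1.7", "FTP"), ("10.1.2.3", "TELNET")]:
        action, rule = decide(INCOMING, ip, server)
        print(f"{ip:>12} {server:<7} {'ALLOW' if action == ALLOW else 'REJECT'} via {rule.text}")
```

Checking has_default_record on each table before activating it is the kind of sanity test worth running: without a 0.0.0.0 / 0.0.0.0 record, addresses outside every range would depend on whatever the product does when no rule matches rather than on a rule you wrote.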
93. Work with Users 56
Disable Inactive Users 65
Restricting User Sign-on Times 66
User Absence Security 68
Password Control Tools 70
Analyze Default Passwords 70
Password Statistical Report 71
Chapter 5 Object Security 73
Procedural Overview 73
Native OS/400 74
94. 3. Press Enter to run the print.

Working with the Activity Log

You can use the Display Firewall Log (DSPFWLOG) command to display the contents of the Activity Log quickly and easily in a standard format, using basic filter criteria. You can even use previously defined queries as filter criteria for the log display. This feature is best suited for investigating immediate problems such as program failures, errors or suspicious activity. Firewall includes many ready-to-use log display sets: enter a few parameters on a simple data screen and the specified data appears in seconds. A hard copy of the Activity Log results can be printed as well.

The Backward Glance Feature

This feature lets the user view the last several minutes of activity without having to define specific time or date parameters. The user specifies a period in minutes and presses Enter, and the transactions that occurred in that period appear. Backward Glance comes in handy when assisting users with error messages that pop up, or when verifying that a batch job has completed successfully.

Using Time Groups

The Activity Log display makes full use of the time group feature, which further enhances the ability to get to important data quickly.

Basic Procedure

A few simple steps are all that is necessary in order to view your data:
1. Select 43, Log Reports/Queries, from the main menu. The Reporting me
95. e report. You can design tabular summary reports showing one line for each record, or detail reports showing record data on multiple lines.

Procedural Overview

The procedure for defining queries consists of the following steps:
1. Select an existing query to work with, or create a new query.
2. Define the general query parameters, specifying the activity type(s) to be included and the output format.
3. Define the record selection (filter) criteria.
4. Select the data fields to be included in the report and the order in which they appear.
5. Define the record sort criteria according to one or more data fields.
6. Run the query, with the option to specify additional run-time filter criteria.

Working with Queries

1. To work with queries, select 1 from the Reporting menu. The Work with Queries screen appears.
2. Type the desired option next to a query: 1 to modify a query, 3 to copy it, or press F6 to create a new query.
3. Press Enter to proceed to the definition screens.

Work with Queries screen (Position to; options 1=Select, 3=Copy, 4=Delete, 5=Run, 6=Print, 7=Rename, 8=Run as batch job; columns Opt, Query, Server, Description; the predefined *Firewall* queries include Z6IPOUT, Outgoing IP addresses; Z6LICMGT, License Management; Z6NATIVE, Native; Z6REJECTS, Rejects; Z6RMTSRV, Remote Server; Z6SNA, SNA; SQL and SQL error queries; and Z6USER).
96. e unlimited or limited to a group of users.

License Management

This option enables users to supervise, and therefore allow or restrict, the use of licensed copies of their software.

1. To work with License Security, select 41, License Management, from the Work with Advanced Security screen. The Work with License Security screen appears.
2. Set parameters according to the following table and press Enter. Press F6 to add a new user, or type option 1 to modify an existing entry.

Work with License Security screen (options 1=Select, 4=Delete; columns Opt, User, Product, Feature, Allowed; sample entries: *PUBLIC *ALL *ALL Y; PGMR 5769ST1 5050; PRGMR 5716RG1 5050; QSYSOPR 5716PT1; function keys F3=Exit, F6=Add new, F8=Print, F12=Cancel).

Work with License Security: User = The user working with the particular software. Product = The software in question. Feature = The feature the user has access to; *ALL = all features. Allowed = Y, the user is allowed to access this software.

Modify License Security screen (User: name, generic*, *PUBLIC; User Group: *PUBLIC, F4 for list; Product: name, *ALL, F4 for list; Feature: name, *ALL, F4 for list; Allowed: Y=Yes; function keys F3=Exit, F4=Prompt, F12=Cancel).
97. ecurity components. AUDIT: all users with *AUDIT special authority; by default this group has only Read authority to Audit. SECADM: all users with *SECADM special authority; by default this group has only Read authority to Firewall.

iSecurity-related objects are secured automatically by product authorization lists named SECURITY1P. This strengthens the internal security of the product. It is essential that Work with Operators be used to define all users who have SECADM, AUDIT or AUDZSECAD privileges but do not have all-object authority. The Work with Operators screen has a USER column for user management and an ADM column for all activities related to starting and stopping subsystems and jobs, import/export, and so on. iSecurity automatically adds all users listed in Work with Operators to the appropriate product authorization list. Users may add more operators, delete them, and give them authorities and passwords according to their own judgment. Users can even make the new operator definitions apply to all their systems, so that upon import they will work on every system.

The password is BLANK for the default entries; use DSPPGM GSIPWDR to verify. The default for other users can be controlled as well: if the organization wishes the default to be BLANK, it must create the data area

CRTDTAARA DTAARA(SMZTMPC/DFTPWD) TYPE(*CHAR) LEN(10)

NOTE: When installing iSecurity
98. ecurity screen, Parameter or Option / Description:

Opt: 1 = Select this rule for modification. 3 = Copy this rule for another user or group. 4 = Delete this rule. 5 = Modify group members.

Servers: Displays the rule status for each server type. Allow = The user-to-service rule overrides the global server security rule: the user is allowed access to the server and object authorizations are checked. V = The user-to-service rule overrides the global rule, with verb (command) support. Blank = The global server security rule governs activity for this server. S = Allow the user to access the server and skip the check for object authorizations. This simplifies the check for some users, normally batch applications that play the role of servers, where saving the cost of the object check matters.

F6 = Create a rule for a new user. F7 = Create a rule for a new group. F8 = Print user-to-service security rules.

4. Enter parameters on the Add/Modify Parameters screen and press Enter to confirm.

Modify User Security screen (*PUBLIC; Activity Time: Time group *NEVER; Use Group Authority Y=Yes, N=No, blank=Default; Enable Services based also on OS/400 and *USER group profiles; Authorities and Locations: 2=Services (SQL, NDB, DDM), 3=IP, 4=Device Names (SIGNON only); Selection; In-product Specia
99. ed as a whole, rather than by the ways in which it accesses the database, commands and program calls. Once the application is verified for use by a specific user (including group and supplemental profiles), from a specific IP, within a specific time frame, etc., all the network access activities of this application are considered authorized, and no specific detailed authority needs to be defined. Client Application Security changes how network access security is defined and what can be gained from it.

To activate the Client Application Security feature, select option 81 > 3, User Exit Programs, and ensure that the Enable Application Level Security field is set to *STD.

Firewall User Exit Programs screen:

Allow/Reject request: Name or *NONE; Library name or *LIBL. This user program is called at the end of the authorization verification and may override the decision. See the example in SMZ8/GRSOURCE (member FWAUTH A).

Enable Application Level Security: *STD, Name or *NONE; Library name or *LIBL. The GUI product identifies itself and continues without further inspection. For the *STD value, the initial identification program SMZ8/GSASTDR should be called by the GUI with two parameters: <Application name>, CHAR(20), and <Identification key>, CHAR(50).

Pre Power Down System: Library name. This user
100. een appears. The screen and parameters are the same as for Modify FTP/REXEC Logon User, shown on the following page.
4. Set parameters according to the following table and press Enter. FTP rules are set according to user and IP.

Work with FTP/REXEC Logon Security screen (options 1=Select, 3=Copy, 4=Delete; Subset; columns Opt, User Group/User, IP addresses and authorities; sample entries: *PUBLIC *ALL 2; NEWYORK *ALL 1; ROME *ALL 2; JOHN *ALL 2 and 1.1.1.100 1; function keys F3=Exit, F6=Add new, F8=Print, F12=Cancel).

Work with FTP/REXEC Logon Security, Parameter or Option / Description: Opt: 1 = Select this rule for modification. 3 = Copy this rule for another user. 4 = Delete this rule. F6 = Add new rule. F8 = Print rules. Subset: Search for a user group, user, or IP address and authority whose name contains the subset. User Group/User: The user and/or user group for whom the rules are set. IP addresses and authorities: 1 = Allowed. 2 = Rejected. 3 = Alternative Sign-on; see Alternative Logon in the following table for more details.

Modify FTP/REXEC Logon User screen (*PUBLIC; columns IP Address, Subnet Mask, and 1=*ALLOW, 2=*REJECT, 3=*ALTLOGON; sample record *ALL 0.0.0.0, 1. For *ALTLOGON, alternative logon: Validation password = Password, *NOCHK, *SYS; Alt User Name = *SAME, F4 for list; Alt Password = Password, *SAME, *BY
101. Refer to the appropriate rule type section for details of the screen.
- Type 1 to select an existing rule for editing, or press F6 to create a new rule. The Add/Modify screen appears. The screen parameters and options are the same.
- Enter or modify the parameters for the appropriate rule type. Refer to the appropriate rule type section for details and explanations of the screen and its parameters.
- Press Enter to confirm and return to the Work with Logon Security screen.
5. Choose the desired reporting/logs option by selecting option 11 and, optionally, 12 and 13 for display logs.
6. Press Enter to confirm and return to the main menu.

Basic options for the screens are given in the table below.

Option / Description: Opt: 1 = Select this rule for modification. 3 = Copy this rule for another user. 4 = Delete this rule. 5 = IP Range (WSG only). F6 = Add new rule. F8 = Print rules. F9 = Add new rule. F11 = Alternate view; changes the display by reducing the number of lines on screen.

FTP/REXEC Incoming

This server is called when clients make requests to connect to the AS/400 through the FTP or REXEC server.
1. To set Logon security rules for FTP/REXEC, select 31, FTP/REXEC, from the main menu.
2. From the FTP/REXEC Logon Security screen, select option 1. The Work with FTP/REXEC Logon Security screen appears.
3. To add a new rule, press F6. The Add FTP/REXEC Logon User scr
102. …rejections to the security audit journal: select Y (Yes) or N (No) to send rejections to the Audit journal.
Password Exit Programs: This option provides an additional check for FTP passwords. It is a security risk to hard-code passwords that are kept for later use. Whenever a password has to be validated and *PGM is entered as the validation parameter, the program named here is called to verify that the entered password is the correct one. 1. To work with Password Exit Programs, select 6. Password Exit Programs from the iSecurity Part I Global Parameters screen. 2. Set the required parameters and press Enter.
[Screen capture: Firewall Password Exit Programs. Incoming Password Validation (program Name / Library, *LIBL): this program validates incoming passwords if *PGM is specified; an example program is supplied in SMZ8/GRSOURCE. Actual Password Supplier (*NONE, or program Name / Library, *LIBL): this program supplies the system password for FTP/WSG if *PGM is specified; an example program is supplied in SMZ8/GRSOURCE. F3 Exit, F12 Previous]
Enable ACTION CL Script: This feature enables Action to respond automatically to security events generated by Firewall and Screen…
103. …General Query Parameters (Add/Modify Screen) 113; Defining Output Fields 117; Sort Criteria 118; Running Queries 119; Print Query to Output File and Send Via Email 122; Working with the Activity Log 123; (entry illegible) 127; Group Items for Selection 128; Using the Report Scheduler 131; (entry illegible) 131; The Definition Process 131; Working with Report Groups 132; Working with Individual Reports 136; Running Reports 136; Chapter 9 Advanced Security 138; DDM 138
104. …1; New Features for Firewall 15.0 1; Chapter 1 Introducing Firewall 2; What is Firewall 2; Why is Firewall Necessary 2; Features 3; Top-Down Security Design 3; Multi-Thread Support 4; Firewall Rules and the Best-Fit Algorithm 5; FYI Simulation Mode 5; Emergency Override 5; Rule Wizards 5; (entry illegible) 5; Query Wizard 6; The User-Centric Approach 6; (entry illegible) 6; (entry illegible) 7; Intrusion Detection 7; Native OS/400 Text-Based Use…
105. …ent ways.
[Screen capture: GSCNTMN iSecurity CntAdm (Central Administration) menu. Definitions: 1 Work with network definitions. Log Copy: 11 Run Reports on a Copy of Remote System Log. Transfer Log Copy: 21 Export Product Log; 22 Import Product Log; Collect from Remote. Transfer Definitions: 31 Export Definitions; 32 Import Definitions; Update Remote Systems. Communication Log: 71 Current Job CntAdm Messages; 72 All Jobs CntAdm Messages. Notes on screen: Use *SYSTEM in the reporting menu to run reports on the network; add a 3-character extension of your choice to the data library name. F3 Exit, F4 Prompt, F9 Retrieve, F12 Cancel, F13 Information Assistant, F16 AS/400 main menu]
iSecurity Central Administration (Firewall): 1. To get current information from an existing report or query, adjusting the system parameters only so as to collect information from all the groups in the system into an output file that can be sent via email, select option 1. Define Communication Attributes. The Work with Network Systems screen appears. 2. Press F6 to define a new network system to work with, and press Enter to confirm.
[Screen capture: Add Network: System, Description, Group (where to include), Communication Details (*SNA, IP or remote name)…]
106. …report will run. The Report Scheduler can print several different types of reports, such as: Queries; Firewall Activity Log reports; Action Activity Logs, which contain records of actions actually performed; User Profile Reports. The Report Scheduler is based on the native OS/400 scheduling facility, but with added support for the report group feature and an improved user interface.
The Definition Process: The Report Scheduler incorporates a wizard-based interface to make the definition process simple and user-friendly. To define and schedule reports to run automatically, perform the following steps in order: 1. Create any queries to be included in the relevant report group. 2. Create or modify the report group as follows: • Assign a report group name and description. • Enter schedule data and run-time parameters for the group. 3. Create the individual reports to be included in the report group as follows: • Assign a report name and select the report type. • Define the run-time parameters for each report. 4. Run the report group, if desired. These steps are explained in detail in the following sections.
Working with Report Groups: The first step in the Report Scheduler definition process is to define the report group. The report group definition consists of a group name, a description and several run-time paramete…
107. …steps.
Chapter 3 Basic Security: Server security is the topmost and most basic level of security provided by Firewall. Server security rules determine how each server is to be protected and what level of access control is desired. Rules include the following parameters: enabling or disabling protection for each server; specifying the level of access control (allow all activity, reject all activity, or allow activity subject to more specific rules regarding users, objects or logon parameters); determining which transactions are to be recorded in the Activity Log; determining whether or not Action can respond automatically to specific events by sending messages to key personnel or running proactive command scripts to prevent security breaches; allowing custom user exit programs to perform specific actions; whether the FYI simulation mode is active for each server. Firewall server security rules control access to the servers on a global basis, for all users. You can also define User-to-Service security rules to control access to the servers for specific users or groups of users. User-to-Service security rules are discussed in Chapter 5, User to Service Security.
About Servers & Exit Points: Exit Points are components of the OS/400 API that manage the interface with various system resources. These Exit Points are gover…
108. …Printer Files: 1. From the Native AS/400 Object Security screen, select 4. Printer Files. The Work with Native AS/400 Print File Security screen appears; it lists all the rules currently in effect. 2. Type 1 to modify an existing rule, or press F6 to create a new rule. 3. Press Enter to return to the Native OS/400 Object Security menu.
[Screen capture: Work with Native AS/400 Print File Security (1=Select, 3=Copy, 4=Delete; columns Opt, Print File, Library, with *ALL entries; F3 Exit, F6 Add new, F8 Print, F12 Cancel)]
Work with Native AS/400 Print File Security, parameters and options: Opt: 1 = Select this rule for modification; 3 = Copy this rule for another user; 4 = Delete this rule. F6 = Add new rule. F8 = Print rules. Subset: search for a print file or library whose names contain the subset.
Add/Modify Print File Security:
[Screen capture: Modify Native AS/400 Print File Security: Print File, Library; define user authority (Y=Yes) per User/Group for Open Print File, with lines for *PUBLIC, a group profile (SALETEAM) and user profiles (FRED, KATE); F3 Exit, F4 Prompt, F12 Cancel]
Define permissions for one user profile, group profile or Firewall user group on each line. Use the PageUp and PageDow…
109. …user's limited capabilities.
[Report capture: spooled file QPSECUSR, User Profile Information report (*AUTINFO), selected by special authorities; for each user profile it shows the group profile, the special authorities (*IOSYSCFG, *AUDIT, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL), the user class (*USER, *SECOFR) and the owner (*USRPRF, *GRPPRF); F3 Exit, F12 Cancel, F20 Left, F28 Right, F24 More keys]
User Profile Information: Special Authorities Report. Option 6. Print Environment Information: the Environment Info report shows environment details, including the current library and various default libraries. To print these reports, select 5 or 6 from the User Management menu. Enter the report type and…
[Report capture: Environment Information report (*ENVINFO), selected by special authorities; for each user profile it shows the Current Library, Initial Program and Library, Job Description and Library, and Message Queue and Library]
110. …refresh; F1 Additional parameters; F24 More keys.
Display Firewall Log, parameter descriptions (continued): Previous minutes: selects only the events occurring within the previous number of minutes, as specified by the user. Number: enter the desired number of minutes. BYTIME: according to the starting and ending times specified below. Starting date & time / Ending date & time: selects only the events occurring within the range specified by the starting and ending date/time combination. Date and time: enter the appropriate date or time, or one of: CURRENT (current day); YESTERDAY (previous day); WEEKSTR / PRVWEEKS (current week / previous week start); MONTHSTR / PRVMONTH (current month / previous month start); YEARSTR / PRVYEARS (current year / previous year start); SUN..SAT (day of week). IP (generic address): filter by IP address. Type (server type): All = all server types; F4 = select a server type group from a list; UP lists all output operations over files (WRITE, CREATE, MOVE, DELETE, RENAME); DOWN lists all read operations over files. Allowed: YES = allowed; NO = rejected; ALL = all activity. Number of records to process: the maximum number of records to process; NOMAX = no maximum (default). Output: PRINT…
111. …queue or library whose names contain the subset.
Add/Modify Object (Data Queue) Security:
[Screen capture: Modify Native AS/400 Data Queue Security: Data Queue, Library; define user authority (Y=Yes) per User/Group for Read, Write, Create and Delete, with lines for PUBLIC, a group profile (DQ MANAGEMENT) and user profiles (JIM, DANNY); F3 Exit, F4 Prompt, F12 Cancel]
Define permissions for one user profile, group profile or Firewall user group on each line. Use the PageUp and PageDown keys to scroll through a long list. For each activity, type Y (activity allowed) or leave it blank (activity rejected). Public is the default rule for all users not explicitly covered by an object security rule. Always make certain that the Public rule contains sufficient permissions for ordinary users to access objects.
Parameters and options: Data Queue: shows the data queue(s) included in this rule. User/Group: enter a user profile, or press F4 to select a user profile or group name from a list. Read (Y): users may read the specified file. Write (Y): users may write, edit or update the specified file. Create (Y): users may create a new file. Delete (Y): users may delete the specified file. Press Enter to return to the Work with Native Object Security screen.
112. …several powerful security tools that Firewall shares with Action. These control the ability of users to sign on to the system and enhance active system security by allowing users to perform the following tasks: view and modify security parameters in user profiles using a convenient wizard interface; automatically disable inactive users; restrict user sign-on to specific hours and days; prevent user sign-on during planned absences or following termination; analyze default passwords for effectiveness. To work with the user sign-on control tools, select 15. User Management from the main menu. The User Management (Sign-on) menu appears. Select the desired function from this menu.
[Screen capture: User Management menu (iSecurity Action). Active User: 1 Work with Users (WRKACUSR); 5 Print Special Authorities; 6 Print Environment Information. Disable Inactive Users: 11 Work with Auto Disable; 15 Exceptions. Authorized Signon Times: 21 Work with Schedule; 22 Display Schedule. User Absence Security: 41 Work with Schedule; 42 Display Schedule. Password Control: 61 Analyze Default Passwords; 62 Password Report. F3 Exit, F4 Prompt, F9 Retrieve, F12 Cancel, F13 Information Assistant, F16 AS/400 main menu]
User Management: Work with Users. The Work with Users Wizard enables viewing and modifying several security-related parameters in the user profile by using a user-friendly w…
113. …exit program. NOTE: You may also set exit program behavior for each server; see Modifying Server Security.
Transaction Post Processing: This option informs particular data queues of accepted/rejected transactions. The user can send all rejected transactions to one data queue and all accepted transactions to another, or send them both to the same message queue. 1. To use Transaction Post Processing, select 4. Transaction Post Processing from the iSecurity Part I Global Parameters screen. The Firewall Transaction Post Processing Data Queues screen appears. 2. Set the required parameters and press Enter.
[Screen capture: Firewall Transaction Post Processing Data Queues: Post Processing Data Queues (Name / Library) for Rejected Transactions (NONE) and Accepted Transactions. Note on screen: these data queues enable users to bind Firewall with external products such as pager systems; they are created automatically; entries are formatted according to the standard log file SMZ8/GSCALP. F3 Exit, F12 Previous]
Intrusion Detection: This option is related to Transaction Post Processing but involves message queues instead of data queues. Intrusion Detection lets particular message queues know of accepted/rejected transactions. Users can send all rejected transactions t…
114. …of reports (RUNRPTGRP); print user profile information report (PRTFWUSRP).
Data Entry Screens: Data entry screens include many convenient features, such as: pop-up selection windows; convenient option prompts; easy-to-read descriptions and explanatory text for all parameters and options; search and filter with generic text support. The following table describes the various data entry screen options. Desired procedure / required steps: Entering data in a field: type the desired text and then press Enter or Field Exit. Moving from one field to another without changing the contents: press the Tab or Shift+Tab keys. Viewing the options for a data field together with an explanation: press F4. Accepting the data displayed on the screen and continuing: press Enter.
Function Keys: The following function keys may appear on data entry screens. F1 Help: display context-sensitive help. F3 Exit: end the current task and return to the screen or menu from which the task was initiated. F4 Prompt: display a list of valid options for the current field or command; for certain data items a pop-up selection window appears. F6 Add New: create a new record or data item. F8 Print: print the current report or data item. F9 Retrieve: retrieve the previously entered c…
115. …files changes in the data library. The Create Journal Confirmation screen appears. Press Enter to confirm.
[Screen capture: Create Journal Confirmation, displayed over the GSMINTM Maintenance Menu (iSecurity Part 1): You are about to start journaling the product files. The journal receivers will be created in library SMZ8JRND. If this library does not exist it will be automatically created. If you wish to create the library in a specific ASP, press F3 to exit, create the library, and run this option again. Press Enter to start journaling, F3 to exit.]
Remove Journal: Select option 72. Remove Journal to end the journaling of changes in the system physical files. The End Journal Confirmation screen appears. Press Enter to confirm.
[Screen capture: End Journal Confirmation, displayed over the GSMINTM Maintenance Menu (iSecurity Part 1): You are about to end journaling the product files. The journaling will stop in library SMZ8JRND. Press Enter to end journaling, F3 to exit.]
116. …for all audit types. Fields appearing in green on the screen are specific to the Activity Log record for the currently selected audit type.
[Screen capture: Select Sort Fields (*Firewall* License Management, generic entry type): columns Seq, Description, Attribute; fields include Server name, Function, Allowed/Rejected, *FYI mode (simulation), Decision level, Name of job, User of job, Number of job, User profile name, Object, Object library, and more. F5 Display values, F12 Cancel, F21 Select all, F23 Invert selection]
Select Sort Fields, parameters and options: F5: displays field values. F21: selects all options. F23: invert selection; all selected items are deselected and all items that are not selected become selected. NOTE: You may wish to change the sequence numbers after using this command. Seq: enter a number representing the sort sequence.
Running Queries: The final screen in the definition procedure allows you to run your query immediately. If you do not wish to run your query at this time, press F3 to exit; all query definition parameters will be preserved. Firewall provides several different options for running queries. During Query Definition: you can run queries as the final step in the definition procedure. This is useful for te…
117. …for the first time, certain users might not have access according to the new authority method. Therefore, the first step you need to take after installing is to edit those authorities. To modify operators' authorities, follow this procedure: 1. Select 82. Maintenance Menu from the main menu. The Maintenance Menu appears. 2. Select 11. Work with Operators from the Maintenance Menu. The Work with Operators screen appears.
[Screen capture: Work with Operators (1=Select, 4=Delete; authority level 1=*USE, 9=*FULL). Each line shows a user, a system and an authority level per module: FW Firewall, Scr Screen, Pwd Password, AV AntiVirus, Aud Audit, Act Action, Cpt Capture, Jrn Journal, Vu View, Vsl Visualizer, Usr User Mgt, Adm Admin; *SECADM and *AUDIT rows appear alongside individual user profiles. F3 Exit, F6 Add new, F8 Print, F11 *SECADM/*AUDIT authority, F12 Cancel]
3. Type 1 next to the user whose authorities you want to modify, or press F6 to add a new user. The Modify Operator screen appears.
[Screen capture: Modify Operator: Operator, System, Password, Authorities by module]
118. …formation. DTAQ: Original Data Queue Server, as Data Queue Server. 1. Select F22 Global setting from the Work with Server Security screen. The Global Server Security Settings screen appears. 2. Press Enter to accept.
[Screen capture: Global Server Security Settings: Exit point group (*ALL, *SNA, *FILTFR, *DBSRV, *PRT, *DTAQ, *CMD, *LICMGT, *CNTSRV, *USRPRF, *RMTSGN); Secure (*YES, *NO); Check (*ALLOW, *REJECT, …); Filter IP/SNA (*YES, *NO); Log (*YES, *NO, …); Allow Action to react (*YES, *NO); Skip Other exit points (*YES, *NO). Note on screen: an Other exit point is one to which an unidentified program is already assigned; such an entry is denoted by the word OTHER in the SECURE column; a blank entry is equivalent to *SAME. F3 Exit, F12 Cancel]
Global Server Security Settings, parameters and options: Exit point group: enter an exit point group from the list to the right. Secure: YES = secured; NO = not secured. Check: ALLOW = allow all activity; REJECT = reject all activity; MAX = full security, allow activity subject to user-to-service, object and logon security rules as appropriate. Filter IP/SNA: YES = secured; NO = not secured. Log: YES = log all activity; REJECTS = log rejected transactions only; NO = do not log an…
119. …ing IP address whose names contain the subset. Outgoing IP addresses and authorities: the IP of the system that the user tries to communicate with from your AS/400; 1 = Allowed, 2 = Rejected.
[Screen capture: Modify FTP Client User: User (*PUBLIC); Outgoing IP Address / Subnet Mask lines (for example ALL, and a host address with mask 255.255.255.255) with 1=Allow / 2=Reject and a Text field (for example Headquarters). F3 Exit, F4 Prompt, F11 Alternate view, F12 Cancel]
Modify FTP Client User, parameter descriptions: User: enter the user profile. Outgoing IP Address / Subnet Mask: enter the outside system's IP address and subnet mask in decimal format; specify which IPs this user can connect to and which are to be rejected from your AS/400. TIP: press F4 and select the subnet mask from a list. Allow/Reject: 1 = Allow logon request; 2 = Reject logon request. Text: enter descriptive text.
Telnet and Sign-on: This logon control manages two features. Telnet Logon (option 1): Auto Sign-on configuration, as well as IP address and password type restrictions. This entry is used only the first time a device connects to the system, for example when PC emulation software starts. Sign-on Validation (option 5): sign-on configurations per user, with IP, terminal name and number of sessions rest…
120. …This feature defines the level of authority for both native and IFS objects. Object Authority: OBJAUT = object authority is subject to object security rules; EXCLUDE = all object authority is denied for this user; ALLOBJ = users are granted ALLOBJ for IFS objects. F3 = return to the main menu. 3. Press Enter to accept the definition.
Location Groups, Overview: Location Groups are collections of users whose access to certain locations is defined by IP and device name(s). For example, create a Chicago group in which all users have access to the System i only from the Chicago branch IP range. The location group, which even supports each Telnet sign-on, may be used only from OS V4R5 and fully complies on all the servers from OS V5R1. You can define object-level rules in location groups as well. Perform the following steps to define and/or modify location groups.
Defining and/or Modifying Location Groups: 1. Select 13. Locations from the main menu. The Work with Location Groups screen appears, as below.
[Screen capture: Work with Location Groups (1=Select, 3=Copy, 4=Delete, 5=Members) listing locations such as CHICAGO (Chicago Office), NEWYRK (New York Office) and HEADQ (Headquarters). F3 Exit, F6 Add new, F8 Print list]
Work with Location Groups, options: Opt: 1 = Modify a location group; 3 = Copy an existing location g…
121. [Report residue: User Profiles with Default Passwords report, listing user profiles with their disable status] User Profiles with Default Passwords.
Password Statistical Report: This feature allows users to print a report showing information similar to that displayed on the Work with Users Wizard.
[Screen capture: Print User Profile (PRTAUUSRP) command prompt: Type of information (*PWDINFO, *ALL, *AUTINFO, *ENVINFO); Select by (*SPCAUT, *USRCLS, *MISMATCH); Output (*PRINT, *PRINT1..*PRINT9); Job description (QBATCH, *NONE) and Library (*PRODUCT, *LIBL); Additional parameters: Special authorities (*ALL, *ALLOBJ, …, for more values), User class (*ALL, *USER, *SYSOPR, …, for more values). F3 Exit, F4 Prompt, F5 Refresh, F12 Cancel, F13 How to use this display, F24 More keys]
Print User Profile, parameter descriptions: Select by: SPCAUT = user profiles are selected for the report based on special authorities; USRCLS = user profiles are selected for the report based on user class; MISMATCH = user profiles are selected for this report only if their special authorities are not the same as the default authorities assigned to their user class. Job description: batch job subsystem and library. Special au…
122. …override. This option is explained in full detail in Chapter 4, Using the ALL Security setting. Emergency Override Feature: 0 = Disable emergency override (all rules function normally); 1 = Allow all activity; 2 = Allow and log all activity; 3 = Reject all activity; 4 = Reject and log all activity.
Work in FYI Simulation Mode (Global Setting): This option is explained in full detail in Chapter 4, FYI Simulation Mode. Y = Enable FYI globally; N = Do not enable FYI.
Check OS/400 Group and Supplemental profile: Firewall checks permissions the same way the system does. First it checks the permissions of the user; if there are none, it checks the group profile; if there are still no permissions, it checks the supplemental group profiles. iSecurity follows IBM's method of requiring up to 17 checks to examine user permissions. NOTE: The more checks Firewall performs, the lengthier the validation process. The unique algorithm upon which this product is based guarantees a highly rapid process. This option configures how users are checked for access: Y = check the user for access; if not allowed, check the group/supplemental profile for access. N = check the user for access; if not allowed, reject access without checking the group/supplemental profile.
Enable Super Speed Processing: Super Speed Processing keeps the most useful commands in the Firewall CPU memory, therefore improving product…
123. …ified. Likewise, NITEM GROUP TYPE GROUP can be used to include only those transactions which do not contain the GROUP TYPE GROUP defined. In addition, there are special groups, such as groups of users already defined on the system, all of which share a common identifying characteristic: for example, the group profiles of the system, group profiles defined in Firewall, and virtual groups of users named SECADM, SAVESYS etc., which are the users who have that particular privilege defined in their special authority. 1. To define Groups and Items, select option 43. Log, Reports, Queries from the main menu and then option 41. Group Items for Selection from the Reporting menu. The Work with Classes of Groups screen appears.
[Screen capture: GSRPTMNU Reporting, Work with Classes of Groups (1=Work with, 2=Edit, 4=Remove; Position to; Subset): columns Opt, Class, Description, Item Length; classes include *GRPPRF (OS/400 Group profiles), *SPCAUT (Users by their Special Authority), *USRGRP (User groups in iSecurity Firewall), COMMANDS (Commands of various types) and user-defined classes. Note on screen: *CLASSes are automatically defined by the system; press F6 for instructions. F3 Exit, F6 Add New plus instructions, F12 Cancel, F13 Information Assistant, F16 AS/400 main menu]
2. Press F6 to add a new class o…
124. …time saver that allows users to modify server security rules quickly for all servers or for predefined server groups. Server groups include several related servers, enabling definition of rules for all of them on a single screen. The following table describes the members of the server groups. To work with server security rules globally:
Server group and members:
IP: FTP Server Logon; FTP Server Incoming Rqst Validation; FTP Client Outgoing Rqst Validation.
CMD: REXEC Server Request Validation; Remote Command/Program Call.
SNA: DDM request access; DRDA Distributed Relational DB access; Remote sign-on (Passthrough).
LICMGT: Original License Mgmt; Central Server license mgmt.
FILTFR: Original File Transfer Function; FTP Server Logon; FTP Server Incoming Rqst Validation; FTP Client Outgoing Rqst Validation; TFTP Server Request Validation; Original Remote SQL Server; Showcase; File Server.
CNTSRV: Central Server license mgmt; Central Server conversion map; Central Server client mgmt.
DBSRV: Database Server SQL access; Database Server data base access; Database Server entry; Database Server object information.
USRPRF: Change User Profile; Create User Profile; Delete User Profile (after delete); Delete User Profile (before delete); Restore User Profile.
PRT: Network Print Server entry; Network Print Server spool file.
RMTSGN: Remote sign-on (Passthrough).
Database Server entry; Database Server object in…
125. …in the R (Revised) column. Options 2. Incoming IP and 3. Outgoing IP on this screen offer a new value, FAST, for the Wizard Type option. FAST automatically brings up the following screen when the IBM command completes. The Re-use options 21, 31, 41, 51 and 61 reuse the output of the IBM command initiated by options 1 to 6, to save processing time. 3. Select option 99. Advanced Options to customize the wizards' rules.
[Screen capture: Rule Wizards, Extended menu (Firewall). Native Objects: 1 Display Log; 2 Create Working Data Set; 3 Work with Rule Wizard; 4 Update Rules. IFS Objects: 11 Display Log; 12 Create Working Data Set; 13 Work with Rule Wizard; 14 Update Rules. Incoming IP Address: 21 Display Log; 22 Create Working Data Set; 23 Work with Rule Wizard; 24 Update Rules. Outgoing IP Address: 31 Display Log; 32 Create Working Data Set; 33 Work with Rule Wizard; 34 Update Rules. Firewall: 41 Display Log; 42 Create Working Data Set; 43 Work with Rule Wizard; 44 Update Rules. F3 Exit, F4 Prompt, F9 Retrieve, F12 Cancel, F13 Information Assistant, F16 AS/400 main menu]
Rule Wizards, Advanced Options: 4. Select Display Log to view a summary of the recent activity log for that rule type. Select Create Working Data Set to define the scope of the historical activi…
126. …existing rule, or press F6 to create a new rule. 4. Press Enter to return to the IFS Security menu. NOTE: File names for IFS objects may be entered with upper- or lower-case letters.
[Screen capture: Work with IFS Security (1=Select, 3=Copy, 4=Delete; Subset): columns Opt, File System / Root Dir, Directory / File name, with rules such as *ALL, /qibm and /rami/rami.csv. F3 Exit, F6 Add new, F8 Print, F11 Un/Fold, F12 Cancel]
Work with IFS Security, parameters and options: Opt: 1 = Select this rule for modification; 3 = Copy this rule for another user; 4 = Delete this rule. F6 = Add new rule. F8 = Print rules. Subset: search for a print file or library whose names contain the subset.
Add/Modify IFS Security:
[Screen capture: Modify IFS Security: File System / Root Dir (rami), Directory / File name (rami.csv); define user authority (Y=Yes) per User/Group for Read, Write, Rename, Delete and Move, with lines for PUBLIC and JAVA. F3 Exit, F4 Prompt, F8 Print, F9 Print File System, F12 Cancel]
Define permissions for one user profile, group profile or Firewall user group on each line. Use the PageUp and PageDown keys to scroll through a long list. For each activity, type Y (activity allowed) or leave it blank (activity rejected). Public is the default rule for all users not explicitly covered by an object security rule. You should always make cer…
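The following Python is an added illustration, not code from the manual or from Raz-Lee: it models how an object-security decision could be resolved from rule lines of the kind shown on the Data Queue and IFS security screens (Y = allowed, blank = rejected, Public as the default for users no line covers) combined with the Check OS/400 Group and Supplemental setting from the Configuration chapter. Profile names, rule lines and the exact precedence between the user, group, supplemental and Public levels are constructed assumptions.

```python
"""Model of an object-security decision: user line, then group profile,
then supplemental group profiles, with PUBLIC as the fallback rule.

Added illustration only; the profiles, rule lines and the precedence
between levels are assumptions, not Firewall's actual implementation.
"""
from __future__ import annotations

from dataclasses import dataclass

ACTIVITIES = ("Read", "Write", "Create", "Delete")

# Rule table: profile name -> activities marked Y on its rule line.
# A profile with no entry has no rule line at all.
Rules = dict[str, frozenset[str]]


@dataclass(frozen=True)
class UserProfile:
    name: str
    group: str | None = None            # OS/400 group profile (GRPPRF)
    supplemental: tuple[str, ...] = ()  # supplemental group profiles


def is_allowed(rules: Rules, user: UserProfile, activity: str,
               check_groups: bool) -> tuple[bool, str]:
    """Decide whether `user` may perform `activity` on the protected object.

    Returns (allowed, level); `level` names the rule line that decided:
    "user", "group", "supplemental", "public", or "explicit" when a line
    covering the user exists but does not grant the activity.
    """
    if activity not in ACTIVITIES:
        raise ValueError(f"unknown activity {activity!r}")

    # 1. The user's own rule line is consulted first.
    own = rules.get(user.name)
    if own is not None and activity in own:
        return True, "user"
    covered = own is not None

    # 2. Group and supplemental group profiles, only when the global
    #    setting is Y. With N, nothing beyond the user line is consulted.
    if check_groups:
        for profile in (user.group, *user.supplemental):
            line = rules.get(profile) if profile else None
            if line is None:
                continue
            covered = True
            if activity in line:
                level = "group" if profile == user.group else "supplemental"
                return True, level

    # 3. PUBLIC is the default only for users no rule line covers.
    if not covered:
        return activity in rules.get("PUBLIC", frozenset()), "public"
    return False, "explicit"


def public_rule_gaps(rules: Rules, required: frozenset[str]) -> frozenset[str]:
    """Activities ordinary users need that the PUBLIC line does not grant.

    The manual warns to make certain PUBLIC carries sufficient permissions;
    a non-empty result means uncovered users would be rejected for those.
    """
    return required - rules.get("PUBLIC", frozenset())


# Constructed sample in the style of the Modify Native AS/400 Data Queue
# Security screen (a group profile, a supplemental group and a user line).
SAMPLE_RULES: Rules = {
    "PUBLIC":   frozenset({"Read"}),
    "DQMGMT":   frozenset(ACTIVITIES),          # group profile
    "SALETEAM": frozenset({"Read", "Write"}),   # supplemental group
    "FRED":     frozenset({"Read"}),            # explicit user line
}
SAMPLE_USERS = {
    "FRED": UserProfile("FRED", group="DQMGMT"),
    "KATE": UserProfile("KATE", supplemental=("SALETEAM",)),
    "JIM":  UserProfile("JIM"),                 # covered by PUBLIC only
}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"Check group/supplemental = {'Y' if setting else 'N'}")
        for user in SAMPLE_USERS.values():
            for act in ACTIVITIES:
                ok, level = is_allowed(SAMPLE_RULES, user, act, setting)
                verdict = "allow" if ok else "reject"
                print(f"  {user.name:<5} {act:<7} {verdict:<7} ({level})")
    gaps = public_rule_gaps(SAMPLE_RULES, frozenset({"Read", "Write"}))
    print("PUBLIC gaps for ordinary users:", sorted(gaps))
```

Running it side by side with the setting at Y and at N shows which users lose access purely because the group fall-through is disabled, which is the review a practitioner wants before switching that setting on a production system.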
ion Date      Date on which the user profile will be disabled or deleted.
Action        1=Disable user profile
              2=Delete user profile

The following parameters apply to scheduled deletions only.

Owned object action   Specify the action to be performed when a user profile scheduled for deletion owns one or more objects.
                      NODLT    If the user profile owns any objects, neither the user profile nor the objects are deleted.
                      DLT      Both the user profile and any objects owned by it are deleted.
                      CHGOWN   The user profile is deleted and ownership of all objects is transferred to the alternate user profile specified in the New owner parameter.
New owner             User profile name of the new owner when object ownership is transferred by the CHGOWN option.
New primary group     Name of the user profile that will become the new primary group.
New primary group authority
                      OLDPGP   The new primary group inherits the same authority as the old primary group.
                      PRIVATE  The new primary group inherits the same private authority as previously defined for all owned objects.
                      ALL      The new primary group assumes ALL authority.
                      CHANGE   The new primary group assumes CHANGE authority.
                      USE      The new primary group assumes USE authority.
                      EXCLUDE  The new primary group assumes EXCLUDE authority.

NOTE: Refer to IBM documentation for a complete discussion of object ownership and primary groups. P
Chapter 2: First Steps

This chapter covers the steps necessary to begin using Firewall for the first time. It also covers the basic procedures for configuring the product for day-to-day use.

Initial Setup and Definition

Overview
Firewall is easy to set up and use right out of the box. The factory default parameters are adequate for many installations; you will likely need to configure only a few parameters to meet the specific needs of your organization.

Note that, by default, protection is disabled for all servers, users and objects following initial installation. You must enable protection and define your security rules in order to benefit from Firewall protection. As with any computer security product, give careful consideration to defining security rules that maximize protection against intrusion and user abuse without adversely affecting legitimate user access or system response time. Before beginning the steps below, identify which specific servers and objects are to be protected and which users should be granted access rights to them.

This section is intended to help you configure Firewall and define your first security rules according to your organization's security policies. The process entails the fo
    Firewall Emergency Override
    Type options, press Enter.
    Emergency override . . . . *ALL
      Security setting . . . .           0=No change
                                         1=Allow          Use this option for short periods only.
                                         2=Allow+Log      Use 1 to eliminate business impact while you are resetting the rules.
                                         3=Reject         Use a Reject setting to react to and trace an intrusion.
                                         4=Reject+Log
    F3=Exit  F12=Cancel

    Database Server            Database access
    Changing the Secure parameter requires restarting the Host Server or an IPL.
    Modify data, or press Enter to confirm.
    F3=Exit  F8=Print  F9=Object security  F10=Logon security  F11=User security  F12=Cancel
    F22=Global setting  F23=FYI  F24=Emergency

Work with Server Security: Firewall Emergency Parameter

Parameter or Option   Description
Setting               0  Disable emergency override; all rules function normally
                      1  Allow all activity
                      2  Allow and log all activity
                      3  Reject all activity
                      4  Reject and log all activity

Chapter 4: Dynamic Filtering Security

Firewall rules control activity originating from, or outbound to, specific IP addresses. Inbound activity from specific SNA system names may likewise be controlled. Firewall also supports SSL restrictions on access to the FTP, Telnet, Database Server (including ODBC), Sign-on, Remote Access and DDM servers.

IP Address Firewall Rules
IP address firewall rules can apply to outbound and inbound activity. The definition procedur
Display License Management Log
      DHCP Security
       15. Display DHCP Security Log
      TCP/IP Port Restrictions
       21. Work with TCP/IP Port Restrictions
    Selection or command
    ===> _
    F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant  F16=AS/400 main menu

Work with Advanced Security

DDM/DRDA Security
Distributed Data Management (DDM) is a function of the operating system that allows an application program or user on one system to use database files stored on a remote system. The systems must be connected by a communications network, and the remote system must also use DDM. The term also applies to the underlying communications architecture. Distributed Relational Database Architecture (DRDA) is the architecture that defines formats and protocols for providing transparent access to remote data. DRDA defines two types of functions, the application requester function and the application server function. Both of these are integrated into the Firewall advanced security features.

Pre-Check User Replacement
This feature applies to both DDM and DRDA. Firewall performs a pre-check whenever a given user enters from a given location; the check is carried out under a substitute entity that Firewall creates for this purpose.

To work with Pre-Check User Replacement:
1. Select 1, Pre-check user replacement, from the Work with Advanced Security screen. The Work with DDM/DRDA Pre-check User Replacement screen appears.
2. Set the correct parameters and p
izard interface. One can view and work with many different users at once and compare settings between different users. The security officer can use this tool to review all users at a glance and immediately disable suspicious users. One-key access is provided to many of the other user sign-on tools.

To start the Work with Users wizard:
1. Select 1 from the User Management menu. The Action Work with Users screen appears, offering you several options to display filtered subsets of users.

    Action - Work with Users
    Type choices, press Enter.
    User . . . . . . . . . . . . . . .            Name, generic*, *ALL
    User disabled  . . . . . . . . . .            *YES, *NO
    User has password  . . . . . . . .            *YES, *NO
    Days since last signon is GE . . .            Number, *ALL
    Invalid signon attempts is GE  . .            Number
                                                                          Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display  F24=More keys

Action - Work with Users
Parameter or Option   Description
User                  *ALL       Display all users
                      Generic*   Display all users beginning with the text preceding the *
                      Name       Display a specific user profile
User enabled          YES        Display enabled users with passwords, who can sign on
                      NO         Display disabled users and those who cannot sign on
                      ALL        Display users irrespective of status
User has password     YES        Display only users whose password has expired
                      NO         Display only users whose passwo
k                    Enter the subnet mask using standard decimal format to define a range of IP addresses. Refer to the examples, or press F4 to select an appropriate subnet mask range.
Text                 Descriptive text.
Secure value         Y=Yes   Type Y to allow activity, or leave the field blank to reject activity, for each individual server.
                     S=SSL   Type S to set SSL restrictions for the various types of access protocols.
                     A=Allow always
                     B=SSL, Skip checks
                     L=Allow always and log
                     M=SSL, Skip checks, Log
                     Use of B and L can dramatically improve performance in situations such as a high volume of requests coming from an already trusted, well-secured IP that uses SSL and does not require checking of the requests. An example is a server connected via SSL that issues many SQL, ODBC and/or program calls.
Equivalent IP Range  Displays the range of IP addresses defined by the address and subnet mask.
F10                  Work with Logon security rules.

SSL Support
iSecurity Firewall now supports SSL restrictions on access to the FTP, Telnet, Database Server (including ODBC), Sign-on, Remote Access and DDM servers. This feature is unique in the System i network access security market. The benefits of this feature are:
1. A simple, easy-to-use interface for defining SSL restrictions for the various type
l Object Authority    AS/400 Native   1=*ALLOBJ   2=*EXCLUDE   3=*OBJAUT
                      IFS             1=*ALLOBJ   2=*EXCLUDE   3=*OBJAUT
    F3=Exit  F4=Prompt  F8=Print  F9=Object security  F10=Logon security  F12=Cancel

Modify User Security
Parameter or Option          Description
User                         Displays the user profile or user group name.
Activity Time                Time Group: type a time group name, or press F4 to select from a list.
Use Group Authorities        Y   Use specific group authorities
                             N   Do not use any specific group authorities
Authorities and Locations    2   Services: specify authorities and location by service name
                             3   IP: specify authorities and location by IP name
                             4   Device Names: specify authorities and location by device name
In-product Special Object Authority   Use this field to define object authority for the user/group for AS/400 Native and IFS objects.
F8                           Print user-to-service security rules
F9                           Work with object security rules
F10                          Work with Logon security rules

Client Application Security
Client Application Security is an alternative way to set network security. Until now, most IBM i network access products focused on the database being accessed and on the commands and program calls, in order to determine whether an access should be accepted or rejected. Client Application Security provides the ability to allow a client application to be authoriz
l be allowed, and an N indicates that transactions will be rejected. The background color of each letter indicates whether the rule currently in effect is specific to this line (IP address) or is generic, meaning that the current rule applies to more than one line. For example, the rules for the first line, 1.1.1.53, are relevant for this IP address only. The second line, 1.1.1.55, is covered by a generic rule that applies to several IP addresses. This generic rule could be a default rule that covers all IP addresses not covered by a specific rule, or it could be a single rule that covers multiple IP addresses via a subnet mask.

Background Color                                   Rule Source
Green (black on a white display) or Red            Specific rule
Cyan (blue on a white display) or Pink             Generic rule

Use the R column to modify the rule in effect for that line. If the line is covered by a generic rule, an entry in the R column has the effect of creating a new rule specific to that line.

Option      Description
C Columns   Display the rule currently in effect for each activity type column. Refer to the previous page for a more detailed explanation. Y=allowed, N=rejected.
R Columns   Type Y (Allow) or N (Reject) to modify the rule currently in effect for each activity type. Refer to the previous page for a more detailed explanation.
Opt         4  Delete this ru
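The following Python is an example added to this manual, not part of the Firewall product or any Raz-Lee code. It shows the two ideas from the subnet mask parameter and the wizard display above: how an address plus subnet mask resolves to the Equivalent IP Range, and how a specific (single-host) rule takes precedence over a generic subnet or default rule, the distinction the wizard marks with green versus cyan. The rule table, server names and addresses are constructed for illustration; a server with no secure value in the matching rule is treated as Blank (reject).

```python
"""Added example, not part of the Firewall product: subnet-mask rule lookup.

A rule is (address, subnet mask, per-server secure values) where True stands
for the 'Y' (allow) value and False for Blank (reject). Everything below is
constructed for illustration; it is not Raz-Lee's rule file format."""
import ipaddress

RULES = [
    # default rule: matches every address, rejects FTP and ODBC, allows Telnet
    ("0.0.0.0",   "0.0.0.0",         {"FTP": False, "ODBC": False, "TELNET": True}),
    # generic rule: one subnet mask covering the whole 10.1.0.0/16 range
    ("10.1.0.0",  "255.255.0.0",     {"FTP": True,  "ODBC": True,  "TELNET": True}),
    # specific rule: a single host (mask 255.255.255.255)
    ("10.1.1.53", "255.255.255.255", {"FTP": True,  "ODBC": False, "TELNET": False}),
]

def as_network(address, mask):
    """Build the network for address/mask; strict=False tolerates host bits set."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)

def equivalent_range(address, mask):
    """The 'Equivalent IP Range' of the rule screen: first and last address."""
    net = as_network(address, mask)
    return str(net.network_address), str(net.broadcast_address)

def effective_rule(ip, rules=RULES):
    """Most specific rule whose range contains ip (longest prefix wins).
    Returns (permissions, kind); kind is 'specific' for a single-host rule,
    'generic' for a subnet or default rule, None when nothing matches."""
    addr = ipaddress.IPv4Address(ip)
    best_net, best_perms = None, None
    for address, mask, perms in rules:
        net = as_network(address, mask)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_perms = net, perms
    if best_net is None:
        return None, None
    return best_perms, ("specific" if best_net.prefixlen == 32 else "generic")

def decide(ip, server, rules=RULES):
    """'Y' or 'N' for one server access from ip, plus which kind of rule decided.
    A server with no secure value in the matching rule is treated as Blank."""
    perms, kind = effective_rule(ip, rules)
    if perms is None:
        return "N", "none"
    return ("Y" if perms.get(server, False) else "N"), kind

if __name__ == "__main__":
    print("10.1.0.0/255.255.0.0 covers", equivalent_range("10.1.0.0", "255.255.0.0"))
    for ip in ("10.1.1.53", "10.1.1.55", "192.168.1.6"):
        print(ip, {s: decide(ip, s) for s in ("FTP", "ODBC", "TELNET")})
```

Running the block shows 10.1.1.53 rejected for ODBC by its own specific rule while 10.1.1.55, one address away, is allowed by the generic /16 rule, which is exactly the situation the R column is for: an entry there for 10.1.1.55 would create a new specific rule for that line.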
lar to the ones available in the Action module, but less flexible. Those responses, such as notification of intrusions to the administrator by MSGQ and email, are general and easy to use, yet important. See Chapter 10, Maintenance.

Native OS/400 Text-Based User Interface
Firewall is designed from the ground up to be a user-friendly product for auditors, managers, security personnel and system administrators. The user interface follows standard System i CUA conventions. All product features are available via the menus, so users are never required to memorize arcane commands. Many features are also accessible via the command line, for the convenience of experienced users.

Menus
Product menus allow easy access to all features with a minimum number of keystrokes. Menu option numbering and terminology is consistent throughout this product and with other Raz-Lee products. To select a menu option, simply type the option number and press Enter. The command line is available from nearly all product menus. If the command line does not appear and your user profile allows use of the command line, press F10 to display it.

Commands
Many Firewall features are accessible from any command line simply by typing the appropriate command. Some of the most commonly used commands appear below.
Display Firewall log        DSPFWLOG
Run a Firewall query        RUNFWQRY
Run a predefined group o
le             5  Display the detailed Activity Log for this rule
               9  Create a new rule based on an existing one
F6             Create a new rule covering activity NOT shown on any line. For example, use F6 to create a new rule for an IP address that does not appear on this screen.
F8             Print all activity and rules shown in this wizard.
F11            Display additional data for each line, with fewer lines per screen.

Native OS/400 Objects Log
Options 4, 5 and 6 on the Firewall option 41 screen have a Group by parameter for summarizing log output data. The value GRPPRF summarizes by system group profiles, plus all users not defined in group profiles. The value USRGRP summarizes by user groups. The value GROUP first causes the product to attempt to associate the user with a relevant user group, and then to attempt to associate the user with a relevant group profile; if both fail, the user profile name appears in the report.
1. To see the Summarize Native AS/400 Log, select option 1, Create Working Data Set, from the Native OS/400 Object Security menu.
2. The Summarize Native AS/400 Log (CPRNTVSEC) screen appears.

    Summarize Native AS/400 Log (CPRNTVSEC)
    Type choices, press Enter.
    Object . . . . . . . . . . . . *ALL        Name, generic*, *ALL
      Library  . . . . . . . . . . *ALL        Name, *ALL
    Object type  . . . . . . . . . *ALL        *ALL, *FILE, *LIB, *DTAQ...
    (field name illegible)  . . .  *ALL        Name, *ALL
    Group by . . . . . . . . . . . *GR
le name appears in the report.
Allowed                   YES   Include allowed transactions only
                          NO    Include rejected transactions only
                          ALL   Include all transactions
Starting date & time /    Select only the events occurring within the range specified by the start and end date/time combination.
Ending date & time        Date and time: enter the date and time, or one of the following constants:
                          *CURRENT               Current day
                          *YESTERDAY             Previous day
                          *WEEKSTR / *PRVWEEKS   Current week / previous week start
                          *MONTHSTR / *PRVMONTH  Current month / previous month start
                          *YEARSTR / *PRVYEARS   Current year / previous year start
                          *SUN ... *SAT          Day of week
Server ID                 Press F4 to select a server ID from a list window, or type *ALL to include activity for all servers.
Set name                  Enter a name for this data set, or use one of the following constants:
                          *USER           Use your user profile as the data set name
                          *SELECT or *S   Select a data set from the pop-up list
Replace or add records    *ADD       Add records to an existing data set, if one exists
                          *REPLACE   Replace an existing data set of the same name
Wizard type               *FAST (default)   Allows you to initiate a rule wizard immediately by pressing Enter
                          *STD              Standard
                          *NO

2. Enter the required parameters and press Enter to begin the selection process and return to the Wizard menu.

Plan Secu
llowing steps, in sequential order:
1. Obtain and enter the authorization code (temporary or permanent), if you have not already done so.
2. Start Firewall.
3. Change the iSecurity product password.
4. Enable the FYI Simulation Mode on a global basis, using the System Configuration option on the main menu.
5. Review the basic system configuration parameters and change those necessary to meet your organizational needs.
6. Enable protection and logging for all activity on all servers. Make certain that the security level is set to 1 (Allow) for all servers.
7. After a suitable period of activity (several days or weeks), use the Rule Wizards to analyze the logged activity and to define security rules based upon your organizational security policies.
8. Use the Activity Log and the Query Wizard to analyze activities not covered by the Rule Wizards. Define appropriate rules based on this analysis.
9. Create User Groups and Time Groups according to your organizational requirements.
10. After a suitable period of further activity, use the Rule Wizards, Activity Logs and queries to ensure that your new rules are effectively blocking unauthorized access while not preventing legitimate user access.
11. Disable the FYI Simulation Mode. From this point forward, unauthorized user access will be blocked.

Starting Firewall for the First Time
lnet from the Firewall main menu. The Telnet Security screen appears.
2. Select 1, Telnet Logon, to access the Work with TELNET Logon Security screen.
3. Press F6 to access the Add TELNET Logon Security Setting screen.

Sign-on
The Firewall Telnet Sign-on feature enables limiting a user to sign on from a specific IP or terminal name for each sign-on, as well as limiting the number of sessions the user will be allowed to work in.
To work with sign-on security, select 15, Display SIGNON Log, from the Telnet Security screen.
1. Set the parameters and press Enter. The Display Firewall Log screen appears with all the transactions that used the Sign-On server.

    Display Firewall Log
    22/01/07  *SIGNON        Denied for DAN from 192.168.1.6 in job 521311/DAN/QPADEV0002
    22/01/07  *SIGNON *FYI*  Denied for DAN from 192.168.1.6 in job 521312/DAN/QPADEV0002
                                                                                   Bottom
    F3=Exit  F6=Modify rule  F7=Add action  F10=Details  F11=(label illegible)  F12=Cancel  F17=Top  F18=Bottom

2. Press F10 for additional message information, or F6 to modify the rule.

    Additional Message Information                              System: S720
    Message ID . . . . . . . :  GRE6422
    Transaction
      Date sent  . . . . . . :  22/01/07      Time sent . . . . . :  01:05:45
      Server . . . . . . . . :  Sign On Completed
      Decision taken on level:  GSSGN Signon/logon
      Operation mode . . . . :
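The following Python is an example added to this manual, not Raz-Lee code: it parses Display Firewall Log lines of the shape shown above and separates enforced rejects from *FYI* (simulated) ones, then counts repeated rejects per user and source address, the pattern an intrusion message queue or an Action rule would be expected to flag. The line layout is assumed from the two lines on this page, and the sample log is constructed.

```python
"""Added example, not part of the Firewall product: parse Display Firewall Log
lines and separate enforced rejects from *FYI* (simulated) ones. The line
layout is assumed from the two lines shown on this page; the sample log is
constructed."""
import re
from collections import Counter

LOG_LINE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d)\s+(?P<server>\*[A-Z0-9]+)\s+"
    r"(?:(?P<fyi>\*FYI\*)\s+)?(?P<decision>Denied|Allowed) for (?P<user>\S+) "
    r"from (?P<ip>\S+) in job (?P<jobnum>\d+)/(?P<jobuser>\S+)/(?P<jobname>\S+)$"
)

# Constructed sample: three enforced sign-on rejects for DAN from one address,
# one simulated (*FYI*) reject, and one allowed FTP request from another user.
SAMPLE_LOG = """\
22/01/07 *SIGNON Denied for DAN from 192.168.1.6 in job 521311/DAN/QPADEV0002
22/01/07 *SIGNON *FYI* Denied for DAN from 192.168.1.6 in job 521312/DAN/QPADEV0002
22/01/07 *SIGNON Denied for DAN from 192.168.1.6 in job 521313/DAN/QPADEV0003
22/01/07 *FTP Allowed for ANNA from 10.1.1.53 in job 521314/ANNA/QPADEV0004
22/01/07 *SIGNON Denied for DAN from 192.168.1.6 in job 521315/DAN/QPADEV0005
"""

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # In FYI simulation mode Firewall logs 'Denied' but lets the request through,
    # so a *FYI* Denied entry is not an enforced reject.
    entry["simulated"] = entry.pop("fyi") is not None
    entry["enforced_reject"] = entry["decision"] == "Denied" and not entry["simulated"]
    return entry

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]

def repeated_rejects(entries, threshold=3):
    """(user, ip) pairs with at least `threshold` enforced rejects."""
    counts = Counter((e["user"], e["ip"]) for e in entries if e["enforced_reject"])
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        state = "simulated" if e["simulated"] else "enforced"
        print(e["server"], e["decision"], state, e["user"], e["ip"], e["jobnum"])
    print(repeated_rejects(entries))
```

The *FYI* line is deliberately excluded from the reject count: while simulation mode is on, such a line records what Firewall would have done, not what it did, so it must not be read as evidence that the sign-on was blocked.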
ministrators. This user-friendly feature allows the user to view historical activity together with the security rule currently in effect, on a single screen. One can even modify the existing rule or define a new rule without closing the wizard. The Rule Wizards are an invaluable tool for defining the initial set of rules after installing Firewall for the first time.

Log
The activity log provides complete details for every transaction captured as a result of a security rule. The user can select the activities to be included in the Activity Log and the conditions under which they are logged (an average of 800 bytes per SQL statement). Users can display or print selected records from the Activity Log by entering the Display Firewall Log command (DSPFWLOG) on any command line, or from numerous locations on Firewall menus and data screens.
For REJECTS, the log entry shows the first level at which the request violated the Firewall rules. For ALLOWED requests, the log entry shows the last test that was taken and found valid.
Users, including any other user, CANNOT update or delete records from the file that contains the log. This is true even when using SQL, DFU, the CHGPF command, and so on.
- Users that are authorized to option 82 > 11 as Administrators can set up the number of days that data is kept online.
- Users that are authorized to option 82 > 11 as Administrators can use STRFW 82 > 51, Wo
n                 Description
Command/Library   Name and library path of the command(s) included in this rule.
User/User Group   Enter a user profile, or press F4 to select a user profile from a list.
Command           Y   Users may execute OS/400 commands
FTP/REXEC         Y   Users may execute commands via FTP or REXEC
DDM               Y   Users may execute commands via DDM
Press Enter to return to the Native OS/400 Object Security screen.

Work with Pre-check Library Replacement
In case there are many libraries that require the same authorities, select option 61 to create one library of authorization rules to be applied to the list of libraries.

    Work with Pre-check Library Replacement
    Type options, press Enter.
      1=Select   4=Delete                                     Subset . . . ________
    Opt  Source Library   Target Library
         A*               REUT
         B*               RV1
         C*               CVTPFXLS
         CCCC             DLT
         DD*              AUGS
         DDDDDD           YYYYYY
         FFF              BBB
         777777           ZION
                                                                          Bottom
    Use this screen to eliminate repetitive rules in cases where there is a set of libraries which require similar Native Object rules. For testing purposes only, the check will be conducted on the Target Library.
    F3=Exit  F6=Add new  F8=Print  F12=Cancel

Work with Pre-check Library Replacement
Press F6 to add a new library of rules. This will be the Target Library.

    Type choices, press Enter.
    Source Library . . . . . . . .
    Pre-check Lib
n exploit these profiles to gain access to critical data via FTP, ODBC connectivity or other methods, even without knowing the password. For this reason it is always a good idea to periodically audit your system and disable any users who have not signed on recently. The Work with Users Wizard, discussed in the previous section, is an excellent tool for performing such a review and manually disabling inactive users.

Action includes the Auto-Disable feature, which allows for disabling inactive user profiles automatically after a specified period. Automatic disabling applies to any user who has not signed on for the specified number of days. One can also designate specific users as exceptions who cannot be disabled automatically. OS/400 system-generated profiles (prefixed by the letter Q) are never automatically disabled.

To enable the Auto-Disable feature, select 11, Work with Auto-Disable, from the User Management menu. Set the Auto-Disable inactive users parameter to YES and specify the number of days of inactivity in the appropriate field. To disable this feature, set the Auto-Disable inactive users parameter to NO.

    Auto-Disable Inactive Users
    Type choices, press Enter.
    Auto-Disable inactive users . . .
    Days of inactivity  . . . . . . .  6
    Users who have not signed on for the specified period will be disabled automatically.
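The following Python is an example added to this manual, not Raz-Lee code: it applies the Work with Users filters (disabled status, password, days since last sign-on, invalid sign-on attempts) and the Auto-Disable policy (inactivity threshold, exception list, Q* profiles never disabled) to a constructed list of profiles. The profile fields, the sample profiles and the fixed reference date are assumptions; so is the treatment of a profile that never signed on as inactive, since the page only says that not signing on for N days triggers disabling.

```python
"""Added example, not part of the Firewall product: the Work with Users
filters and the Auto-Disable policy applied to constructed profiles."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2007, 1, 22)   # fixed reference date so results are reproducible

@dataclass
class UserProfile:
    name: str
    enabled: bool                 # profile status is *ENABLED
    has_password: bool
    last_signon: Optional[date]   # None = never signed on
    invalid_signon_attempts: int = 0

# Constructed sample profiles.
USERS = [
    UserProfile("DAN",     True,  True,  date(2007, 1, 20), invalid_signon_attempts=4),
    UserProfile("ANNA",    True,  True,  date(2006, 10, 1)),
    UserProfile("OLDUSER", True,  True,  date(2006, 3, 15)),
    UserProfile("QSECOFR", True,  True,  date(2006, 1, 1)),    # Q* system profile
    UserProfile("SVCACCT", True,  True,  date(2006, 1, 1)),    # listed as an exception below
    UserProfile("TEMP1",   False, True,  date(2006, 12, 1)),   # already disabled
    UserProfile("NEWUSER", True,  True,  None),                # never signed on
]

def days_since_signon(u, today=TODAY):
    return None if u.last_signon is None else (today - u.last_signon).days

def work_with_users(users, disabled=None, has_password=None,
                    min_days_since_signon=None, min_invalid_attempts=None, today=TODAY):
    """Names matching every filter given (None = filter not applied).
    'Days since last signon is GE' cannot match a profile that never signed on."""
    out = []
    for u in users:
        if disabled is not None and u.enabled == disabled:
            continue
        if has_password is not None and u.has_password != has_password:
            continue
        if min_days_since_signon is not None:
            d = days_since_signon(u, today)
            if d is None or d < min_days_since_signon:
                continue
        if min_invalid_attempts is not None and u.invalid_signon_attempts < min_invalid_attempts:
            continue
        out.append(u.name)
    return out

def auto_disable_candidates(users, days_of_inactivity, exceptions=(), today=TODAY):
    """Profiles Auto-Disable would disable: enabled, not a Q* system profile,
    not in the exception list, and inactive for at least days_of_inactivity.
    Assumption: a profile that never signed on counts as inactive."""
    out = []
    for u in users:
        if not u.enabled or u.name.startswith("Q") or u.name in exceptions:
            continue
        d = days_since_signon(u, today)
        if d is None or d >= days_of_inactivity:
            out.append(u.name)
    return out

if __name__ == "__main__":
    print("repeated invalid sign-ons:", work_with_users(USERS, min_invalid_attempts=3))
    print("inactive 100+ days:", work_with_users(USERS, min_days_since_signon=100))
    print("auto-disable at 90 days:", auto_disable_candidates(USERS, 90, exceptions={"SVCACCT"}))
```

Note the difference between the two functions: the wizard filter on days since last sign-on lists QSECOFR and SVCACCT for the security officer to review, whereas the Auto-Disable run skips both, one because it is a Q profile and one because it is an exception, and that is the behaviour the page describes.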
n keys to scroll through a long list. For each activity type, Y = activity allowed and Blank = activity rejected. *PUBLIC is the default rule for all users not explicitly covered by an object security rule. You should always make certain that the *PUBLIC rule contains sufficient permissions to allow access to objects by ordinary users.

Parameter or Option   Description
Print File/Library    Shows the print file(s) and library path included in this rule.
User/Group            Enter a user profile, or press F4 to select a user profile or group name from a list.
Open Print file       Y   Users may use the specified file
Press Enter to return to the Work with Native Object Security screen.

Programs
1. From the Native AS/400 Object Security screen, select 5, Programs. The Work with Native AS/400 Program Security screen appears. This screen lists all the rules currently in effect.
2. Type 1 to modify an existing rule, or press F6 to create a new rule.
3. Press Enter to return to the Native OS/400 Object Security menu.

    Work with Native AS/400 Program Security
    Type options, press Enter.
      1=Select   3=Copy   4=Delete
    Opt  Program   Library
         *ALL
         CLRPFM    QSYS
                                                                          Bottom
    F3=Exit  F6=Add new  F8=Print  F12=Cancel

Work with AS/400 Program Security
Parameter or Option   Description
Opt                   1=Select this rule for modification
                      3=Copy this rule for another user
n the interface between the System i and various external access protocols and methodologies, such as FTP, Telnet, ODBC database access, DRDA database access, etc. OS/400 employs a variety of logical servers, sometimes referred to as Function Servers, that control activity between applications and the exit points. Each server controls one or more specific exit points. Exit programs are scripts or programs that run automatically whenever activity occurs via a particular exit point. Customized exit programs can provide additional security or functionality for specific types of activity.

Working with Server Security Rules
Firewall uses only one security rule for each server; working with server security consists of modifying these rules. By default, protection is disabled for all servers and all activity is allowed.

To work with server security rules:
1. Select 1, Activation and Server Setting, from the main menu.
2. Select option 1, Work with Servers. The Work with Server Security screen appears.

The Work with Server Security screen lists the current rules for each server. The number of servers available depends on the version of OS/400 installed on the system. This screen displays the current status of each server security rule. One can select one or more rules for modification. The user can also view an explanation and displa
name            LIST     S720 S158
    Object  . . . . . . . . . . . .  START    PAYROLL
    Object library
    Object type
    User
    F3=Exit  F4=Prompt  F6=Insert  F12=Cancel

Filter Conditions
Parameter or Option   Description
And/Or                A or Blank = And;  O = Or
Field                 Data field in the Activity Log
Test                  Comparison test type; see the table on the following page for details
Value                 Value to be used in the comparison test
F4                    Displays explanatory information and/or options applicable to the data field on the line where the cursor is located
F6                    Select another comparison test from a pop-up window and insert it at the current cursor position

Comparison Test Operators
Several different types of comparison test operators are available, as shown in the following table.
Test            Description
EQ / NE         Equal to / Not equal to Value
LT / LE         Less than / Less than or equal to Value
GT / GE         Greater than / Greater than or equal to Value
LIST / NLIST    Included in list / Not included in list (values separated by a space)
LIKE / NLIKE    Substring search (the value preceded and/or followed by the wildcard)
ITEM / NITEM    Item in a group: checks whether the value is among the group's members. A General group is an external value list that can be extended by creating
USER            Check that the value is a user in a GROUP of users
GRPPRF          Check that the value is a user in an OS/400 Group
ncoming Terminal Name     Terminal name assigned by the System i or emulation software.
Minimum Pwd Validation    The method used to validate the incoming user profile. Apply the rule according to the password validation level:
                          0  No password validation
                          1  Use password
                          2  Use encrypted password
                          3  Connection is using SSL
Time group                Enter a time group name, or press F4 to select from a list.
Logon                     1  Accept logon request
                          2  Reject logon request
                          3  Sign on automatically, if permitted by the System i configuration
                          4  Force sign-on, even if the System i is configured for automatic sign-on
Assigned terminal name    Enter the name to optionally replace the incoming terminal name.
                          Generic*         Text before the *, plus a sequentially assigned number
                          *SAME or Blank   Do not replace the incoming terminal name
                          *SYSTEM          Use the terminal name assigned by OS/400
Set new                   Define code page, character set and keyboard layout.
Alt User                  Automatically sign on with the specified replacement user profile.
Alt Current Library       Automatically replace the default current library with the specified library.
Alt Program               Automatically replace the default program to be run at sign-on.
Alt Initial menu          Automatically replace the default initial user menu at sign-on.

SSL Control in Firewall
Firewall can be set up to require SSL on Telnet and FTP sessions, based on the IP or the user. To set up SSL control in Firewall, follow this procedure:
1. Select 32, Te
ng and/or Modifying Time Groups
Perform these steps to define a time group:
1. Select 49, Time Groups, from the main menu. The Define Time Groups screen appears.

    Define Time Groups
    Type options, press Enter.
      1=Select   4=Delete
    Opt  Time Group   Description
         NIGTH        Night Shift time group
         SUMMER       The Work Hours During Summer
         WINTER       Work Hours During Winter
    F3=Exit  F6=Add new  F8=Print list  F12=Cancel

2. Select a time group to modify, or press F6 to add a new group.
3. Press Enter to accept the definition and return to the Define Time Groups screen.

Option   Description
Opt      1  Modify a time group. The Change Time Group screen appears.
         4  Delete a time group
F6       Add a new time group
F3       Return to the main menu

Application Groups
Overview
Application Groups consist of users whose access to certain applications is defined to be identical. The name of the group is the application itself, i.e. Excel, OPSNAV, etc. Define which servers are used by the application, and then select its members. Upcoming releases will include predefined application groups for widely used applications such as OPSNAV and FILE SERVER. Object-level rules can be defined for application groups as well.

Defining and/or Modifying Application Groups
Perform these steps to define an application group:
1. Select 12
ng date & time (continued)   Select only the events occurring within the range specified by the start and end date/time combination.
                             Date and time: enter the appropriate date or time, or one of the following constants:
                             *CURRENT               Current day
                             *YESTERDAY             Previous day
                             *WEEKSTR / *PRVWEEKS   Current week / previous week start
                             *MONTHSTR / *PRVMONTH  Current month / previous month start
                             *YEARSTR / *PRVYEARS   Current year / previous year start
                             *SUN ... *SAT          Day of week
User or Group                Filter records by user profile or group.
Object                       Filter records by object.
                             Name       Specific object by name
                             Generic*   All objects/libraries beginning with the text string preceding the *
                             *ALL       All types, as specified in the query definition

Parameter or Option          Description
Object Type                  Filter records by object type.
Type                         Server type.
                             *ALL   All server types
                             F4     Select a server type group from a list
Allowed                      YES   Allowed
                             NO    Rejected
                             ALL   All activity
Number of records to process Maximum number of records to process. *NOMAX (the default) = no maximum.
Output                       *PRINT     Prints to the local printer
                             *PRINT1    Prints to a remote printer
                             *PRINT2    Prints to both the remote and local printers
                             *PRINT3-9  User modifiable
Additional Parameters
Filter by Time Group         IN   Include all records in the time group (inclusive relationship)
                             O
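The following Python is an example added to this manual, not Raz-Lee code. The date constants (*CURRENT, *YESTERDAY, *WEEKSTR, *PRVWEEKS, *MONTHSTR, *PRVMONTH, *YEARSTR, *PRVYEARS and *SUN through *SAT) appear both in the data set parameters earlier on this page and in the query parameters above; the block resolves each of them to a concrete date for a given reference day and then tests an event timestamp against a Starting/Ending date and time window. Two assumptions the page does not settle: weeks are taken to start on Sunday, and *SUN..*SAT mean the most recent such day on or before today.

```python
"""Added example, not part of the Firewall product: resolving the date
constants used by the Starting/Ending date parameters, and testing an event
against the resulting window. Assumptions: weeks start on Sunday; *SUN..*SAT
mean the most recent such weekday on or before today."""
from datetime import date, datetime, time, timedelta

WEEKDAYS = ["*MON", "*TUE", "*WED", "*THU", "*FRI", "*SAT", "*SUN"]  # date.weekday() order

def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)

def week_start(d):
    """Sunday on or before d (assumed week start)."""
    return d - timedelta(days=(d.weekday() + 1) % 7)

def resolve_date(constant, today):
    """Turn a date constant (or a 'YYYY-MM-DD' literal) into a date."""
    today = _as_date(today)
    c = constant.upper()
    if c == "*CURRENT":
        return today
    if c == "*YESTERDAY":
        return today - timedelta(days=1)
    if c == "*WEEKSTR":
        return week_start(today)
    if c == "*PRVWEEKS":
        return week_start(today) - timedelta(days=7)
    if c == "*MONTHSTR":
        return today.replace(day=1)
    if c == "*PRVMONTH":
        return (today.replace(day=1) - timedelta(days=1)).replace(day=1)
    if c == "*YEARSTR":
        return today.replace(month=1, day=1)
    if c == "*PRVYEARS":
        return today.replace(year=today.year - 1, month=1, day=1)
    if c in WEEKDAYS:
        back = (today.weekday() - WEEKDAYS.index(c)) % 7
        return today - timedelta(days=back)
    return date.fromisoformat(constant)

def parse_hhmmss(text):
    """Times are entered as HHMMSS, e.g. 000000 or 235959 (as on the screens)."""
    return time(int(text[0:2]), int(text[2:4]), int(text[4:6]))

def in_range(event, start_date, start_time, end_date, end_time, today):
    """True when the event timestamp (datetime or ISO string) lies within the
    inclusive window built from the start/end date constants and HHMMSS times."""
    event = event if isinstance(event, datetime) else datetime.fromisoformat(event)
    start = datetime.combine(resolve_date(start_date, today), parse_hhmmss(start_time))
    end = datetime.combine(resolve_date(end_date, today), parse_hhmmss(end_time))
    return start <= event <= end

if __name__ == "__main__":
    today = "2007-01-22"   # a Monday
    for c in ("*CURRENT", "*YESTERDAY", "*WEEKSTR", "*PRVWEEKS", "*MONTHSTR",
              "*PRVMONTH", "*YEARSTR", "*PRVYEARS", "*SUN", "*TUE"):
        print(c, resolve_date(c, today))
    print(in_range("2006-12-31T23:00:00", "*PRVYEARS", "000000", "*CURRENT", "235959", today))
```

The defaults shown on the Display Firewall Log screen later on this page, *PRVYEARS 000000 to *CURRENT 235959, therefore cover everything from the first second of last year to the last second of today.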
nu appears.
2. Select 19, Select from menu, and choose one of the many predefined log display options. Examples of these selections are:
- 1. Entire Log: display all entries in the Activity Log. This option is useful when examining all activities over a period of time, perhaps in conjunction with the Backward Glance feature.
- 2. Rejects Only: display only activities that have been rejected.
- 5. Entire Log (last 5 minutes): display only occurrences from the last 5 minutes.
3. Enter run-time filter and other parameters on the Display Firewall Log Entries screen.

    Display Firewall Log
    Type choices, press Enter.
    Display last n minutes  . . . . . *BYTIME      Number, *BYTIME
    Starting date and time:
      Starting date . . . . . . . . . *PRVYEARS    Date, *CURRENT, *YESTERDAY...
      Starting time . . . . . . . . . 000000       Time
    Ending date and time:
      Ending date . . . . . . . . . . *CURRENT     Date, *CURRENT, *YESTERDAY...
      Ending time . . . . . . . . . . 235959       Time
    User* or *GROUP . . . . . . . . .              Name, generic*, *ALL
    Object  . . . . . . . . . . . . .              Name, generic*, *ALL
      Library . . . . . . . . . . . .              Name, *ALL
    Object Type . . . . . . . . . . .              *ALL, *SYS, *FILE, *LIB, *DTAQ...
    IP generic* address . . . . . . .
    Type  . . . . . . . . . . . . . .              *SELECT, *NATIVE, *IFS...
    Allowed . . . . . . . . . . . . .              *YES, *NO
    Number of records to process  . .              Number, *NOMAX
    Output  . . . . . . . . . . . . .              *, *PRINT, *PRINT1-9, *OUTFILE
                                                                          Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display

Parameter or Option   Display last n minutes
number of rules in order to achieve maximum security, and the System i has to process (apply rules to) far fewer transactions than with many similar products. This saves planning and maintenance time as well as valuable system resources.

Top-down security offers a simple hierarchy of rule types. When a higher-level rule type fully meets a situation's security requirements, the user does not have to formulate any more rules for that situation. The following drawing illustrates this concept.

[Figure: Firewall Layered Security Design. Labels recoverable from the drawing: Reject; FYI Simulation Mode; Emergency Override; Level of Control; IP/SNA Firewall (IP, SNA, Subnet Mask Support); Firewall User Groups; User to Service and Verb; IBM Group Profiles; User to Object; Management Rights; Generic Names; Data Rights.]

[Figure: Firewall Layered Security Design (2), Standard Firewall. Labels: FTP authorities based on IP & User; Telnet terminal based on IP, Automatic Signon, Remote Logon; Internet WSG, user to IP address; Passthrough, user to system name (SNA).]

System i security is based on five basic levels:
- Server (Exit Point) Security
- TCP/IP Address Firewall Security
- User-to-Service Security
- Object Security
- Logon Security provides additional security features once ac
…to continue.
Screen: Work with Server Security: Firewall *FYI* Simulation Mode. Type options, press Enter.
   Work in simulation mode . . .   Y, N
   While in this mode Firewall simulates the application of rules without rejecting transactions. Activity is recorded in the log with the *FYI* designation. *FYI* is an acronym for "For Your Information".
   F3 Exit  F12 Cancel
Note: changing the Secure parameter requires restarting the Host Server or an IPL. Modify the data or press Enter to confirm.
   F3 Exit  F8 Print  F9 Object security  F10 Logon security  F11 User security  F12 Cancel  F22 Global setting  F23 FYI  F24 Emergency
Work with Server Security: the Firewall FYI parameter.
Using the Emergency Override Feature
The Emergency Override feature allows users to override all existing security rules temporarily by allowing or rejecting all activity. This is useful for responding quickly to emergencies, such as critical transactions being rejected because of problems with the Firewall security rules, or a sudden security breach. To work with emergency override:
1. Press F24 from the Work with Server Security window. The Firewall Emergency Parameter pop-up window appears.
2. Type a setting according to the table below.
3. Press Enter to confirm and return to the Work with Server Security window.
Screen: Work with Server Security: F…
…to one message queue, all accepted transactions to another, or send both to the same message queue.
1. To use Intrusion Detection, select 5 Intrusion Detection from the iSecurity part I Global Parameters screen. The Firewall Intrusion Detection screen appears.
2. Set the parameters and press Enter.
Screen: Firewall Intrusion Detection System. Type options, press Enter.
   Setting up an Intrusion Detection System
   Monitoring message queue: Name . . . QSYSOPR (enter a message queue name or QSYSOPR); Library . . . *LIBL
   At the monitoring workstation enter CHGMSGQ with DLVRY(*BREAK) SEV(8). This causes rejection messages to break in with a beep.
   When intrusion is detected (Real Mode):
     End the offending interactive session
     Send message to the user
     Disable user (F15 for exceptions)
     Send E-mail to the user
     Send E-mail to Security; E-mail address (the sample screen shows udi@razlee.com)
     Run Action (if Action is installed)
     Write to QAUDJRN security audit journal . . . N    (audit journal code U, journal entry type FW; data format: see SMZ8/GSCRLP)
   Screening of Allowed Activity: enter a message queue name
   F3 Exit  F12 Previous  F15 Disable exceptions
Firewall Intrusion Detection System: parameters
   Monitoring message queue: Name, the name of the user message queue; Library, the location of the message queue.
   Write t…
…log. This option allows the user to view and inspect that log.
1. Select 15 Display DHCP Security Log from the Work with Advanced Security screen. The Display Firewall Log screen appears.
2. Type options and press Enter.
Screen: Display Firewall Log (DSPFWLOG). Type choices, press Enter.
   Display last n minutes . . . *BYTIME            Number, *BYTIME
   Starting date and time: Starting date *CURRENT (Date, *CURRENT, *YESTERDAY); Starting time 000000 (Time)
   Ending date and time: Ending date *CURRENT (Date, *CURRENT, *YESTERDAY); Ending time 235959 (Time)
   User* or %GROUP . . . *ALL                      Name, generic*, *ALL
   Object . . . *ALL                               Name, generic*, *ALL
   Library . . .                                   Name, *ALL
   Object Type . . . *ALL                          *ALL, *SYS, *FILE, *LIB, *DTAQ
   IP generic* address . . . *ALL
   Type . . . *DHCP                                *SELECT, *NATIVE, *IFS, *DHCP
   Allowed . . . *ALL                              *YES, *NO, *ALL
   Number of records to process . . . *NOMAX       Number, *NOMAX
   Output . . . *                                  *, *PRINT, *PRINT9, *OUTFILE
   F3 Exit  F4 Prompt  F5 Refresh  F10 Additional parameters  F12 Cancel  F13 How to use this display  F24 More keys
Display Firewall Log: parameters
   Display last n minutes: select only the events that occurred within the previous number of minutes specified by the user. Number: enter the desired number of minutes. *BYTIME: select according to the starting and ending times specified below.
   Starting date and time, Ending date and time: …
…command.
   F12 Cancel: return to the previous screen or menu without updating.
Other iSecurity Products
Assessment checks your ports, sign-on attributes, user privileges, passwords, terminals and more. Results are provided instantly, with a score for the current network security status under the present policy, compared with the network as it would be if iSecurity were in place.
Audit is a security auditing solution that monitors System i events in real time. It includes a powerful query generator plus a large number of predefined reports. Audit triggers customized responses to threats via the integrated script processor contained in Action.
Action automatically intercepts and responds to security breaches, system activity events, QHST contents and other message queues. Inquiry messages can be answered automatically. Alerts are sent by e-mail, SMS, pager or message queue. An easy-to-use Rule Wizard helps define rules and actions.
Capture silently captures and documents user screens for tracking and monitoring, without any effect on system performance. Capture can run in playback mode and can be used to search within the captured text. It also preserves job logs for subsequent review. Screen captures can be selected by user name, IP address, time of day and more.
View is a unique, patent-pending field-level solution that hides sensitive field…
…only activity associated with a specific user profile. Run-time filter criteria cannot extract data that the query definition itself excludes; they only narrow the query's own result. For example, if a query definition includes filter criteria only for the user profile RICH and one enters run-time criteria for the user GEORGEW, no records are displayed.
Screen: Define FW Report Group Params. Type choices, press Enter.
   Starting date and time: Starting date *YESTERDAY (Date, *CURRENT, *YESTERDAY); Starting time 000000 (Time)
   Ending date and time: Ending date *CURRENT (Date, *CURRENT, *YESTERDAY); Ending time 235959 (Time)
   User* or %GROUP . . . *ALL
   Server ID . . . *ALL                  *ALL, *RMTSRV
   System to run for . . . *CURRENT      Name, *CURRENT, *ALL
   Output . . . *PRINT                   *PRINT, *PDF, *HTML
   Print format . . . *SHORT             *SHORT, *FULL
   Additional Parameters: Job description QBATCH (Name, *NONE); Library *PRODUCT (Name, *PRODUCT, *LIBL)
   F3 Exit  F4 Prompt  F5 Refresh  F12 Cancel  F13 How to use this display  F24 More keys
Define FW Report Group Details: options
   Starting and Ending date: enter a fixed date or use one of the following constants. *CURRENT: the current date (the day the report runs). *YESTERDAY: the day before the current date. *WEEKSTR: the beginning of the current week. *PRVWEEKS: the beginning of the previous week. *MONTHSTR: the beginning of the…
…purpose of minimizing security rules and query filtering. Since OS/400 group profiles are used for many other administrative tasks, they may not be as efficient for grouping users together for security purposes. Firewall proprietary user groups are always identified by the % symbol as the first character, e.g. %SALES. These user groups are defined within Firewall and may include both individual user profiles and OS/400 group profiles. The following section describes the procedure for defining Firewall user groups.
Defining User Groups
1. To work with Firewall proprietary user groups, select 11 Users and Groups from the main menu. The Work with User Security screen appears.
Screen: Work with User Security (Subset). Type options, press Enter. Rules are read top-down.
   Options: 1 Select, 3 Copy, 4 Delete, 5 Members, 6 Groups (user level only)
   Columns: Opt, User/System/Group, Group, Members, Servers securing (Network servers)
   Example rows: *PUBLIC, AABBCC, %AAVVV, ADMIN, DEMO
   F3 Exit
…program is called before the system is powered down. No parameters are passed to this program.
   F3 Exit  F12 Previous
Firewall User Exit Programs
1. To work with Client Application Security, go to option 18 Client Application Security from the main menu.
Screen: Work with Client Application Security (Subset). Type options, press Enter.
   Options: 1 Select, 3 Copy, 4 Delete
   Columns: Opt, Application, Active, Text
   Example row: JAVARAZLEE  Y  Definitions for Java (the remaining rows on the sample screen are test entries)
   Client Application Security is an alternative to user/object security. See Help.
   F3 Exit  F6 Add new  F8 Print  F12 Cancel
2. Press F6 to add a new client application.
Screen: Add Client Application Security. Type information, press Enter.
   Application . . .
   Text . . .
   Active . . . Y       Y=Yes, N=No, A=Administrators only
   Setting Active for an application controls the level of service that users can get from this application. While Active is N or A, the product still identifies a request as falling within the category of the application, but recognizes that the application cannot be used (with A, by anyone other than administrators).
   F12 Cancel
User Management
This chapter presents s…
…(the Work with User Status: Password screen lists the users ILAN, ISAAC, JAVA, JAVA01, JAVA3, JOHN, JR, KIRK, LENNY)
Screen: Work with User Status: Password.
   Options: 1 Select, 3 Enable, 4 Disable, 6 Reset count, 7 Expire, 9 New password
   Columns: Opt, User, Expiration Interval, Expiration Date, Days In Use, Days Left, Invalid Attempts (sample values include 10, 20, 178, 286, 328, 847 and *NOMAX)
   F3 Exit  F7 Subset  F8 Print  F11 Additional parameters  F12 Cancel  F14 Absence Security  F15 Auto disable exceptions  F16 Signon times
Work with User Status: Password: descriptions
   Opt 1: display all parameters for the selected user profile.
   Opt 3: enable the user profile.
   Opt 4: disable the user profile.
   Opt 6: reset the invalid sign-on attempt counter; this prevents automatic disabling of the user because of excessive sign-on errors.
   Opt 7: set the password to expired; the user must change the password at the next sign-on.
   Disabled: blank, the user profile is enabled; otherwise the user profile is disabled.
   Expiration Interval: the number of days between required password changes.
   Expiration Date: the next password expiration date.
   Days in Use: the number of days the current password has been in use.
   Days Left: the number of days before the current password expires.
Reports
User Management offers two reports that show user profile information.
Option 5 Print Special Authorities: the Special Authorities report shows details of the special authorities assigned to users, individually or as part of a group authority. Another parameter that is displayed is a us…
…User Interface . . . 8
Other iSecurity Products . . . 10
Chapter 2: First Steps . . . 11
   Initial Setup and Definition Overview . . . 11
   Starting Firewall for the First Time . . . 12
   Modifying Operators' Authorities . . . 12
   (entry illegible) . . . 14
   Enabling Protection for all Servers . . . 16
   Using the Rule Wizards . . . 17
   (entry illegible) . . . 18
   Analyzing Historical Activity . . . 19
   Defining the Working Data Set . . . 21
   Working with the Plan Security Wizard Screens . . . 21
   Native OS/400 Objects…
…Display License Management Log
This feature provides information about every transaction generated by the License Management server.
1. To display the log, select 45 Display License Management Log from the Work with Advanced Security screen. The Display Firewall Log screen appears.
2. Set the parameters according to the table in the DHCP Security section earlier in this chapter, and press Enter.
Chapter 10: Configuration and Maintenance
System Configuration
This section reviews the process of setting the general configuration for Firewall. To reach this screen, select 81 System Configuration from the main screen. The iSecurity part I Global Parameters screen appears.
Screen: iSecurity part I Global Parameters (*FYI* Mode Active). Select one of the following:
   Firewall: 1 General Definitions, 2 Additional Settings, 3 User Exit Programs, 4 Transaction Post Processing, 5 Intrusion Detection System, 6 Enable ACTION CL Script, more
   Screen: 11 General Definitions, 12 Customize Messages
   Password: 21 Password Dictionaries, Password Exit Programs
   System Configuration: SYSLOG, 81 iSecurity Base, Log Retention
   General: 91 Language Support, 99 Copyright Notice
   Selection . . .
   Release ID 15.0 09-11-12 4465D5A 720 206A; Authorization code . . .
…to display all the parameters for a single user, type 1 in the Opt field to the left of the desired user. The following screen appears.
Screen: Work with User Status: Details (iSecurity). Sample user: John Smith, IT Team.
   Disabled; Password: Previous signon 11/05/87, Days passed, Planned action
   Invalid attempts; Expiration interval; Expiration date; Days in use; Days left
   F3 Exit  F7 Enable  F8 Disable  F9 Reset password count  F10 Expire password  F12 Cancel
Use the function keys to modify the parameters, as shown in the following table.
   F7: enable the user profile.
   F8: disable the user profile.
   F9: reset the invalid sign-on attempt counter; this prevents automatic disabling of the user because of excessive sign-on errors.
   F10: set the password to expired; the user must change the password at the next sign-on.
Screen 2: Work with User Status: Sign-on
This screen displays recent sign-on statistics for each user profile. In addition, the scheduled date of any automatic action (disable or delete) by the Action absence control feature is displayed.
Screen: Work with User Status: Signon (iSecurity). Position to . . .  Type options, press Enter.
   Options: 1 Select, 3 Enable, …; users listed: ILAN, ISAAC, JAVA, JAVA01, JAVA3, JOHN, JR, KIRK, LENNY
   F3 Exit  F7 Subset  F14 Absence…
…or type 1 to modify an existing class to your needs.
Screen: GSRPTMNU Reporting Firewall: Add Class. Type choices, press Enter.
   Class . . .                   e.g. USERS, IP, COMMANDS, FILES
   Text . . .
   Maximum item length . . .     1-28
   Group Classes such as USERS, IPS and FILES consist of individual Groups. For example, the Group Class USERS could consist of the groups HR, ERP, etc. These groups are useful when you want to limit a report or a rule to only the users listed in USERS/HR who accessed the files listed in FILES/SENSITIVE. To use them, enter ITEM or NITEM (item of, not item of) in the TEST column of the report's Filter Conditions, then press F4 in the VALUE column.
   F12 Cancel  F13 Information Assistant  F16 AS/400 main menu
3. Press Enter. The Work with Groups screen appears.
Screen: GSRPTMNU Reporting Firewall: Work with Groups. Type options, press Enter. Position to . . .  Subset . . .
   Options: 1 Work with, 2 Edit, 4 Remove
   Columns: Opt, Group, Description (the sample shows "No data found to construct list" for an empty class)
   F3 Exit  F6 Add New  F12 Cancel
4. Press F6 to add a new Group, or type 1 to modify the items in an existing group to your needs.
Screen: GSRPTMNU Reporting Firewall: Work with Group Items. Type information, press Enter.
   Type: COMMANDS (Commands of various types)   Group: USRCOMMAND (User commands)
   Item / Description: CHGUSRPRF, CRTUSRPRF, DSPUSRPRF, RTVUSRPRF, WRKUSRPRF
…tracking of remote access requests, real-time auditing and proactive responses through Action.
Overriding default system settings to force the appearance of the sign-on screen.
Logon security rules are available for the following server types:
   Incoming FTP requests
   Outgoing FTP requests
   REXEC (Remote Command Execution)
   Telnet
   Sign-on requests via the Internet (WSG)
   Passthrough
Subsequent sections discuss the options and parameters for each individual rule type.
NOTE: The Security Level parameter in the server security rule must be set to 9 (full) in order to enable logon security for the appropriate servers. Refer to Chapter 3 for details.
Procedural Overview
The basic procedure for defining any of the logon security rules is similar. The following sections provide details and explanations of the specific parameters and definitions for each type of logon security rule.
3. Choose the logon type from the main menu:
   Select 31 for FTP and REXEC.
   Select 32 for Telnet and Sign-on.
   Select 33 for Internet logon (WSG).
   Select 34 for Passthrough.
4. Set the definitions. Each Logon Security menu follows the same principles: select the definition you want to set. For example, in the FTP/REXEC Logon Security screen choose 1 for Incoming FTP and 2 for Outgoing FTP. The appropriate Work with Logon Security screen appears.
…Library Replacement. Type choices, press Enter.
   Source Library . . .    Name, generic*     F4 Prompt
   Target Library . . .    Name               F4 Prompt
   F3 Exit  F12 Cancel
Add a new Target Library: enter the Source Library of the objects to which you wish to apply the authorization rule, and enter a Target Library that will contain the single set of rules to be applied.
In the specific object screen (options 1-9) define the original rules to be applied through the Target Library. The message appears in the Firewall log as follows:
Screen: Additional Message Information
   Message ID GRE6OS1 (as printed)   Date sent 27/04/10   Time sent 17:20:43
   Transaction: Server: Remote Command/Program Call (*RMTSRV). Decision level: OBJCT (Object authority). Menu option: 21. Operation mode: *FYI* (For Your Information; action NOT performed).
   Message: Denied for QSECOFR to TZION/GSEPHDR *PGM, IP address 1.1.1.164. The examined security rule was for object TZION/*ALL, user *PUBLIC, operation RUN.
   F3 Exit  F6 Modify decision rule  F7 Add action  F12 Cancel
IFS Objects
To work with IFS Object Security:
1. Select 22 from the main menu. The IFS Security menu appears.
2. Select 1 from the IFS Security menu. The Work with IFS Security screen appears.
3. This screen lists all the IFS rules currently in effect. Type 1 to work with an exist…
…password has not expired. *ALL: display users irrespective of password expiration.
Days since last sign-on is GE: Number: display only users who have not signed on for at least the specified number of days. *ALL: display users irrespective of the days since the last sign-on.
Invalid sign-on attempts is GE: Number: display only users whose invalid sign-on attempt count is at least the specified number. *ALL: display users irrespective of invalid sign-on attempts.
2. The Work with Users Wizard consists of three screens, Basic, Sign-on and Password, each containing several related parameters. The same function key options are available on all screens. On each of these screens, users that cannot sign on to the system are displayed in pink. Use F11 to navigate between screens.
Screen 1: Work with User Status: Basic
This screen shows whether individual users can sign on to the System i. In order to sign on, a user must be enabled and have a valid, non-expired password.
Screen: Work with User Status: Basic (iSecurity). Position to . . .  Type options, press Enter.
   Options: 1 Select, 3 Enable, 4 Disable, 6 Reset count, 7 Expire, 9 New password
   Users displayed in pink are not eligible to sign on.
   Opt  User     Disabled  Password  Text
        ILAN     Yes                 IT Team
        ISAAC                        Marketing Department
        JAVA                         Java Team
        JAVA01                       VA Java for AS/400 Lab Programmer
        JAVA3                        GUI Testing
        JOHN                         John Smith, IT Team
        JR                           Marketing…
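The columns and selection filters of the Work with Users wizard (Disabled, Expiration Interval, Expiration Date, Days in Use, Days Left, Invalid Attempts, and the "password expired", "days since last sign-on GE" and "invalid sign-on attempts GE" filters) follow directly from a few profile fields and today's date. The following is an added illustration and is not Raz-Lee code: the Profile fields, the sample profiles and the date used as "today" are constructed for the example, and a profile that has never signed on is treated as inactive for any threshold (an assumption).

```python
"""Sign-on eligibility and inactive-user screening, modelled on the Work with User
Status screens. Added example, not Raz-Lee code: Profile fields, sample data and
TODAY are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Profile:
    user: str
    disabled: bool = False                     # Disabled column: set by option 4, cleared by option 3
    pwd_changed: date = date(2000, 1, 1)       # assumed field: date the current password was set
    expiration_interval: Optional[int] = None  # days between required changes; None stands for *NOMAX
    pwd_expired_flag: bool = False             # set by option 7 "Expire": change forced at next sign-on
    last_signon: Optional[date] = None         # None: the profile has never signed on
    invalid_attempts: int = 0                  # cleared by option 6 "Reset count"


@dataclass
class Status:
    user: str
    can_sign_on: bool                          # shown in pink on the screens when False
    days_in_use: int
    expiration_date: Optional[date]
    days_left: Optional[int]
    password_expired: bool
    days_since_signon: Optional[int]
    invalid_attempts: int


def status_of(p: Profile, today: date) -> Status:
    """Derive the Password-screen columns and the Basic-screen eligibility for one profile."""
    days_in_use = (today - p.pwd_changed).days
    if p.expiration_interval is None:          # *NOMAX: the password never expires by age
        expiration_date, days_left, expired = None, None, False
    else:
        expiration_date = p.pwd_changed + timedelta(days=p.expiration_interval)
        days_left = (expiration_date - today).days
        expired = days_left <= 0
    expired = expired or p.pwd_expired_flag
    since = None if p.last_signon is None else (today - p.last_signon).days
    return Status(p.user, not p.disabled and not expired, days_in_use,
                  expiration_date, days_left, expired, since, p.invalid_attempts)


def select_users(profiles: List[Profile], today: date, expired: Optional[bool] = None,
                 inactive_ge: Optional[int] = None, invalid_ge: Optional[int] = None) -> List[Status]:
    """The wizard's selection filters; None means *ALL for each filter.
    A profile that has never signed on counts as inactive for any threshold (assumption)."""
    selected = []
    for p in profiles:
        s = status_of(p, today)
        if expired is not None and s.password_expired != expired:
            continue
        if inactive_ge is not None and s.days_since_signon is not None and s.days_since_signon < inactive_ge:
            continue
        if invalid_ge is not None and s.invalid_attempts < invalid_ge:
            continue
        selected.append(s)
    return selected


def cannot_sign_on(profiles: List[Profile], today: date) -> List[str]:
    """Names the wizard would show in pink: disabled, or password expired."""
    return [s.user for s in (status_of(p, today) for p in profiles) if not s.can_sign_on]


# Constructed sample data (not from the manual).
TODAY = date(2010, 4, 27)
SAMPLE_PROFILES = [
    Profile("ILAN", disabled=True, pwd_changed=date(2010, 4, 20), expiration_interval=10,
            last_signon=date(2010, 4, 19), invalid_attempts=2),
    Profile("ISAAC", pwd_changed=date(2010, 4, 10), expiration_interval=10,
            last_signon=date(2010, 1, 1), invalid_attempts=5),
    Profile("JOHN", pwd_changed=date(2009, 1, 1), expiration_interval=None,
            last_signon=date(2010, 4, 26)),
    Profile("KIRK", pwd_changed=date(2010, 3, 1), expiration_interval=90,
            pwd_expired_flag=True, last_signon=None),
]

if __name__ == "__main__":
    for s in (status_of(p, TODAY) for p in SAMPLE_PROFILES):
        print(s)
    print("cannot sign on:", cannot_sign_on(SAMPLE_PROFILES, TODAY))
    print("inactive 30+ days:", [s.user for s in select_users(SAMPLE_PROFILES, TODAY, inactive_ge=30)])
```

Note that "Days Left" goes negative once a password is overdue; the eligibility check treats zero or fewer days as expired, and the option 7 flag expires a password regardless of its age, which is why KIRK cannot sign on although his interval has not run out.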
…screen displays activity statistics for the current working set together with the currently defined rule settings (column C) and a place to enter revised rule settings (column R). Enter the revised rule settings as desired and press Enter to continue.
Screen: Plan Incoming IP Security. Type choices, press Enter.
   Options: 4 Delete, 5 DSPFWLOG, C>R (copy Current to Revised), 9 Create Security
   Allowed: Y = Allow. Rejected: N = Reject. Specify the revised authority in the R column and press Enter to apply it. Further legend marks show entries allowed by a generic* rule and entries rejected by a generic* rule.
   Columns: Opt, IP Address, then for each activity type (FTP, REXEC, Telnet, DB Srv, TCPSGN, RMT, DDM) the C and R settings and the number of logged entries.
   Example rows: 1.1.1.148, 1.1.1.149, …, 192.168.1.1, 192.168.1.3
   F3 Exit  F6 Add New  F8 Print  F11 Alt view  F12 Cancel
Each line in this screen represents the activity for a single IP address. The quantities are the number of actual transactions of each activity type from this IP address. Press F11 to display the statistics for the bottom row of activity types (NDB, RMT, REXEC and WSG). The C column shows the rule currently in effect for the activity type on a line. A Y indicates that transactions wil…
…press Enter.
Screen: Work with DDM/DRDA Pre-check User Replacement. Type options, press Enter.
   Options: 1 Select, 4 Delete
   Opt  Source Location  Source User  User to Check
        *ALL             *ALL         QUSER
        544K1246         MICHAEL      EVEGENY
        544K1246         RICH         QSECOFR
        544K1245         THEBOSS      QSECOFR
   F3 Exit  F6 Add new  F8 Print  F12 Cancel
Work with DDM/DRDA Pre-check User Replacement: parameters
   Source Location: the system name of the remote server.
   Source User: the user profile name of the target DDM job.
   User to Check: the user for which the internal check is performed.
NOTE: Add DDM/DRDA Pre-check User Replacement and Modify DDM/DRDA Pre-check User Replacement share the same settings.
Screen: Modify DDM/DRDA Pre-check User Replacement. Type choices, press Enter.
   Source location . . .                              Name
   Source user . . .                                  Name, *ALL
   Perform internal checks for user . . . DEVELOPER   Name, F4 for list
   F3 Exit  F4 Prompt  F12 Cancel
   Source location: the system name of the remote server. Source user: the user profile name of the target DDM job. Perform internal checks for user: the name of the user being checked (F4 for a list).
DDM/DRDA Post-Check User Replacement
Thi…
…restrictions. This entry is used each time a user attempts a Sign-On from the Telnet server, for example when the Enter Password screen is used.
Telnet Logon
1. To work with Telnet and Sign-on, select 32 Telnet from the Firewall Main menu. The Telnet Security screen appears.
Screen: GSTELMNU Telnet Security (Firewall). Select one of the following:
   Definitions: 1 Telnet Logon. This entry is used only the first time a device connects to the system, for example when PC emulation software starts. To control the Sign-On screen, which might be used several times during a single Telnet session, use Work with Users to specify the allowed IPs and device names.
   Reporting: 11 Display Telnet Log, 12 Display Telnet Logon Log, 13 Display Telnet Termination Log, 15 Display SIGNON Log
   Selection or command . . .
   F3 Exit  F4 Prompt  F9 Retrieve  F12 Cancel  F13 Information Assistant  F16 AS/400 main menu
2. Select 1 Telnet Logon from the Telnet Security screen. The Work with TELNET Logon Security screen appears.
Screen: Work with TELNET Logon Security (Subset). Type options, press Enter.
   Options: 1 Select, 3 Copy, 4 Delete, 5 IP range
   Columns: Opt, IP Address, Subnet Mask, Terminal ID, Min. Incoming pwd, Assigned Logon Terminal
   Example row: *ALL  0.0.0.0  *ALL  *ACCEPT  *SAME; a further row uses a 255.255.x.x subnet mask with *AUTOSIGNON (the rest of that line is cut off)
…Plan Security for Native Objects. Type choices, press Enter.
   Options: 4 Delete, 5 DSPFWLOG, C>R (copy Current to Revised), 7 WRKOBJ, 8 EDTOBJAUT, 9 Create Security
   Allowed: Y = Allow. Rejected: N = Reject. Specify the revised authority in the R column and press Enter to apply it. Further legend marks show entries allowed from a higher level and entries rejected from a higher level.
   Columns: Opt, Type, Object, Library, User/%Group, Entries, then Rd, Wrt, Crt, Dlt, Rnm, Otr (each with C and R)
   Example rows: CMD objects ADDLIBLE, CALL and CHGAUT in QSYS, listed per user or %-group (e.g. QSECOFR with 5695 entries for CALL, %LIORA with 1 entry for ADDLIBLE)
   F3 Exit  F6 Add New  F8 Print  F12 Cancel
Update Rules
The final step is to apply the new and revised security rules that were created via the wizards.
1. To update the rules, select Update Security Rules from the wizard menu. The Update screen appears. Samples from two of the wizards are shown below; refer to the table on the following page for an explanation of the required parameters.
Screen: Native AS/400 Objects Update (UPDNTVSEC). Type choices, press Enter.
   Select . . . *USER                     *USER, *SELECT, …
   Object . . .                           Name, generic*
   Library . . .
   Object Type . . .                      *FILE, *CMD, *PGM, …, *ALL
   Delete set after processing . . . *NO
   F3 Exit  F4 Prompt  F5 Refresh  F12 Cancel  F13 How to use this display  F24 More keys
…Work with Collected Data and remove the data of full days.
QSECOFR, as well as any other authorized user, can change the logging option in Firewall per service (exit point): type STRFW 1 1. QSECOFR, as well as any other authorized user, can change the logging option per user in Firewall: type STRFW 1 11.
Query Wizard
The powerful Query Wizard allows users to design custom output reports that show exactly the necessary data, without programming or technical knowledge. Query definitions are created using a series of simple parameter definition screens. The output may be a printed report, a screen display, or a text file saved on the System i. Highly detailed filter criteria enable users to select only the necessary records, using Boolean operators and combining complex logical conditions. Firewall's flexibility enables users to specify the sort order by multiple fields. All reports can run automatically and be e-mailed to the system administrator as HTML, PDF or CSV files.
The User-Centric Approach
Firewall has a user-centric approach set in the top-down model, which helps the security administrator to manage user security easily and efficiently and reduces the number of security rules. Raz-Lee Security has created two new kinds of user group in addition to the existing general Firewall group. Together they form three kinds of group for organizing users: General Groups, Application Groups, …
…working conditions without adversely affecting user access.
Users can enable the FYI Simulation Mode globally for all activity, regardless of server or user. One can also enable FYI individually for specific function servers, as a parameter in the server security rules. In this manner one can test the security rules for specific servers without affecting the rules that apply to other servers.
To enable FYI globally for all servers and users:
1. Select 81 System Configuration from the main menu. The Global Parameters screen appears.
2. Select 1 from the Global Parameters screen. The General Definitions screen appears.
Screen: Firewall General Definitions. Type options, press Enter.
   Emergency override (ALL) security setting . . . 0      0=Regular (no override), 1=Allow, 2=Allow+Log, 3=Reject, 4=Reject+Log
   Work in *FYI* Simulation mode . . .                    Y, N. *FYI* is an acronym for "For Your Information". In this mode the security rules are fully operational but no action is taken.
   Check OS/400 Group and Supplemental profile . . . Y    Y, N
   Enable Super Speed Processing . . . N                  Y, N. The functionality of the product is not affected by this setting. Set this value to N well before you plan a Hot Upgrade of the product; this enables temporary suspension of the activity during installation.
   Hot upgrade is safe . . . Y                            See manual
   F3 Exit  F12 Previous
…Inherit in-product IFS authorities . . . 1      1=No, 2=Yes, from higher directory, 3=Yes, from higher directory or file*
   Skip SQL parsing if the final decision was taken at (leave blank to parse):
     Global level . . .      1=Always, 2=Allow, 3=Reject
     IP level . . .          1=Always, 2=Allow, 3=Reject
     User level . . .        1=Always, …
   Check FTP Logon PWD by product . . . N          Y=Yes (not recommended), N=No. Y provides messages about an invalid password in the Firewall log.
   F3 Exit  F12 Previous
   (Firewall Additional Settings)
User Exit Programs
User Exit Programs give the user the option of invoking a program after the Firewall filters have rejected a particular authorization attempt.
1. To work with Firewall User Exit Programs, select 3 User Exit Programs from the iSecurity part I Global Parameters screen. The Firewall User Exit Programs screen appears.
2. Set the parameters and press Enter.
Screen: Firewall User Exit Programs. Type options, press Enter.
   Allow/Reject request: Name . . . *NONE    Name, *NONE    Library . . . *LIBL    Name, *LIBL
   This user program is called at the end of the authorization verification and may override the decision. See the example in SMZ8/GRSOURCE, member FWAUT (as printed).
   Enable Application Level Security: Name . . . *STD    Name, *NONE, *STD    Library . . .    Name, *LIBL
   The GUI product identifies itself and continues without further inspections. For the *STD value, the initial identifi…
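The three values of "Inherit in-product IFS authorities" decide which rule governs an IFS path when no rule names that exact path. The following resolver is an added illustration and is not Raz-Lee code: the rule table and the rights values are constructed, and the reading of setting 3 (a generic file* rule in the same or a higher directory also applies) is an assumption about the screen's wording.

```python
"""Resolving the IFS rule for a path under the three "Inherit in-product IFS
authorities" settings. Added example, not Raz-Lee code: rules and rights are
constructed; the reading of setting 3 is an assumption."""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath
from typing import Dict, Optional, Tuple

NO_INHERIT, FROM_HIGHER_DIR, FROM_HIGHER_DIR_OR_FILE = 1, 2, 3


def find_ifs_rule(rules: Dict[str, str], path: str, setting: int) -> Optional[Tuple[str, str]]:
    """Return (rule path, rights) for the nearest applicable rule, or None.

    Walks from the object itself upward. At each level an exact rule wins; with
    setting 3 a generic rule (name ending in *) in that level's directory is tried
    next; settings 2 and 3 then move to the parent directory, while setting 1
    stops after the exact check."""
    cur = PurePosixPath(path)
    while True:
        key = str(cur)
        if key in rules:
            return key, rules[key]
        if setting == FROM_HIGHER_DIR_OR_FILE:
            for rule in rules:
                rp = PurePosixPath(rule)
                if rule.endswith("*") and rp.parent == cur.parent and fnmatchcase(cur.name, rp.name):
                    return rule, rules[rule]
        if setting == NO_INHERIT or cur.parent == cur:   # exact-only, or reached the root
            return None
        cur = cur.parent


# Constructed rule table (not from the manual): path -> rights.
SAMPLE_RULES = {
    "/home": "*RX",
    "/home/secret": "*EXCLUDE",
    "/home/apps/config.xml": "*R",
    "/home/apps/log*": "*RW",      # generic: log2010.txt, logs/, ...
}

if __name__ == "__main__":
    for p in ("/home/apps/config.xml", "/home/apps/data.csv",
              "/home/apps/log2010.txt", "/home/secret/keys"):
        for s in (NO_INHERIT, FROM_HIGHER_DIR, FROM_HIGHER_DIR_OR_FILE):
            print(s, p, "->", find_ifs_rule(SAMPLE_RULES, p, s))
```

With setting 1 a new file under a protected directory has no rule at all and falls through to whatever the caller does by default, which is the behaviour the inheritance settings exist to avoid.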
…group.
   4: delete a location group.
   5: edit the group members (OS/400 user and group profiles).
   Location: the location name.
   F3: return to the main menu. F6: add a new location group. F8: print the location group definitions.
Up to two separate time periods can be defined per day. Note that if the To time is earlier than the From time, the period is considered to roll over to the following day. This is illustrated in the following screenshot.
Screen: Modify Location Group Security. Type choices, press Enter.
   Location Group . . . CHICAGO      Name
   Text . . . Chicago Office
   Activity Time . . . WINTER        Time group, *NEVER
   Locations: 1=IP, 2=Device Names (SIGNON only)
   Selection . . .
   F3 Exit  F4 Prompt  F8 Print  F9 Object security  F10 Logon security  F12 Cancel
Modify Location Group Security: parameters
   Location Group: the name of the location group.
   Text: descriptive text.
   Activity Time: select a time group. *NEVER: if this option is selected, members of this group are disabled and cannot log in.
   Locations, IP: the IP addresses allowed for this location group.
   Locations, Device names: the device names allowed for Telnet sign-on.
   Selection: enter which of the above is being defined (IP or device name).
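The Telnet logon rules (IP address plus subnet mask, or a generic* address) and the location group definition above (members, a time group with up to two From/To periods per day that roll over midnight when To is earlier than From, *NEVER, and device names for sign-on) combine into one membership-and-location check. The following is an added example and is not Raz-Lee code: the rule layout, the WINTER time group, the CHICAGO group and the timestamps are constructed, and treating a generic* address as a textual prefix is an assumption.

```python
"""Location-group checks: membership, activity time group with midnight rollover,
IP by subnet mask or generic* prefix, device names for sign-on. Added example,
not Raz-Lee code; all definitions below are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

Window = Tuple[time, time]                        # (From, To)
TimeGroup = Optional[Dict[int, List[Window]]]     # weekday (0=Monday) -> windows; None is *NEVER


def ip_matches(rule: str, mask: str, ip: str) -> bool:
    """*ALL matches anything; a generic* rule is a textual prefix (so 192.168.1* also
    covers 192.168.10.x, as generic names do); otherwise address plus mask is a network."""
    if rule == "*ALL":
        return True
    if rule.endswith("*"):
        return fnmatchcase(ip, rule)
    network = ipaddress.ip_network(f"{rule}/{mask}", strict=False)
    return ipaddress.ip_address(ip) in network


def time_group_allows(group: TimeGroup, now: datetime) -> bool:
    if group is None:                             # *NEVER: members cannot log in
        return False
    today, t = now.weekday(), now.time()
    for start, end in group.get(today, []):
        if start < end and start <= t < end:      # ordinary window
            return True
        if end < start and t >= start:            # To earlier than From: the part before midnight
            return True
    yesterday = (today - 1) % 7                   # the part after midnight belongs to the next day
    return any(end < start and t < end for start, end in group.get(yesterday, []))


@dataclass
class LocationGroup:
    name: str
    members: Set[str]                 # user profiles and OS/400 group profiles
    time_group: TimeGroup
    ips: List[Tuple[str, str]]        # (address or generic*, subnet mask)
    devices: List[str]                # generic device names, checked for sign-on only


def location_allows(g: LocationGroup, user: str, ip: str, now: datetime,
                    user_groups: Set[str] = frozenset(), device: Optional[str] = None) -> bool:
    """True when the user (or one of its OS/400 group profiles) is a member, the time group
    is active now, the IP is listed, and, for sign-on, the device matches a listed name."""
    if user not in g.members and not (g.members & set(user_groups)):
        return False
    if not time_group_allows(g.time_group, now):
        return False
    if not any(ip_matches(rule, mask, ip) for rule, mask in g.ips):
        return False
    if device is not None and not any(fnmatchcase(device, d) for d in g.devices):
        return False
    return True


def at(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Timestamp helper for the examples."""
    return datetime(year, month, day, hour, minute)


# Constructed sample definitions (not from the manual).
WINTER: TimeGroup = {wd: [(time(8, 0), time(18, 0))] for wd in range(5)}   # Mon-Fri office hours
WINTER[5] = [(time(22, 0), time(2, 0))]                                    # Saturday night shift, rolls over
CHICAGO = LocationGroup("CHICAGO", {"JOHN", "SALESGRP"}, WINTER,
                        [("192.168.1*", ""), ("10.20.0.0", "255.255.0.0")], ["CHI*"])

if __name__ == "__main__":
    print(location_allows(CHICAGO, "JOHN", "192.168.1.77", at(2010, 4, 27, 10)))             # Tuesday 10:00
    print(location_allows(CHICAGO, "JOHN", "192.168.1.77", at(2010, 5, 2, 1, 30), device="CHI01"))  # Sunday 01:30
```

The rollover is handled in two halves on purpose: the evening half is checked against the day the window belongs to, and the early-morning half against the previous day's windows, so a Saturday 22:00 to 02:00 period admits Sunday 01:30 but not Saturday 01:00.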
…parameters that apply to each report in the group.
1. Select 51 from the Log, Reports, Queries menu. The Work with Report Scheduler screen appears.
2. Press F6 to create a new report group, or type 1 to select an existing group.
Screen: Work with Report Scheduler. Subset by name . . .  Position to . . .  Type options, press Enter.
   Options: 1 Select, 2 Add, 3 Copy, 4 Delete, 5 Run
   Opt  Group     Seq  Description
        DAILY          Daily Scheduled Report
                       Display Firewall Log
                       Activity of the Security Officer
                       Change User Profiles
                       Payroll File Access Log
        MONTHLY        Monthly Scheduled Report
                       Sales Library Access Log
        WEEKLY         Weekly Scheduled Report
                       Run Firewall Log
                       Payroll File Access Log
                       *Firewall SQL*
   F3 Exit  F5 Refresh  F6 Add New Group  F8 Print  F12 Cancel
Report groups appear on the screen sorted alphabetically by group name. The individual reports contained in each group appear directly below the group name, arranged in a user-modifiable sequence.
   F6: create a new report group.
   Opt 1: select the group for modification.
   Opt 2: add a new report to the selected group.
   Opt 3: copy the group along with all its reports, or copy an individual report from one group to another.
   Opt 4: delete the group along with all of its reports, or delete an individual report.
3. The Modify Report Group screen appears. Assign a name to the report group and enter a brief description.
…(table continued: Test, Description, Value, Field Data)
   Profile, USRGRP: USER and all user profiles which are members of the same user groups as USER; *ALL. For both the GRPPRF and USRGRP cases, if the TYPE is missing, USER or USRGRP is assumed according to whether the % sign appears as the first character of the GROUP.
   SPCAUT: check that the value is in the user's Special Authority.
   START (Starts with): the starting characters of a string.
And/Or Boolean Operators
You may combine multiple filter conditions in one query using the Boolean AND/OR operators. This allows you to create complex queries that produce precise results. When using OR operators in your filter conditions, the order in which each condition appears in the list of conditions is critical. The OR operator groups several conditions together, because it includes all the AND conditions that follow it, until the next OR operator or until the end of the list. The following example illustrates this principle. The query applies to all events meeting either the conditions listed in Group 1 or the conditions listed in Group 2. Group 2 consists of the OR condition and all of the AND conditions that follow it.
Screen: Filter Conditions. Server 04 *SQL Database Server (SQL access). Sequence 1.0. Type conditions, press Enter. Specify OR to start each new group.
   Tests: EQ, NE, LE, GE, LT, GT, LIST, NLIST, LIKE, NLIKE, IT…
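The grouping rule above (an OR opens a new group that absorbs every AND after it, and a record qualifies when any one group is satisfied in full), the ITEM/NITEM class tests from the report classes section, the USRGRP and SPCAUT tests, and the earlier note that run-time filters can only narrow a query definition are all shown in the following evaluator. It is an added example and not Raz-Lee code: the record fields, the sample log records, the %-groups, report classes and special-authority table are constructed, and LIKE is read with SQL-style % and _ wildcards.

```python
"""AND/OR grouping of filter conditions, the ITEM/USRGRP/SPCAUT tests, and run-time
filters that narrow a query. Added example, not Raz-Lee code; all data is constructed."""
from fnmatch import fnmatchcase
from typing import Dict, List, Sequence, Tuple

Condition = Tuple[str, str, str, str]   # (AND/OR, field, test, value); the first entry's AND/OR is ignored


def like(actual: str, pattern: str) -> bool:
    """SQL-style LIKE: % matches any run of characters, _ exactly one."""
    return fnmatchcase(actual, pattern.replace("%", "*").replace("_", "?"))


def run_test(test: str, actual: str, value: str, ctx: dict) -> bool:
    """One filter test. ctx holds the lookup tables: Firewall %-groups (USRGRP),
    report classes (ITEM/NITEM) and special authorities per user (SPCAUT)."""
    t = test.upper()
    if t in ("EQ", "NE", "LT", "LE", "GT", "GE"):
        cmp = (actual > value) - (actual < value)
        return {"EQ": cmp == 0, "NE": cmp != 0, "LT": cmp < 0,
                "LE": cmp <= 0, "GT": cmp > 0, "GE": cmp >= 0}[t]
    if t in ("LIST", "NLIST"):
        return (actual in value.split()) == (t == "LIST")
    if t in ("LIKE", "NLIKE"):
        return like(actual, value) == (t == "LIKE")
    if t == "START":
        return actual.startswith(value)
    if t in ("ITEM", "NITEM"):
        return (actual in ctx["classes"].get(value, set())) == (t == "ITEM")
    if t == "USRGRP":                    # the named user and everyone sharing a %-group with it
        return actual == value or any(actual in m and value in m for m in ctx["groups"].values())
    if t == "SPCAUT":
        return value in ctx["spcaut"].get(actual, set())
    raise ValueError(f"unknown test {test}")


def group_conditions(conds: Sequence[Condition]) -> List[List[Tuple[str, str, str]]]:
    """Split the condition list into OR groups: each OR starts a group that takes all
    following ANDs; the first condition always opens the first group."""
    groups: List[List[Tuple[str, str, str]]] = []
    for andor, field, test, value in conds:
        if not groups or andor.upper() == "OR":
            groups.append([])
        groups[-1].append((field, test, value))
    return groups


def matches(record: Dict[str, object], conds: Sequence[Condition], ctx: dict) -> bool:
    if not conds:                        # no conditions: everything matches
        return True
    return any(all(run_test(t, str(record.get(f, "")), v, ctx) for f, t, v in g)
               for g in group_conditions(conds))


def select(records, conds, ctx, runtime: Sequence[Condition] = ()) -> List[int]:
    """Sequence numbers of records matching the query definition and, if given, the
    run-time filter as well; run-time criteria outside the definition yield nothing."""
    return [r["SEQ"] for r in records if matches(r, conds, ctx) and matches(r, runtime, ctx)]


# Constructed lookup tables and log records (not from the manual).
CTX = {
    "groups": {"%PGMR": {"RICH", "GEORGEW"}},
    "classes": {"FILES/SENSITIVE": {"EMPMST", "PAYROLL"}},
    "spcaut": {"QSECOFR": {"*ALLOBJ", "*SECADM"}, "RICH": {"*JOBCTL"}},
}
LOG = [
    {"SEQ": 1, "USER": "RICH", "SERVER": "04", "OBJECT": "EMPMST", "DECISION": "ALLOW"},
    {"SEQ": 2, "USER": "JOHN", "SERVER": "04", "OBJECT": "ORDERS", "DECISION": "REJECT"},
    {"SEQ": 3, "USER": "GEORGEW", "SERVER": "03", "OBJECT": "PAYHIST", "DECISION": "ALLOW"},
    {"SEQ": 4, "USER": "QSECOFR", "SERVER": "04", "OBJECT": "EMPMST", "DECISION": "ALLOW"},
]
# Group 1: SERVER EQ 04 AND DECISION EQ REJECT.  Group 2 (opened by OR): USER USRGRP RICH AND OBJECT LIKE PAY%
TWO_GROUPS: List[Condition] = [("", "SERVER", "EQ", "04"), ("AND", "DECISION", "EQ", "REJECT"),
                               ("OR", "USER", "USRGRP", "RICH"), ("AND", "OBJECT", "LIKE", "PAY%")]

if __name__ == "__main__":
    print(group_conditions(TWO_GROUPS))
    print(select(LOG, TWO_GROUPS, CTX))
```

Moving the single OR one position earlier turns the same four conditions into "SERVER EQ 04" alone versus the other three together, which is why the manual stresses the order of the list.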
176. ...rver Security screen appears.
5. View a description of the server.
6. View the Activity Log for the server.
Parameter or Option / Description:
    Secure: YES means the server is secured; otherwise it is not secured.
    Level: This option is not available for exit points that deal with specific operations, such as Change User Profile and Pre-Power Down System.
        1: Allow all activity (available for all other exit points).
        2: Reject all activity (available for all other exit points).
        3: Allow activity subject to User-to-Service security rules (not available for exit points that are supported only up to the Logon level, i.e. Telnet and Remote Sign-on).
        9: Full security. This differs between logon and user-to-object: Logon activates the logon limitation rules (user to system name/IP and user name); User-to-object activates your user limitation rules.
    Log / FYI / FW Action: Shows whether FYI mode is currently being logged for Firewall and for Action.
    Server: Name/description of the server.
    User Exit Pgm: Name of the custom user exit program for this server.
    F8: Print all server security rules.
    F9: Work with object security rules.
    F10: Work with logon security rules.
    F11: Work with user-to-service security rules.
    F22: Define server security rules globally, for predefined groups of servers or for all servers.
    F23: Enable or disable the FYI simulation mode globally for all servers.
    F24: Use the Emergency Override feature.
Chapter: Basic Security
Global Mo...
177. ...rvers for individual users or groups of users. Group-based rules may be defined for OS/400 group profiles or for Firewall User Groups. User-to-service rules override the global server security rules, provided that the Security Level parameter is set to 3 or above. For example, if the Security Level parameter in the server security rule for the FTP server is set to 3, user-to-service (user-to-server) rules may allow activity for certain users and reject access for others. The *PUBLIC user profile (see the screen example below) serves as the default user-to-server rule for all users not explicitly covered by a rule.
Verb Support
User-to-server rules can also restrict activity on certain servers according to specific remote commands, known as Verbs in the System i world. This feature makes it possible to limit a user's ability to execute specific remote commands. For example, members of the user group PGMR are not permitted to execute the SQL delete command, as shown in the following screen.
Screen: Modify User Security
    Type choices, press Enter.
    User . . . . . . . . *PUBLIC
    Set: 1=Allow  2=Reject  3=By Verb (V)  4=Allow+Skip object check (S)
    Log: blank=No change  1=None  2=Rejects  4=All
    Columns: General Setting / User Setting / Verb Support / Short Name / Set / Log
         Original File Transfer Function       None        Yes   FILTFR
         FTP Server Logon                      None        Yes   FTPLOG
         FTP Server Incoming Rqst Validation   None        Yes   FTPSRV
         FTP Client Outgoing Rqst Validation   None        Yes   FTPCLN
         REXEC Server Logon                                      REXLOG...
178. ...s and records from restricted users. This innovative solution hides credit card numbers, customer names, etc.; restricted users see asterisks or zeros instead of the real values. View requires no modification to existing applications.
Anti-Virus provides virus detection and prevention. Anti-Virus scans, validates and checks IFS files as they are enrolled or modified, authenticates them, and erases or quarantines infected files. It includes an updateable database and a simple interface.
Screen protects unattended terminals and PC workstations from unauthorized use. It provides adjustable terminal- and user-specific timeout capabilities. Screen locking and sign-off periods may be defined according to variable criteria such as date, time of day or user profile.
Password is a general-purpose password management product that ensures user passwords cannot be easily guessed or cracked. Password allows the user to manage a variety of password security parameters and maintains a history log of attempts to create passwords. This log can easily be displayed or printed.
AP-Journal automatically manages database changes by documenting and reporting exceptions made to the database journal.
Visualizer is an advanced data warehouse statistical tool with state-of-the-art technology. It provides security-related analysis in a GUI and operates on summarized files, hence it gives immediate answers regardless of the amount of security data being accumulated.
F...
179. ...s is a post-check, only applicable to DRDA. In this option Firewall replaces restricted users with a user who has the correct authority.
1. To work with DRDA Post-Check User Replacement, select 5. DRDA post check user replacement from the Work with Advanced Security screen. The Work with DRDA Post-check User Replacement screen appears.
2. Set your desired parameters and press Enter. To modify, select 1. To add, press F6.
Screen: Work with DRDA Post-check User Replacement
    Type options, press Enter.   1=Select  4=Delete
    Opt  Source Location   Source User   User for OS/400 Security checks
         *ALL              QUSER
         544K1245          ACCT          RICH
         544K1245          PRGMR         EVEGENY
         544 1246          QSECOFR       QSECOFR
         544K1245          THEBOSS       QSECOFR
    Bottom
    F3=Exit  F6=Add new  F8=Print  F12=Cancel
Work with DDM/DRDA Post-check User Replacement: Parameters / Description
    Source location: System name of the remote server.
    Source user: User profile name of the target DRDA job.
DHCP Security
DHCP (Dynamic Host Configuration Protocol) is a communications protocol used to centrally manage configuration information. For example, DHCP automatically assigns IP addresses to computers in a network. DHCP is defined by the Internet Engineering Task Force.
Chapter: Advanced Security Features
The AS/400 may essentially play the role of a DHCP server. If so, it records the activities and transactions in a l...
180. ...s of access protocols (see Figure 1 below).
2. Full integration with iSecurity Firewall's capabilities, providing a one-stop solution for all of your company's security and network access requirements (see Figure 2 below).
3. The ability to test SSL connectivity before live implementation, using the FYI (For Your Information) simulation mode (see Figure 3 below).
Screen: Dynamic Filtering: Modify Incoming IP Address
    Type choices, press Enter.
    IP Address . . . . . . . 1 1 1           Address
    Subnet mask . . . . . . 255.255.255.128  F4 for list
    Text . . . . . . . . . .
    FTP   Telnet   DB Srv   Rmt SGN   REXEC Srv   DDM   WSG      Y=Yes, S=SSL only
    Y
    Equivalent IP range: 1 1 1 8   1 1 1 3127
    S=SSL requires that the connection is encrypted (checked from V5R1).
    FTP includes FTPLOG and REXLOG. DDM includes DDM and DRDA. DB Server includes SQLENT, SQL, NDB and OBJINF.
    F3=Exit  F4=Select Subnet  F10=Logon security  F12=Cancel
Figure: Secure access protocols with SSL.
Chapter: Dynamic Filtering Security
Screen: Firewall *FYI* Simulation Mode
    Type options, press Enter.
    Work in *FYI* simulation mode . . . Y/N
    While in this mode Firewall simulates the application of rules without rejecting transactions. Activity is recorded in the log with the *FYI* designation. *FYI* is an acronym of For Your Information.
    F3=Exit  F12=Cancel
Figure: Test SSL connectivity while using FYI mode.
Why Raz-Lee developed the S...
181. ...servers. Based on these findings, the customer wanted to define IP address ranges that could access System i data only in secured mode.
Chapter: Dynamic Filtering Security
SNA Firewall Rules
SNA firewall rules govern incoming activity from other IBM systems conforming to the SNA system name protocol. Rules control incoming activity for individual system names. For each system name you can choose to allow or reject activity for any of the following servers:
    - DDM
    - DRDA
    - Passthrough
To work with SNA firewall rules:
1. Select 2 from the main menu.
2. Select 11. Incoming Remote System Names from the Work with Dynamic Filtering menu. The Dynamic Filtering: Incoming Remote System Names Security menu appears. This screen lists all existing rules, showing which communication protocols are allowed or rejected.
3. Type 1 to select an existing rule, or press F6 to create a new rule.
Screen: Dynamic Filtering: Incoming Remote System Names Security
    Type options, press Enter.   1=Select  4=Delete
    Opt  System*     DDM  DRDA  PASSTHROUGH  Text
         *ALL
         54455778    Y    Y     Y            my software house
    F3=Exit  F6=Add new  F8=Print  F10=Logon security  F12=Cancel
Work with Firewall Incoming Remote System Names: Parameter or Option / Description
    F6: Create a new firewall rule.
    F8: Print the list of firewall rules.
    F10: Work with Logon security rules.
    Opt 1: Modify an existing rule.
182. ...ssword: This is the password to be assigned to the alternate user. Use the specified password for logon instead of the one in the user profile. Same or Blank: Do not replace the password for the alternate user. BYPASS: Bypass password validation at sign-on for the alternate user. PGM: Use the password presented by the calling program for the alternate user.
Alt Current Library: Automatically replace the default current library with the specified library.
Client FTP (Outgoing)
This server is used when the AS/400 issues FTP sub-commands as a client to another system.
1. To work with Client FTP Security, select 2. Client FTP Outgoing from the FTP/REXEC Logon Security screen. The Work with Client FTP Security screen appears.
2. Set parameters according to the following table and press Enter. Press F6 to add a new rule, or select option 1 to modify one.
Screen: Work with Client FTP Security
    Type options, press Enter.   1=Select  3=Copy  4=Delete      Subset . . . .
    Opt  User/Group/User*   Outgoing IP addresses and authorities
         *PUBLIC            *ALL 2
         QSECOFR            *ALL 2   192.168.100.108 2
    Bottom
    F3=Exit  F6=Add new  F8=Print  F12=Cancel
Chapter: Logon Security
Parameter or Option / Description:
    Opt 1: Select this rule for modification.
    Opt 3: Copy this rule for another user.
    Opt 4: Delete this rule.
    F6: Add a new rule.
    F8: Print rules.
    Subset: Search a user group, user or outgoin...
183. ...sting and debugging queries.
Work with Queries Screen: Run a query by typing 5 to the left of one or more queries in the list. This option is especially useful for running several queries sequentially.
Report Scheduler: This powerful feature automatically runs queries according to a pre-defined schedule. This option is typically used for generating periodic audit reports.
Query Menu: Select one of the following options from the Query menu:
    - 11. Display: Display the query results on the screen.
    - 12. Print: Print a hard copy of the query as an interactive job.
    - 13. Submit as Batch Job: Submit the query as a batch job. This is recommended for large, resource-intensive queries.
Command Line: Enter the Run Firewall Query command (RUNFWQRY) from any command line. This allows you to run a query at any time, even while you are working on other tasks.
Display Log: Queries can also be used to filter data when viewing Activity Log data. This is useful for applying sophisticated filter criteria that are unavailable with the display log command.
You may specify run-time filter criteria that apply only to the current instance of the query. Run-time filter criteria allow you to display or print only a subset of the data extracted by the query definition. For example, if your query definition does not filter records according to user profile, you may specify run-time criteria that will display activity only for a specific user. However, run...
184. ...t: Printed report. PDF: Print the report to a PDF outfile. HTML: Print the report to an HTML outfile. CSV: Print the report to a CSV outfile. Outfile: Print the report to view from the GUI.
User Profile: Filter records by user.
Filter by Time Group: Filter records by time group.
Relationship: IN: Include all records in the time group. OUT: Include all records not in the time group. NONE: Do not use the time group, even if it is included in the query definition. QRY: Use the time group as specified in the query definition.
Type: Filter records by audit type. All: All types as specified in the query definition. F4: Select the server type from a list.
Program Name: Filter records by the name of the program that created the journal record.
Filter by Time Group: Name: Name of the time group. Time Group: SELECT: Select the time group from a list at run time.
Press Enter to continue. You may press F18 at any time during the data retrieval process to display a pop-up status window. This window continuously displays the number of records processed and selected. Press Esc at any time to halt retrieval and immediately display the query or log.
Chapter: Queries, Reports and Logs
Print Query to Output File and Send Via Email
NOTE: To ensure you always receive iSecurity report emails, please add DONOT REPLY COM and NOREPLY ISECURITY COM to your email contact list.
1. Select the preferred Output file type: PDF...
185. ...tabase Server data base access  ZDAD0100
    Database Server data base access  ZDAD0200
    Remote Command/Program Call  CZRC0100
    File Server  PWFS0100
    Telnet Device Initialization  INIT0100
    Telnet Device Termination  TERM0100
    Sign-on Completed  NTFY0100
    WSG Server Sign-On Validation  QAPP0100
    Original Data Queue Server  DTAQ0100
    Data Queue Server  ZHQ00100
    Original Virtual Printer Server  PRNT0100
Appendix: List of Firewall Exit Points
    26  QIBM_QLZP_LICENSE    Original License Mgmt Server  LICM0100
    27  QIBM_QZSC_LM         Central Server License Mgmt  ZSCL0100
    28  DDM                  Network Attribute: DDM Requested Access  DDMACC
    29  DRDA                 Network Attribute: Display Requested Database Access  DDMACC
    30  QIBM_QZSC_NLS        Central Server Conversion Map  ZSCN0100
    31  QIBM_QZSC_SM         Central Server Client Mgmt  ZSCS0100
    32  QIBM_QNPS_ENTRY      Network Printer Server entry  ENTR0100
    33  QIBM_QNPS_SPLF       Network Printer Server spool file...
    34  QIBM_QMF_MESSAGE
    35  QIBM_QZDA_INIT
    36  QIBM_QZDA_ROI1
    37  QIBM_QZDA_ROT1
    38  QIBM_QSY_CHG_PROFILE
    39  QIBM_QSY_CRT_PROFILE
    40  QIBM_QSY_DLT_PROFILE
    41  QIBM_QSY_DLT_PROFILE
    42  QIBM_QSY_RST_PROFILE
    43  QIBM_QZSO_SIGNONSRV
    44  QIBM_QWC_PWRDWNSYS
    45  QIBM_QTOD_DHCP_ABND
    46  QIBM_QTOD_DHCP_ARLS
    47  QIBM_QTOD_DHCP_REQ
    48  QRMTSIGN
    49  QPWDVLDPGM
    50  QIBM_QP0L_SCAN_OPEN
    51  QIBM_QP0L_SCAN_CLOSE
    52  QINACTITV
    53  QINACTMSGQ
186. ...tain that the Public rule contains sufficient permissions to allow access to objects by ordinary users.
Parameter or Option / Description:
    File System: Shows the IFS file system to which this rule applies.
    Directory/File: Shows the file name(s) and directory path(s) included in this rule.
    User / User Group: Enter the user profile, or press F4 to select a user profile from the list.
    Read (Y): Users may read the specified file.
    Write (Y): Users may write, edit or update the specified file.
    Delete (Y): Users may delete the specified file.
    Rename (Y): Users may rename the specified file.
    Other (Y): Users may perform other actions on the specified file.
Press Enter to return to the Work with IFS Object Security screen.
Chapter: Object Security
Chapter 7: Logon Security
Logon security rules define logon attributes for specific combinations of IP addresses or SNA names and user profiles. In addition, logon security rules can control what a user is permitted to do subsequent to logon. For example:
    - Modify a logon request by automatically assigning an alternate user profile having different, presumably more restrictive, permissions and authorities.
    - Assign different initial menus, current libraries and initial auto-run programs than those specified in the user profile.
    - Telnet only: Rename Telnet terminal names (and thereby the system job name) in order to facilitate easy t...
187. ...te a Distribution Package. The Export iSecurity Part 1 Defns (EXPS1DFN) screen appears.
Screen: Export iSecurity Part 1 Defns (EXPS1DFN)
    Type choices, press Enter.
    Target library . . . . . . *SYSNAM      Character value
    Firewall options . . . . . *REPLACE     *ADD, *REPLACE, *BYSUBJECT
    Screen options . . . . . . *REPLACE     *ADD, *REPLACE, *BYSUBJECT
    General options . . . . . *REPLACE     *ADD, *REPLACE, *BYSUBJECT
    Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display  F24=More keys
5. To restore a distribution package of the definitions created (import), select option 22. Restore a Distribution Package. The Import iSecurity Part 1 Defns (IMPS1DFN) screen appears.
Chapter: Configuration and Maintenance
Screen: Import iSecurity Part 1 Defns (IMPS1DFN)
    Type choices, press Enter.
    From library . . . . . . .
    Keep backup in library . . S1BACKUP     Name
    Firewall options . . . . . *REPLACE     *ADD, *REPLACE, *BYSUBJECT
    Screen options . . . . . . *REPLACE     *ADD, *REPLACE, *BYSUBJECT
    General options . . . . . *REPLACE     *ADD, *REPLACE, *BYSUBJECT
    Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display  F24=More keys
Chapter: Configuration and Maintenance
Appendix: List of Firewall Exit Points
iSecurity for System i protects all the security-related exit points. To display all the exit points, use the command W...
188. ...tenance
For example, for PRINT1 in the above screen, the following command would send output to the output queue MYOUTQ on a remote system with the IP address 1.1.1.100:
    CHGOUTQ OUTQ(CONTROL/SMZTMPA) RMTSYS(*INTNETADR) RMTPRTQ(MYOUTQ) AUTOSTRWTR(1) CNNTYPE(*IP) TRANSFORM(*NO) INTNETADR('1.1.1.100')
Uninstall
Choose 91. Uninstall Product from the Maintenance Menu and follow the directions on the screen.
Screen: Uninstall SECURITY1P
    You are about to uninstall this product. All program files, data and definitions will be deleted. You are advised to print this screen for further reference.
    Before proceeding, ensure that:
      o The product has been entirely de-activated.
      o An IPL was done.
      o No user or batch job is working, or intends to work, with this product.
    To run the uninstall procedure you should do the following:
      o Exit from the current session.
      o Open a new session using QSECOFR or an equivalent user profile.
      o Enter CALL SMZ8/GRRMVPRD
    Once the uninstall is completed, enter DLTLIB SMZ8.
    Backups of previous releases might exist under the name QGPL/P SMZx.
    To confirm proper uninstall, use DSPUSRPRF SECURITY1P TYPE(*OBJOWN).
    F3=Exit
Chapter: Configuration and Maintenance
iSecurity Central Administration
Option 83. Central Administration allows running reports in 2 differ...
189. ...the Activity Log record for the currently selected audit type only.
Screen: Select Output Fields  *Firewall*  License Management (generic entry type 88-99)
    Type choices, press Enter.
    Seq  Description
         Attribute (Allowed, Rejected, *FYI mode simulation)
         User profile name
         Product Id for license request
         Feature Id for license request
         Function
         Decision level
         Server name
         Name of job
         User of job
         Number of job
    More...
    F5=Display values  F12=Cancel  F21=Select all  F23=Invert selection
Select Output Fields: Option / Description
    F5: Displays field values.
    F21: Selects all options.
    F23: Invert selection. All selected items will be deselected, and all items that are not selected will become selected. NOTE: You may wish to change the sequence numbers after using this command.
    Seq: Enter the sequence in which you wish this field to appear in the query output. Lower numbers appear toward the left and higher numbers appear toward the right.
Chapter: Queries, Reports and Logs
Sort Criteria
You may sort records in your query output according to any combination of fields in the Activity Log record. The lowest sequence number (normally 1.0) represents the primary sort field. The second lowest number (normally 2.0) represents the secondary sort field, and so on. Fields shown in pink are part of the generic header and are common to the Activity Log record...
190. ...thin the previous number of minutes, as specified by the user. Number: Enter the number of minutes. BYTIME: According to the starting and ending time specified below.
Starting Date & Time / Ending Date & Time: Select only the records occurring within the range specified by the start and end date/time combination. Date or Time: Enter the appropriate date or time. CURRENT: Today (current date). YESTERDAY: Previous date. WEEKSTR / PRVWEEKS: Current week / previous week start. MONTHSTR / PRVMONTH: Current month / previous month start. YEARSTR / PRVYEARS: Current year / previous year start. SUN to SAT: Day of week.
Type: Filter records by audit type. All: All types as specified in the query definition. F4: Select the server type from a list.
User or Group: Filter records by a user profile or group name.
System to run for: The system to report information from. CURRENT: the current system. Name: a group of systems as defined in STRAUD 83.1. ALL: all the systems defined in STRAUD 83.1.
Job Name / User: Filter records by OS/400 job name.
Job Name / Number: Filter records by OS/400 job number.
Chapter: Queries, Reports and Logs
Parameter or Option / Description:
Number of Records to Process: Maximum number of records to process. NOMAX: No maximum.
Default Output: Display, Prin...
191. ...thorities: Filter according to one or more special authority types. User class: Filter according to one or more user class types.
Chapter: User Security
Chapter 6: Object Security
Object security controls access to objects originating from specific external sources, such as FTP, ODBC, etc. The user can specify the operations an external user is allowed to perform on these objects. Rules may be defined for the following object types: files, libraries, data queues, printer files, programs, commands and IFS objects. Firewall can restrict a user's ability to perform specific actions (such as read, write, create, delete, rename and run) on protected objects.
Firewall offers an efficient system in which the user needs to create only a small number of general rules restricting the use of commands for all or most users, and then creates a few exceptions to these rules. This feature is discussed later on in its own section.
Procedural Overview
The basic procedure for defining any of the object security rules is similar. The following sections provide details and explanations regarding the specific parameters and definitions for each type of logon security rule.
1. Select 21 from the main menu. The Native AS/400 Object Security menu appears.
2. Choose the object type from the Native AS/400 Object Security menu.
192. ...tion. A report can be run manually at any time.
Chapter: Queries, Reports and Logs
To run a report manually:
1. Select 52 from the Log, Reports, Queries menu. The Run Report Group screen appears.
2. Set parameters according to the following table.
Screen: Run Report Group (RUNRPTGRP)
    Type choices, press Enter.
    Report group . . . . . . . .              Name
    Job description . . . . . . QBATCH        Name
      Library . . . . . . . . . *PRODUCT      Name, *PRODUCT
    Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display  F24=More keys
Run Report Group: Parameters / Description
    Report Group: Enter the report group name.
    Job Description: Your batch job subsystem, normally QBATCH.
    Library: Name: Library name. *PRODUCT: SMZ4 or the default product library. *LIBL: Current library list. *CURLIB: Current library.
Chapter 9: Advanced Security Features
The Work with Advanced Security screen enables the user to configure powerful security settings. To access these settings, select 42. Advanced Security Features from the Firewall main menu. The Work with Advanced Security screen appears.
Screen: GSSPMNU  Work with Advanced Security
    Select one of the following:
    DDM/DRDA Security                         License Management Security
     1. Pre-check user replacement            41. License Management
     5. DRDA post-check user replacement      45. D...
193. ...ty data to be examined by the wizard.
6. Select Work with Rule Wizard to display the Plan Security screen for the appropriate wizard. Use this screen to compare historical activity with the security rule currently in force, and to revise this rule if appropriate.
7. Select Update Security Rules to apply the rule changes.
The example in the following procedure is taken from the Servers wizard, but it is applicable to the other wizards as well.
Analyzing Historical Activity
The Rule Wizard enables the user to review the Activity Log as a first step in the process of analyzing activity. The Activity Log allows users to view details of historical activity. This step is optional and may be performed at any time during the wizard process.
To display the Activity Log, follow this procedure:
1. Select option 1. Servers from the wizards menu. The Display User Activity screen appears.
Chapter: First Steps
Screen: Display User Activity (DSPFWUSRA)
    Type choices, press Enter.
    Display last minutes . . . . *BYTIME      Number, *BYTIME
    Starting date and time:
      Starting date . . . . . . *CURRENT     Date, *CURRENT, *YESTERDAY
      Starting time . . . . . . 000000       Time
    Ending date and time:
      Ending date . . . . . . . *CURRENT     Date, *CURRENT, *YESTERDAY
      Ending time . . . . . . . 235959       Time
    Server ID . . . . . . . . .              *FILTFR, *FTPLOG, *FTPSRV, ...
    Output . . . . . . . . . . *             *, *PRINT, ..., *PRINT9
    Bottom
    F3=Exit  F4=Prompt  F5=Refresh  F12=Cancel  F13=How to use this display  F...
194. ...types, while others will cover very specific situations.
The user can enable the FYI Simulation Mode globally for all activity, regardless of server or user. The user can also enable FYI individually for specific function servers, as a parameter in the server security rules. In this manner, security rules can be tested for specific servers without affecting rules that apply to other servers.
FYI Simulation Mode
FYI Simulation Mode allows the user to simulate the application of security rules without physically rejecting any activity. All rejected transactions are recorded in the Activity Log as such, but the activity is allowed to proceed without interruption. This feature allows you to test your rules under actual working conditions without adversely affecting user access. The FYI Simulation Mode may be enabled globally for all activity, or enabled for individual function servers. In this manner, one can test security rules for specific servers without affecting rules that apply to other servers.
Emergency Override
The Emergency Override feature allows the user to temporarily override all existing security rules by allowing or rejecting all activity. This feature is useful for responding quickly to emergencies, such as critical transactions being rejected due to problems with Firewall security rules, or a sudden security breach.
Rule Wizards
The unique Rule Wizards feature makes security rule definition a snap, even for non-technical system ad...
195. ...utomatically appears, allowing you to add and work with server types.
NOTE: In multiple server type queries you can only display the fields that are common to all server types. You must use a single server type query to display the fields which are specific to a particular server type.
3. Press Enter from the Modify Query screen to add a server type, or select an existing filter type to modify. You may add the same server type more than once with different record selection criteria. The Filter Conditions screen appears immediately afterwards. You may include multiple filter conditions in your definition. Each filter condition consists of a comparison test applied to one of the fields in the Activity Log record. Define the filter criteria and press Enter.
NOTE: Filter conditions are optional. If no filter conditions are defined, your query will include all events for the specified audit type or types.
Chapter: Queries, Reports and Logs
Screen: Filter Conditions
    Server . . . *SQL  Database Server SQL access       Sequence 1.0
    Type conditions, press Enter. Specify OR to start each new group.
    Tests: EQ NE LE GE LT GT LIST NLIST LIKE NLIKE ITEM NITEM START
    For LIKE/NLIKE, use the wildcard character as any string.
    And/Or  Field                          Test   Value
            Date & Time (yyyy-mm-dd hh:mm)
            Time (hh:mm:ss)                LT     20:30:00
            Name of job
            User of job
            Number of job
            User profile name              EQ     JOHN
            System...
196. ...vious section.
2. Select 9 from the Native AS/400 Object Security menu. The following screen appears.
3. This screen lists all the rules currently in effect. Type 1 to work with an existing rule, or press F6 to create a new rule.
Screen: Work with Command Exceptions
    Type options, press Enter.   1=Select  3=Copy  4=Delete
    Opt  Command
         ROWR
         RUNFTP
    Bottom
    F3=Exit  F6=Add new  F8=Print  F11=Un/Fold  F12=Cancel
Work with Command Exceptions: Parameter or Option / Description
    Opt 1: Select this rule for modification.
    Opt 3: Copy this rule for another user.
    Opt 4: Delete this rule.
4. Press Enter to return to the Native OS/400 Object Security menu.
Chapter: Object Security
Modify Command Exception
Screen: Modify Command Exception
    Command . . . . TEST
    Define user authority, press Enter.   Y=Yes
    User/Group/User*      Cmd   REXEC   DDM
    *PUBLIC
    SPCLAUTH              Y
    RUNFTP
    F3=Exit  F4=Prompt  F8=Print  F12=Cancel
Define permissions for one user profile, profile group or Firewall user group on each line. Use the PageUp and PageDown keys to scroll through a long list. For each activity type: Y = activity allowed, blank = activity rejected. Public is the default rule for all users not explicitly covered by an object security rule. You should always make certain that the Public rule contains sufficient permissions to allow access to objects by ordinary users.
Parameter or Optio...
197. ...without first terminating Firewall. When Enable Super Speed Processing is set to Y, this may leave programs in memory between system IPLs. Therefore a Hot Upgrade should not be attempted if Hot Upgrade is Safe is set to N.
8. Press Enter twice to return to the main menu.
Enabling Protection for all Servers
In order to gather activity data for subsequent analysis, users should enable protection for all servers (if only temporarily) and enable logging of all transactions into the Activity Log. To accomplish this, perform the following steps in order:
1. Select 1. Activation and Server Setting from the main menu, and then 1. Work with Servers. The Work with Server Security screen appears.
2. Press F22. The Global Server Security Settings screen appears.
3. Make certain that *ALL appears in the Exit point group field.
4. Type *YES in the Secure field.
5. Type *YES in the Log field.
6. Press Enter twice to return to the main menu.
7. Make absolutely certain that the FYI Simulation Mode is enabled, as described above.
Chapter: First Steps
Screen: Global Server Security Settings
    Type choices, press Enter.
    Exit point group . . . . . . .
    Secure . . . . . . . . . . . .
    Check Filter IP/SNA . . . . . .
    Log . . . . . . . . . . . . . .
    Allow Action to react . . . . .
    *FYI mode (server level) . . . .
    Skip Other exit points . . . . .
    Values shown on the screen: *ALL, *YES, *MAX, *NO, *YES, *YES, *NO, *YES
    F3=Exit  F12=Cancel
An Other exit point is one which...
198. www.razlee.com
Record your Product Authorization Code here: Computer Model ________  Serial Number ________  Authorization Code ________
About This Manual
Who Should Read This Book
This user guide is intended for system administrators and security administrators responsible for the implementation and management of security on System i. However, any user with basic knowledge of System i operations will be able to make full use of this product after reading this book.
Product Documentation Overview
Raz-Lee takes customer satisfaction seriously. Our products are designed for ease of use by personnel at all skill levels, especially those with minimal System i experience. The documentation package includes a variety of materials to familiarize the user with Firewall quickly and effectively.
Printed Materials
This user guide is the only printed documentation necessary for understanding Firewall. It is available in user-friendly PDF format and may be displayed or printed using Adobe Acrobat Reader version 4.0 or higher. Acrobat Reader is included on the product CD-ROM. Firewall includes a single user guide that covers the following topics: Introduction; Installation; Start-up and Initial Configuration; Using Firewall. This manual contains concise explanations of the various product features, as well as step-by-step instructions for using and configuring the product.
Online Help
199. ...y activity.
Allow Action to React: Allow Action to respond automatically to specific events by sending messages to key personnel or running proactive command scripts to prevent security breaches. YES: Allow Action to respond for this server only. REJECTS: Allow Action to respond for rejected transactions only. NO: Do not allow Action to respond for this server only.
Skip other exit points: An Other exit point is one to which an unidentified program is already assigned. Such an entry is denoted by the word OTHER in the SECURED column. YES: Skip. NO: Do not skip.
NOTE: iSecurity Firewall and other Network Security products can work in parallel. For more information, please contact Support.
Chapter: Basic Security
FYI Simulation Mode: Global Setting
The FYI Simulation Mode may be enabled or disabled globally for all activity, or enabled for individual function servers. In this manner, users can test security rules for specific servers without affecting rules that apply to other servers. In addition, administrators can selectively activate FYI mode for individual function servers.
To change the global setting for the FYI Simulation Mode:
1. Press F23 from the Work with Server Security screen. The Firewall FYI Parameter pop-up window appears.
2. Type Y to enable FYI globally, or type N to disable FYI. Press Enter t...
200. ...y the Activity Log for each server directly from this screen.
2. Set rules according to the following table. To modify a rule, select 1.
3. Press Enter to confirm and return to the Work with Server Security screen.
Screen: Work with Server Security
    Type options, press Enter.   1=Select  5=About Server  6=Display FW Log
    Opt  Server                                 Short   Secure  Level  User/IP  Log  FYI  Act  Exit Pgm
         Original File Transfer Function        FILTFR  No
         FTP Server Logon                       FTPLOG  No
         FTP Server Incoming Rqst Validation    FTPSRV  No
         FTP Client Outgoing Rqst Validation    FTPCLN  No
         TFTP Server Request Validation         TFTP    No
         REXEC Server Logon                     REXLOG  No
         REXEC Server Request Validation        REXEC   No
         Original Remote SQL Server             RMTSQL  No
         Database Server SQL access & Showcase  SQL     No
         Database Server data base access       NDB     No
    More...
    Changing the Secure parameter requires restarting the Host Server or an IPL. Modify data, or press Enter to confirm.
    F3=Exit  F8=Print  F9=Object security  F10=Logon security  F11=User security  F12=Cancel  F22=Global setting  F23=FYI  F24=Emergency
NOTE: In some cases a restart of QSERVER is required for FULL implementation. This can be delayed until the next IPL. When QSERVER is restarted, NETSERVER will be restarted automatically if it was active.
Chapter: Basic Security
Option / Description:
    Opt 1: Select a rule for modification. The Modify Se...