Firewall End-to-End Network Access Protection for System i.
Overview
Firewall
A solution which secures every type of access to and from System i, within & outside the organization
Market Need
Hacking
• Open TCP/IP environment has increased System i risks
• Many remote activities are now easy: initiating commands, installing programs, changing data, moving files
• Limited ability to log/block unauthorized access
Internal Fraud
• FBI Study: the most significant threat to an organization's information systems comes from inside
• Control and follow-up on user access - a necessity
Firewall Features
• Airtight protection from both internal and external threats
• Covers more exit points than any other product
• Protection from user level to object level
• Protects both incoming and outgoing IP addresses
• Unique layered architecture - easy to use and maintain
• Excellent performance - especially in large environments
• User-friendly wizards streamline rule definitions
• Historical data statistics enable effective rule definition
• Best-Fit feature formulates a rule to suit each security event
• Detailed log of all access and actions
• Simulation Mode tests existing Firewall rules and enables defining rules based on the simulation
• Reports in various formats: e-mail, print-out, HTML/PDF/CSV
Firewall Scenario
Monday, Midnight
“OK, I’m bored…Let’s do some quick hacking…”
Rob Black, Hacker
5 Minutes Later
“Got it! I’m inside IronTrust Bank systems. I really need a new sports car…
Let’s extract a few hundred thousand...”
Tuesday, Midnight
“OK, now let’s try SMART Insurance… this should take about 5 minutes!”
Rob Black, Hacker
One Minute Later
Glenda Wright, Information Security Manager, SMART Insurance
“Our Firewall just blocked a break-in attempt. I’ll have the identity, time and IP address in a minute.”
5 Hours Later
“Hey, what are all those security layers? And all these protected exit points…I can’t get through… there goes my new car!”
Rob Black, Hacker
Firewall Info
Firewall Gateways
[Diagram: an i5 server with two kinds of gateways. Other products’ gateways filter on IP address only; iSecurity Firewall gateways filter on IP address, user, verb, file, library and commands.]
Firewall Adds Another Security Layer
• Native IBM System i security – suitable for stand-alone systems
• External access bypasses IBM security
• System i is vulnerable in network environments
[Diagram: before Firewall, FTP, Internet, network PC, Telnet and ODBC access reaches System i protected only by native IBM System i security; with Firewall, that access passes through Firewall before it reaches native IBM System i security.]
Firewall - Layered Security Design
[Diagram: the security layers, outermost first]
• Exit Point Security
• IP/SNA Firewall: IP / SNA name to service, subnet mask support
• User-to-Service/Verb/IP/Device/Application: user, group, supplemental and internal groups, generic names; Firewall user groups and IBM group profiles
• User-to-Object: management rights and data rights
Level of control: Reject / Allow, FYI Simulation Mode, Emergency Override
Remote Logon
• FTP: Authorities based on IP & user
• Telnet: Terminal based on IP, automatic signon
• Internet (WSG): User to IP address
• Passthrough: User to system name (SNA)
Firewall - Layered Security Design (2)
[Diagram: Exit Point Control wrapped around the Standard Firewall, with its User/Verb and Object layers]
• FTP: Authorities based on IP & user, home directory, CCSID, encryption…
• Telnet: Terminal based on IP, SSL, automatic signon, naming…
• Internet (WSG): User to IP address…
• Passthrough: User* to system (SNA), replace user…
3 Ways to Steal Your Data
• Client Access File Transfer
• Network Neighborhood
• Drag & Drop
Firewall GUI
GUI Example
User Management
Generate Firewall Query
Edit a Firewall Query
Results: historical log entries and current FW definitions
Firewall Suggests an Appropriate New Rule based on Log Entry
From Log: Get an Appropriate Rule Definition
From Log: Create Real-Time Detection Rule
From Log: “Create Detection rule” Populates the Filter with Data from Request
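As an added illustration of the layered design shown earlier (IP/SNA, then user/verb, then object, with Reject/Allow, FYI Simulation Mode and Emergency Override) and of the "create a rule from a log entry" feature above, here is a small Python evaluator. It is example code written for this page, not Raz-Lee's product code; the layer order, the per-layer default action, the exact semantics of simulation mode and emergency override, the generic-name matching, and every rule and request value are assumptions made for the example.

```python
"""Layered allow/reject evaluation for System i exit-point requests (illustrative).

Assumed model: layers are checked outermost first; a request is allowed only if
every layer allows it, and the first rejecting layer decides. FYI simulation mode
records the decision without enforcing it; emergency override allows everything
but still logs. None of this is the vendor's implementation.
"""
from dataclasses import dataclass
import ipaddress

LAYERS = ("ip", "user_verb", "object")  # assumed evaluation order, outermost first


@dataclass(frozen=True)
class Request:
    """One exit-point event: who is calling, from where, which service/verb, which object."""
    user: str
    ip: str
    service: str   # FTP, TELNET, ODBC ...
    verb: str      # GET, PUT, SELECT ...
    library: str
    obj: str


@dataclass(frozen=True)
class Rule:
    layer: str                  # which layer this rule belongs to
    action: str                 # "ALLOW" or "REJECT"
    user: str = "*"             # generic names: "*" matches all, "PAY*" matches a prefix
    network: str = "0.0.0.0/0"  # CIDR, so subnet masks are supported
    service: str = "*"
    verb: str = "*"
    library: str = "*"
    obj: str = "*"


def generic_match(pattern, value):
    """Generic-name matching: '*' matches anything, a trailing '*' is a prefix match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.upper().startswith(pattern[:-1].upper())
    return pattern.upper() == value.upper()


def rule_matches(rule, req):
    """True when every field of the rule covers the corresponding request field."""
    return (generic_match(rule.user, req.user)
            and ipaddress.ip_address(req.ip) in ipaddress.ip_network(rule.network, strict=False)
            and generic_match(rule.service, req.service)
            and generic_match(rule.verb, req.verb)
            and generic_match(rule.library, req.library)
            and generic_match(rule.obj, req.obj))


class Firewall:
    def __init__(self, rules, simulation=False, emergency_override=False, default="REJECT"):
        self.rules = list(rules)                      # first matching rule in a layer wins
        self.simulation = simulation                  # FYI mode: log, do not block
        self.emergency_override = emergency_override  # allow everything, still log
        self.default = default                        # used when no rule in a layer matches
        self.log = []

    def evaluate(self, req):
        """Return the enforced action and append a log entry with the per-layer decision."""
        decision, deciding_layer, matched = "ALLOW", None, None
        for layer in LAYERS:
            hit = next((r for r in self.rules if r.layer == layer and rule_matches(r, req)), None)
            action = hit.action if hit else self.default
            if action == "REJECT":
                decision, deciding_layer, matched = "REJECT", layer, hit
                break  # first rejecting layer decides; unmatched layers fail closed
        enforced = "ALLOW" if (self.simulation or self.emergency_override) else decision
        mode = "SIMULATION" if self.simulation else ("OVERRIDE" if self.emergency_override else "ENFORCE")
        self.log.append({"request": req, "decision": decision, "layer": deciding_layer,
                         "rule": matched, "enforced": enforced, "mode": mode})
        return enforced


def suggest_rule(entry, action):
    """Best-fit rule from a log entry: every filter field is populated from the logged
    request, at the layer that produced the decision (object layer if nothing rejected)."""
    req = entry["request"]
    return Rule(layer=entry["layer"] or "object", action=action, user=req.user,
                network=f"{req.ip}/32", service=req.service, verb=req.verb,
                library=req.library, obj=req.obj)


if __name__ == "__main__":
    # Constructed sample policy and requests (not taken from any real system).
    rules = [
        Rule("ip", "ALLOW", network="10.1.0.0/16"),                    # office subnet only
        Rule("user_verb", "ALLOW", user="ACC*", service="FTP", verb="GET"),
        Rule("object", "REJECT", library="PAYROLL"),                   # payroll never leaves via FTP
        Rule("object", "ALLOW"),
    ]
    fw = Firewall(rules)
    for r in (Request("ACCT01", "10.1.2.3", "FTP", "GET", "SALES", "ORDERS"),
              Request("ACCT01", "10.1.2.3", "FTP", "GET", "PAYROLL", "SALARY"),
              Request("ACCT01", "203.0.113.9", "FTP", "GET", "SALES", "ORDERS")):
        print(r.user, r.ip, r.library, r.obj, "->", fw.evaluate(r))
    print("suggested:", suggest_rule(fw.log[1], "REJECT"))
```

Running the block prints one line per constructed request and then the rule that the log entry for the payroll request would populate. Switching `Firewall(rules, simulation=True)` keeps the same log decisions but enforces ALLOW, which is what lets an administrator test a rule set against live traffic before turning it on.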
Visualizer for Firewall
• Tool for presenting at-a-glance graphic views of log data from Firewall
• Immediate response to queries for any database size
• Analyzes network access activity (Firewall) and system journal events (Audit) to pinpoint breaches and trends
How Visualizer obtains Firewall & Audit Data
[Diagram: a night maintenance job reads the daily log files of Firewall and Audit and builds the Firewall statistics file and the Audit statistics file that Visualizer queries.]
Visualizer – Analysis of Firewall Log
Example: Select Object…
Or: Select the Server
And continue investigating, filtering by directory and down to the SQL verb level!
Please visit us at www.razlee.com
Thank You!