EditWYSIWYGAttach PDF Raw View►More Actions▼More Actions


Restore topic to revision: You will be able to review the topic before saving it to a new revision

Copy text and form data to a new topic (no attachments will be copied though).
Name of copy:
You will be able to review the copied topic before saving

Rename/move topic... scans links in all public webs (recommended)
Rename/move topic... scans links in CBI_ComputerSecurity web only
Delete topic... scans links in all public webs (recommended)
Delete topic... scans links in CBI_ComputerSecurity web only

Revision Date Username Comment
1718 Dec 2014 - 17:09ThomasMisa 
1618 Dec 2014 - 13:17ThomasMisa 
1518 Dec 2014 - 13:08ThomasMisa 
1418 Dec 2014 - 13:08ThomasMisa 
1318 Dec 2014 - 13:06ThomasMisaAttached file IBM_AS-400-family2.jpg 
1218 Dec 2014 - 12:33ThomasMisa 
1118 Dec 2014 - 12:28ThomasMisa(minor)  
1018 Dec 2014 - 11:12ThomasMisa 
912 Nov 2014 - 15:18ThomasMisa 
803 Oct 2013 - 15:39norqu036? 
earlier first

Render style:     Context:


 History: r17 | r15 < r14 < r13 < r12
[X] Hide this message.
Notice: On June 30, 2016, UMWiki service will be decommissioned. If you have information in UMWIki that needs to be preserved, you should make plans to move it before that date. Google Sites is anticipated to be the most popular and appropriate alternative for users because it offers a more modern and user-friendly interface and unlimited capacity. To learn more about the features of Google Sites and other alternatives, and to identify which one best fits your needs, see the University’s Website Solution Selection Guide. If you have concerns or would like help regarding this change and your options, please contact Technology Help at help@umn.edu
You are here: UMWiki>CBI_ComputerSecurity Web>Systems>SystemsAS400 (revision 13)

Current Activitieslock Who is Who?lock People Programs Publications CSHW_2014 Systems Events Mechanisms

AS/400

 

The Application System/400 (AS/400) was a "mid-range" family of IBM computers meant for small and intermediate-sized companies.(1) Introduced in 1988, the AS/400 replaced the System/38, while featuring compatibility with IBM's successful System/36 line of minicomputers.(2)(3)

Developed internally at IBM, the AS/400 originally included six processor models, and doubled the performance of the System/38 line it replaced.(4) In 1995 the AS/400 line moved from a custom, 48-bit IBM CISC CPU architecture, to a 64-bit POWER-based RISC CPU, which increased the address space. With more than 1,000 software packages released upon its launch, the AS/400 became a popular business system. "During 1998, IBM (delivered) an AS/400 to a customer every 12 minutes of every workday."(5)(6)(7) In 2000, the AS/400 was renamed as the iSeries, which remains in production with around 400,000 installations.(8)

The AS/400 originally shipped with three levels of security -- levels 10, 20, and 30 -- with level 10 providing no security, 20 requiring users to sign-on with a password, and level 30 giving differential levels of access, depending upon the user's permission level for accessing resources. Level 30 was the minimum level of security IBM recommended for users. IBM subsequently added levels 40 and 50, with level 40 restricting the range of instructions users and programs were allowed to use, depending upon the class-level of the user and program. Level 50, announced with OS/400 V2R3, added additional features to meet the NSA C2 certification standard, including "discretionary," need-to-know protection for system resources.(9)

A 2008 article from ISACA outlined several security features of the AS/400 and System i. One security strength of the i5/OS at the time was its object-based architecture, which made it "extremely resistant" to viruses. The i5/OS identified "programs" that were valid to be executed and distinguished these from "files" which were not valid. A number of security weaknesses -- routinely observed during in-field security audits -- could be traced to inattentive or sloppy practices by systems administrators. In a typical system installation, for instance, fully ten percent of users were granted the most powerful of eight special security authorities, giving each of these users root- or administrator-level access to the system. The most-common password setting permitted a maximum password length of just 10 upper case letters. The security levels noted above (10-50) frequently allowed the use of the low-level 30, with "numerous known exploits." Even several valuable features had worrisome security implications. Built in to the i5/OS operating system was a powerful database, which facilitated the system's wide use in such fields as banking, retail, and health care. But the consequence was that "every user who has a valid user ID and password . . . can access the database system." For instance, typically "every (bank) teller can read and modify every account" while in retail establishments each and every valid user "can read and use credit card numbers" stored in the database. The introduction of built-in TCP/IP networking support, with factory settings "ready to talk with the outside world," had vast security implications. Remote users could log in and use such software applications as FTP (File Transfer Protocol) or ODBC (Microsoft Excel Open Database Connectivity) to view and access essentially all data. (A hold-over from the earlier required use of "dumb terminals" meant that, with TCP/IP software, common users could easily "wonder around" the system and even change the 'permissions' of files.) (10)

  • AS 400 family:
    IBM_AS-400-family2.jpg

Notes

1 , 7 , 8 : external http://www-03.ibm.com/ibm/history/exhibits/rochester/rochester_4010.html

2 : lock B. J. Pine, II, "Design, Test, and Validation of the Application System/400 Through Early User Involvement," IBM Systems Journal 28, no. 3 (1989), 376-377. (Login required)

3 : lock William Berg, Marshall Cline, and Mike Girou, "Lessons Learned from the OS/400 OO Project," Communications of the ACM 38, no. 10 (October 1995), 54-55. (Login required)

4 , 6 : lock as400.pdf, p. 1. - IBM AS/400 PDF (Login required)

5 : lock Arthur Norberg and Jeffrey R. Yost, IBM Rochester: Half Century of Innovation (IBM, 2006), 37-39. (Login required)

9 : Frank G. Soltis, "Chapter 17 - Security in a Web World". Fortress Rochester: The Inside Story of the IBM iSeries. (Loveland, CO: NEWS/400 Books, 2001) (ebook available http://www.books24x7.com/marc.asp?bookid=5707 )

10 : John Earl, "Auditing IBM AS/400 and System i," ISACA Journal Online (2008)


Topic attachments
I Attachment Action Size Date WhoSorted ascending Comment
jpgjpg IBM_AS-400-family2.jpg manage 24.7 K 18 Dec 2014 - 13:06 ThomasMisa AS 400 family
Edit | WYSIWYG | Attach |  PDF |  History: r17 | r15 < r14 < r13 < r12 |  Backlinks |  Raw View | More topic actions...
Topic revision: r13 - 18 Dec 2014 - 13:06:06 - ThomasMisa
 
Signed in as lewi0740 (NicLewis) | Sign out
UMWiki UMWiki
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding UMWiki? Send feedback