IBM AS/400 (iSeries)

 

The Application System/400 (AS/400) was a "mid-range" family of IBM computers meant for small and intermediate-sized companies.(1) Introduced in 1988, the AS/400 replaced the System/38, while featuring compatibility with IBM's successful System/36 line of minicomputers.(2)(3)

Developed internally at IBM, the AS/400 originally included six processor models, and doubled the performance of the System/38 line it replaced.(4) In 1995 the AS/400 line moved from a custom 48-bit IBM CISC CPU architecture to a 64-bit POWER-based RISC CPU, which increased the address space. With more than 1,000 software packages released upon its launch, the AS/400 became a popular business system. "During 1998, IBM (delivered) an AS/400 to a customer every 12 minutes of every workday."(5)(6)(7) In 2000, the AS/400 was renamed the iSeries, which remains in production with around 400,000 installations.(8)

The AS/400 originally shipped with three levels of security -- levels 10, 20, and 30 -- with level 10 providing no security, level 20 requiring users to sign on with a password, and level 30 giving differential levels of access depending upon the user's permission level. Level 30 was the minimum level of security IBM initially recommended for users. IBM subsequently added levels 40 and 50, with level 40 restricting the range of instructions that users and programs were allowed to access, depending upon the class-level of the user and program. Level 50, announced with OS/400 V2R3, added features to meet the NSA C2 certification standard, including "discretionary," need-to-know protection for system resources.(9)

A 2008 article from ISACA described several security features of the AS/400 and iSystem as well as some security problems. One security strength of the i5/OS at the time was its object-based architecture, which made it "extremely resistant" to viruses. The i5/OS identified "programs" that were valid to be executed and distinguished these from "files" which were not valid. A number of security weaknesses -- observed during in-field security audits -- could be traced to inattentive or sloppy practices by systems administrators. In a typical system installation, for instance, fully ten percent of users were granted the most powerful of eight special security authorities, giving each of these users root- or administrator-level access to the system. The most-common password setting permitted a maximum password length of just 10 upper case letters. The security levels noted above (10-50) frequently allowed the use of the low-level 30, with "numerous known exploits."(10)

Several valuable features created worrisome security implications. Built into the i5/OS operating system was a powerful database, which facilitated the system's wide use in such fields as banking, retail, and health care. (There were 16,000 installations in the banking industry alone.) But the consequence was that "every user who has a valid user ID and password . . . can access the database system." For instance, typically "every (bank) teller can read and modify every account" while in retail establishments each and every valid user "can read and use credit card numbers" stored in the database. The introduction of built-in TCP/IP networking support, with factory settings "ready to talk with the outside world," had vast security implications. Remote users could log in and use such software applications as FTP (File Transfer Protocol) or ODBC (Microsoft Excel Open Database Connectivity) to view and access essentially all data. The earlier era of these systems presumed that all users logged in through heavily restricted "dumb terminals." Such terminals, with deliberately limited keystroke inputs, permitted access only to specifically identified data -- effectively preventing any user from "wandering about the system and peering into places they should not be." These default settings were retained even with the shift to logging in through more flexible TCP/IP software, and so common users could now easily "wander about" the system and even change the 'permissions' of files, a major security breach.(11)

Notes

1, 7, 8: http://www-03.ibm.com/ibm/history/exhibits/rochester/rochester_4010.html

2: B. J. Pine, II, "Design, Test, and Validation of the Application System/400 Through Early User Involvement," IBM Systems Journal 28, no. 3 (1989), 376-377. (Login required)

3: William Berg, Marshall Cline, and Mike Girou, "Lessons Learned from the OS/400 OO Project," Communications of the ACM 38, no. 10 (October 1995), 54-55. (Login required)

4, 6: as400.pdf, p. 1. - IBM AS/400 PDF (Login required)

5: Arthur Norberg and Jeffrey R. Yost, IBM Rochester: Half Century of Innovation (IBM, 2006), 37-39. (Login required)

9: Frank G. Soltis, "Chapter 17 - Security in a Web World," Fortress Rochester: The Inside Story of the IBM iSeries (Loveland, CO: NEWS/400 Books, 2001). (ebook available at http://www.books24x7.com/marc.asp?bookid=5707)

10, 11: John Earl, "Auditing IBM AS/400 and System i," ISACA Journal Online (2008).


Topic revision: r17 - 18 Dec 2014 - 17:09:50 - ThomasMisa
 