Channel: HelpSystems - Technical Alerts

Cracking the Problem of Endpoint Security


Endpoint security has been a hot topic in the technology and corporate sectors for a few years. Especially with the emergence of bring-your-own-device practices, it has become even more critical to put safeguards in place to ensure the security of sensitive information.

Many challenges can creep up when it comes to endpoint security, including those connected with malware, untrained employees, and not having the proper protection measures in place. That’s why our security experts recently crafted a new browser interface for Network Security, which can bolster an organization's endpoint security capabilities. Before we take a look at the new features, let's examine the current state of endpoint security in global businesses.

What is Endpoint Security?

Endpoint security is a network protection strategy that deploys certain standards to grant access to computing devices. Although some believe endpoint security is solely about the safeguards in place on the devices themselves, this is not the case.

According to TechTarget contributor Margaret Rouse, endpoint security techniques hinge on the use of a client/server system that centrally manages all access requests from the devices employees use, including PCs, smartphones, tablets, and laptops.

"When a client attempts to log onto the network, the server program validates user credentials and scans the device to make sure that it complies with defined corporate security policies before allowing access to the network," Rouse wrote.

These standards can include a range of specifications agreed upon by company decision makers, and will likely vary from business to business. However, endpoint security requirements often include checking for an approved operating system as well as the presence of updated virtual private network systems and anti-virus software. The main goal of endpoint security is to ensure that anyone attempting to access the network from a noncompliant device is unable to do so. This approach can combat cybercriminal attacks and infiltrations from other malicious groups or individuals.

Common Endpoint Security Techniques

Organizations can leverage a number of techniques and technologies as part of their endpoint security, including personal firewalls, individual credentials or two-factor authentication, and device- and network-level anti-virus software. As the threats to endpoint security continue to rise, businesses are bolstering their data protection with other intrusion detection strategies, Rouse noted. These can include the use of behavior-blocking and monitoring components that examine devices for actions typically carried out by rootkits to pinpoint an infection. However, the backbone of these processes is the central server that controls access to the network and the sensitive content present there.

"To allow access to the network, the server recognizes the device and lets it continue, therefore only recognized devices can access the server," noted Wikibon contributor Emma Brown.

The overarching goal of any endpoint security strategy is to keep a watchful eye on network activities, ensuring that devices that don't comply with the company's security requirements cannot gain access to its sensitive data.

Challenges to Endpoint Security: A Need for Increased Focus

Research has shown that a main challenge to the adoption of proper endpoint security in the corporate sector is the view that software is a cure-all solution. However, Network World contributor Jon Oltsik noted that while the endpoint security platform itself forms the foundation, the company must be willing to make organizational changes to support the technology as well.

Oltsik noted that within the past few years, endpoint security has become a "set it and forget it" system for many companies. Furthermore, research by Enterprise Strategy Group revealed that more than half—52 percent—of enterprises only have software in place in order to comply with regulatory requirements. However, in order to ensure proper protection—especially as the threat landscape continues to shift—company administrators and IT teams must boost their focus and the importance placed on endpoint security strategies.

"CISOs must take ownership of endpoint security and designate a group of specialists who own endpoint security controls as part of an overall responsibility for incident prevention, detection, and response," Oltsik wrote.

Challenges: Security Risks Rise, Budgets Remain the Same

Network Computing supported Oltsik's view that an increased focus on endpoint security is needed in the enterprise sector, noting that while data protection risks are on the rise, companies are not diverting enough resources to properly prevent them.

In fact, a recent Ponemon Institute study found that 71 percent of IT professionals agree that threats to individual mobile devices are now much harder to prevent. At the same time, though, 55 percent of organizations aren't planning to boost their endpoint security budgets to account for the rise in risk. Another 16 percent actually plan to decrease their spending on endpoint security strategies.

"Most organizations make endpoint security a top priority, but budgets lag behind," said Larry Ponemon, Ponemon Institute chairman and president. "It's one thing to say we have a problem, but it's another thing to allocate corporate resources."

According to the Ponemon study, endpoint security threats come in a range of different types, including those related to the use of mobile devices and third-party applications. Respondents also experienced risks with remote workers, personal computers, and employee negligence.

In order to provide the best protection for the company and its sensitive information, decision makers need to provide the required resources to bolster these safeguards. In addition, administrators should also ensure that employees understand their role in the protection approach and its critical importance.

A Better Solution is Needed

Endpoint security challenges demonstrate the need for a better solution to manage the devices attempting to access the network. This is where PowerTech comes in, with our industry-leading Network Security.

Network Security enables company leaders to configure all the necessary network access standards in a streamlined manner, including those related to devices accessing the network remotely. The technology provides an easy and cost-effective way to prevent security breaches through the tracking, monitoring, and access control of corporate data. With its newly updated browser interface, users can leverage advanced filtering and search capabilities, while still connecting with the system's best-in-class dashboard.

Brand: PowerTech. Platform: IBM i (System i, iSeries, AS/400). Solution: Security & Compliance, Data Privacy, Network Access Control. Author: Corporate | Robin Tatam. Resource Topic: Controlling System Access, Strategies for Security. Products: PowerTech | Network Security.

Why Network Security 6.50?


PowerTech Network Security, an exit program solution, was designed to fill a security void that appeared with the release of OS/400 V3R1 in the early 1990s, when IBM incorporated TCP/IP network server functionality into the Power Systems server. An exit program is an application program that is invoked before or after a user's request is performed and provides a function that the original software does not. In the case of network access, an exit program assists the operating system and should perform two critical tasks:

  • Audit the user transaction (the OS has very limited visibility to network activity)

  • Provide Access Control functions to limit backdoor data access and server functionality

Keeping Security Simple

Traditionally, shops relied on legacy controls that consisted of green-screen menus, command-line restrictions, and application-level security. We didn't lose sleep over credit card fraud or disclosure of "personally identifiable" information.

We granted everyone *ALLOBJ special authority or simply left the *PUBLIC authority set at the IBM-supplied default value of *CHANGE. The operating system could secure data at an object level, but most administrators didn't see the need for complicated configurations when we could simply present a menu and limit user activities in a matter of moments.

That dynamic changed forever with the birth of OS/400's TCP/IP services.

Evolving Data Protection Needs

Brand names have changed, but utilizing network services remains simple. Users leverage powerful tools, such as FTP and ODBC, to access data and server functions without the restrictions imposed by legacy controls. While object-level security is enforced by every interface, open public authority and permissive private authority mean this potent security layer remains transparent. Ironically, many of us audit our servers for authority failure (*AUTFAIL) events without considering that we must enact authorization rules before an authority failure can occur!

While IBM is often unfairly blamed for providing backdoors to the database, the reality is that years of cutting corners are catching up with us. IBM provided an impenetrable object-level security infrastructure as well as exit points to register those exit programs to do whatever extra tasks we programmed them to do. In my opinion, there are no backdoors into the database and the only blame IBM deserves is their questionable choice of establishing *CHANGE as the public authority default—something that can easily be altered during server setup.

PowerTech Takes Control

PowerTech recognized the need to audit and control requests originating from the network. Leveraging the IBM-supplied exit points for tight OS integration, PowerTech authored a commercial-grade exit program solution called PowerLock, providing out-of-the-box oversight of those TCP services. Enhanced and rebranded as PowerTech Network Security, it remains the de facto standard others are compared to. While I encourage using object-level security as a foundation, Network Security can vastly improve the threat landscape for those who find retrofitting to be an unrealistic goal. 

Those who claim object-security perfection often realize that IBM i supports only one authority setting for each user/object combination, a far cry from the number of access methodologies available today. Of even greater concern are users who can execute commands through interfaces independently of their profile's "limit capability" restriction (this arguably is a backdoor) as well as the fact that data transfers are not considered auditable events!

Layer Security Solutions for the Greatest Level of Protection

Network Security provides an integrated layer of control that augments IBM security with a rules-based analytics engine, designed specifically to audit and control users accessing the system through network services. Restrictions can be enforced for users, TCP/IP locations, and objects. Real-time notifications can alert administrators of select authorized or unauthorized transactions. Transaction history can be recorded into a tamper-proof repository that satisfies stringent audit mandates, including PCI, or escalated to an external SIEM/Syslog server leveraging the capabilities of PowerTech Interact. Configuration is accomplished using either a proven green-screen interface or a new adaptive, mobile-friendly browser interface. An advanced dashboard is now included to visually monitor transaction volumes for identification of data anomalies, and you can run activity reports through the native report generator or via PowerTech Compliance Monitor.

Few investments can improve the security of this critical business server as dramatically as a robust exit program solution like Network Security. During my audit work, this remains the best way to facilitate rapid risk reduction. Without Network Security, users may be able to download or modify business data using simple desktop tools and even execute commands without permission. The 2014 State of IBM i Security study reports that an alarming 66% of servers lack even a single network exit program and only 6% have coverage for all 27 network exit points. The time has come for a fundamental shift in how we perceive Power System security. I welcome an opportunity to show you what the most trusted name in IBM i network security can do for your organization. Sign up for a free demo of Network Security today.

Brand: PowerTech. Platform: IBM i (System i, iSeries, AS/400). Solution: Security & Compliance, Network Access Control, Security Event Monitoring. Author: Corporate | Robin Tatam. Resource Topic: Controlling System Access. Products: PowerTech | Network Security.

HelpSystems Announces Browser Interface, Intuitive Dashboards, and Enhanced Filtering in Security Software Update


New features in Network Security 6.50 simplify navigation and provide an up-to-the-minute view of key transaction metrics

Minneapolis, MN, October 2, 2014—PowerTech, a division of HelpSystems and the leader in security solutions for IBM i servers, today announced the release of a new version of their Network Security exit program solution. Network Security 6.50 introduces a responsive browser interface that improves visibility to transactions occurring on the system.

The new browser interface features advanced filtering, predictive text, and search-within-a-search functionality, reducing the time spent finding and selecting security rules.

Dashboards display important performance indicators, allowing users to identify trends and deviations from typical activity without running a report. “The real-time dashboard is definitely the most popular new feature, as it provides graphical visibility of transaction volumes,” says Robin Tatam, Director of Security Technologies, HelpSystems. “Users also love the way the new browser-based interface augments existing green screen functionality.”

Network Security’s new browser interface is also mobile enabled, allowing users to access dashboards and even apply security rules from any mobile device.

Customers already using Network Security can upgrade to this new version to access the new features. HelpSystems also offers a free, 30-day trial of PowerTech Network Security, which includes full product access and free support.

About PowerTech

PowerTech, a division of HelpSystems, develops modular, automated security solutions for IBM i servers, helping users manage today’s compliance requirements and data privacy threats.

About HelpSystems

HelpSystems, LLC is a leading provider of systems and network management, business intelligence, and security and compliance solutions. HelpSystems software reduces data center costs by improving operational control and delivery of IT services. Founded in 1982, the company has 14 offices worldwide and more than 8,700 customers from small businesses to Fortune 100 companies. Based in Minneapolis, Minnesota, HelpSystems sells its solutions directly and through strategic partners worldwide.
 

HelpSystems brands include: Robot, SEQUEL Software, PowerTech, Skybot Software, AutoMate, Safestone, Bytware, ShowCase, InterMapper, CCSS, and RJS Software. Learn more at http://www.helpsystems.com/.


Colleen Kulhanek
Director of Global Marketing
+1 952-563-2798

colleen.kulhanek@helpsystems.com

Brand: PowerTech. Solution: Security & Compliance, File Integrity Monitoring, Network Access Control. Release Date: Thursday, October 2, 2014. Newsroom Type: Press Releases. Teaser Title: Network Security 6.5 Adds Browser Interface and Intuitive Dashboards.

Enterprise Mobility Management: The Latest on Ensuring BYOD Security


Bring-your-own-device policies have remade enterprise IT in the last decade, as professionals have been empowered to use their own smartphones, tablets, and laptops to work with company data. With 83 percent of employees regarding their mobile devices as more important than a cup of coffee in the morning, it's not hard to see how BYOD can do wonders for worker satisfaction and morale.

But organizations have to be smart about BYOD, because the practice can also amplify risks to company assets via leaky, unsecured apps and opportunities for data theft. Here are five things to know about today's leading BYOD vulnerabilities and why you should address them with solutions from PowerTech.

Mobile Devices Can Become Conduits for Malware Distribution

Smartphones and tablets generally don't contain the anti-virus, data backup, and basic security measures that come standard on many PCs. For example, last year, a study from McAfee found that 30 percent of mobile users don't use password protection.

In the absence of robust defenses, devices can turn into funnels for malicious content distributed through the internet, especially if the enterprise lacks an adequate monitoring solution. Threats such as ransomware have shifted from PC to mobile in recent years, while becoming more sophisticated through the use of hard encryption of stolen files. Strong network security is now paramount.

"Accessing internet content without anti-virus or basic security precautions, which aren't found on mobile devices, could infect the device and compromise [your] own personal data, and [the] organization's network which [you] traverse when bringing it into the company's ecosystem," J.D. Sherry of Trend Micro recently told Bank Info Security.

Employees May Feel Inclined to Skirt Sound IT Practices

In theory, securing BYOD need not be difficult. But in practice, enterprise security teams have to deal with employees who may work around restrictions on devices and apps.

More specifically, 2013 research from Acronis and the Ponemon Institute found that two-thirds of companies didn't have policies governing usage of public cloud-backed services such as Dropbox, which are popular among consumers but unsuited to the storage and transmission of sensitive data. Similarly, many organizations make policy exceptions for executives, creating inconsistencies in security implementation.

A Lost Device Can Become a Liability

Compared to PCs, mobile devices are upgraded much more frequently and are highly prone to being stolen or misplaced. About 22 percent of all smartphones and tablets will be lost at some point, half of them without ever being recovered. 

When a device goes missing, it can be a gold mine for anyone who recovers it. Since many endpoints are not protected with a passcode or enabled for remote wipe, they may leak data.

BYOD May Heighten Compliance Risk

A device may store privileged information alongside personal documents and photos. Without separation, assets can become intermingled and put enterprises at risk for lapses in compliance.

With BYOD, organizations may end up giving employees the benefit of the doubt in properly tracking data, or rely on a third party to do so. Neither approach is as good as using an endpoint security suite to keep tabs on traffic and data exchange.

There's an App for That, and That's Not Always a Good Thing

Mobile apps, especially popular ones, have myriad vulnerabilities, including ad networks and location tracking, that are present even if the software doesn't contain actual malware. Many apps also request extensive device permissions, meaning that they can interact with locally stored sensitive data.

Employees who use unapproved apps are putting the company in danger from surveillance and data theft. Blacklisting/whitelisting, anti-virus software, and strong authentication solutions can help mitigate these risks.

Brand: PowerTech. Platform: IBM i (System i, iSeries, AS/400). Solution: Security & Compliance, Data Privacy, Network Access Control. Author: Corporate | Robin Tatam. Resource Topic: Controlling System Access, Strategies for Security.

Enforcing Network Security Rules Immediately

2015 State of IBM i Security Study


System administrators and IT managers rely on Power Systems™ servers running IBM i because of their well-deserved reputation for impenetrable security. But the data from the 2015 State of IBM i Security Study shows improper configuration settings chip away at the level of security provided by IBM i.

When cybersecurity threats include criminals around the world as well as your own employees, relying on default security settings endangers your business’s future. Although some businesses have the financial and personnel resources to survive a cyberattack, many others do not.

Because tools to access data on IBM i servers are widely available on the internet, IBM allows administrators to monitor and restrict network access through exit programs. Few have implemented such measures.

This unmonitored network access, combined with overly powerful users and lax system auditing, leaves your server vulnerable to internal and external threats.

Brand: PowerTech. Platform: IBM i (System i, iSeries, AS/400). Solution: Security & Compliance, Data Privacy, Compliance Reporting, File Integrity Monitoring, Intrusion Detection, Network Access Control, Password Management, Security Event Monitoring, User Provisioning & Management, Virus Detection. Author: Corporate | Robin Tatam. Resource Topic: Auditing Security, Power Systems Trends. File: pt-state-of-ibmi-i-security-2015_wp.pdf.

Installing Network Security 7


Before You Install

Please review the following information before installing Network Security. 

Note: When installing Network Security in an HA environment:

  1. Stop the replication of user profiles from production to HA system by either ending the replication software or ending the replication of the user profiles. 
  2. Install Network Security on the HA and production systems.
  3. Set up Network Security replication per the HA Setup instructions (see Network Security Setup in an HA Environment).
  4. Start replication (including the user profiles).

Licensing

Network Security requires that you enter a valid license key in order to protect your servers. Contact keys@helpsystems.com if you need to request a new license key.

System Values

It is PowerTech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Network Security installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.

To install PowerTech Network Security on your system, the following system values that control object restores must be configured as shown.

  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many PowerTech Network Security programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.) 
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Network Security product library (PTNSLIB and QTEMP as a minimum) for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Network Security to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Network Security install process completes.)
  • Set QFRCCVNRST (Force conversion on restore) to 0, 'Do not convert anything.'
  • Set QALWJOBITP (Allow jobs to be interrupted) to 1. This allows jobs to be interrupted to run user-defined exit programs. All new jobs that become active will default to be uninterruptible.

QAUDJRN

If you are installing Network Security on a new system that does not yet include IBM's QAUDJRN audit journal, run the command CHGSECAUD to create one automatically. This is the default journal used to record Network Security’s transaction auditing data.  

System Requirements

Network Security requires the following:

  • IBM i (i5/OS, OS/400) version V6R1 or higher
  • Java 1.6 32-bit (required minimum)
  • 256 MB of disk space 
  • PASE (Portable Applications Solutions Environment), option 33
  • CCA Cryptographic Service Provider, option 35
  • Current IBM-supported PTF level

ShowCase version 9.1.0.3 or greater is required to use Network Security's ShowCase exit points.  

 

Installation

You install Network Security directly from the PowerTech Website. (The "Trial" download is the full product, which can be unlocked with a valid License Key). The installation process is completely automated. Do the following to perform the installation:

  1. Download the Network Security Installer to your PC.
  2. Double-click the .exe file to start the Installation Wizard. When prompted, enter the name of the system on which you want to install Network Security, a user ID, and password. Note: Make sure the user profile is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.
  3. The Wizard installs Network Security on your System i and places a copy of the User Guide on your PC desktop. When the installation completes, click Finish to remove the Wizard from your PC.

The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Network Security install. (The job log file name is JLOGn, where "n" equals a six-digit number, e.g. JLOG144620).

To verify that Network Security installed successfully, enter the following command to display the PowerTech Network Security window, which shows the release and modification level of the product:

PTNSLIB/LPRDVRM

Network Security installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

Installed on System / Description

Libraries

  • PTNSLIB 
  • PTWRKMGT (unless already installed by another product)
  • PTPLLIB (unless already installed by another product)

Profiles

  • PTWRKMGTOW (unless already created by another product)
  • PTADMIN (unless already installed by another product), which has special authorities *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, and *SPLCTL 
  • PTUSER (unless already installed by another product), which has no special authorities
  • PTWEB, which has no special authorities

(All these profiles are set to Password = *NONE so that they can’t be used to sign on to the system.)

Authorization List

  • PTADMIN (unless already installed by another product): PowerTech Network Security Administrators

Commands

  • WRKPTNS
  • POWERLOCK
  • PLNSREPORT
  • POWERTECH

Note: The Network Security installation program places these commands in the PTNSLIB/PTNSLIB07 library. They are copied to QGPL when you activate Network Security.

PowerTech-created Exit Points

  • POWERLOCK_SS
  • POWERLOCK_NS
  • POWERLOCK_WRKMGT (unless already created by another product)
  • POWERLOCK_PL (unless already created by another product)

Network Security Web User Interface (Web UI)

The Network Security Web User Interface (WUI, or Web UI) allows security administrators to work with rules and most other Network Security features directly from a browser. The following browser versions (or later) are required to use Network Security's WUI:

Desktop

  • Internet Explorer 9
  • Firefox 11
  • Chrome 21

iOS (Apple)

  • iOS 6

Android

  • 4.0 using Chrome

Web UI Commands:

The Web UI is not installed during Network Security's installation procedure, because it is generally only required on the Central Management System.

To install the Web UI, use the following command:

PTNSINSWEB

To start/stop the web server job, use these commands:

Start - PTNSSTRWEB

End - PTNSENDWEB

This will start/stop the QP0ZSPWT job with the user of PTWEB in the PTWRKMGT subsystem.

To configure web server ports, and remove the web server, use the following commands:

Configure web server ports - PTNSCFGWEB

Remove web server - PTNSRMVWEB

Dashboard Showing Transaction Counts

A feature of Network Security’s Web UI is the Dashboard.

The Dashboard displays a count of all transactions monitored or controlled by Network Security. The Dashboard displays the totals for the servers based upon the criteria selected by the user (today's totals, yesterday's totals, last 7 days or last 30 days). You can also select to see the individual server's counts for the past 24 hours. To activate this feature, start the Dashboard Data Summarization job.

To start/end the Dashboard Data Summarization job, use the following commands:

Start - PNSSTRDASH

End - PNSENDDASH

Execution of the Dashboard Data Summarization job can be controlled with the following commands:

PNSHLDDASH - Use this command, Hold Dashboard Collection, to set the system in a state such that data collection to support the web interface Dashboard will not run.

PNSRLSDASH - Use this command, Release Dashboard Collection, to release the Hold Dashboard Collection command, allowing data collection to occur. 

After You Are Done

After you install Network Security, see Activating PowerTech Network Security in the Administrator's Guide for instructions on how to activate Network Security.

The Network Security Administrator's Guide is also installed as part of the product installation in the following directory: C:\Program Files\PowerTech\Network Security

Brand: PowerTech. Platform: IBM i (System i, iSeries, AS/400). Solution: Security & Compliance, Network Access Control. Resource Topic: Procedures. Products: PowerTech | Network Security.

Upgrading to Network Security 7


Before You Upgrade

Please review the following information before upgrading Network Security.

Note: When upgrading Network Security in an HA environment:

  1. Stop the replication of user profiles from production to HA system by either ending the replication software or ending the replication of the user profiles. 
  2. Stop the replication of objects in the product libraries (POWER***, PTNSLIB* and PTWRKMGT).
  3. Upgrade Network Security on the HA and production systems.
  4. Set up Network Security replication per the HA Setup instructions. To view these instructions, download Network Security HA Setup.
  5. Start replication (including the user profiles and objects in the product libraries).

Before starting your upgrade, you should be aware of the following:

The following user profile was renamed in Network Security 7:

Previous version: PTNSADM
Network Security 7: PTADMIN

The following authorization list was renamed in Network Security 7:

Previous version: PTNSADM
Network Security 7: PTADMIN

The upgrade process does not copy user profiles to the new authorization lists. You should copy your user profiles to the appropriate new authorization list before using Network Security 7.

  • If you upgrade from Network Security 5.3 or 6, the license code is copied to Network Security 7 when you run the MRGPRVNS command (see Merging Rules from a Previous Version below). If you are upgrading from an earlier version of Network Security, contact keys@helpsystems.com to request a new license key.
  • If you used the Operations Navigator plug-in in a previous version of Network Security, Network Security 7 has been modified so that it no longer uses the plug-in. 
  • It is PowerTech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Network Security installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.
    To install PowerTech Network Security on your system, the following system values that control object restores must be configured as shown.
  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many PowerTech Network Security programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.)
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Network Security product library (PTNSLIB and QTEMP as a minimum) for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Network Security to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Network Security install process completes.)
  • Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything. 
  • Set QALWJOBITP (Allow jobs to be interrupted) to 1. This allows jobs to be interrupted to run user-defined exit programs. All new jobs that become active will default to be uninterruptible.

System Requirements

Network Security requires the following:

  • IBM i (i5/OS, OS/400) version V6R1 or higher
  • Java 1.6 32-bit (required minimum)
  • 256 MB of disk space 
  • PASE (Portable Applications Solutions Environment), option 33
  • CCA Cryptographic Service Provider, option 35
  • Current IBM-supported PTF level

ShowCase version 9.1.0.3 is required to use Network Security's ShowCase exit points.  

Upgrading to Network Security 7

Upgrading to Network Security 7 is a three-step process:

  1. Install Network Security 7
  2. Merge information from the previous version (optional)
  3. Activate Network Security 7

To upgrade Network Security, run the installation process. Do the following to perform the installation:

  1. Download the Network Security Upgrade Installer. To do so, go to the PowerTech Website and click Your Account.
  2. Double-click the .exe file to start the Installation Wizard. When prompted, enter the name of the system on which you want to install Network Security, a user ID, and password. Note: Make sure the user profile is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.
  3. The Wizard installs Network Security on your system and places a copy of the Administrator’s Guide on your PC desktop. When the installation completes, click Finish to remove the Wizard from your PC.

The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Network Security install. To verify that Network Security installed successfully, enter the following command to display the PowerTech Network Security window, which shows the release and modification level of the product:

PTNSLIB/LPRDVRM

Network Security installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

 
Installed on System | Description

Libraries

  • PTNSLIB (or PTNSLIB07 if converting from a prior version) 
  • PTWRKMGT (unless already installed by another product)
  • PTPLLIB (unless already installed by another product)

Profiles

  • PTWRKMGTOW (unless already created by another product)
  • PTADMIN (unless already installed by another product), which has special authorities *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, and *SPLCTL 
  • PTUSER (unless already installed by another product), which has no special authorities
  • PTWEB, which has no special authorities

(All these profiles are set to Password = *NONE so that they can’t be used to sign on to the system.)

Authorization List

  • PTADMIN (unless already installed by another product): PowerTech Administrators

Commands

  • WRKPTNS
  • POWERLOCK
  • PLNSREPORT
  • POWERTECH (unless already created by another product)

PowerTech-created Exit Points

  • POWERLOCK_SS
  • POWERLOCK_NS
  • POWERLOCK_WRKMGT (unless already created by another product)
  • POWERLOCK_PL (unless already created by another product)

Merging Rules from a Previous Version

The installation program installs Network Security 7, but does not automatically import information from a previous version. The previous version's exit programs remain active, so you can continue to use the previous version while you become familiar with version 7 (as long as you do not activate Network Security 7). Once you’ve familiarized yourself with Network Security 7, use the Merge Previous NS (MRGPRVNS) command to merge rules from your previous version to version 7. You should review these rules and make any modifications necessary before activating version 7.

Note: Merging data from a previous version of Network Security does not automatically activate version 7. You must still run the activation process on Network Security 7 to start using it. See Reactivating Network Security After an Upgrade (below).

Enter the following command on a command line to import rules from a previous version of Network Security: MRGPRVNS

Merge previous NS (MRGPRVNS) command

Force run option

Allows you to specify an option for the merge process. This is useful if you’ve performed the merge already, and need to run it again. Possible values are:

*NONE Indicates that no special options are specified; the merge process proceeds normally.

*FORCE Indicates that the merge process should proceed, even if it has been run previously.

Note: Before upgrading, check the PowerTech product download Web page for any additional information.

Database conversion options [CVTOPTS]

This parameter contains some settings you may use to limit the amount of data migrated to the new version. This is a multi-part parameter consisting of the following elements:

Add missing data Specify *ADD to add data to the new version that is in the prior version but is missing from the new version. Specifying *NOADD will not migrate missing data from the prior version.

Update existing data Specify *UPDATE to update data in the new version that also exists in the prior version but differs from the prior version's copy. Specifying *NOUPDATE will leave the data in the new version alone.

Delete extra data Specify *DELETE to remove data from the new version that does not exist in the prior version. Specifying *NODELETE will leave the data in the new version alone.
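The three CVTOPTS elements interact, so it helps to preview a merge before reviewing the result. The following is an added example, not PowerTech code: it models the add/update/delete semantics described above on a hypothetical rule layout (a (server, user) key mapped to an ALLOW or REJECT action) and flags changes that would leave access looser than version 7 had it.

```python
"""Model of the three CVTOPTS elements, for previewing a merge.

Added example: the rule layout and the ALLOW/REJECT actions are hypothetical,
and the sample rule sets below are constructed.
"""

VALID = {
    "add": {"*ADD", "*NOADD"},
    "update": {"*UPDATE", "*NOUPDATE"},
    "delete": {"*DELETE", "*NODELETE"},
}


def merge_preview(prior, new, add, update, delete):
    """Return (merged, changes) without modifying either input.

    prior and new map a rule key to its action. Each change is a tuple
    (operation, key, action_before, action_after).
    """
    for name, given in (("add", add), ("update", update), ("delete", delete)):
        if given not in VALID[name]:
            raise ValueError(f"{name} must be one of {sorted(VALID[name])}")

    merged = dict(new)
    changes = []
    for key, action in prior.items():
        if key not in new:
            # In the prior version but missing from the new one.
            if add == "*ADD":
                merged[key] = action
                changes.append(("ADD", key, None, action))
        elif new[key] != action and update == "*UPDATE":
            # In both versions, with different content.
            merged[key] = action
            changes.append(("UPDATE", key, new[key], action))
    if delete == "*DELETE":
        # In the new version only.
        for key, action in new.items():
            if key not in prior:
                del merged[key]
                changes.append(("DELETE", key, action, None))
    return merged, changes


def widens_access(change):
    """True when a change leaves access looser than the new version had it."""
    operation, _key, before, after = change
    if operation == "DELETE":
        return before == "REJECT"          # a blocking rule disappears
    return after == "ALLOW" and before != "ALLOW"  # new or relaxed allow


if __name__ == "__main__":
    # Constructed rule sets: prior version vs. rules already built in version 7.
    prior_rules = {
        ("FTP", "*PUBLIC"): "REJECT",
        ("FTP", "APPUSER"): "ALLOW",
        ("ODBC", "REPORTS"): "ALLOW",
    }
    v7_rules = {
        ("FTP", "*PUBLIC"): "REJECT",
        ("ODBC", "REPORTS"): "REJECT",
        ("DDM", "*PUBLIC"): "REJECT",
    }
    _, changes = merge_preview(prior_rules, v7_rules, "*ADD", "*UPDATE", "*DELETE")
    for change in changes:
        marker = "REVIEW" if widens_access(change) else "ok"
        print(marker, change)
```

With all three elements enabled, the merged set equals the prior version's set, so any tightening already done in version 7 is undone; those are the changes to look at first during review.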

Convert reporting users (CVTAUTH)

Reporting-only users were registered as members of a particular Authorization List in prior versions. Newer versions of Network Security employ the internal Product Security functions contained in Central Administration to control access to parts of the software.

*NO This value indicates that no users will be transferred from the reporting Authorization List.  

*YES This value indicates that the members of the reporting Authorization List named in the CVTAUTL() parameter will be attached to the Product Security Role you name on the CVTROLE() parameter.

For more details, see Merge Data From Prior Version (MRGPRVNS) in the Network Security 7 Administrator's Guide.

Network Security Web User Interface (Web UI)

The Network Security Web User Interface (WUI, or Web UI) allows security administrators to work with rules and most other Network Security features directly from a browser. The following browser versions (or later) are required to use Network Security's WUI:

Desktop

  • Internet Explorer 9
  • Firefox 11
  • Chrome 21

iOS (Apple)

  • iOS 6

Android

  • 4.0 using Chrome

Web UI Commands:

The Web UI is not installed during Network Security's installation procedure, because it is generally only required on the Central Management System.

To install the Web UI, use the following command:

PTNSINSWEB

To start/stop the web server job, use these commands:

Start - PTNSSTRWEB

End - PTNSENDWEB

This will start/stop the QP0ZSPWT job with the user of PTWEB in the PTWRKMGT subsystem.

Note: If you are upgrading from Network Security 6.5x, it is possible for two web servers to be running on the same system (one from NS6 and one from NS7).

To configure web server ports, use the following command: 

PTNSCFGWEB

To remove the web server, use the following command:

PTNSRMVWEB

Dashboard Showing Transaction Counts

A feature of Network Security’s Web UI is the Dashboard.

The Dashboard displays a count of all transactions monitored or controlled by Network Security. The Dashboard displays the totals for the servers based upon the criteria selected by the user (today's totals, yesterday's totals, last 7 days or last 30 days). You can also select to see the individual server's counts for the past 24 hours. To activate this feature, start the Dashboard Data Summarization job.

To start/end the Dashboard Data Summarization job, use the following commands:

Start - PNSSTRDASH

End - PNSENDDASH

Execution of the Dashboard Data Summarization job can be controlled with the following commands:

PNSHLDDASH - Use this command, Hold Dashboard Collection, to set the system in a state such that data collection to support the web interface Dashboard will not run.

PNSRLSDASH - Use this command, Release Dashboard Collection, to release the Hold Dashboard Collection command, allowing data collection to occur. 

After You Upgrade

Upgrading and reactivating Network Security are separate processes. An upgrade installs the new Network Security software on your IBM i system; reactivation activates the Network Security exit programs. If you upgrade the software, but do not complete the reactivation process, Network Security protection and auditing of the new version are not active. However, the auditing and access control of the old version are valid and still in effect unless you previously deactivated the exit programs (removed them from the exit points). When you complete both the upgrade and activation processes, Network Security actively audits the network interfaces.

Reactivating Network Security After An Upgrade

After you upgrade Network Security, you must reactivate the exit programs that interact with the servers on your IBM i system. Do the following to activate Network Security for the first time after the upgrade:

  1. From the Network Security Main Menu, select option 81, Configuration Menu.
  2. On the Configuration Menu, select option 3, Work with Activation, to display the Work with Activation screen.
  3. The Work with Activation screen shows the servers that were activated in the previous version of Network Security with a Pending Change of *ACTIVATE. To activate the servers, press F20, Run activation or F18, Add silent activation.

Reactivation stops and restarts your servers. You can use either the Silent method (performed during an IPL) or the Interactive method to activate the exit programs.

Warning: The Interactive method stops and starts your processes and servers when you run the activation. You should plan to perform an Interactive activation at a time when stopping critical servers will not interfere with your business processes.

If you want to activate additional servers, use the Work with Activation screen to select the servers to be activated. See Activating PowerTech Network Security in the Network Security Administrator’s Guide for complete information on activation. 

During exit program activation, Network Security modifies the values of the following Network Attributes:

Parameter | Description | Before | After
DDMACC | DDM request access | *OBJAUT | PTNS0107
PCSACC | Client request access | *OBJAUT | *REGFAC

See the Network Security Administrator’s Guide for complete information on setting up and using Network Security 7.


Network Security 7 Enhancements


Network Security 7 includes the integration of PowerTech Central Administration, which allows you to manage systems across your network from a central server, benefit from Central Administration’s security features, and copy Rules and other configuration settings across systems. The following updates are included with Network Security 7:

  • System Accessibility. Easily switch to any managed system in order to manage Network Security’s configuration, or use other Network Security features, on that system. Switching systems is a feature of both the green screen and Web UI.
  • Convenient Dashboards. Dashboard transaction counts and statistics can now be quickly accessed for any managed system.
  • Central Administration’s Security Tools. All managed systems benefit from Central Administration features, including:
    • Auditing: To verify the integrity of Network Security throughout your network, and ensure adherence to your organization’s security policy, users can run audits to identify and manage Rules (and other Network Security settings) that have been changed on Endpoints directly. Any discrepancy can be resolved easily with a Remedy, accepting the configuration of either the Endpoint or Management System.
    • History Browser: The History Browser displays a list of all events that have occurred on any system that is managed through Central Administration. Any action performed through Central Administration or one of the PowerTech products that work with Central Administration is recorded in the history, including Rule changes, security changes, system inclusions, network configuration changes, and so on.
    • Role-based Security: Central Administration Product Security allows you to perform product security functions, such as working with Roles. A Role is a collection of access rights that define a PowerTech user’s authority over the managed systems.
  • Copy Rules to Managed Systems (Web UI). Once you have configured Rules on the Management System, you can copy them to other Endpoints in order to quickly propagate your security policy across your network. 

Manual Installation of Network Security 7


Use this procedure when unable to use the installation wizard. (See Installing Network Security 7 for System Requirements and additional installation details.)

On Your PC

  1. Partially run the Network Security installation wizard until you are prompted to enter login information

    NOTE: During this step, the wizard extracts the save files needed for manual installation

  2. Identify where the installation wizard has extracted the save files, typically at a file path like: C:\Documents and Settings\userprofile\Local Settings\Temp\PowerTech\PowerTech Product Maintenance Wizard
  3. Locate the file: “PTNS7I.PT”

    The .PT file is simply a .zip file and can be opened with WinZip, 7-Zip, WinRar, etc.

    This file contains 2 SAVFs, NS7 and a .props file. The .props file is used by the wizard and can be ignored during a manual installation.

  4. Copy the “PTNS7I.PT” file to your desktop
  5. Rename the file from “PTNS7I.PT” to “PTNS7I.ZIP”
  6. Unzip the file and copy the NS7 SAVF to your desktop.

On Your System i

  1. Log in to the System with QSECOFR, or a like profile
  2. Issue the following commands:

    CRTLIB PTSAVF (Note: If this library already exists, clear library: CLRLIB PTSAVF)

    CRTSAVF PTSAVF/NS7

  3. FTP the SAVF (NS7.savf) to library PTSAVF
    1. Open PC Command Prompt Window
    2. Change to the directory of the SAVFs from step 6 above
    3. FTP the IBM i System
    4. Logon
    5. CD PTSAVF
    6. BIN
    7. Put NS7.savf
    8. Quit
    9. Exit from the Command Prompt Window
  4. Run these commands in order:

    RSTOBJ SISLAUNCH QTEMP *SAVF SAVF(PTSAVF/NS7)

    CALL QTEMP/SISLAUNCH ('NS7 ''PTSAVF ''0')

Once complete, follow the normal instructions for licensing, accessing, and activating the product.


Authority Broker Administrator's Guide

HelpSystems Provides Penetration Testing for IBM i


Security experts help organizations meet new Payment Card Industry requirements by simulating attacks

Minneapolis, MN, October 27, 2015—HelpSystems, a leading provider of systems management, business intelligence, and security solutions, today announced the availability of penetration testing for IBM i. This new service helps businesses uncover security vulnerabilities that attackers could exploit to access sensitive data. Penetration testing is also required by the Payment Card Industry Data Security Standard (PCI DSS) as of June 30, 2015.

Carol Woodbury, renowned security expert and Vice President of Global Security Services at HelpSystems, leads a team of professional ethical hackers in performing real-world attack simulations, revealing security risks that could result in a damaging data breach. This proactive approach to data threats allows vulnerabilities to be remedied before they’re exploited.

“IBM i has long enjoyed a reputation for first-class security, but many organizations—including ones affected by PCI—fail to fully utilize the security features included on the platform,” said Woodbury. “What’s unique about penetration testing is that it involves highly skilled security professionals examining your systems for security gaps and attempting to exploit them.”

“With the expansion of PCI DSS, demand for penetration testing services is growing. It’s a must-have for many organizations,” said Chris Heim, CEO, HelpSystems. “Our team of security professionals has the knowledge and expertise to provide great value to customers concerned with protecting their business-critical data, as well as passing compliance audits.”

To learn more about penetration testing and other professional security services from HelpSystems, visit www.helpsystems.com/professional-security-services.

About HelpSystems

HelpSystems empowers IT professionals to excel like never before. Every day more than 9,000 organizations across the globe rely on HelpSystems to automate and simplify system and network management, secure data, and give people simple access to information they need. For critical needs like IT and business process automation, system security, network mapping, document management, and business intelligence, HelpSystems makes IT lives easier and keeps businesses running smoothly. Learn more at www.helpsystems.com.

 

Mike Devine
Vice President, Marketing
+1 952-563-1696

mike.devine@helpsystems.com

Release Date: Tuesday, October 27, 2015

Security Alert: Expert Uncovers the “Dirty Little Secret” of IBM i Security


Organizations worldwide are reeling from shocking revelations that one of the most reputable enterprise servers is actually preconfigured in a dangerously high-risk state. 

Perimeter controls are failing as hackers and rogue employees invisibly exploit weaknesses from the inside out. Have you taken all of the corrective steps needed to guard against a breach of IBM i? Most organizations haven’t. 

Sharpen your skills as you watch an IBM i industry veteran and ISACA-certified audit manager reveal numerous areas of risk and misconfiguration during a recorded security showdown.

This recorded webinar will give you a greater awareness of:

  • Security system values, including newer values like QPWDRULES
  • How users can access data and commands from PCs
  • How well user credentials are controlled and secured
  • Who has administrator privileges (hint: it’s not just admins)
  • How much corporate data basic users can access
  • What events can be recorded (and which are typically missed)

Author: Robin Tatam


Security Alert! Prevent FTP and ODBC Data Breaches on IBM i


PowerTech’s annual “State of IBM i Security Study” shows the vast majority of organizations remain reliant on menu security and command line restrictions to protect their enterprise data. Unfortunately, modern interfaces like FTP and ODBC completely bypass these controls, often allowing end users to view, update, and delete data in the database without the restrictions and auditing supplied by the application.

Learning about the power and openness of these interfaces is critical for ensuring integrity of the server’s application data. It’s also an essential step in complying with all formal regulations, including SOX, PCI, and HIPAA.

View this informative on-demand webinar to learn how to close the “back doors” not covered by traditional security schemes. You’ll also see a short demonstration as a PowerTech security expert implements policies that restrict access to only those users who need it.

Author: Robin Tatam


Data Breaches: Is IBM i Really at Risk?


Despite an avalanche of regulatory mandates and industry awareness, news headlines remain chock full of stories about data breaches. Although Power Servers often live inside the safety of the perimeter firewall, the risk of suffering a data leak or data corruption remains high.

Would you know if a data breach happened? How would a breach affect your business?

Join noted IBM i security expert Robin Tatam as he discusses common ways that this supposedly “secure” operating system may actually be vulnerable and who the culprits might be. 

Sub Heading: IBM i is known for its security, but this OS could be more vulnerable than you think
Presenter: Robin Tatam
Event Date: Wednesday, February 17, 2016, 14:00 to 14:45
Sessions: 2:00 p.m. CT and 14:00 (London)
Duration: 45 minutes
Cost: Free

Enforcing Network Security Rules Immediately

Updating to Network Security 6.54


Before You Update

Please review the following information before updating Network Security. 

Note: When installing Network Security in an HA environment:

  1. Stop the replication of user profiles from production to HA system by either ending the replication software or ending the replication of the user profiles.
  2. Stop the replication of objects in the product libraries (PTNSLIB and PTWRKMGT).
  3. Update Network Security on the HA and production systems.
  4. Set up Network Security replication per the HA Setup instructions (see Network Security 6 Setup in an HA Environment).
  5. Start replication (including the user profiles and objects in the product libraries).

Licensing

Network Security requires that you enter a valid license key. Contact keys@helpsystems.com if you need to request a new license key.

System Values

It is PowerTech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Network Security installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.
To install PowerTech Network Security on your system, the following system values that control object restores must be configured as shown.

  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many PowerTech Network Security programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.) 
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Network Security product library (PTNSLIB and QTEMP as a minimum) for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Network Security to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Network Security install process completes.)
  • Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything.
  • Set QALWJOBITP (Allow jobs to be interrupted) to 1. This allows jobs to be interrupted to run user-defined exit programs. All new jobs that become active will default to be uninterruptible.
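
The system-value requirements above (the same list appears in the Network Security 7 upgrade notes) can be checked before the install and compared afterwards, since the wizard may change a value temporarily. The following is an added example, not PowerTech code: it assumes you have exported the five system values into a name-to-value mapping yourself (for instance by copying them from DSPSYSVAL), and the snapshots shown are constructed.

```python
"""Readiness and drift check for the restore-related system values listed in
the Network Security install notes. Added example; snapshots are constructed."""
from dataclasses import dataclass


def values(raw):
    """Split a system value into its upper-cased, blank-separated entries."""
    return raw.upper().split()


@dataclass(frozen=True)
class Finding:
    sysval: str
    status: str  # OK, NEEDS_CHANGE, MISSING, or NOT_RESTORED
    detail: str


# Requirement per system value as stated on this page: (predicate, wording).
REQUIRED = {
    "QALWOBJRST": (lambda v: bool({"*ALL", "*ALWPGMADP"} & set(values(v))),
                   "must include *ALWPGMADP (or *ALL)"),
    "QALWUSRDMN": (lambda v: "*ALL" in values(v)
                   or {"PTNSLIB", "QTEMP"} <= set(values(v)),
                   "must be *ALL or list PTNSLIB and QTEMP"),
    "QVFYOBJRST": (lambda v: v.strip() in {"1", "2", "3"}, "must be 1, 2, or 3"),
    "QFRCCVNRST": (lambda v: v.strip() == "0", "must be 0"),
    "QALWJOBITP": (lambda v: v.strip() == "1", "must be 1"),
}


def readiness(snapshot):
    """Check a pre-install snapshot against the documented requirements.

    NEEDS_CHANGE marks a value that you must change under change control,
    or that the installer may change for the duration of the install.
    """
    findings = []
    for name, (is_ok, wording) in REQUIRED.items():
        raw = snapshot.get(name)
        if raw is None:
            findings.append(Finding(name, "MISSING", "not in snapshot"))
        elif is_ok(raw):
            findings.append(Finding(name, "OK", raw))
        else:
            findings.append(Finding(name, "NEEDS_CHANGE", f"{raw!r}: {wording}"))
    return findings


def drift(before, after):
    """List the checked values that differ between two snapshots.

    List-valued system values are compared without regard to entry order.
    """
    findings = []
    for name in REQUIRED:
        old, new = before.get(name), after.get(name)
        if old is None or new is None:
            findings.append(Finding(name, "MISSING", "absent from a snapshot"))
        elif sorted(values(old)) != sorted(values(new)):
            findings.append(
                Finding(name, "NOT_RESTORED", f"was {old!r}, now {new!r}"))
    return findings


if __name__ == "__main__":
    # Constructed snapshots: a locked-down system before the install, and the
    # same system afterwards with signature verification left relaxed.
    before = {
        "QALWOBJRST": "*ALWSYSSTT *ALWSETUID",
        "QALWUSRDMN": "QTEMP",
        "QVFYOBJRST": "5",
        "QFRCCVNRST": "1",
        "QALWJOBITP": "0",
    }
    after = dict(before, QVFYOBJRST="1")
    for finding in readiness(before):
        print("pre-install ", finding)
    for finding in drift(before, after):
        print("post-install", finding)
```

Any NOT_RESTORED finding after the install is a value to set back through your normal change-control process; QVFYOBJRST is the one the notes single out for sites that normally check signatures.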

Auditing

If you are installing Network Security on a new system that does not yet include IBM's QAUDJRN audit journal, run the command CHGSECAUD to create one automatically. This is the default journal used to record Network Security’s transaction auditing data. 

System Requirements

Network Security requires the following:

  • IBM i (i5/OS, OS/400) version V6R1 or higher
  • Java 1.6 32-bit (required minimum)
  • 256 MB of disk space 
  • PASE (Portable Applications Solutions Environment), option 33
  • CCA Cryptographic Service Provider, option 35
  • Current IBM-supported PTF level

ShowCase version 9.1.0.3 is required to use Network Security's ShowCase exit points. 

Network Security Web User Interface (WUI)

The Network Security Web User Interface (WUI) is a new feature implemented in version 6.50. The WUI allows security administrators to work with rules and most other Network Security features directly from a browser. The following browser versions (or later) are required to use Network Security's WUI:

Desktop

  • Internet Explorer 9
  • Firefox 11
  • Chrome 21

iOS (Apple)

  • iOS 6

Android

  • 4.0 using Chrome

New Commands:

To start/stop the web server job, use these commands:

Start - PTNSLIB/PTNSSTRWEB

End - PTNSLIB/PTNSENDWEB

This will start/stop the QP0ZSPWT job with the user of PTWEB in the PTWRKMGT subsystem.

New Dashboard Showing Transaction Counts

A feature of Network Security’s new WUI is the Dashboard.

The Dashboard displays a count of all transactions monitored or controlled by Network Security. The Dashboard displays the totals for the servers based upon the criteria selected by the user (today's totals, yesterday's totals, last 7 days or last 30 days). The user can also select to see the individual server's counts for the past 24 hours.

The Dashboard count program (PTNSGMSTR) automatically starts in the PTWRKMGT subsystem during the installation procedure. Execution of this dashboard count program (PTNSGMSTR) can be controlled with system environment variable POWERTECH_NETWORKSECURITY_GM.

If you do not want the transaction counts in the Dashboard, or the PTNSGMSTR job to be active, use the following command to add the environment variable:

ADDENVVAR ENVVAR(POWERTECH_NETWORKSECURITY_GM) VALUE(0) LEVEL(*SYS) 

Once this environment variable has been added (at the system level), the PTNSGMSTR job can be ended and will not automatically start. 

To start the Dashboard count program (PTNSGMSTR), delete the environment variable. 

Updating Network Security

Ensure the following servers are available and running prior to updating:

  • FTP Server
  • Remote Command Server 

You update Network Security 6 directly from the PowerTech Website. (The "Trial" download is the full product, which can be unlocked with a valid License Key). The installation process is completely automated. Do the following to perform the installation:

  1. Download the Network Security Installer to your PC.
  2. Double-click the .exe file to start the Installation Wizard. When prompted, enter the name of the system on which you want to install Network Security, a user ID, and password. Note: Make sure the user profile is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.
  3. The Wizard installs Network Security on your System i and places a copy of the User Guide on your PC desktop. When the installation completes, click Finish to remove the Wizard from your PC.

The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Network Security install. (The job log file name is JLOGn, where "n" is a six-digit number, e.g. JLOG144620.)

To verify that Network Security installed successfully, enter the following command to display the PowerTech Network Security window, which shows the release and modification level of the product:

PTNSLIB/LPRDVRM

Network Security installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

Installed on System | Description

Libraries

  • PTNSLIB
  • PTWRKMGT

Profiles

  • PTNSOWN, which has special authorities *ALLOBJ, *SECADM, *JOBCTL, *AUDIT, and *IOSYSCFG
  • PTNSADM, which has no special authorities
  • PTWRKMGTOW, which has no special authorities
  • PTWEB, which has no special authorities

(These profiles are set to Password = *NONE so that they cannot be used to sign on to the system.)

Authorization Lists

  • PTNSADM—PowerTech Network Security Administrators
  • PTNSDTA—PowerTech Network Security Data Objects
  • PTNSPGM—PowerTech Network Security Programs
  • PTNSRPT—PowerTech Network Security Reports

Commands

  • WRKPTNS
  • POWERLOCK
  • PLNSREPORT
  • PTNSSTRWEB
  • PTNSENDWEB

Note: The Network Security installation program places these commands in the PTNSLIB library. They are copied to QGPL when you activate Network Security.

PowerTech-created Exit Points

  • POWERLOCK_SECURESCN
  • POWERLOCK_WRKMGT
  • POWERLOCK_NS

After You Are Done

After you install Network Security, see the Network Security Administrator's Guide for more product details including tutorials and reference information.

The Network Security Administrator's Guide is also installed as part of the product installation in the following directory: C:\Program Files\PowerTech\Network Security


Hacktivists Show the Danger of Leaving IBM i Unprotected


Even with its sophisticated security capabilities, your IBM i is only as secure as you make it. IBM i security experts have been saying this for years, but at least one organization learned the hard way.

Verizon’s recent Data Breach Digest proves once and for all that the system we know by many different names—AS/400, iSeries, System i—is securable, but not inherently secure.

Verizon’s publication analyzes real-world data breach incidents investigated by its team of cybersecurity professionals. The report is published annually and, for the first time, a breach of an AS/400 server is included.


This echoes what the State of IBM i Security Study has shown repeatedly: default settings and inattention to security leave the system vulnerable to cybercriminals, malicious insiders, and hacktivists.

Could a Data Breach Contaminate Tap Water?

Data breaches happen every day and typically only the biggest, most scandalous incidents make headlines. The scenario described by Verizon was no Sony hack or Anthem breach—and that’s the very reason IT professionals might feel beads of sweat trickling down their necks.

Verizon does not share the name and location of the breach victim in the report, revealing only that the organization is a water district. Like most breach victims, leadership at this organization probably never imagined unknown threat actors exploiting security vulnerabilities to steal data and compromise its operations.

Personally identifiable information (PII) and customer data were stolen from the system, but those records may not have been the primary goal of this attack.

The hacktivists, linked to Syria, gained access to operational technology systems to manipulate water flow rate as well as the chemicals used to treat water and make it safe to drink.

Business was disrupted—slightly. Water customers were affected—slightly. But the outcome could have been disastrous if the security vulnerabilities had gone unnoticed for much longer.

Answer the Wake-Up Call

This data breach could have had a tragic outcome, and the water district’s customers are fortunate that only their PII, not their health, was compromised.

Although this breach only involved one organization, the vulnerabilities affecting the water district are not unique. Many other businesses are vulnerable to intrusion, and many other security incidents go undetected for months or even years.

HelpSystems highlights these risks every year with the State of IBM i Security Study, helping IBM i shops understand where and how they can improve cybersecurity. The water district investigated by Verizon is a perfect example of the organizations included in the study.

The results of the 2016 State of IBM i Security Study were published this week, and once again, one of the most surprising takeaways is how vulnerable so many systems are. If ever there was a moment to take action on IBM i security, this is it.

Take the Next Step

Two of the world’s foremost IBM i security experts, Carol Woodbury and Robin Tatam, join forces in an analysis of the AS/400 breach, what this news means for the IBM i community, and what lessons businesses can learn. Watch this on-demand webinar for insight into how you can help your organization protect business-critical data and avoid becoming the next breach victim.


Getting Started with IBM i Security: Securing PC Access


Experts’ fears surrounding the risks associated with poor configuration were recently confirmed by the 2016 State of IBM i Security Study. Published annually, the results reveal most Power Systems lack adequate security controls and auditing measures.

In this fast-paced webinar series, leading experts Robin Tatam and Carol Woodbury share insight into critical areas of IBM i security.

This session will show you how well-known services like FTP and ODBC enable users to access sensitive data without oversight or restrictions. Robin Tatam will also explain what exit programs are and how you can use them to protect your organization. 

Protect your system from unauthorized network access through readily available PC tools

Presenter: Robin Tatam
Event date: Monday, June 27, 2016, 12:00 to 12:30
Duration: 30 minutes
Cost: Free

Installing Network Security 7


Before You Install

Note: For information on installation and setup in an HA environment, contact PowerTech Support.

Licensing

Network Security requires that you enter a valid license key in order to protect your servers. Contact keys@helpsystems.com if you need to request a new license key.

System Values

It is PowerTech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Network Security installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.

To install PowerTech Network Security on your system, the following system values that control object restores must be configured as shown.

  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many PowerTech Network Security programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.) 
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Network Security product library (PTNSLIB and QTEMP as a minimum) for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Network Security to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Network Security install process completes.)
  • Set QFRCCVNRST (Force conversion on restore) to 0, 'Do not convert anything.'
  • Set QALWJOBITP (Allow jobs to be interrupted) to 1. This allows jobs to be interrupted to run user-defined exit programs. All new jobs that become active will default to be uninterruptible.
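The requirements above relax several restore controls, so it is worth recording the values before the install and confirming afterward that each one is back where change control expects it. The following Python script is an added example, not PowerTech code: it checks a set of system values against the list above and reports any that did not revert. It assumes the values were copied by hand from DSPSYSVAL output into dictionaries with list elements separated by spaces; the function names and sample values are constructed for illustration.

```python
# Added example: pre/post-install check of the restore-related system values.
# Input dicts are hand-entered from DSPSYSVAL output; sample values are constructed.

def _items(value):
    """Split a system value into its upper-cased list elements."""
    return {v.upper() for v in value.replace(",", " ").split()}

# One requirement per system value, as stated in the list above.
REQUIRED = {
    "QALWOBJRST": lambda v: bool(_items(v) & {"*ALL", "*ALWPGMADP"}),
    "QALWUSRDMN": lambda v: "*ALL" in _items(v) or {"PTNSLIB", "QTEMP"} <= _items(v),
    "QVFYOBJRST": lambda v: v.strip() in {"1", "2", "3"},
    "QFRCCVNRST": lambda v: v.strip() == "0",
    "QALWJOBITP": lambda v: v.strip() == "1",
}

def preinstall_gaps(sysvals):
    """Return sorted names of system values that are missing or do not meet the requirement."""
    return sorted(name for name, ok in REQUIRED.items()
                  if name not in sysvals or not ok(sysvals[name]))

def not_reverted(before, after):
    """Return {name: (before, after)} for values that differ once the install is done."""
    return {n: (before[n], after.get(n)) for n in before
            if _items(before[n]) != _items(after.get(n, ""))}

# Constructed sample: a hardened system before the install...
BEFORE = {
    "QALWOBJRST": "*ALWPTF",
    "QALWUSRDMN": "QTEMP QGPL",
    "QVFYOBJRST": "5",
    "QFRCCVNRST": "0",
    "QALWJOBITP": "1",
}
# ...and after it, where signature verification was left at its install-time setting.
AFTER = dict(BEFORE, QVFYOBJRST="3")

if __name__ == "__main__":
    for name in preinstall_gaps(BEFORE):
        print(f"{name}={BEFORE[name]!r} does not meet the install requirement")
    for name, (old, new) in not_reverted(BEFORE, AFTER).items():
        print(f"{name} was {old!r} before install, now {new!r}: restore it")
```

Keep the pre-install snapshot with the change record so the post-install comparison has a trusted baseline.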

QAUDJRN

If you are installing Network Security on a new system that does not yet include IBM's QAUDJRN audit journal, run the command CHGSECAUD to create one automatically. This is the default journal used to record Network Security’s transaction auditing data.  

System Requirements

Network Security requires the following:

  • IBM i (i5/OS, OS/400) version V6R1 or higher
  • Java 1.6 32-bit (required minimum)
  • 256 MB of disk space 
  • PASE (Portable Applications Solutions Environment), option 33
  • CCA Cryptographic Service Provider, option 35
  • Current IBM-supported PTF level

ShowCase version 9.1.0.3 or greater is required to use Network Security's ShowCase exit points.  

Installation

Network Security's installer file is available for download directly from the PowerTech Website. (The "Trial" download is the full product, which can be unlocked with a valid License Key). The installation process is completely automated.

Ensure the following servers are available and running prior to installation:

  • FTP Server
  • Remote Command Server 

Do the following to perform the installation:

  1. Download the Network Security Installer to your PC.
  2. Double-click the .exe file to start the Installation Wizard. When prompted, enter the name of the system on which you want to install Network Security, a user ID, and password. Note: Make sure the user profile is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.
  3. The Wizard installs Network Security on your System i and places a copy of the User Guide on your PC desktop. When the installation completes, click Finish to remove the Wizard from your PC.

The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Network Security install. (The job log file name is JLOGn, where "n" is a six-digit number, e.g. JLOG144620.)

To verify that Network Security installed successfully, enter the following command to display the PowerTech Network Security window, which shows the release and modification level of the product:

PTNSLIB/LPRDVRM

Network Security installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

Installed on System | Description

Libraries

  • PTNSLIB 
  • PTWRKMGT (unless already installed by another product)
  • PTPLLIB (unless already installed by another product)

Profiles

  • PTWRKMGTOW (unless already created by another product)
  • PTADMIN (unless already installed by another product), which has special authorities *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, and *SPLCTL 
  • PTUSER (unless already installed by another product), which has no special authorities
  • PTWEB, which has no special authorities

(All these profiles are set to Password = *NONE so that they can’t be used to sign on to the system.)

Authorization List

  • PTADMIN (unless already installed by another product): PowerTech Network Security Administrators

Commands

  • WRKPTNS
  • POWERLOCK
  • PLNSREPORT
  • POWERTECH

Note: The Network Security installation program places these commands in the PTNSLIB/PTNSLIB07 library. They are copied to QGPL when you activate Network Security.

PowerTech-created Exit Points

  • POWERLOCK_SS
  • POWERLOCK_NS
  • POWERLOCK_WRKMGT (unless already created by another product)
  • POWERLOCK_PL (unless already created by another product)

Network Security Web User Interface (Web UI)

The Network Security Web User Interface (WUI, or Web UI) allows security administrators to work with rules and most other Network Security features directly from a browser. The following browser versions (or later) are required to use Network Security's WUI:

Desktop

  • Internet Explorer 9
  • Firefox 11
  • Chrome 21

iOS (Apple)

  • iOS 6

Android

  • 4.0 using Chrome

Web UI Commands:

The Web UI is not installed during Network Security's installation procedure, because it is generally only required on the Central Management System.

To install the Web UI, use the following command:

PTNSINSWEB

To start/stop the web server job, use these commands:

Start - PTNSSTRWEB

End - PTNSENDWEB

This will start/stop the QP0ZSPWT job with the user of PTWEB in the PTWRKMGT subsystem.

To configure web server ports, and remove the web server, use the following commands:

Configure web server ports - PTNSCFGWEB

Remove web server - PTNSRMVWEB

Dashboard Showing Transaction Counts

A feature of Network Security’s Web UI is the Dashboard.

The Dashboard displays a count of all transactions monitored or controlled by Network Security. The Dashboard displays the totals for the servers based upon the criteria selected by the user (today's totals, yesterday's totals, last 7 days or last 30 days). You can also select to see the individual server's counts for the past 24 hours. To activate this feature, start the Dashboard Data Summarization job.

To start/end the Dashboard Data Summarization job, use the following commands:

Start - PNSSTRDASH

End - PNSENDDASH

Execution of the Dashboard Data Summarization job can be controlled with the following commands:

PNSHLDDASH - Use this command, Hold Dashboard Collection, to set the system in a state such that data collection to support the web interface Dashboard will not run.

PNSRLSDASH - Use this command, Release Dashboard Collection, to release the Hold Dashboard Collection command, allowing data collection to occur. 

After You Are Done

After you install Network Security, see Activating PowerTech Network Security in the Administrator's Guide for instructions on how to activate Network Security.

The Network Security Administrator's Guide is also installed as part of the product installation in the following directory: C:\Program Files\PowerTech\Network Security
