Protecting System i Across Multiple OS Partitions
The danger may be greater than you realize.
by Mike Grant
IBM made operations management much easier by allowing System i to run multiple operating systems, including Linux and AIX, in partitions alongside i5/OS on the same machine. This can make operating your business much easier, but it also opens doors through which malicious code can find its way onto your server and then flow throughout your network.
Already, i5/OS's IFS, with its UNIX-based privileges model, brings heightened risks. Adding Linux and AIX compounds this risk, as does connecting Windows-based PCs to the System i5 server. The temptation to casually dismiss these risks by citing the reputation of System i as an impenetrable platform can set you up for a rude awakening when viruses and malicious code slip through.
Fortunately, IBM implemented tools starting with V5R3 that make protecting the system from virus threats much easier. Third-party solutions can now be tied in through the built-in Virus Scanning Enablement. Working with McAfee and Bytware to bring virus protection to System i5, IBM's addition of enablement features ensured that the platform could maintain its reputation for security in the face of rapidly growing threats.
Several options are available for virus scanning on System i. The first, which neither IBM nor I recommend, is to map a PC to the IFS and scan using standard PC software. Associated risks include unintentionally migrating viruses from the scanning PC to the IFS, opening a door with *ALLOBJ authority to the server (thus allowing a hacker to gain control through the scanning PC), having the scan hang up by looping infinitely on recursive links (which Windows cannot understand), transferring sensitive data over the network in the clear for scanning, and dragging down overall network performance because of the large quantity and sizes of files that must be passed between System i and the scanning PC. And even in the best scenarios, this method may fail to identify malicious code hiding in the IFS.
Another option is to use a native solution that offers integrated Linux and AIX support. For example, Bytware's StandGuard Anti-Virus solution provides support for all three of these operating systems on a single box, with centralized control through i5/OS—thus eliminating the need to manage each operating system's scanning individually. McAfee's scanning engine detects more than 380,000 threats.
Regardless of how you choose to take action, the most important decision is to do so. Hackers and viruses do not care whether users believe their systems are vulnerable or not. They simply know that they can get in—and they do.
I often hear people say that there are no System i viruses, that there are virtually no Linux or UNIX viruses, and that the risk is so minimal that it's not worth pursuing. But a virus does not need to target any of these specific operating systems in order to wreak havoc on your operations. As long as a Windows PC accesses files stored on servers running off of any of these operating systems, the virus and malicious code can, and will, spread. It can delete files off of the IFS, or Linux, or AIX, and it will. It can knock your server offline for hours or days. The risk is very real, but it is also very shadowy because i5/OS, Linux, and AIX can all serve as symptom-free carriers of viruses and malicious code. Without scanning, you may have no idea until it's too late.
To protect your operations, you need to run anti-virus software on all of your systems, at both the client and the host level. In addition to anti-virus software on all of your Windows desktops, a System i running i5/OS also needs to have i5/OS anti-virus software installed on it. Likewise, a multi-OS System i5 that is running i5/OS V5R4, OS/400 V5R2, Linux, and AIX in four separate partitions needs to have anti-virus software for each operating system installed. Doing this is a security best practice and is key to complying with many regulations.
Multiple operating systems give you the flexibility to meet all of your organization's needs in the ways you see best, and consolidating these on a single box is very cost-effective. The final piece is protecting your most critical asset—your data—from the very real threat of viruses and malicious code.
This article was originally published on MC Press Online.
Figures in this article were last updated on February 26, 2008.