Day: November 17, 2021

November 2021 Newsletter

This newsletter includes:

When you live in the northeast United States, each season has its own charm and is totally unique, although nothing beats a New England fall. The leaves turn from green to golden yellow and sunburnt orange, raspberry reds appear all over the gentle hills, and the cool, crisp air reminds you that snow isn’t too far away. Fall’s transformation reminds us of the constant change in our lives and the ability we have to create change for others, as well as improve our customers’ IBM i environments. It’s empowering and yet humbling.…

Three Steps to Protect Your IFS

We will never stop saying it, the IBM i is the most securable platform, but it doesn’t come that way. It’s up to you to ensure that you properly secure access to your system, grant users the appropriate authority to objects, and put tools in place to prevent problems from happening.  This includes the IFS.

The IFS is the integrated file system, designed to support streaming input and output and to manage the storage of those objects. The IFS has a tree structure, similar to a Windows PC, where you can store files and objects. With a common interface, users can access their locally stored files and other objects on the IBM i. Access to these other objects is the reason you need to secure your IFS properly. You don’t want the wrong person getting to your data.

There are three things we recommend you do to protect your IFS from unwanted access or, worse, having your data corrupted or held ransom.

#1 – Eliminate unnecessary IFS file shares

If you have root shares on your IFS, eliminating them should be your top priority. Sharing the root is like granting someone access to your C:/ drive. We’ve found that most people don’t realize that everything below the root becomes accessible when you do this. That’s right: when you share the root, you expose your system.

We recommend you change the root to *Read/Execute to best protect your IFS data. If you are on IBM i 7.4, you can take advantage of authority collection and run it over file shares.  This will allow you to identify what is in use and make the change in a controlled way. However, this needs to be done carefully, as changing authorities can break applications, depending on how they are coded.

Once you have properly secured the root, you should look at the other folders below the root to ensure that they have the proper level of security too. It’s essential to start at the root first and work your way down the tree to ensure that you protect all of your sensitive files.

#2 – Tighten object-level security

Once you restrict access to your IFS file shares, you can start to put additional user and object-level security controls in place.  The idea is you want to structure access to your IFS the same way you approach DB2 access, by providing users …

Why Project Management Matters

This is just another example of the iTech Difference.  Having great technical resources is just the start.  Someone has to juggle and keep all the balls in the air to ensure that we are meeting the expectations of the customer.  Project Managers are not those people who just add more meetings to your calendar.  Okay, maybe we are sometimes, but there is usually a good reason for it. In addition, the Project Manager will keep the communications between the parties moving.

Project management is important to keep accountability visible to all involved parties. Many of our clients’ projects have lots, and I mean lots (!), of moving components. Rather than having all these necessary steps floating in someone’s head or scribbled down on a to-do list, having a well-formulated and composed project plan with an assigned project manager is critical to have all these steps documented. A project plan provides a 360-degree view of the flow of the project. It is checks and balances per se. Project managers are a cognitive gear moving (the) project along for both the customer and the technician. While delays or unforeseen circumstances occur, (project managers) work hard to ensure that the project stays on track.

Having a well-formulated project plan is a critical piece for having successful projects, especially for hardware installs and migrations.

Now, that’s not to say the project plan is the end-all, be-all to ensure a 100% success rate. We’re in IT. We all know that things can go wrong no matter how good a plan there is.

My point is, being organized is key to the most successful project possible, both for you, our customer, and us, your business partner. When you see that email come in or caller ID pop up from me or one of my (project manager) co-workers, know that we are here for you, to help you, and the success of your company. We are another resource you can reach out to for answers. If we don’t know, we will find out. There is a brilliant team here at iTech backing everyone up for the success of our clients.

More from this month:

Is Your System Using Outdated and Insecure SSL/TLS Security Protocol Versions?

Safely sending data over the Internet is critical in this brave new world of widespread cybersecurity vulnerabilities. When it comes to securely passing data from one system to another, a key requirement is to use encryption standards that are current and do not have widespread known flaws that can be exploited.

On IBM i versions V7R3 and V7R4, the following encryption protocol versions are supported (the actual versions supported on your specific system are dependent upon system settings allowing their use):

  • TLS 1.3
  • TLS 1.2
  • TLS 1.1
  • TLS 1.0
  • SSL V3
  • SSL V2

When looking at the above list of currently supported protocols, what’s important to note is that “supported” does not implicitly mean “secure”. This is illustrated by the fact that SSL V2, SSL V3, TLS 1.0, and TLS 1.1 now have known vulnerabilities and are therefore considered insecure. TLS versions 1.0 and 1.1 (also referred to as “early TLS”) were formally deprecated by the Internet Engineering Task Force (IETF) early in 2021. Those older versions of the protocol used cryptographic algorithms that were compromised by multiple attacks over the past several years, including BEAST, LUCKY 13, POODLE, and ROBOT, and both older TLS versions lack support for current and recommended cryptographic algorithms and mechanisms. If your shop supports or handles credit card transactions, then chances are you already know that the PCI Council announced way back in 2016 that SSL and TLS 1.0 could no longer be used for transmitting credit card data because they are no longer considered secure.

So, is there an “easy” way to determine if your IBM i environment is using any of the older protocols above that are no longer considered safe to use?  Well, as a matter of fact, there is!

IBM has embedded into the Licensed Internal Code (LIC) a very cool automated tool (a LIC macro of sorts) that can be turned on and used to track all SSL/TLS connections that your system is involved with. Turning this facility “on” is very easy to do and can be done in only a few minutes, and you do not need to bring your system down or halt production activity to do so.

To turn on the LIC macro and have it start keeping track of all SSL/TLS protocols being used, simply follow these steps from inside the SST (System Service Tools) menus:

  1. Sign on to SST using the STRSST command
  2. Take option #1 Start a


iBasics: Basics of SSL & Ciphers

On-demand

Let’s get back to the basics. These sessions are designed for anyone starting out as an IBM i system admin, looking to refresh their knowledge, or looking to learn more.

Need help navigating the seemingly complex world of encryption on IBM i? Steve will work through the basics of encryption and the major components that make it up: protocols and ciphers! This webinar aims to give you a simple-to-understand explanation of how they work together to provide your system with encryption over the wire.
