Re: AS/400 and security assessment

From: Eric (ews@tellurian.net)
Date: 11/30/01


Message-Id: <5.1.0.14.0.20011129172146.0225bd20@mail.tellurian.net>
Date: Thu, 29 Nov 2001 17:25:02 -0800
To: Mark Wolcenski <yourfriend@mediaone.net>, security-basics@securityfocus.com
From: Eric <ews@tellurian.net>
Subject: Re: AS/400 and security assessment

Tidbit #1: After disclosing so much information about your client, you
might check with them to see if they are still indeed your client. When
posting to mailing lists, don't offer up so much information that will allow
others to make a concerted effort to hack your systems, or the systems of
your clients, assuming that anyone on this list can determine who you are,
or who you're working for.

Tidbit #2: Review the list of books under the SecurityFocus Library - AS/400
section. There are some good resources there. Some of the IBM Redbooks
are very useful too (they should be listed in the same area).

At 02:36 PM 11/28/2001 +0000, Mark Wolcenski wrote:

>Greetings,
>
>I now have my first security client and am conducting an
>initial -- and very limited -- security assessment
>(< 40 hrs) for an AS/400 based firm.
>It's a greatly cutback first part of a complete,
>three-part security assurance strategy.
>
>Background:
>This client is about to open up his systems to 3000+
>internet located users. The new web-facing system
>will provide hooks, via websphere technology, to
>access AS/400 V5R1 databases. This is a very risky
>move (albeit absolutely necessary) from a paper based
>data (fax) input by local, on site, employee users
>to real-time input via internet based users.
>
>My role:
>The initial work is limited to vulnerabilities related to
>a few, non-AS/400 elements (resulting in needed associated
>patches/hotfixes/updates and recommended configs, et al.);
>a limited review of their very short computer
>usage/security policy; and lastly, the reason
>for this posting, I will be commenting on AS/400 V5R1.
>This last item will be in the form of "notes" including a list of
>recommended security sites and potential activities.
>
>There will be no vuln/pen testing on this run -- although
>I have and will continue to recommend this.
>
>My question:
>Does anyone have any "little" gems of wisdom to pass along
>to me regarding the AS/400 piece?
>
>Thanks!
>
>PS: In fact, I'll listen to anything anyone cares to pass on.
