OK, here is my AS/400 rant. I've worked on the 400 for almost 4 years now. It's true: the 400 architecture eliminates many! common security problems, including buffer overflows. One can think of the 400 like a giant JVM actually.

Here's the rant part: It seems to me that because the 400 is not as popular as other platforms it has not been subjected to as much punishment as those other platforms. (How many people do you know have a 400 at home; how about Windows or Linux?) So vulnerabilities that exist are not really discovered. The 400, in my mind, is undiscovered territory. When have you picked up a computer security book and found a chapter on 400 security? It's mostly Unix/Linux and Windows. But there are really good reasons why there should be a firewall between the internet and the 400 box.

First, because the 400 communicates using TCP/IP (who doesn't!) it is vulnerable to most problems found in the protocol. (I read about this but did not test it.)

Second, I'd be willing to bet that someone could crash various services. Even though an executable overflow condition may not exist, it may shut down such services as telnet, the 400 log-on screen!

Third, just a bounce off the second: one could create a number of DOS attacks against the box, including remotely disabling QSECOFR. (Do you have another profile with QSECOFR privileges?)

Fourth, I pray you changed those default passwords.

Five, should someone get access there are a few ways of privilege escalation that I know. But those are trade secrets... :)

Six, should someone access the box, under most certain standard conditions (factory default of security level 40), I know a way of getting information about the machine, including every single user account name even if you give me the lowest possible profile with zero permissions. (I'm about to release this publicly.)

Seven, Domino has its own problems.

Enough yet? Use a firewall.

Sincerely,
'ken'

PS - I discovered the AS/400 HTTP server showcode attack: http://www.securityfocus.com/archive/1/225123

PPS - What is the site? Lol.

LK-FM Tech Assistances wrote:
> This may be a very silly question. But I am desperate for advice from one of
> you "security wizards", as I need to convince a client to immediately
> evaluate alternative security solutions ASAP, as they are exposing their
> internal network to the Internet without a firewall.
>
> Their argument is that the servers are AS/400 and they claim that the
> platform does not have any security holes or vulnerabilities that a
> potential hacker could exploit. So they feel they don't need a firewall.
> Although I am aware of 2 vulnerabilities on the Domino AS/400 (They are
> using DOMINO too) I don't have adequate knowledge and cannot cite incidents
> on hacking the AS/400.
>
> Any advice, references, links etc --- MUCH MUCH appreciated !
>
> Ta
> RJ

--
"I grew convinced that truth, sincerity and integrity in dealings between man and man were of the utmost importance to the felicity of life, and I formed a written resolution to practise them ever while I lived."
-Benjamin Franklin, The Autobiography of Benjamin Franklin
