Protecting your data from viruses or malicious code is not an unfamiliar concept, but understanding how these threats can affect your Power Systems server may not be as easy to grasp.
There are many myths about viruses and IBM i—including the belief that the system is immune. Many Power Systems managers still don’t see viruses as a risk because they see them as a Windows threat. While this was once true, today’s connected environments operate under different rules.
It’s time to take action and protect IBM i and the network that connects to it. Check out this presentation to gain an understanding of the relationships between:
• Viruses and the integrated file system (IFS)
• Power Systems and Windows viruses
• PC-based anti-virus scanning vs native IBM i scanning
There are a number of ways you can minimize your exposure to viruses. Learn the facts to ensure you are fully-protected.
2. 2
Your Presenters
ROBIN TATAM
Director of Security Technologies
robin.tatam@helpsystems.com
SANDI MOORE
Senior Technical Consultant
sandi.moore@helpsystems.com
3. 3
Today’s Objectives
• Viruses and the Integrated File System
• Power System and Windows Viruses
• Prevention and Protection
• PC-Based Scanning vs. Native IBM i Scanning
• Some Myths and Facts
18. 18
How Viruses Get into the IFS
• Internet downloads
• Removable media
• Internet browsing
• Laptops or wireless devices
• Email
• VPNs
• File sharing
19. 19
Can Windows Viruses Affect IBM i?
Fact: Viruses cannot hide inside RPG and CL programs.
Fact: Viruses cannot hide inside physical and logical files.
Fact: IBM i cannot run .exe files that contain viruses.
Fact: Viruses can hide inside Java and Unix stream files.
Fact: IBM i can run Java and UNIX executables.
27. 27
Virus Protection on the Power System
TCP/IP
Websphere
IBM i Client
Access
Operations
Navigator
Growing Number
of IBM i
Applications
Domino
MQ Series
29. 29
Virus Protection on the Power System
• Implement and enforce security policies
• Shut down unused services
• Avoid oversharing
• Scan for viruses regularly
• Use exit programs to restrict access to servers
• Enable auditing
• Monitor so you will know right away
• Get good backups
30. 30
Virus Scanning from a PC
• Dedicate a PC for scanning
• Map a drive to Root with *ALLOBJ
• Physically secure the PC
• Ensure PC has internet access
• Scan the PC daily
• Automate monitoring of the PC
• Follow IBM’s procedures
31. 31
Virus Scanning from a PC
IBM’s Recommendations
Step 1: To end all Netserver and File Server jobs, run the following commands:
ENDPJ SBS(QSERVER) PGM(QSYS/QZLSFILE) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSO) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSS) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSERVS2) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSTP0) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSTP1) OPTION(*IMMED)
ENDPJ SBS(QSERVER) PGM(QSYS/QPWFSTP2) OPTION(*IMMED)
Step 2: Change the QZLSFILE prestart job description to allow only one Netserver job to start and then start that job:
CHGPJE SBSD(QSERVER) +
PGM(QSYS/QZLSFILE) INLJOBS(1) THRESHOLD(1) ADLJOBS(0)
STRPJ SBS(QSERVER) PGM(QSYS/QZLSFILE)
32. 32
Virus Scanning from a PC
Step 3: Perform the Scan. The user who will be doing the scan should map a network drive to the Power System.
Step 4: Change the NetServer prestart job back:
CHGPJE SBSD(QSERVER) +
PGM(QSYS/QZLSFILE) INLJOBS(1) THRESHOLD(1) ADLJOBS(5)
Step 5: Restart the Netserver and File Server Host Server jobs by running the following commands:
STRPJ SBS(QSERVER) PGM(QSYS/QZLSFILE)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSO)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERVSS)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSERVS2)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSTP0)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSTP1)
STRPJ SBS(QSERVER) PGM(QSYS/QPWFSTP2)
33. 33
Virus Scanning from a PC
• Security concerns
• Leaving a PC signed on with full authority
• Confidential data is visible
• PC can infect the IFS
34. 34
Virus Scanning from a PC
• Reliabilty/Stability concerns
• Parts of IFS cannot be scanned
• Scanning process can stop entirely
• PC scanning is manual process
35. 35
Virus Scanning from a PC
• Performance concerns
• Increased network load
• Unable to use SAVCHGOBJ after scanning
• Backups take longer
• Very slow
36. 36
Native IBM i Virus Scanning
• Secure
• Reliable
• Stable
• Optimized performance
37. 37
Native IBM i Virus Scanning
• Security enabled
• Does not require *ALLOBJ
• No data is transferred
• Not Windows-based!
38. 38
Native IBM i Virus Scanning
• Reliable/Stable
• Automated
• No additional hardware
• Easily monitored
• Can scan all files
• Can detect and remove threats
39. 39
Native IBM i Virus Scanning
• Performance optimized
• Does not increase network load
• Does not reset a file’s “Last Access Time”
• Allows scanning more frequently
• Very fast!
40. 40
Myths and Facts
Myth: We don’t use the IFS.
Fact: Most modern applications and protocols use the IFS extensively.
Myth: The Power System cannot get a virus.
Fact: Viruses can hide inside Java and Unix files and IBM i can execute
them.
Myth: Viruses can’t attack the IBM i architecture.
Fact: Anything an administrator can do, a virus can do.
41. 41
Myths and Facts
Myth: Our Power System isn’t connected to the internet.
Fact: The cable doesn’t have to be physically connected. The Power
System isn’t an island if it’s on the network.
Myth: Our firewall protects us from viruses.
Fact: There is no single solution on any platform that gives you
protection, including firewalls.
Myth: I can scan the Power System with my PC virus scanner.
Fact: PC-based solutions can be used but they may miss files, require a
manual process, and open many security holes.