Kisco Systems
SafeNet/i : Summary

SafeNet/i protects your iSeries system from unwanted and unauthorized access via network connections, including the Internet. It lets authorized users do the work they need while keeping unauthorized users out. Modern network connections, like iSeries Access, Access Client Solutions, FTP, ODBC and others, can leave the information on your IBM i exposed. SafeNet/i closes this exposure, and it does it without forcing you to change the way you already have your system set up.

The IBM i (Power System/i, iSeries, IBM i) has changed much over the last few years. In the process, it has changed its role in most organizations from a centralized processor to a decentralized server. In the old days, you could easily point to the wealth of data security features built into the IBM i OS. This gave you a feeling of confidence in the integrity of your data. With the recent changes, your confidence may not be as high, and rightly so!

Every IBM i installation now supports attached PC's in some form of Client/Server function. For some shops, this takes the form of PC's that are simply running terminal and printer emulation. Many more shops are running a variety of Client/Server functions on these PC's. Neither of these arrangements bodes well in the area of network security; read on.

Did you know ....

  • Many Client/Server functions bypass traditional IBM i/OS security checking unless you have fully implemented object level security.
  • Without this same full implementation of object level security, a PC-based Client database tool, such as Microsoft Access, can ACCESS any data file on your system.
  • That same MS Access user can UPDATE any data file on your system.
  • The same MS Access user can even DELETE records or files on your system.

While it is true that you can trust most employees, accidents, not intent, cause most incidents of data loss. Further, if you have implemented traditional iSeries applications using menus and iSeries programming, you may have been required to grant full object authority to many users. You may not want these same users to have full object authority when they access your system via Client Server functions. Using traditional iSeries applications, the application controls how much data access is granted. Object security, however, cannot be as context selective for granting rights to access information.

The news, however, is not all bad.

SafeNet/i, a security product for the IBM i developed by MP Associates of Westchester, addresses these and other concerns with an easy-to-use solution. This tool, now available as Release 11, gives you full control over users who access your system via network connections. Check our partial list of customers currently using SafeNet/i to protect their systems..

SafeNet/i enables client/server security on your IBM i using IBM's Exit Points. It supports a variety of controls from simple logging of all activity to completely restricting access to system functions and data. And it does this in a completely non-invasive manner. No changes are made to your existing IBM i/OS security setup. No additional user profiles are needed nor are normal IBM i/OS security features changed or overridden in any way. SafeNet/i is simply an additional layer of security that is placed over standard IBM i/OS security to secure information requests from attached systems.

Check out these features:

  • Request Logging - With basic use, SafeNet/i tracks each request coming from a client into the iSeries. It stores this information in a log that you can review. You can see who is accessing your system, which server function on the iSeries they are using, and what data or objects they are using. You can optionally choose to store the logging information in a journal which is tamper proof providing your auditors with absolute assurance that the logs have not been changed.
  • Audit Reports - SafeNet/i provides valuable insight about the clients that are connecting to your system. Information includes the version, release and modification level of the licensed programs the clients are using.
  • Limit Access to Server Functions, Based on User Profile - SafeNet/i can limit access to specific server functions on the IBM i based on the individual's user profile.
  • Exclude Server Functions - SafeNet/i can turn off individual server functions. For example, you can completely exclude the file transfer function for all users on your iSeries if you wish.
  • Limit Access to Objects within Server Functions, Based on User Profile - SafeNet/i can implement object level security over clients that are accessing the various server functions on the iSeries. Authority is granted by user profile to the individual servers. Then it grants each user authority to objects on the system.
  • Control Internet/Intranet Access - SafeNet/i lets you limit Internet/Intranet access to specific workstations and IP addresses that you define. All others are automatically rejected when they attempt to use most server functions on your system. SafeNet/i even lets you set up controlled use of Anonymous FTP on your system.
  • Control Remote Commands - SafeNet/i lets you specify which users can submit remote commands to your IBM i and what specific commands they are allowed to use. This control is provided for remote CL commands and for remote FTP commands.
  • Context Sentsitive Source IP Address Controls - SafeNet/i supports context sensitive source IP address access controls. Lets you control which remote IP addresses can connect with your system by user profile and by server function. Using this feature, a user profile might be granted access to the system for FTP, but denied access for ODBC from a given source IP address (or IP address range). This will allow customers, for example, to limit ODBC connections to users when they are on site and deny similar access when they are working remotely.
  • Customer Exit Programs - SafeNet/i gives you control over exit processing for any specific requirements that you have which are not covered by SafeNet/i. Each exit point can optionally call an exit routine that you provide for additional processing that is unique to your installation.
  • Time-of-Day, Day-of-Week Controls - lets you shut down server functions for selected users during non-business hours thereby significantly reducing your security exposure. This can also be extended to specific days of the week and holidays.
  • TCPIP Socket Access Controls - Starting with IBM i Release 7.2, new exit points allow you to control TCPIP socket access connections to your sytstem by user profile and source IP address or IP address range.

We designed SafeNet/i for any installation where intelligent clients (PCs) are attached to an iSeries server. These clients have access to the data on the iSeries whether they access the system through a local or remote connection, or whether there is a single iSeries or multiple systems.

SafeNet/i comes in two "flavors":

SafeNet/i Lite - is the same product that we formerly sold under the name "NSafe/400 Lite". This is a subset of SafeNet/i that provides network access controls down to the user-to-server level. It does not provide object level controls.

SafeNet/i - is the same product that we have been selling as "SafeNet/400" since December 1996. It includes all of the network access controls available down to the user-to-object level. It is managed through a series of "green screen" interface displays. You can also manage the product using our "Web Central" browser interface for a smooth GUI experience.

How does SafeNet/i work?

SafeNet/i captures every incoming request from clients who attempt to access server functions of IBM i/OS. These include SQL, ODBC, PC file transfers, FTP and more. It looks at each request, then acts on each depending on how much security that you have defined. Rules for your iSeries are checked. When it receives a legitimate request, it grants access and the information is processed. When they make a request that it does not permit, it rejects it and the information is not processed. Using this approach, SafeNet/i lets you leave your iSeries setup and configuration in place, unlike a lot of other security products that force you to make invasive changes in the way you do things.

What is a Server?

With Client Access, IBM provides many basic client/server functions such as file transfer, remote printing, file serving through shared folders and access to the IFS. Each function in Client Access uses both client and server programs. For instance, the file transfer process uses a program on the PC (the client) to request a file from the IBM i (the server).

However, don't think of the iSeries as a traditional file server. It has several specialized server functions included as part of IBM i/OS. Each request from a client uses one of these server functions on the iSeries.

SafeNet/i protects your system by interrogating requests to each server function and imposing the rules that you set up. This controls who gets access to your system and how much access they are granted. It does not replace or override IBM i/OS security. It works on top of IBM i/OS. If you allow a user the right to delete a file through SafeNet/i, but IBM i/OS does not allow the same authority, then it will reject the request. Conversely, if IBM i/OS allows data deletion rights and SafeNet/i does not, then it will also reject the request.

To get a better idea how this works, look at this diagram. It provides a visual image that helps to clarify where SafeNet/i fits in your system. As you can see, without SafeNet/i, you may have a significant security exposure.

You should also check our on-line demo. Take a look at our partial list of customers currently using SafeNet/i too.

SafeNet/i, developed by MP Associates of Westchester, is available from Kisco Systems for a FREE TRIAL. Just place your order here.

Software support is FREE for your first year of ownership. After this initial period, annual support charges will apply. Support includes unlimited email support, defect correction and free release updates.

We look forward to hearing from you. If we can help clarify any SafeNet/i features, please call us at (518) 897-5002.

Do you have questions about SafeNet/i? E-mail them to us

Price Information

Ordering Information

Available for FREE 30 day trial

Place your order here for a FREE trial of SafeNet/i.

When ordering, check for PTF's that may be required on your system.