RE: iSeries FTP security -- MIDRANGE-L

At the risk of beating a dead horse...

I have no problem at all with the (hopefully) intelligent discussion of
this security issue.  My problem is with the characterization of this as
an iSeries "Exploit."  That sort of thing leads uninformed people down
the road to conclusions that the iSeries is no different than any other
server from a security standpoint and the only reason that there aren't
(name your exploit here: viruses, buffer overflows, etc.) on the iSeries
is that it doesn't have a big enough user base.  

To quote: "The problem is not with the implementation of FTP, but with
the false sense of security we had when we installed an FTP exit
program..."

So the actual problem is with a Vendor or user written Exit Point
program.  IIRC, when I first discussed exit programs with Supportline I
was told that exit point programs were not covered under Supportline
contracts and that I would need a Consultline contract for additional
help.

The iSeries information center Exit Point examples all say: Note: These
examples are for illustration purposes only. They do not contain enough
features to run on a production machine as is. Feel free to use them as
a starting point, or to copy sections of code from them as you write
your own programs. Once you write the program, you must test them.

In Tips and Tools for Securing Your iSeries:
http://publib.boulder.ibm.com/iseries/v5r1/ic2924/books/c415300524.htm#H
DRCTLFTP

It specifically says, "Before you allow FTP, you must ensure that your
object security scheme is adequate."  I am in complete agreement with
Patrick, "object access control is required in a network environment."
It is great that we are discussing this, that's exactly why this forum
is here.  My only argument is with the mischaracterization of this as an
iSeries O/S weakness.  (BTW, I hope that everyone here is aware that
when using FTP the user profile and password is sent in clear text;
anyone with a sniffer and access to a router could capture them.  Not a
bug, just the way it works.)

Shalom, why is your tagline "Exposing iSeries insecurity" and not Ten
easy steps to securing your iSeries? 

Regards,
 
Scott Ingvaldson
iSeries System Administrator
GuideOne Insurance Group

Secured by RFC 1149 - http://www.ietf.org/rfc/rfc1149.txt


-----Original Message-----
date: 18 May 2005 15:20:35 -0000
from: shalom@xxxxxxxxxx
subject: RE: iSeries FTP security 

Scott,
These are vulnerabilities of a particular implementation of FTP, 
in a specific operating system - OS400. 

The problem is not with the implementation of FTP, but with the false
sense of security we had when we installed an FTP exit program and
thought that 
it works in a specific way, when in fact it provides a loophole for 
unplanned access. 

The same applies to the iSeries implementation of LDAP. 
A limited iSeries user cannot run WRKUSRPRF, 
but the LDAP query provides full information about a group of local
users, 
including all of the profile attributes. 

This feature is not found in other LDAP products.
Netscape LDAP does not disclose the list of local users that 
are defined on the server it runs on.


I agree that the LDAP issue is not a major problem, 
but it was never presented as such. 

Regards,
Shalom Carmel
-------------
www.venera.com - Exposing iSeries insecurity



-----Original Message-----
Subject: RE: iSeries FTP security 
From: "Ingvaldson, Scott" <SIngvaldson@xxxxxxxxxxxx> 
Date: Tue, 17 May 2005 10:52:05 -0500 

Shalom -

For simplicity I'll concede every one of your points.  Now please
explain to me why these are iSeries vulnerabilities rather than FTP or
LDAP vulnerabilities. 

Regards,
 
Scott Ingvaldson
iSeries System Administrator
GuideOne Insurance Group