


Thanks for all the responses. I probably should have provided more details
in my original query.

To summarise:

1. PEN testing is required because it's company policy for any financial
application that has customer data. Once we explain the points below, the
scope might be more clear.

2. The Power servers have no direct customer-facing connection to the
Internet. The only way the servers can be accessed remotely is via the
corporate VPN, and that's for staff remote access (invaluable during these
COVID-19 times) and our support vendor. The VPN uses 2FA with tokens. For
web-based applications requiring account balances, this is done from our
digital platform, which uses a REST API (I think) to communicate with an
internal z/OS mainframe running CICS. The CICS application then uses MQ to
get certain account balances from IBMi.

3. The servers themselves are not open even on the internal network, with
application firewalls in front that limit access to a very small range of
IP addresses and ports. The ports are those IBM documents as being required
to support ACS, FTP (to be removed soon) and SFTP to other servers on the
internal network.

4. Staff don't run ACS on their desktops as their IP addresses would not be
allowed. The staff access an internal VDI server where ACS is published.
The subnet range of the VDI servers is whitelisted.
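An added example, not code from the thread or from any of the posters, of the infrastructure-level check a tester would start with for points 3 and 4 above: from a given vantage point, which IBM i service ports actually answer, and does that match the firewall allowlist the policy describes. The target host name, the two vantage points and their allowlists are constructed for illustration; the port table lists the well-known IBM i host-server, 5250 and file-transfer ports and is an assumption to be checked against IBM's documented list for the release and against the real firewall rules.

```python
"""
Scope check for the 'infrastructure' flavour of an IBM i pen test:
from this vantage point, which IBM i service ports accept a TCP
connection, and does that match what the firewall allowlist says this
source subnet may reach?

Added example, not code from the thread. Host name, vantage points and
allowlists below are constructed.
"""
import socket
from typing import Any, Dict, Iterable, Set

# Well-known IBM i TCP service ports. Assumption: take the authoritative list
# from IBM's documentation for the release in use and from the firewall rules;
# this table only maps the common ones to their service names.
IBMI_PORTS: Dict[int, str] = {
    21: "ftp",
    22: "ssh / sftp",
    23: "telnet (5250)",
    446: "as-drda (DB2 DRDA)",
    449: "as-svrmap (host-server port mapper)",
    992: "telnet-ssl (5250 over TLS)",
    8470: "as-central",
    8471: "as-database",
    8472: "as-dtaq",
    8473: "as-file",
    8474: "as-netprt",
    8475: "as-rmtcmd",
    8476: "as-signon",
    9470: "as-central-s (TLS)",
    9471: "as-database-s (TLS)",
    9472: "as-dtaq-s (TLS)",
    9473: "as-file-s (TLS)",
    9474: "as-netprt-s (TLS)",
    9475: "as-rmtcmd-s (TLS)",
    9476: "as-signon-s (TLS)",
}

# The thread says FTP is scheduled for removal: reachable is a finding, not "expected".
DEPRECATED: Set[int] = {21}


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def probe(host: str, ports: Iterable[int] = IBMI_PORTS, timeout: float = 1.0) -> Set[int]:
    """Subset of ports that accepted a TCP connection from this vantage point."""
    return {p for p in ports if tcp_reachable(host, p, timeout)}


def classify(reachable: Set[int], allowed: Set[int]) -> Dict[str, Any]:
    """Compare observed exposure with the allowlist policy says this source may reach.

    reachable: ports that answered (from probe(), or from a scanner's output)
    allowed:   ports the firewall rule for this source subnet is supposed to pass
    """
    unexpected = sorted(reachable - allowed)
    closed = sorted(allowed - reachable)
    deprecated = sorted(reachable & DEPRECATED)
    name = lambda p: IBMI_PORTS.get(p, "unknown")
    return {
        "unexpected_open": [(p, name(p)) for p in unexpected],
        "expected_but_closed": [(p, name(p)) for p in closed],
        "deprecated_open": [(p, name(p)) for p in deprecated],
        # The allowlist holds if nothing answered that the rule should have dropped.
        "policy_holds": not unexpected,
    }


def render(vantage: str, result: Dict[str, Any]) -> str:
    """One line per finding, suitable for pasting into a scoping note."""
    lines = [f"[{vantage}] policy_holds={result['policy_holds']}"]
    for key in ("unexpected_open", "expected_but_closed", "deprecated_open"):
        for port, svc in result[key]:
            lines.append(f"  {key}: {port}/tcp {svc}")
    return "\n".join(lines)


# Constructed allowlists mirroring the thread: the VDI subnet (where ACS is
# published) may reach the ACS host-server ports plus SFTP; an ordinary staff
# desktop should reach nothing at all.
ACS_PORTS: Set[int] = {449, 992, 8470, 8471, 8472, 8473, 8474, 8475, 8476}
ALLOWLIST: Dict[str, Set[int]] = {
    "vdi-subnet": ACS_PORTS | {22},
    "staff-desktop": set(),
}

if __name__ == "__main__":
    target = "ibmi-prod.example.internal"  # constructed; replace with the real host
    for vantage in ALLOWLIST:  # run once from each vantage point in practice
        print(render(vantage, classify(probe(target), ALLOWLIST[vantage])))
```

Run it once from a VDI session and once from a normal desktop: the desktop run should report `policy_holds=True` with nothing open, and the VDI run should list only `expected_but_closed` entries for services that are allowed but not started. Anything under `unexpected_open`, and 21/tcp under `deprecated_open`, is what the tester writes up.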



On Wed, Jul 22, 2020 at 8:41 AM Yvan Janssens <friedkiwi@xxxxxxxx> wrote:

(writing this with my information security consultant hat on)

We have done IBM i-related PTs quite a few times, and as other people have
mentioned, it all boils down to scope. A consultancy worth their money
would usually sit with you and try to figure out _why_ you need/want the
test and work from there on.

Let's start with the who bit - who is asking you to carry out this test?
Is this management that wants a 'seal of approval'?

Then there's the why bit - is this because there's a change of topology
(the DC move)? Has it been tested before, and what are the meaningful
changes?

Are you testing the infrastructure (i.e. if the infrastructure is set up
properly so you can't get to it if you shouldn't), or are you testing the
system (e.g. the IBM i deployment itself) or the application (the actual
application written in RPG)?

<sales-hat>
If you want, I can always get you in touch with a representative at my
company so we can look at this together.
</sales-hat>

/y

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: 21 July 2020 17:31
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Penetration testing IBMi 7.3?

<snip>
In fact some in this list have fought auditors when they say "you have x
open source package running and it is vulnerable" when IBM has fixed said
package but not bumped the version...
</snip>
I can definitely testify to that.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104, Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Suite 104, Ft. Wayne, IN 46818
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Roberto José Etcheverry Romero
Sent: Tuesday, July 21, 2020 8:03 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Penetration testing IBMi 7.3?



Isn't pentesting, in part, supposed to be done blind? More like "Here you
have the IBM i box, try to find out what you can"?
At least that is what I've been seeing in my preparation for the OSCP (a
pentesting certification).
You might say "there are no exposed services", but somebody might find out
"you have x and y services running, why?"
In fact some in this list have fought auditors when they say "you have x
open source package running and it is vulnerable" when IBM has fixed said
package but not bumped the version...

On Tue, Jul 21, 2020 at 2:01 AM Laurence Chiu <lchiu7@xxxxxxxxx> wrote:

We are moving a production system from one data centre to another. There
will be prod in one, DR in the second. The application is pure RPG on IBMi
with green screen access. There is no web application. The Power servers
are behind application firewalls and the only external access to the
servers is via the corporate VPN.

There is discussion that we need to perform penetration testing but I
cannot work out what that scope might be. We do have web-based applications
but they don't talk to IBMi at all. The closest we have are some web-based
applications that grab balances from a mainframe application using MQ
messaging, and then the CICS transaction might send a message to the IBMi
application over MQ to get a balance from another system.

I guess we could ask our pen testing organisation to start with the IP
address of the application web server and then see if they can somehow get
to the IBMi server console, but that seems very tricky since the IBMi box
isn't advertising any services and supports only 5250 access, MQ and
Connect:Direct.

Anybody in a similar position can provide some insight? Thanks
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.