Security Audit of IBM’s AS/400 System i: Part 1

In this blog post, we will be describing our experience of conducting a security audit of IBM AS/400 and System i.

AS/400 also known as IBM i Series or Green Screen System was initially designed for micro businesses. By industry need and reliable performance of these systems with the efficient output, IBM redesigned the system for distributed networks.

AS/400 supports the distributed network communication while interacting with multiple core applications to serve the data in a multi-direction manner. It runs on its internal operating system called OS/400 which is equipped to provide versatile all-purpose services.

OS/400 based AS/400 system is a milestone success, where IBM can compete with Windows and Unix based servers. Unlike Windows and Unix, its multi-purpose environment and inbuilt security implementation make it safer and reliable in the industry.

Features Of The AS/400 System

Given that most companies have adopted other popular systems where users have accessibility, reliability, efficiency, troubleshooting, human resources, cost-effective, and ease of implementation, we’ll argue the case for why companies should consider adopting AS/400 over other popular systems.

AS/400 systems/servers have always been an attraction for the businesses that deal with a high volume of transactions. These systems are entirely reliable, safe and efficient as per the business need. Below are some key factors which work as a backbone for the existence of AS/400 in the industry:

• Performance
• In-built Security
• Thousands of inbuilt application environment
• Fully integrated h/w and s/w components
• RISC processor technology
• Efficiency
• Stability
• Accuracy
• Versatility

AS/400 or System i Architecture

As we all know, dealing with financial transactions and sensitive user data has always been a concern for organizations. These types of operations require maximum efficiency as well as accuracy as they are expecting the security of critical assets. So organizations tend to go with systems which are capable of providing all these critical factors along with a high-performance environment to the end user to avoid any business/security issues in the place.

IBM AS/400 uses an integrated file system that allows applications to access specific segments of storage that it organizes as logical units. These logical units are files, directories, libraries, and objects.

Integrated File System

There are various file systems in the integrated file system:

• Root (/)
• Open Systems (QOpenSys)
• Library (QSYS.LIB)
• Document Library Services (QDLS)
• LAN Server/400 (QLANSrv)
• Optical Support (QOPT)
• File Server (QFileSvr.400) etc

Challenges During Security Audits of AS/400

The above overview, architecture, file system is enough to understand that these systems are entirely different from other systems which are commonly in use. Whenever we talk about security audit of any system, it directly relates to and depends on the architecture and workflow of that system. So auditor must have an idea about the architecture and workflow of the target system to create the strategy for security testing of that particular system.

As we are aware that, these systems entirely different from other systems to the process and methodology of security testing for other systems would not work here anymore.So let’s have a look on the challenges auditors usually face while doing the security audit of AS/400 based system:

• It uses it’s own IBM client to access the application which is completely wrapped with IBM security checkpoints, so it is difficult to intercept the traffic for testing.
• Requires expertise in AS/400 system commands, where most of the auditors are from a Windows, networking or other background and don’t have in-depth AS/400 security knowledge.
• A file system is different from other conventional systems, so analyzing and choosing attack vectors for the respective module is difficult.
• Runs on IBM Mainframe based systems, so it is challenging to understand the background support processes as mainframe is in infrequent use.
• If a third party utility is used to access the application, IBM’s security checkpoints crash the utility and don’t allow the user to access the application using other utilities.
• Another reason of crashing the utility is that AS/400 is a high performance and reliable system so it requires a utility to access the application which capable as per the AS/400’s requirements, and usually, other utilities are not capable.
• Most of the AS/400 system works on EBCDIC (Extended Binary Coded Decimal Interchange Code) character set so tools used as a proxy in other application by auditors may fail.
• It transfers data character by character, so mass manipulation of data is difficult to perform.
• Depending on the configuration done by administrators, AS/400 may only allow the request from the IBM client only, so auditor’s methodology of sending or replaying existing request might get blocked.
• Client-side manipulation is difficult as it is made by the IBM standard code which is being used since it’s deployment.
• As the application logic is processed on the server, there is almost no scope for application logic testing.
• It is challenging for those companies or auditors to audit AS/400 who mainly depends on the automation testing as there is a minimum scope of automation testing in this scenarios and as such no automated scanner is available.

Tools and Techniques to be used in AS/400 Audit

Below are some tools which can help you during the security audit of AS/400. Use of a particular tool depends on the application behaviour and client application. The role and reason behind choosing these tools will be explained in the core audit process.

• Wireshark
• ITR(Interactive TCP Relay)
• Echo Mirage
• SysInternalSuite
• WinHex
• In-built IBM Utilities
• Python(To reduce the effort during testing)

In the next part, we will explain the process segregation and core audit process covering various aspects of a security audit in regards of AS/400 environment.