Security Audit of IBM’s AS/400 System i: Part 1
In this blog post, we describe our experience of conducting a security audit of IBM AS/400 and System i.
AS/400, also known as IBM i Series or Green Screen System, was initially designed for micro businesses. In response to industry need, and given the reliable performance and efficient output of these systems, IBM redesigned the system for distributed networks.
AS/400 supports distributed network communication while interacting with multiple core applications to serve data in multiple directions. It runs on its internal operating system, called OS/400, which is equipped to provide versatile, all-purpose services.
The OS/400-based AS/400 system is a milestone success that lets IBM compete with Windows- and Unix-based servers. Unlike Windows and Unix, its multi-purpose environment and built-in security implementation make it a safer, reliable choice in the industry.
Features Of The AS/400 System
Most companies have adopted other popular systems that offer accessibility, reliability, efficiency, troubleshooting, human resources, cost-effectiveness, and ease of implementation. Here we’ll argue the case for why companies should consider adopting AS/400 over those systems.
AS/400 systems and servers have always been attractive to businesses that deal with a high volume of transactions. These systems are entirely reliable, safe and efficient for the business need. Below are some key factors that work as a backbone for the existence of AS/400 in the industry:
AS/400 or System i Architecture
As we all know, dealing with financial transactions and sensitive user data has always been a concern for organizations. These types of operations require maximum efficiency as well as accuracy, because the security of critical assets depends on them. So organizations tend to choose systems that can provide all these critical factors along with a high-performance environment for the end user, to avoid any business or security issues.
IBM AS/400 uses an integrated file system that allows applications to access specific segments of storage that it organizes as logical units. These logical units are files, directories, libraries, and objects.
Integrated File System
There are various file systems in the integrated file system:
Challenges During Security Audits of AS/400
The overview, architecture, and file system described above are enough to show that these systems are entirely different from other systems in common use. A security audit of any system relates directly to, and depends on, the architecture and workflow of that system. So an auditor must understand the architecture and workflow of the target system to create a strategy for security testing of that particular system.
Because these systems are entirely different from other systems, the process and methodology of security testing used for other systems will not work here. So let’s have a look at the challenges auditors usually face while doing a security audit of an AS/400-based system:
Tools and Techniques to be used in AS/400 Audit
Below are some tools that can help you during a security audit of AS/400. The use of a particular tool depends on the application behaviour and the client application. The role of each tool and the reason for choosing it will be explained in the core audit process.
In the next part, we will explain the process segregation and the core audit process, covering various aspects of a security audit of the AS/400 environment.