
Redbooks Paper

Axel Buecker, Shawn Young

IBM Tivoli Access Manager for Operating Systems: Host-Based Intrusion Prevention for Applications and Platforms
"A lot of companies have gone to a lot of effort to protect themselves from being hacked, but it's a lot harder to stop a rogue employee. We have the technology, but we're not using it." The Washington Post, December 3, 2002

Employees, not hackers or viruses, present the chief threat to IT security. In the biggest identity theft case yet reported, employees stole 30,000 consumer financial reports over three years. A ring of scam artists, in turn, paid the employees $30 for each stolen report. Ultimately, consumers lost more than $2.7 million. Law enforcement estimates that more than half of all identity thefts are committed by employees.

In this IBM Redpaper, we discuss IBM Tivoli Access Manager for Operating Systems, a simple-to-use, powerful security system that locks down business-critical applications, operating platforms, and files against unauthorized access. This firewall-like capability prevents both insiders and outsiders from gaining unauthorized access to, and making unauthorized use of, vital customer, employee, and business partner data. Additionally, Tivoli Access Manager for Operating Systems audits application and platform activity to demonstrate compliance with corporate policies and government regulation. In an increasingly wired yet insecure world, Tivoli Access Manager for Operating Systems provides the assurance that customers, employees, and partners expect, and the rigorous auditing that the government and senior management require.

Copyright IBM Corp. 2003. All rights reserved.

ibm.com/redbooks

Overview
Tivoli Access Manager for Operating Systems erects and enforces a seamless security perimeter around UNIX/Linux systems, protecting business-critical systems and auditing all users. These controls apply even to Root superusers, a notoriously difficult-to-secure UNIX/Linux group. Unchecked and unmonitored Root users are often the source of considerable abuse. Tivoli Access Manager for Operating Systems prevents misbehavior by Root users and all other users through the rigorous application of access controls on resources, files, and data. Further, attackers favor Root accounts as targets because Root privilege is what is typically used to create backdoor access routes that bypass the basic controls. As a result, while the majority of cyber theft results from internal abusers, adequate controls on Root accounts also prevent a significant amount of external cyber theft. Tivoli Access Manager for Operating Systems provides 24x7 protection from unauthorized access to business-critical applications through robust controls against malicious actions, including actions attempted with Root privilege. Most business-critical applications today are hosted on UNIX or, increasingly, Linux, and are deployed throughout enterprise network environments as shown in Figure 1. These applications include ERP, CRM, SCM, and Human Resource Management applications, and middleware platforms such as IBM WebSphere. Most of these applications offer inadequate out-of-the-box security and auditing for today's enterprise.

[Figure 1, diagram labels only] Mission-critical servers: AS/400, UNIX, NT, S/390; security management; proxy server; workload management. Core network: web servers, certificate authority, single sign-on, backup/restore, security auditing; Internet access; VPN; merchant server. Perimeter network: intrusion detection, active content, e-mail filtering, firewall. Access network: PC security, PC anti-virus. External parties: customers, suppliers, distributors, business partners, mobile employees. Callout in the diagram: "55% of data theft occurs here".

Figure 1 The IT security map

Policy-based security: peace of mind in troubled times


The heart of an effective security program lies in its security policy. The bottom line is that everyone, partners, employees, customers, auditors, government regulators, and senior management alike, is looking for a security policy that guarantees the privacy and confidentiality of sensitive information. Never before have CIOs faced so many constituents demanding tight protection and accountability. Management and boards of directors no longer accept the running of expensive applications on insecure operating systems and ineffective protocols. Tivoli Access Manager for Operating Systems ensures that security policy is easily implementable, robust, and comprehensive.

Easy-to-use: Because security policy is crucial to operational effectiveness, there's no forgiving a security policy that is difficult to understand and challenging to enforce. Tivoli Access Manager for Operating Systems simplifies policy through multiple methods. The first is Web Portal Manager, a GUI-based, web-accessible management tool: security policy can now be managed in a point-and-click format. Command-line interfaces and script support give UNIX and Linux experts even greater flexibility. Simplicity is further ensured through the Tivoli Access Manager for Operating Systems Fast Track Policy Modules, pre-written, best-practice security policies that let demanding enterprises adopt effective security quickly. Security threats multiply daily, and CIOs cannot be expected to wait on slow policy development. While enterprises can use Web Portal Manager to design and set detailed policy if they wish, they accelerate their ROI through the Fast Track Policy Modules. Fast Track Policy Modules also come in application-specific versions, offering out-of-the-box customization: these pre-written, best-practice policies make it easy to tailor security policy for specific missions, such as enhancing Web security or defending CRM, ERP, or other applications and databases. Through Web Portal Manager, shown in Figure 2, security policies can be managed in a point-and-click fashion.

Figure 2 Web Portal Manager interface


Powerful: Power is provided by the Tivoli Access Manager for Operating Systems multi-threaded architecture, which enables it to operate fully 22 times faster than its leading competitor. This performance means that CIOs no longer have to trade operating efficiency for security: applications run smoothly even with the rigorous security that Tivoli Access Manager for Operating Systems adds. Administrators can set and enforce three types of security policy: password policy, login policy, and resource policy. Password policy can require the timely changing of passwords, or passwords of a specified length and alphanumeric mix. Login policy determines from where users can access systems and what files they can access remotely. Resource policy restricts access to systems, files, and data on a need-to-know basis.

Comprehensive: As a result of its industry-leading power, Tivoli Access Manager for Operating Systems scales throughout the enterprise, enforcing security comprehensively. It enables management to set a single security policy that is implemented and enforced worldwide. Centralization ensures adherence to corporate guidelines and government regulations. With Web Portal Manager, Tivoli Access Manager for Operating Systems policy can be managed from a Web-based tool. The benefit of this approach is that an enterprise's security managers can delegate limited authority for routine or emergency matters to specified local sub-domain administrators. This scheme offers maximum control while affording flexibility when necessary: in a case of network interruption, control can be delegated to local subdomain administrators without granting them excessive access or access to other subdomains.
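To make the three policy types concrete, here is an added example written for this page; it is not IBM's code and does not reproduce the product's own policy language. It models a small reference monitor in Python that evaluates a password policy (length, character mix, maximum age), a login policy (which networks a user may log in from) and a resource policy (need-to-know file access by longest matching path prefix), and writes an audit record for every resource decision. All policy contents, user names, paths and networks are constructed for illustration. Note what the resource check does with Root: it gets no implicit rights and is treated as just another principal that must appear in an ACL, which is the point the paper makes about Root users.

```python
"""Added example (not IBM code): a reference-monitor model of the three policy
types named in the paper. Policy contents below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
import re


@dataclass
class PasswordPolicy:
    """Password policy: minimum length, alphanumeric mix and maximum age."""
    min_length: int = 8
    require_alpha: bool = True
    require_digit: bool = True
    max_age_days: int = 90

    def check(self, password: str, last_changed: str, today: str) -> list[str]:
        """Return the violated rules (empty list means compliant); dates are ISO strings."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too short")
        if self.require_alpha and not re.search(r"[A-Za-z]", password):
            problems.append("no letters")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("no digits")
        age = date.fromisoformat(today) - date.fromisoformat(last_changed)
        if age > timedelta(days=self.max_age_days):
            problems.append("expired")
        return problems


@dataclass
class LoginPolicy:
    """Login policy: user -> source networks allowed to log in (default: nowhere)."""
    allowed_from: dict[str, list[str]] = field(default_factory=dict)

    def permits(self, user: str, source_ip: str) -> bool:
        src = ip_address(source_ip)
        return any(src in ip_network(net) for net in self.allowed_from.get(user, []))


@dataclass
class ResourcePolicy:
    """Resource policy: path prefix -> {principal: permissions}, r/w/x.
    The longest matching prefix wins; no matching grant means deny, root included."""
    acls: dict[str, dict[str, str]] = field(default_factory=dict)

    def permits(self, user: str, groups: set[str], path: str, op: str) -> bool:
        match = max((p for p in self.acls
                     if path == p or path.startswith(p.rstrip("/") + "/")),
                    key=len, default=None)
        if match is None:
            return False  # need-to-know: nothing granted, nothing allowed
        acl = self.acls[match]
        principals = ["user:" + user] + ["group:" + g for g in groups]
        return any(op in acl.get(p, "") for p in principals)


AUDIT: list[str] = []  # one record per decision, permit or deny


def decide(policy: ResourcePolicy, user: str, groups: set[str], path: str, op: str) -> bool:
    """Make the access decision and record it, whatever the outcome."""
    allowed = policy.permits(user, groups, path, op)
    AUDIT.append(f"user={user} op={op} path={path} result={'permit' if allowed else 'deny'}")
    return allowed


# Constructed sample policy (assumed names, paths and networks)
PASSWORD = PasswordPolicy()
LOGIN = LoginPolicy({"dba": ["10.1.0.0/16"], "root": ["10.1.5.0/24"]})
RESOURCES = ResourcePolicy({
    "/data/hr": {"group:hr": "r", "user:hrmgr": "rw"},
    "/data/hr/payroll": {"user:hrmgr": "rw"},   # narrower prefix overrides the wider one
    "/data/finance": {"group:finance": "r"},
})

if __name__ == "__main__":
    print(PASSWORD.check("abc", "2003-01-01", "2003-06-01"))
    print(LOGIN.permits("root", "192.0.2.10"))
    print(decide(RESOURCES, "root", {"wheel"}, "/data/hr/payroll/q1.csv", "r"))
    print(AUDIT)
```

The payroll entry shows the effect of longest-prefix matching: an hr group member may read the rest of /data/hr but not /data/hr/payroll, because the narrower entry does not list the group, and root, with no entry anywhere, is denied everything.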

Auditing: proof positive in a cynical world


Auditing resources is as important as defending them. Gone are the days when a CIO could simply attest that the network was secure. Amid unrelenting attacks, omnipresent threats, and widely publicized failures, customers, partners, and regulators all demand proof of effective security controls. Tivoli Access Manager for Operating Systems responds to this need through Persistent Universal Auditing, which maintains 24x7 audit logs on all programs, files, ports, resources, and systems. This provides administrators with a centralized report on security events, enabling them to review which users accessed what resources, how, and when.

Misbehavior rarely occurs just once; it recurs. Regular audits prevent prolonged abuse. The most successful information thieves endure through "creep and take" tactics: through incremental attacks over long periods of time they accumulate extensive amounts of sensitive data and insidiously degrade system defenses. Because they typically are insiders, such CAT thieves present significant risk, much more than regular Internet hackers. Insiders, after all, know on which systems valuable information resides and how best to circumvent security protocols. Recurrent auditing with Tivoli Access Manager for Operating Systems exposes CAT attacks before they can run their course.

The United States government has responded to financial scandals and health care concerns through the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These two pieces of legislation require the erection of significant barriers to secure sensitive financial and health care data. In addition, regular auditing is required to prove that confidential and private information is handled only on a need-to-know basis. Countries around the globe have enacted similar legislation; European legislation has gone even farther in its privacy and confidentiality requirements.
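"Creep and take" is a detection problem: each day's activity looks harmless and only the cumulative total is suspicious, so a review that looks at one day at a time misses it. The following added example (written for this page, not from the paper or the product) runs two rules over constructed audit records, a per-day burst threshold and a rolling-window cumulative threshold, and shows that only the second catches the low-and-slow reader. The record format, the thresholds, the sensitive path prefix and the user names are assumptions.

```python
"""Added example (not IBM code): reviewing audit records for 'creep and take'
abuse, many small reads that add up over weeks. Log lines and thresholds are
constructed for illustration; the record format is an assumption."""
from collections import defaultdict
from datetime import date, timedelta
import re

# Assumed record shape: <ISO timestamp> user=<u> op=<op> path=<p> result=<permit|deny>
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) op=(\S+) path=(\S+) result=(\S+)$")


def parse(lines):
    """Yield (day, user, op, path, result) for each well-formed record."""
    for line in lines:
        m = RECORD.match(line.strip())
        if m:
            day, user, op, path, result = m.groups()
            yield date.fromisoformat(day), user, op, path, result


def review(lines, sensitive_prefix="/data/customers/", daily_limit=50,
           window_days=30, window_limit=100):
    """Return sorted (user, finding) pairs over permitted reads of sensitive files.
    'burst': more than daily_limit distinct files read on a single day.
    'creep': more than window_limit distinct files read within any window_days
             period, which is how a reader who stays under daily_limit is caught."""
    per_day = defaultdict(lambda: defaultdict(set))   # user -> day -> {paths}
    for day, user, op, path, result in parse(lines):
        if result == "permit" and op == "read" and path.startswith(sensitive_prefix):
            per_day[user][day].add(path)
    findings = set()
    for user, days in per_day.items():
        ordered = sorted(days)
        if any(len(days[d]) > daily_limit for d in ordered):
            findings.add((user, "burst"))
        for start in ordered:
            end = start + timedelta(days=window_days)
            window = {p for d in ordered if start <= d < end for p in days[d]}
            if len(window) > window_limit:
                findings.add((user, "creep"))
                break
    return sorted(findings)


def constructed_log():
    """Constructed sample: alice (normal), bob (creep and take), mallory (one big grab)."""
    lines = []
    start = date(2003, 4, 1)
    for i in range(30):                      # bob: 5 new files every day for 30 days
        day = start + timedelta(days=i)
        for k in range(5):
            lines.append(f"{day}T09:{k:02d}:00 user=bob op=read "
                         f"path=/data/customers/{i * 5 + k:04d}.dat result=permit")
    for k in range(3):                       # alice: three files, once
        lines.append(f"{start}T10:00:0{k} user=alice op=read "
                     f"path=/data/customers/{k:04d}.dat result=permit")
    for k in range(80):                      # mallory: 80 files in one late-night session
        lines.append(f"{start}T23:00:00 user=mallory op=read "
                     f"path=/data/customers/{k:04d}.dat result=permit")
    lines.append(f"{start}T23:05:00 user=mallory op=read "
                 f"path=/data/customers/9999.dat result=deny")   # denials are not counted here
    return lines


if __name__ == "__main__":
    for user, finding in review(constructed_log()):
        print(user, finding)
```

Bob never exceeds five files a day, so no daily threshold flags him; the 30-day window does. Raising the window limit to 200 makes him disappear from the findings again, which is the practical caveat: the window and its limit have to be set from what normal use of that data actually looks like.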


Architecture: simple, lean, and muscular


Tivoli Access Manager for Operating Systems is built on a lightweight, powerful, easily installed architecture centered on the Tivoli Access Manager Policy Server. This server houses all security policies and can also maintain the database of all users in an LDAP directory. Tivoli Access Manager for Operating Systems relies on its Security Agent for local policy enforcement. The Security Agent locally protects and audits each server, acting as a host-based firewall that prevents unauthorized users from accessing files. Exceeding typical firewall capability, Tivoli Access Manager for Operating Systems restricts both incoming and outgoing network traffic, providing a matchless level of security for TCP/IP ports. The Security Agent also locally audits the use of applications, files, and resources. Figure 3 is an overview of the architecture of Tivoli Access Manager for Operating Systems.

[Figure 3, diagram labels] Access Manager Policy Server: a centralized server containing the policy database and the user IDs (LDAP); the Management Server (Policy Server) maintains policy. An SSL connection links the Policy Server to each Security Agent. Security Agent: erects the security perimeter, intercepts system calls, makes the access decision, and writes the audit record; the Security Agent enforces policy.

Figure 3 Tivoli Access Manager for Operating Systems architecture

For full security even during network interruptions, the Security Agent replicates the security policy and user identifications locally. In the event that the network connection fails, the Security Agent is fully able to make access decisions without the Policy Server being present.
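The local replica is what lets the agent keep deciding, and keep writing audit records, while the Policy Server is unreachable. The added example below is illustrative Python written for this page, not the product's code: it models a Policy Server that publishes versioned policy and an agent that caches the last-known-good version on disk, decides from that cache during an outage (including for a freshly restarted agent), and picks up a central revocation as soon as the connection returns. The server interface, the policy format, the exact-path lookup and the file names are all assumptions.

```python
"""Added example (not IBM code): an agent that keeps a local policy replica so that
access decisions and audit records continue during a Policy Server outage.
Server API, policy format and file names are constructed for illustration."""
import json
import os
import tempfile


class PolicyServer:
    """Stand-in for the central policy store; 'reachable' simulates the network."""
    def __init__(self, policy, version=1):
        self.policy, self.version, self.reachable = policy, version, True

    def fetch(self):
        if not self.reachable:
            raise ConnectionError("policy server unreachable")
        return {"version": self.version, "rules": self.policy}

    def publish(self, policy):
        """Central policy change: bump the version so agents know to refresh."""
        self.version += 1
        self.policy = policy


class SecurityAgent:
    def __init__(self, server, replica_path):
        self.server = server
        self.replica_path = replica_path   # last-known-good policy, kept on local disk
        self.replica = None
        self.audit = []                    # records are written locally whatever the network state
        self.refresh()

    def refresh(self):
        """Pull the current policy if the server is up; otherwise fall back to the replica."""
        try:
            fresh = self.server.fetch()
        except ConnectionError:
            if self.replica is None and os.path.exists(self.replica_path):
                with open(self.replica_path) as fh:
                    self.replica = json.load(fh)
            return self.replica is not None
        if self.replica is None or fresh["version"] > self.replica["version"]:
            self.replica = fresh
            with open(self.replica_path, "w") as fh:
                json.dump(fresh, fh)
        return True

    def decide(self, user, path, op):
        """Interception point: decide from the local replica; deny if no policy exists at all."""
        self.refresh()
        if self.replica is None:
            allowed, source = False, "no-policy"   # fail closed, never open
        else:
            allowed = op in self.replica["rules"].get(path, {}).get(user, "")
            source = f"v{self.replica['version']}"
        self.audit.append({"user": user, "path": path, "op": op,
                           "result": "permit" if allowed else "deny",
                           "policy": source, "server_up": self.server.reachable})
        return allowed


def demo():
    """Online decision, outage (with an agent restart), then a revocation after reconnect."""
    server = PolicyServer({"/data/hr/payroll": {"hrmgr": "rw"}})
    replica = os.path.join(tempfile.mkdtemp(), "policy.json")
    agent = SecurityAgent(server, replica)
    results = [agent.decide("hrmgr", "/data/hr/payroll", "r")]          # online: permit
    server.reachable = False
    results.append(agent.decide("hrmgr", "/data/hr/payroll", "r"))      # outage: replica permits
    results.append(agent.decide("root", "/data/hr/payroll", "r"))       # outage: root still denied
    restarted = SecurityAgent(server, replica)                          # restart during the outage
    results.append(restarted.decide("hrmgr", "/data/hr/payroll", "r"))  # loads replica from disk
    server.reachable = True
    server.publish({"/data/hr/payroll": {"hrmgr": "r"}})               # revoke write centrally
    results.append(agent.decide("hrmgr", "/data/hr/payroll", "w"))      # refreshed to v2: deny
    return results, agent.audit


if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    for record in audit:
        print(record)
```

The design point is the failure mode: with a replica, the agent fails to last-known-good policy rather than failing open, and an agent that has never received any policy denies everything. Each audit record carries the policy version and whether the server was reachable, so a later review can tell which decisions were made against possibly stale policy.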

Linux: bulletproof answer to open source questions


"Open source software is now the major source of elevated security vulnerabilities for IT buyers. The majority of the 29 advisories issued from January through October 2002 by Carnegie Mellon's CERT Coordination Center addressed vulnerabilities in open source or Linux products." eWeek, Nov. 22, 2002

Linux provides a revolutionary platform with superb flexibility, dependability, and value, and a whole new set of security challenges. Typically, however, it is not the enterprise's only operating system. In today's heterogeneous enterprise, an effective security solution must be able to secure and run on a variety of platforms. Tivoli Access Manager for Operating Systems can secure a wide range of Linux and UNIX operating environments, and constantly expands its coverage. Tivoli Access Manager for Operating Systems supports Linux on iSeries, xSeries, pSeries, and zSeries platforms.

Integration: flexibility on demand


Tivoli Access Manager for Operating Systems provides unparalleled breadth of value through full integration with the market's leading identity management, identity provisioning, and security management products. IBM Tivoli Identity Manager, IBM Tivoli Access Manager for e-business, IBM Tivoli Privacy Manager, and IBM Tivoli Risk Manager all effectively complement Tivoli Access Manager for Operating Systems. A common approach and infrastructure enables customers to rapidly meet demands for increased responsiveness, improved efficiency, and greater economy.

[Figure 4, diagram labels] Third-party software and security management: network firewalls, anti-virus, intrusion detection, VPN. Tivoli Risk Manager. Tivoli Identity Manager: user provisioning. Tivoli Access Manager: application protection. IBM Directory Server and IBM Directory Integrator: directory management. Tivoli Privacy Manager: privacy assurance. User management.

Figure 4 IBM Tivoli Integrated Identity and Security Management

The IBM Tivoli Integrated Identity Management suite (shown in Figure 4) scales to precisely meet customers' needs, whether those needs are narrowly focused or broadly conceived. These solutions work together to provide significant return on investment and exceptional levels of service to internal and external users. Close cooperation with industry partners in developing standards ensures that Tivoli's Integrated Identity Management suite is both widely interoperable and remarkably rigorous.

Summary: exceptional solution for an insidious threat


"The hacker who just stole your records is just as likely to be an insider as an outsider. Computer break-ins by insiders often do more damage than when a remote hacker gets into the system. They know what to take; they know what is important." The Atlanta Journal-Constitution, May 14, 2003

In a recent case involving a large consumer goods company, an employee pilfered the confidential financial, Social Security, and employee records of 450 co-workers, bypassing protocols to slip into the company's computer system without authorization. Incidents of insider cyber theft are rising rapidly. With increasing amounts of valuable consumer, employee, and partner data being accumulated, the incentives for insider misbehavior are increasing as well, and organizations face growing risk. Simultaneously, regulators and legislators are targeting enterprises that do not implement effective controls with fines and increased scrutiny. CIOs face unrelenting pressure for improved security, auditability, and accountability. The most economic and effective solution for CIOs is to combine comprehensive intrusion prevention technology (host-based firewall capability, application and platform protection, user tracking and controls) with persistent auditing capability. In a lightweight, powerful way, Tivoli Access Manager for Operating Systems does exactly this. No longer do organizations need to run business-critical applications on mainframes in order to enjoy mainframe-class security. With Tivoli Access Manager for Operating Systems they can enjoy mainframe-class security on distributed systems, and the peace of mind that comes when valuable data is fully secured and all users are held fully accountable.

The team that wrote this Redpaper


This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

Axel Buecker is a Certified Consulting Software I/T Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of Software Security Architecture. He holds a degree in computer science from the University of Bremen, Germany. He has 17 years of experience in a variety of areas related to Workstation and Systems Management, Network Computing, and e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior I/T Specialist in Software Security Architecture.

Shawn Young is the IBM Tivoli Access Manager for Operating Systems worldwide product manager. While at IBM he has contributed to the development of a number of leading edge security products. He has an extensive background in management consulting and has consulted with leading Fortune 500 companies on customer-centric approaches to improved operational effectiveness. He holds a degree in Economics and Public Policy from Rice University and a Masters degree in Business Administration from the University of California, Los Angeles' Anderson School of Management.

Thanks to the following person for her contribution to this project: Betsy Thaggard, International Technical Support Organization, Austin Center.


Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
IBM ibm.com Redbooks(logo) Tivoli zSeries

The following terms are trademarks of other companies: UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.


