I’m a member of two different tech circles, IBM i and cyber-security, and I remember futzing my way around the original model B01 AS/400 server in 1988. I get excited when I read about new features released in the latest TR or IBM i OS version, and I’ve been immersed in the information and cyber security circle for over 20 years, becoming a CISSP in 2009.
I was recently speaking with a young IT director who was raised in the Cisco and Windows world and is currently tasked with taking over the management of the company’s IBM i, more specifically a Power 9 server running IBM i. The director was doing her homework, gathering information to comply with a routine PCI audit, and wanted to know which AV (antivirus) application I would recommend for her system. I spent a lengthy time with her discussing and analyzing the different angles for consideration and ultimately gave her the following advice: spend your money on network security software that uses Exit Points. Don’t waste your money on antivirus for IBM i.
I have many reasons for this opinion. PCI DSS 4.0 says that if the server is in scope, meaning it processes or stores credit card numbers, it must run some form of anti-malware software. This requirement is based on a good security principle, namely defense in depth, where you design not just one but many layers into your security architecture. However, this recommendation is a reaction to the virus-ridden history of Microsoft Windows, which can spread, store, and detonate malicious software written for that OS. IBM i OS running on a Power PC cannot detonate software written for Windows OS, which requires an Intel processor.
EDR (Endpoint Detection and Response) and XDR (eXtended Detection and Response) applications are much better suited to detect malicious software than old-style AV apps. They won’t scan the files stored on an IBM i server, but they will scan every file that touches an endpoint, such as a Windows-based PC or server on your company network.
The antivirus products marketed for IBM i are, from a cyber-security perspective, yesterday’s news, as they only compare files against a list of known malicious software signatures. The problem is, the bad guys know this and don metaphorical disguises, creating custom malware for each target in order to evade detection. This is why today’s EDR and XDR applications rely less on signatures and more on behavior.
To observe or test behavior, the executable software must run on its native OS. Executable programs compiled on Windows for Intel can’t run on IBM i OS for Power PC. The binaries are as different from each other as Castilian Spanish is from Mandarin Chinese.
If there are no SMB connections from any Windows endpoints to the IBM i server, in other words, no drives mapped to the IFS at all, IBM i is much less likely to be the conduit for malicious software.
Network security applications on IBM i that make use of Exit Points are a strong cyber and information security control. If you’re a network, Windows, or Linux nerd, think of IBM i-based Exit Point applications as a “host-based firewall.” Like a firewall, these applications are gatekeepers for network connections using qualifiers such as IP addresses, usernames, and associated permission lists.
Narrowing the flow of network traffic down to that which is authorized reduces the surface area for an attack on your IBM i server.
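To make the “host-based firewall” idea concrete, here is an added example (my own illustrative model, not code from any exit-point product or from IBM) of the decision an exit program makes: given the exit point a connection is arriving through, the user profile, and the client IP address, it consults a permission list and accepts only what is explicitly allowed. The exit point names QIBM_QTMF_SVR_LOGON and QIBM_QZDA_INIT are real; the rule table, user profiles, and addresses are constructed samples, and the '0'/'1' return convention mirrors the single-character accept/reject code used by many IBM i exit programs.

```python
import ipaddress
from dataclasses import dataclass

# Real IBM i exit points the sample rules refer to.
FTP_LOGON = "QIBM_QTMF_SVR_LOGON"   # FTP server logon
ODBC_INIT = "QIBM_QZDA_INIT"        # database (ODBC/JDBC) server initiation


@dataclass(frozen=True)
class Rule:
    user: str               # user profile the rule applies to
    network: str            # CIDR the client must connect from
    exit_points: frozenset  # servers this user may reach from that network


# Constructed permission list: who may reach which server from where.
RULES = (
    Rule("PAYROLL", "10.1.20.0/24", frozenset({ODBC_INIT})),
    Rule("EDIUSER", "10.1.30.5/32", frozenset({FTP_LOGON})),
)


def decide(exit_point: str, user: str, client_ip: str) -> tuple:
    """Return ('1', reason) to accept or ('0', reason) to reject.

    Anything not explicitly permitted by a rule is rejected, so an
    unknown user, an unexpected subnet, or a server the user was never
    granted all fall through to the default deny.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "0", "unparseable client address"
    for rule in RULES:
        if rule.user != user:
            continue
        if addr not in ipaddress.ip_network(rule.network):
            continue
        if exit_point in rule.exit_points:
            return "1", f"matched rule for {rule.user} from {rule.network}"
        return "0", f"{user} not permitted {exit_point} from {rule.network}"
    return "0", "no matching rule (default deny)"


def audit(exit_point: str, user: str, client_ip: str) -> str:
    """One audit line per attempt; the REJECT lines are what you alert on."""
    code, reason = decide(exit_point, user, client_ip)
    verdict = "ACCEPT" if code == "1" else "REJECT"
    return f"{verdict} {exit_point} user={user} ip={client_ip} ({reason})"
```

Every rejected attempt leaves an audit line, which is the detection side of the control: a burst of REJECT lines for one user or one address is worth a look.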
Nobody has an unlimited security budget. Before joining Briteskies as a consultant, I managed a small IT department and reported directly to the CFO. When I walked into his office, he’d say “The answer is ‘No.’ Now, what’s the question?” With limited resources, you need to make prudent choices with your security budget.
If you’re being pressured, by auditors or higher-ups not familiar with the IBM i platform, to spend on antivirus software that you think is truly unnecessary, talk it through with those giving pushback and explain your reasoning. The components of PCI DSS are requirements, not commandments. If the auditors work with you to understand the big picture of your security posture rather than adhering blindly to a checklist, they should accept this reasoning as an acceptable compensating control for the requirement.
Unfortunately, if they’re clueless about IBM i you’ll likely have to waste some of your scarce security budget dollars on unnecessary software – it could be worse.