Opening IBM system i to exchanges with the outside world: what are the risks?

How can Electronic Data Interchange (EDI) be implemented, with multiple exchanges over external networks, without introducing additional security risks? In practice, the risk depends closely on how the application that supervises the transactions integrates into the company's security architecture.
The TBT400 communication software and its built-in security features are fully adapted to meeting these security requirements.

General security features

  • TBT signon: TBT400 uses a proprietary signon (ID and password), separate from the OS/400 signon system, so no additional security risk is introduced for IBM system i.
  • Dynamic file creation: TBT400 always dynamically creates and names all files received, regardless of the network name given by the user; two transferred files cannot receive the same name, and there is no risk of two files colliding.
  • No exposure of filesystems.
  • Systematic rejection of remote commands: TBT400 keeps control of all files, prohibiting remote correspondents from taking control of the machine.
  • No file sharing. If badly managed, file sharing can be a serious risk to data security. TBT400 does not require management of file sharing, which should be handled by operational, not network teams.
  • Asynchronous processing: with TBT400, file reception is event-driven and only complete files are processed. It is therefore unnecessary to define a "super-protocol" for data exchange: any client or remote server can be integrated into the network without developing specific synchronization mechanisms between sender and receiver.
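The two file-handling points above (receiver-chosen file names, and processing only complete files) can be illustrated in a few lines. The Python below is an added example written for this page, not TBT400's own code or configuration: the `.partial` staging directory, the `Received` record and the timestamp-plus-UUID naming scheme are assumptions made for the illustration. The sender's name is kept only as metadata; the stored path is always chosen by the receiver, so two transfers with the same network name cannot collide and a hostile name cannot place a file outside the inbox. A transfer is written to the staging directory and renamed into the inbox in one atomic step, so the processing side never sees a half-received file.

```python
import os
import tempfile
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, List

PARTIAL_DIR = ".partial"  # assumed name of the staging directory for incomplete transfers


@dataclass(frozen=True)
class Received:
    stored: Path        # path chosen by the receiver, always inside the inbox
    claimed_name: str   # name supplied by the sender, kept as metadata only
    size: int


def server_name() -> str:
    """Receiver-chosen file name: UTC timestamp plus a random UUID.

    The sender's name never enters the path, so equal network names cannot
    collide and the name cannot point outside the inbox.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    return f"{stamp}_{uuid.uuid4().hex}.edi"


def receive_file(inbox: Path, claimed_name: str, chunks: Iterable[bytes]) -> Received:
    """Store one incoming transfer; it appears in the inbox only once it is complete."""
    inbox = inbox.resolve()
    staging = inbox / PARTIAL_DIR
    staging.mkdir(parents=True, exist_ok=True)

    # Write to a staging file first: a transfer that drops mid-way leaves
    # nothing in the inbox for the event-driven processing step to pick up.
    fd, tmp = tempfile.mkstemp(dir=str(staging))
    size = 0
    try:
        with os.fdopen(fd, "wb") as fh:
            for chunk in chunks:
                fh.write(chunk)
                size += len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    except Exception:
        os.unlink(tmp)  # discard the partial transfer entirely
        raise

    final = inbox / server_name()
    os.replace(tmp, final)  # atomic rename: the file is either absent or complete
    return Received(stored=final, claimed_name=claimed_name, size=size)


def list_complete(inbox: Path) -> List[Path]:
    """Files the processing step may act on: completed transfers only."""
    inbox = inbox.resolve()
    return sorted(p for p in inbox.iterdir() if p.is_file())


if __name__ == "__main__":
    # Constructed demonstration: two transfers with the same network name.
    box = Path(tempfile.mkdtemp())
    first = receive_file(box, "ORDERS.EDI", [b"UNA:+.? '", b"UNB+UNOA:1"])
    second = receive_file(box, "ORDERS.EDI", [b"UNB+UNOA:1"])
    print(first.stored.name, second.stored.name)  # two different receiver-chosen names
    print([p.name for p in list_complete(box)])
```

Only the `stored` path is ever used for processing; `claimed_name` is there for correlation and audit logs. Because the rename is atomic, a reader that polls or is notified on the inbox directory cannot observe a file that is still being written.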

Protection against identity spoofing

  • Support of SSL-encrypted exchanges and X.509 certificates.
  • Native address control: TBT can efficiently protect correspondents with a fixed IP address.
  • Destructive read: TBT can be set to 'read-once' mode for a given file. This feature should be used only for elements explicitly made available to one specific user, and prevents a file from being shared by several users.
  • Users are natively isolated from each other.
  • DMZ and Multi TBT: this combination allows internal messages to be processed in a secure manner.
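Address control, per-user isolation and read-once delivery from the list above fit together as one pick-up path: the session is accepted only from the correspondent's fixed addresses, the correspondent can only see its own mailbox, and the first pick-up of a file removes it so a second caller gets nothing. The Python below is an added example for this page, not TBT400's code or its configuration format: the correspondent table, the mailbox layout and the rename-to-claim technique are assumptions of the example, and the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import os
import tempfile
import uuid
from pathlib import Path
from typing import Dict, Optional

# Assumed correspondent table: each correspondent lists the source networks it may
# connect from and has its own mailbox directory (not TBT400's actual configuration).
CorrespondentTable = Dict[str, dict]


def is_allowed_source(table: CorrespondentTable, correspondent: str, source_ip: str) -> bool:
    """Native address control: accept the session only from the correspondent's fixed addresses."""
    entry = table.get(correspondent)
    if entry is None:
        return False  # unknown correspondent: nothing is allowed
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in entry["allowed"])


def release_once(mailbox: Path, filename: str) -> Optional[bytes]:
    """Destructive read: the first caller to rename the file wins; later callers get None.

    os.rename is atomic within one filesystem, so two concurrent readers cannot
    both obtain the contents. The claimed copy is deleted once it has been read.
    """
    src = mailbox / Path(filename).name  # basename only: a user stays inside its own mailbox
    claimed = mailbox / f"{src.name}.{os.getpid()}.{uuid.uuid4().hex}.claimed"
    try:
        os.rename(src, claimed)
    except FileNotFoundError:
        return None  # already picked up, or never existed
    try:
        return claimed.read_bytes()
    finally:
        claimed.unlink()


def fetch(table: CorrespondentTable, correspondent: str, source_ip: str, filename: str) -> Optional[bytes]:
    """Address check first, then a read-once pick-up from the correspondent's own mailbox."""
    if not is_allowed_source(table, correspondent, source_ip):
        raise PermissionError(f"{correspondent!r} may not connect from {source_ip}")
    return release_once(Path(table[correspondent]["mailbox"]), filename)


if __name__ == "__main__":
    # Constructed demonstration with a throw-away mailbox.
    box = Path(tempfile.mkdtemp())
    (box / "INVOIC.EDI").write_bytes(b"UNB+UNOA:1+ACME+PARTNER'")
    table = {"acme": {"allowed": ["203.0.113.0/24"], "mailbox": box}}
    print(fetch(table, "acme", "203.0.113.7", "INVOIC.EDI"))  # contents, first pick-up
    print(fetch(table, "acme", "203.0.113.7", "INVOIC.EDI"))  # None, file already consumed
```

A rejected address leaves the mailbox untouched, which is what you want when logging such attempts: the file is still there for the legitimate pick-up from the expected address. Read-once is only appropriate for files meant for exactly one user, as the page says; a file several users must read should not be placed in a read-once mailbox.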