Four Powerful Ways to Use Exit Points for Securing IBM i Access
How exit points and exit programs can help secure IBM i access
There are many approaches and technologies you can use to keep your IBM i secure. Exit points and exit programs are a powerful means to monitor and secure four important levels of access within the IBM i:
- Communication Ports
The challenge of exit programs is that they can be time-consuming to create and difficult to manage.
IBM introduced exit points to the AS/400 in 1994 with V3R1 of the operating system. They gave administrators and developers “hooks” that could be used to invoke one or more user-written programs, called exit programs, during a wide variety of OS-related operations. For instance, most types of network communications have their own exit point, so an exit program can be created and “registered” to the exit point for a particular network-access protocol. For example, an exit program could be written that not only monitors and logs all FTP activity, but also allows or denies specific users the ability to transfer a file based on many parameters, such as user profile settings, IP addresses, object permissions, and time/date windows.
Because a wide variety of information can be passed to the exit program and the exit program can often be designed with a very granular, rules-based logic, it is possible to allow or disallow a specific type of activity under very specific circumstances.
This kind of control provides the ability to implement a nuanced, contextual approach to securing access, which has numerous benefits. In addition, it’s important to keep in mind that exit programs are always invoked by the OS prior to the consideration of object-level security. This means that when exit programs are properly created, they can control the conditions of access for even powerful users.
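The rule logic described above for an FTP exit program, modelled in Python as an added example; it is not IBM i code and not taken from the white paper. The rule fields, the `decide` function, the addresses and the profile names other than QSECOFR are constructed for illustration, and object-permission checks are left out.

```python
# Python model of an FTP exit program's decision logic (constructed, not IBM i code).
import ipaddress
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    user: str              # user profile name, or "*ANY"
    network: str           # CIDR block the client address must fall in
    operations: frozenset  # operations covered, e.g. {"GET", "PUT"}
    start: time            # window start (inclusive)
    end: time              # window end (exclusive)
    allow: bool            # verdict when the rule matches

# Constructed rule set: first match wins, no match means reject.
RULES = [
    # A powerful profile is refused before object authority is ever consulted.
    Rule("QSECOFR", "0.0.0.0/0", frozenset({"GET", "PUT", "DELETE"}),
         time(0), time(23, 59, 59), False),
    Rule("BATCHFTP", "10.20.0.0/24", frozenset({"PUT"}), time(1), time(4), True),
    Rule("*ANY", "10.0.0.0/8", frozenset({"GET"}), time(8), time(18), True),
]

def decide(user, client_ip, operation, now, rules=RULES, audit=None):
    """Return True to allow the request, False to reject; log every decision."""
    user, operation = user.upper(), operation.upper()
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        addr = None  # a malformed address never matches a rule
    verdict, matched = False, None  # default deny
    for index, rule in enumerate(rules):
        if rule.user not in ("*ANY", user):
            continue
        if addr is None or addr not in ipaddress.ip_network(rule.network):
            continue
        if operation not in rule.operations or not (rule.start <= now < rule.end):
            continue
        verdict, matched = rule.allow, index
        break
    if audit is not None:  # one audit record per request, allowed or not
        audit.append(f"user={user} ip={client_ip} op={operation} "
                     f"time={now.isoformat()} rule={matched} allow={verdict}")
    return verdict
```

Because the first matching rule wins, the explicit reject for QSECOFR has to sit above the broader `*ANY` rule, or that profile would inherit the general read access.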
Download this white paper to learn the security challenges of each level of access and how exit programs help remediate the threat.