IBM's midrange maneuvering leaves us wondering
Sometimes what doesn't make it to print in Windows NT Magazine is
just as interesting as what does. Case in point: As part of this month's
security focus, we had planned to conduct a security face-off between a Windows
NT Server running Internet Information Server (IIS) and an IBM AS/400 running
IBM's Web software. Why would we want to do this? As you know, both NT and IIS
have had their share of bad publicity about security problems. IBM, like many
proprietary operating system vendors, jumped on NT's back and proclaimed that
IBM's system is much more secure than NT. Quite frankly, we agree that the
AS/400 has an excellent reputation for solid security in business environments,
so we decided to put it to the test.
We invited the security folk in the AS/400 camp to participate in our
little test. These folk are understandably proud of the security they have built
into the AS/400 line of products, and they were clearly willing to put it to the
test. We asked the IBM folk to supply the machine and configure it as they saw
fit for a typical business environment--we even let them use a beta version of
OS/400 V4, a version that includes many new security features. In short, we let
them lock down the AS/400 as tight as they could (probably tighter than most
businesses lock it down).
The plan was to bring the AS/400 into our Lab and let an independent
security firm attack the system. The same firm would also attack an NT and IIS
system. We'd sit back and compare the results. Up until a few days before the
AS/400 was to arrive in the Lab, everything looked good. Oh sure, we had plenty
of issues to negotiate with IBM about the parameters of the test and what
information we would disclose under what circumstances, but the test looked like
it was a go. And then, at the very last minute, IBM abruptly withdrew from the
test.
Now this part is where the story gets interesting, so stay with me. We
later learned from a well-connected ex-IBMer that IBM did not withdraw because
it was afraid it was going to fail the test--as I said, the AS/400 security team
had high confidence in the AS/400's ability to survive attacks. No, IBM withdrew
because some higher-up executives decided IBM had nothing to gain by
participating in the test. These executives were afraid that negative results
would erode their existing customer base and weren't impressed with the idea
that positive results could increase their customer base. Let me put it bluntly:
IBM was more afraid of losing existing AS/400 customers than it was interested
in gaining new AS/400 customers.
This story is a pretty sad one for a company that touts its system as being
highly secure. But this behavior is typical of the midrange and mainframe
divisions of IBM. These divisions can't seem to come to grips with today's
marketplace. We suggest these older divisions take a lesson or two from IBM's
younger PC server hardware and NT software divisions, because the younger
divisions clearly know the market. These younger divisions aren't afraid of
standing behind their products and letting the cards fall where they may.
However, maybe IBM's move was smart. We certainly believe that all
operating systems have security holes--it's just that most operating systems
aren't subjected to real-life security tests until they become immensely
popular. Think about it: Users weren't aware of NT's security problems until NT
became very popular and started to appear as Web servers on the Internet. At
that point, the NT systems became targets for attack, and as you know, the
attackers found holes. This experience is the same trial-by-fire that UNIX went
through during its maturity cycle. We see this process as a good thing: People
find holes, the vendors plug the holes, and we all move forward with stronger
and more mature software.
The problem is that vendors don't often expose proprietary operating
systems to wholesale hacker assault. Thus, concluding that these operating
systems don't have security holes is not fair--we just don't know what these
security holes are. In the case of the AS/400, about 600,000 systems are in use
worldwide, but only a small fraction of them are plugged into the Internet or
another public network. As a result, they appear safe and secure because nobody's
really bent on breaking into them--yet.
For the record, we will continue on the path to performing this AS/400 vs.
NT test, but next time around we'll use our own AS/400 system configured by an
AS/400 security consultant. In other words, next time we'll leave IBM out of the
loop.