Security announcement from IBM.

[Darren Reed <avalon @ coombs . anu . edu . au>]

I believe this announcement is of interest to firewalls...

...there are some very interesting items below, including IBM setting
up their own CERT squad.

I apologise in advance if it has already been posted here and I just
haven't caught up with it.

darren

> *------------------------------------------------------------------------
>  IBM Announces Security Software and Services to Protect the Enterprise
>  September 28, 1995
> 
>  As part of its long-standing commitment to data security, IBM has
>  announced enhancements, availability and pricing for a broad range of
>  I/T security products and services designed to protect the enterprise
>  from intrusion.
> 
>       The announcement includes:
> 
>  -- The launch of the Emergency Response Service , which provides expert
>     incident management skills to clients during and after electronic
>     security emergencies;
> 
>  -- A  Customized Infiltration Tool Kit , to detect the most
>     subtle weaknesses in a customer's Internet connection;
> 
>  -- Significant enhancements and price reductions on IBM's
>     firewall  product;
> 
>  -- The announcement for  secure Web servers and browsers ;
>     enhancements to IBM AntiVirus software to support Windows 95 **;
> 
>  -- The  availability of a new release of RACF *, IBM's award-
>     winning Resource Access Control Facility, which now provides
>     password synchronization across your RACF managed systems;
> 
>  -- The announcement of  Internet secure OS/400 *, the operating system
>      for the world's most popular business computing system.
> 
> 
>            Emergency Response Team Operational Worldwide
> 
>  In response to concerns about network infiltrations, IBM
>  announced that its Emergency Response Service for commercial
>  businesses is now operational for customers throughout the world.
>  Chartered to provide swift, expert incident management skills to
>  clients during and after electronic security emergencies, the
>  emergency response team specializes in electronic disasters that
>  affect data processing capabilities, and is available to
>  customers on a subscription basis via IBM's Integrated Systems
>  Solutions Corporation (ISSC)*.
> 
>  This global service periodically checks customers' networks
>  and can act as an extension of clients' I/T staffs.  In the event
>  of a network break-in, the team helps customers detect, isolate,
>  contain and recover from unauthorized network infiltration.  They
>  are on call 24 hours a day, seven days a week around the world.
>  IBM team members, who have extensive incident management
>  experience, develop an understanding of customers' networks and
>  system architectures, as well as how their firewalls are
>  configured and maintained.
> 
> 
>                  Customized Weakness Detection Kit
> 
>  IBM's Customized Infiltration Tool Kit, a sophisticated set
>  of tools to detect security weaknesses in clients' Internet
>  connections, is available today.  With these tools, IBM can probe
>  the subtlest weaknesses that the most sophisticated hackers might
>  try to exploit.
> 
>  These tools exercise network connections that go beyond the
>  capabilities of most existing tools on the market and are
>  customized to match clients' specific network configurations.
> 
>  The Customized Infiltration Tool Kit is part of IBM's I/T Security
>  Consulting offering, and was developed in conjunction with IBM
>  Research's Global Security Analysis Labs in New York and Zurich.
> 
>                    Advanced Firewall Security ***
> 
>  As part of these security announcements, IBM announces a
>  new release and a price reduction for its firewall, the Internet
>  Connection Secured Network Gateway*, to promote its wider
>  availability and advance the state of security on the Internet.
>  Formerly known as the NetSP Secured Network Gateway, the Internet
>  Connection Secure Network Gateway will be available to the public
>  on October 27.
> 
>  The firewall now supports AIX 4.1.3, and operates with the
>  popular RISC System/6000* workstation.  It contains an encrypted
>  IP tunnel that encodes data from one firewall to another using
>  DES, the Data Encryption Standard invented by IBM more than 20
>  years ago, and Commercial Data Masking Facility (CDMF), an
>  exportable encryption technology used outside of North America.
>  The IP tunnel and key distribution is one of the first that is
>  based on the latest IETF specifications, providing the most
>  advanced technology for firewalls currently available.
> 
>  The Internet Connection Secured Network Gateway also includes remote
>  administration and an alarm capability that allows a user to set
>  alerts that are triggered when certain errors or other security
>  violations occur.
> 
> 
>                 Secure Web Servers and Browsers ***
> 
>  IBM is also announcing the IBM Internet Connection Secure
>  Web Servers for the OS/2* and AIX* platforms and IBM's Internet
>  Connection Secure WebExplorer for OS/2 Warp.  Using the industry
>  standard protocols Secure HyperText Transfer Protocol (S-HTTP)
>  and Secure Sockets Layer (SSL)**, these secure Web servers and
>  browser will be commercially available on December 8.  IBM
>  Internet Connection Secure Servers provide several security
>  methods for conducting commerce over the Internet, including
>  public key data encryption technology.
> 
> 
>                     Anti-Virus Software and Services
> 
>  IBM also announced that its IBM AntiVirus software will be
>  available for the Windows 95 platform in November.  IBM AntiVirus
>  software provides comprehensive virus detection, removal and
>  protection for over 6,000 known computer viruses, and is widely
>  available on the OS/2*, DOS**, Windows**,  and NetWare**
>  platforms for $49.
> 
>  IBM AntiVirus scans memory, hard disks, floppy drives and
>  network servers for thousands of viruses, including polymorphic
>  viruses that change to avoid detection, and viruses previously
>  considered impossible to discover.  To uncover unknown viruses,
>  the software contains heuristics that attempt to find viruses by
>  watching for behavior that is characteristic of viruses. IBM's
>  anti-virus software products are available on the Internet via
>  IBM's AntiVirus home page at http://www.brs.ibm.com/ibmav.html.
> 
> 
>                           RACF 2.2 Debuts
> 
>  IBM's acclaimed Resource Access Control Facility (RACF) for
>  MVS will debut Version 2.2 this week on September 29.  RACF is a
>  versatile, effective security tool that protects MVS system
>  resources from inadvertent damage and deliberate misuse of data.
>  New features for RACF 2.2 include password synchronization and
>  the ability to administer multiple remote RACF databases with a
>  single command, without logging onto the remote systems.  RACF
>  2.2 also features a "remove ID" utility that eliminates security
>  problems created by old, unneeded user ID's, and has expanded its
>  support for OpenEdition MVS by providing security checking and
>  auditing for the XPG4 environment.  RACF 2.2 also provides
>  enhancements to its PassTicket support, an alternative to RACF
>  passwords.  With RACF 2.2 you can now use unique PassTicket keys
>  for different RACF users and groups who need access to the same
>  secured application.
> 
>  These new features build upon support provided in RACF 2.1,
>  such as RACF's sysplex data sharing support which uses the
>  System/390 parallel sysplex services to cache RACF data.  RACF
>  also uses these services to transmit selected administrative
>  commands to peer RACF systems.  The administrator can send these
>  commands from one system to take effect on all systems enabled
>  for sysplex communication.
> 
>  IBM has previously announced its intention to enhance RACF
>  for VM by providing support for the OpenEdition POSIX and Shared
>  File System features of VM/ESA.
> 
> 
>                       Internet Secure OS/400
> 
>  IBM's AS/400 operating system, OS/400, offers a fully integrated
>  set of security features that have been evaluated to meet the U.S.
>  Government C2 security criteria.  OS/400 Version 2 Release 3 is
>  scheduled to receive the C2 rating at the National Security Conference
>  in October.  Subsequent releases of OS/400 have been designed to meet
>  C2 and IBM intends to continue to participate in the government
>  evaluation process.  Included in the C2 evaluation was the AS/400
>  relational database DB2/400, which is integrated into the operating
>  system, and utilizes the same security mechanisms as OS/400.  This
>  ensures the integrity of information stored in OS/400, as well as the
>  security of user access to AS/400 computing resources, providing
>  customers with unmatched security for midrange system computing.
> 
>  IBM's AS/400 provides full individual accountability via a
>  centralized identification and authentication built into the
>  system.  Users are uniquely identified by a one-way DES encrypted
>  password.
> 
>  Since all sharable data is contained in encapsulated
>  objects, discretionary access control is maintained by each
>  object manager using a system-wide access algorithm.  Access to
>  objects may be controlled through public, private, or adopted
>  authorities and may be managed through user groups and common
>  object authorization lists.
> 
>  Additionally, AS/400 provides a highly configurable set of
>  auditing capabilities selectable to individual users, objects, or
>  events.
> 
>  Hardware and software encryption/decryption capabilities
>  supporting data confidentiality, non-repudiation, authentication,
>  and data integrity are also available on AS/400.
> 
>  These announcements complement a wide range of I/T
>  security offerings already available from IBM -- from encryption
>  hardware and software, access control products, firewalls and
>  security management and administration, to DCE security services,
>  IBM Global Network security services and implementation services.
>  Additional information on these offerings can be found through
>  the IBM I/T Security home page, at  http://www.ibm.com/Security.
> 
>  IBM's security products support the security component of
>  the Open Blueprint.  A white paper with information about
>  security in the Open Blueprint is available for reference on the
>  Internet at: http://www.torolab.ibm.com/openblue/openblue.html.
> 
>  For more information about other IBM products and services,
>  see the IBM home page on the World Wide Web, located at
>  http://www.ibm.com.
> 
>  *    Indicates trademark or registered trademark of International
>       Business Machines.
> 
>  **   Indicates trademark or registered trademark of the
>       respective companies.
> 
>  ***  Editor's Note: For more information on IBM's advanced
>  firewall security and Internet Connection Secure Web Servers and
>  Browsers, please refer to the accompanying press release.