THE ESSENTIAL GUIDE TO THWARTING HACKERS
By Mel Beckman, October 2005
Supplement to iSeries NEWS, 2005

They call it Internet background radiation, or IBR. It's that constant hiss of traffic ever present on every Internet connection. Like the universe's Cosmic Background Radiation, IBR lets us know that the Internet is not empty. Unlike its benign cosmic cousin, however, IBR is malevolent proof that evildoers prowl the Net seeking whom they may devour.

You can see IBR with your own eyes by examining any firewall log, which will report a constant stream of probes and pokes at random IP addresses in your network. There is a hacker behind every one of these probes; none is innocent. Over time, IBR will ferret out known vulnerabilities in any network and exploit them. The average survival time of an unprotected Windows PC is measured in minutes; more secure devices might last weeks or months. But one thing is certain: If you don't find the vulnerabilities in your network, hackers will. Soon.

But don't despair. The key to a hacker's success is the subtle phrase "known vulnerabilities." Hackers are bottom feeders; very few actually discover new security flaws on their own. Instead, they troll software bug reports and system patch announcements, then devise cunning robotic scanners or bots to seek out and exploit them. It is these bots that generate IBR, and it is them that you must repel.

To that end, here are 10 straightforward steps that you can take to make your network less susceptible to attack, by dint of removing known vulnerabilities. I present these steps in order of ease, with the simplest first, because the more of these steps you accomplish, the more likely you are to be removed from the hackers' list of low-hanging fruit. Some of the steps require
nothing more than the investment of your time; others require the cooperation of your entire enterprise. You should take each step as soon as possible.
1. Continuously Educate Users

Hackers get into networks most often by tricking users into opening the front door: Trojan programs embedded in e-mail attachments, malicious URLs seemingly forwarded by friends, and virus infections brought into the enterprise by PCs from home. There is only one way to prevent user-induced security breaches, and that is user education.

Given the barrage of routine announcements and training materials that the average corporation foists on employees, it can be difficult to make your security message heard. Your best bet is to make the message pervasive and continuous. You can't simply publish a security policy and expect users to absorb and follow it. Instead, inform users of their need for vigilance in small doses by displaying security tips in newsletters, on the corporate intranet, and in routine e-mail communications. Start with a mandatory security training session to review your policies, but bolster that with constant reminders.

Here are the key points to emphasize with all users:

- Don't open e-mail attachments that you did not expect to receive, even from colleagues and friends.
- Don't click URLs in e-mails; carefully copy and paste them instead. Although inconvenient, this is the only way to avoid malicious links.
- Get approval before installing any freeware or shareware software. Do not install any unauthorized commercial software.
- Never connect computers from home to the enterprise LAN. Only secured systems, including company-secured notebook computers, can be attached.
- Be aware of visitors attempting to use enterprise computers or network connections.
- Don't connect wireless equipment of any kind, including wireless keyboards and mice, to the network without prior approval.

Some users will be unhappy with these restrictions, so you should also establish appropriate responses for violations. Nobody wants to play cop, but if you don't enforce these protections, nobody else will. One way to detect infringements is to periodically inventory the software installed on every computer. You can use any number of readily available desktop administration systems to do this centrally.

A particularly insidious new threat that requires copious user education is Bluetooth networking. Bluetooth, also called personal area networking, is a short-range wireless technology designed to replace the cables used to attach cell phones, PDAs, keyboards, and mice to computers. It operates over a range of a few feet, but an interloper as far as 100 feet away can exploit Bluetooth. Although Bluetooth includes encryption, end users often misconfigure it, defeating that protection. Users need to be taught how to safely connect Bluetooth devices, and they need to know which devices are approved for use in your network.

Your goal in constantly reminding users of security precautions is to create an atmosphere of security awareness. A great source of security awareness educational materials is the SANS Security Awareness Whitepapers Web site (see Security Resources, below).
2. Lock Down Physical Security

Hackers don't just exist outside your network; they're often inside the enterprise perimeter in the form of disgruntled and overly curious employees, authorized and unauthorized visitors, consultants, suppliers, and maintenance staff. Sometimes an inside hacker is an unsuspecting agent for hackers, such as a vendor or consultant who inadvertently plugs an infected computer into your internal LAN. But they can also be malicious; some famous hackers started their attacks by first visiting their victims, posing as potential customers or salespeople.

To counter this threat, you must bolster your physical security. Start by locking up all network gear (e.g., switches, routers) in a closet or in metal cabinets. Keeping a hacker away from the key synapses in your network is essential. A compromised Ethernet switch or router can give an intruder the keys to your kingdom.

The second most prevalent physical exposures are the ubiquitous Ethernet ports, of which you never seem to have enough. Unprotected ports in conference rooms, utility closets, and hallways are easy pickings for deliberate intruders and tempting lures for inadvertent ones.

It's best to physically lock down these ports, but you can also protect them electronically using switch-based Medium Access Control (MAC) locking and 802.1x authentication. Use MAC locking to ensure that only the specific machines you permit are plugged into publicly accessible ports that printers, scanners, and other LAN devices use. Use 802.1x to ensure that only authorized users can plug general-purpose computers into other Ethernet ports.

The 802.1x security standard has gotten a lot of press lately as a quick-and-dirty Wi-Fi protection measure, but it's actually not particularly reliable in that role. However, 802.1x is very good as a guardian of Ethernet ports. You must first establish a Remote Authentication Dial-in User Service (RADIUS) server to store user IDs and passwords or to validate user IDs and passwords against your existing authentication server, such as Windows Active Directory. Then simply turn on 802.1x on both the switches and end-user computers, and users will be prompted to log in every time they reconnect their computers to your LAN.

What if a visiting consultant or customer absolutely must connect to the Internet from your premises? Prepare for that eventuality by establishing a visitor hot spot network, one completely isolated from your corporate LAN and providing limited and monitored access to only the Internet. You can build such a hot spot with an inexpensive off-the-shelf firewall appliance.

As I mentioned, end-user awareness is an important part of physical security. Users should have a ready avenue to report suspected abusers. You can also detect potential physical violations by monitoring the MAC address tables of your switches, which report to you any new devices appearing on your LAN. Many managed switches support this feature, and you should take advantage of it.

SECURITY RESOURCES

CERT
Securing Desktop Workstations
www.cert.org/security-improvement/modules/m04.html

The Spread of the Sapphire/Slammer Worm
www.cs.berkeley.edu/~nweaver/sapphire/

Responding to Intrusions
www.cert.org/security-improvement/modules/m06.html

Patch Management and the Need for Metrics
Kenneth J. MacLeod
sans.org/rr/whitepapers/bestprac/1461.php

ICSI Center for Internet Research
Characteristics of Internet Background Radiation
www.icir.org/vern/papers/radiation-imc04.pdf

SANS
Security Awareness White Papers
sans.org/rr/whitepapers/awareness/

Honey Pots and Honey Nets: Security Through Deception
sans.org/rr/whitepapers/attacking/41.php

M.B.

3. Use Multiple Layers of Protection

There are many kinds of network security protection: hardware firewalls in routers and dedicated security appliances; software firewalls in end-user systems; antivirus and antispyware scanners; application filters to block such attacks as cross-site scripting and SQL injection; intrusion-prevention appliances to kill questionable traffic; and Virtual Private Network (VPN) servers to keep out unauthorized remote users. You should be employing several of these in your network today. An essential aspect of that employment is using these products in layers, a technique called defense in depth.

The idea behind defense in depth is that you don't depend on any one protection as the sole barrier between your users and the unwashed Internet. For example, behind your Internet border firewall, you should deploy an antivirus filter on all inbound e-mail, software firewalls on all desktop machines, and antivirus and antispyware scanners. Any given route of attack should have to penetrate at least two layers of protection to succeed.

Defense in depth works by dramatically reducing the ability of attackers to exploit random flaws, such as missed patches or buffer overflow vulnerabilities. However, the way to effectively deploy multiple layers of protection isn't always obvious. For example, many network administrators operate centrally administered antivirus scanners, believing them to be an enhancement over desktop-based scanners. But just because something is centrally administered doesn't mean it offers additional protection. To gain true in-depth virus protection, you should employ a deep-inspection firewall or intrusion prevention appliance that looks into every packet for evidence of viral content and squashes that content before it reaches a desktop.

A new protection technology just becoming common in enterprise networks is the so-called application firewall. If uninformed users are the most common paths of entry for hackers, malformed applications are the second. Hackers often infiltrate Web servers by exploiting the common buffer overflow class of vulnerability, new instances of which operating-system and server-software vendors are constantly reporting. Application coders are rarely security experts, so getting programmers to implement secure applications is difficult. A useful way to improve the depth of application security is by using an application firewall appliance, which examines HTTP requests, HTML responses, SQL queries, and other application traffic to detect and block common hacker attacks.

4. Filter and Monitor Outbound Traffic

Just as interlopers can lurk inside your building, they can lurk inside your network in the form of viruses and Trojan horses seeking to use your LAN as a jumping-off point for attacks on new victims. After such Net vermin get into a computer behind your firewall, they begin probing your network and others on the Internet for additional machines to infect. Unfortunately, the standard
practice in most networks is to permit all outbound traffic on a network, which is why recent virus and worm plagues have spread so rapidly throughout the world. The Sapphire/Slammer worm, for example, infected nearly 90 percent of all vulnerable systems on planet Earth in only 10 minutes.

The solution to this problem is straightforward: Block all outbound UDP and TCP protocols except those that you know are needed by end users. Typically these are HTTP and HTTPS (TCP ports 80 and 443), e-mail (TCP 25 and 110), DNS (UDP 51), and possibly FTP (TCP 21). The most common protocol that malware uses to find and detect other systems is Internet Control Message Protocol (ICMP) Ping; blocking this one will thwart the vast majority of viruses and Trojans.

As with all security, this protection is a compromise between safety and convenience. You'll undoubtedly get user complaints shortly after locking down outbound traffic, and you'll have to evaluate each complaint to see whether the offending traffic is truly necessary. You can add new protocols to your outbound filters, but be judicious. It's pointless, for instance, to open all UDP ports above 1000, although some users will undoubtedly make such requests.

Hand-in-hand with filtering outbound traffic is monitoring packets that those filters drop. You should investigate all such occurrences and remediate them. Sometimes it's simply a matter of a misconfigured host; sometimes filter hits indicate a virus infection in progress. Being vigilant here will give you early warning of possible problems, letting you stop them before they snowball into a network outage.

5. Use a Proxy Server

Hackers are clever and have come up with ways to circumvent outbound filters. The most common way is simply to run their malicious traffic over a well-known port, such as HTTP's port 80 or e-mail's port 25. If you're employing simple outbound filtering and monitoring, you never see this traffic. End users can also use well-known ports to operate unauthorized peer-to-peer servers, opening your organization up to intellectual property infringement liabilities. As they say in mathematics, outbound filtering is necessary but not sufficient. To really prevent outbound traffic abuse, you need a proxy server.

In a security role, a proxy server intercepts TCP/IP requests from desktop computers and relays them to the ultimate Internet destination, applying certain security policies in the process. A secondary role for proxies is to cache content for speedier Web surfing. Proxies typically handle Web and FTP traffic, but they can also handle outgoing e-mail. All Web browsers, and most FTP programs, have built-in support for proxies, but using this support requires that every end user's desktop be specifically configured to point to your proxy server. An easier approach is to have your firewall or internal router automatically redirect Web, FTP, and e-mail traffic to your proxy, avoiding the need to customize desktops.

After a proxy is in place, you can filter all outbound protocols from end users at your Internet border, because nobody should be accessing the Internet directly. Policies you can then enforce in the proxy include limiting users to certain sites, tracking URLs that users visit, restricting the size and types of files transferred in and out, and restricting the destinations and content for e-mail. For example, you could prohibit outbound FTP transfers for all but a few users and restrict e-mail attachments to e-mail correspondents on a preapproved white list.

Proxy protection seriously inhibits virus propagation outside your network, which makes you a better Netizen and reduces the liability that you incur should your network cause a service outage for some other Internet user.

6. Employ VPN Encryption on Wireless and Remote Links

Repeat this mantra until it's ingrained in your psyche: There's no safe wireless encryption. There isn't; that's an established fact. All Wi-Fi encryption, that is, encryption performed in wireless access points (APs) themselves, is vulnerable to hacker penetration (see "The Wi-Fi Time Bomb," May 2005, article ID 20069 at iSeriesNetwork.com). The only proper way to secure a Wi-Fi network is via VPN encryption, the same VPN encryption that you should be using for all your remote users. (Which you are, right?)

At one time, VPNs were hard to set up, but those days are over. For a few hundred dollars, you can buy VPN-enabled appliances that provide weapons-grade encryption. All enterprise-class firewalls have VPN servers built in, and all desktop operating systems have VPN clients built in. A VPN tunnel provides solid security from the user's Ethernet port to your Internet border.

Given the vulnerability of Wi-Fi encryption, it's not surprising that Wi-Fi has become the third most common path for network infiltration, right behind clueless users
and faulty applications. That's amazing when you consider that Wi-Fi didn't even exist five years ago. Not all Wi-Fi exposures are obvious either. You're conscious, of course, of the need to secure your own APs, and you might have realized the vulnerability of users at coffee shops and airport cafes. But have you considered the wireless networks that your users might already have deployed without your knowledge? Even if you don't run Wi-Fi, you need to protect against it by prohibiting unauthorized wireless gear and monitoring for rogue APs.

Commercial rogue Wi-Fi appliances exist, but you can use an ordinary Wi-Fi-capable notebook computer to easily perform a quick scan of your enterprise. If you find an open wireless network, attach to it and then use network troubleshooting tools to trace the traffic back to the offending device. This is a straightforward process, easily accomplished if you have managed switches.

OK, you can stop the mantra now.
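Step 4 above describes two things that belong together: an outbound allow-list at the Internet border, and triage of the packets that list drops, so that a misconfigured host can be told apart from an infection in progress. The following is an added example of both, not code from the article or from any product it mentions. It assumes drop logs in the Linux netfilter LOG-target format with a constructed "EGRESS-DROP" prefix, uses the IANA-assigned port numbers (DNS is UDP 53), and the sample log lines are constructed.

```python
"""Egress allow-list check and triage of dropped-packet logs (added example)."""
import re
from collections import defaultdict
from typing import Optional

# Step 4's allow-list: protocol -> permitted destination ports. Everything
# else outbound is dropped at the border and logged.
EGRESS_ALLOW = {
    "TCP": {80, 443, 25, 110, 21},  # HTTP, HTTPS, SMTP, POP3, FTP control
    "UDP": {53},                    # DNS (IANA port 53)
}


def egress_allowed(proto: str, dport: Optional[int]) -> bool:
    """True if an outbound packet of this protocol/port may leave the border.

    ICMP (ping) is refused outright, as step 4 recommends.
    """
    proto = proto.upper()
    if proto == "ICMP":
        return False
    return dport in EGRESS_ALLOW.get(proto, set())


# Constructed sample of what the border firewall logs for dropped packets.
SAMPLE_DROPS = [
    # 10.1.5.23 tries TCP 445 on six different hosts: worm-style scanning.
    "Jan 10 09:12:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40121 DPT=445",
    "Jan 10 09:12:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=40122 DPT=445",
    "Jan 10 09:12:03 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.3 LEN=60 PROTO=TCP SPT=40123 DPT=445",
    "Jan 10 09:12:04 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.4 LEN=60 PROTO=TCP SPT=40124 DPT=445",
    "Jan 10 09:12:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40125 DPT=445",
    "Jan 10 09:12:06 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.6 LEN=60 PROTO=TCP SPT=40126 DPT=445",
    # 10.1.5.40 keeps hitting one NTP server: more likely a misconfigured client.
    "Jan 10 09:13:00 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123",
    "Jan 10 09:13:30 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123",
    "Jan 10 09:14:00 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123",
    # 10.1.5.50 sends one blocked ping (ICMP lines carry no DPT field).
    "Jan 10 09:14:00 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.5.50 DST=198.51.100.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    # Unrelated kernel message that the parser must ignore.
    "Jan 10 09:14:05 fw kernel: eth0: link is up",
]

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_drop_line(line: str):
    """Return (src, dst, proto, dport) for a drop log line, or None otherwise."""
    if "EGRESS-DROP" not in line:
        return None
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("src"), m.group("dst"), m.group("proto"), dpt


def triage_drops(lines, scan_threshold: int = 5):
    """Group dropped packets by internal source host and give each a verdict.

    One host probing many distinct destinations on a single port looks like a
    worm hunting for victims; repeated drops to one destination look like a
    misconfigured host that needs a rule or a fix. Either way, step 4 says to
    investigate every hit, so no host is dropped from the report.
    """
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_drop_line(line)
        if rec is not None:
            src, dst, proto, dpt = rec
            per_host[src].append((dst, proto, dpt))

    report = {}
    for src, events in per_host.items():
        destinations = {dst for dst, _, _ in events}
        targets = {(proto, dpt) for _, proto, dpt in events}
        if len(destinations) >= scan_threshold and len(targets) == 1:
            verdict = "suspected-scan"
        else:
            verdict = "review-host"
        report[src] = {
            "drops": len(events),
            "destinations": len(destinations),
            "targets": sorted(targets, key=str),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, info in triage_drops(SAMPLE_DROPS).items():
        print(f"{host}: {info['drops']} drops to {info['destinations']} host(s) -> {info['verdict']}")
```

The verdict is only a sorting aid for the daily review: step 5's point still stands, because traffic that rides an allowed port never reaches this log at all and needs the proxy to catch it.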
7. Run Routine Vulnerability Assessments

Network monitoring organizations, such as the Computer Emergency Response Team (CERT, cert.org), report that 99.999 percent of all successful network penetrations occur through known vulnerabilities. You can use firewalls and intrusion-prevention tools to try to cover up the vulnerabilities that you must assume are there, or you can go looking for them and kill them dead. That's what vulnerability assessment (VA) is.

Once the purview of network security specialists and so-called ethical hackers, VA has become a commodity service embodied in numerous security products, both hardware and software. The hallmark of modern VA is the automation of the vulnerability detection, tracking, remediation, and verification process. The core component is a scanner that continuously probes your network inside and out, looking for vulnerabilities listed in a constantly updated database of potential exposures. The scanner has two parts, one inside your network and one outside, that work together to find and report problems. Common exposures, such as inadvertently open ports and missing security patches, are the meat and potatoes of VA. But advanced products also find more subtle failures, such as application holes and SQL scripting flaws.

Detected vulnerabilities are ranked by severity and tracked through the remediation process. Remediation can be as simple as adding a firewall rule or applying an OS patch; on the other hand, remediation might require hours of programming changes to an application or the installation of a whole new layer of protection. VA keeps bringing old vulnerabilities to the surface so that they get attention, and it provides remediation progress reports for management. VA also performs verification tests after remediation to make sure that the problem is really fixed.

You can build your own VA tool with open-source software, such as the Nessus security scanner, but you're really better off buying an appliance built by an expert in the field. You're less likely to miss a critical exposure, and the cost of appliances makes them easy to justify. With VA in place, you at least have a chance of catching new vulnerabilities before the hackers do.
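The tracking, ranking, verification and progress-report duties that step 7 attributes to a VA product are the part of VA that does not need a scanner to understand. The following is an added example of that bookkeeping, not the article's code nor any scanner's output format: three constructed scans of a small network are fed to a tracker that keeps every finding open until a later scan no longer reports it, flags findings that come back after being closed, and orders the worklist most-severe and oldest first. Host addresses, check names and severities are constructed.

```python
"""Track vulnerability-assessment findings across successive scans (added example)."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str      # scanner's check name; the values below are constructed
    severity: str   # one of SEVERITY_RANK

    @property
    def key(self):
        return (self.host, self.port, self.check)


class VulnTracker:
    """Keeps a finding on the books until a later scan verifies it is gone."""

    def __init__(self):
        # key -> {"status", "severity", "first_seen", "last_seen", "regressions"}
        self.records = {}

    def ingest(self, scan_no: int, findings) -> dict:
        """Record one scan and return what changed, by category."""
        seen = set()
        events = {"new": [], "still-open": [], "fixed": [], "regressed": []}
        for f in findings:
            seen.add(f.key)
            rec = self.records.get(f.key)
            if rec is None:
                self.records[f.key] = {
                    "status": "open", "severity": f.severity,
                    "first_seen": scan_no, "last_seen": scan_no, "regressions": 0,
                }
                events["new"].append(f.key)
            elif rec["status"] == "fixed":
                # Verification failed: the exposure is back after being closed.
                rec.update(status="open", last_seen=scan_no,
                           regressions=rec["regressions"] + 1)
                events["regressed"].append(f.key)
            else:
                rec["last_seen"] = scan_no
                events["still-open"].append(f.key)
        # Anything open that this scan no longer reports counts as verified fixed.
        for key, rec in self.records.items():
            if rec["status"] == "open" and key not in seen:
                rec["status"] = "fixed"
                events["fixed"].append(key)
        return events

    def worklist(self):
        """Open findings, most severe first, oldest first within a severity."""
        open_items = [(k, r) for k, r in self.records.items() if r["status"] == "open"]
        open_items.sort(key=lambda kr: (-SEVERITY_RANK[kr[1]["severity"]],
                                        kr[1]["first_seen"], kr[0]))
        return [k for k, _ in open_items]

    def progress(self):
        """Counts for the management report."""
        counts = {"open": 0, "fixed": 0, "regressions": 0}
        for rec in self.records.values():
            counts[rec["status"]] += 1
            counts["regressions"] += rec["regressions"]
        return counts


def run_demo():
    """Three constructed scans; returns the tracker and each scan's events."""
    web_sql = Finding("10.0.0.5", 80, "sql-injection-login-form", "critical")
    web_ssl = Finding("10.0.0.5", 443, "weak-ssl-ciphers", "medium")
    ftp_anon = Finding("10.0.0.9", 21, "anonymous-ftp-enabled", "low")
    mail_patch = Finding("10.0.0.7", 25, "missing-vendor-patch", "high")
    tracker = VulnTracker()
    history = [
        tracker.ingest(1, [web_sql, web_ssl, ftp_anon]),
        tracker.ingest(2, [web_sql, ftp_anon]),             # weak-ssl fixed
        tracker.ingest(3, [web_sql, web_ssl, mail_patch]),  # weak-ssl back, ftp fixed
    ]
    return tracker, history


if __name__ == "__main__":
    tracker, history = run_demo()
    for n, ev in enumerate(history, 1):
        print(f"scan {n}: {ev}")
    print("worklist:", tracker.worklist())
    print("progress:", tracker.progress())
```

Marking a finding fixed only when a later full scan omits it is the "verification test" of the text; the regression counter is what keeps an old vulnerability surfacing until it stays fixed.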
8. Manage Patches

You likely already apply OS patches to servers and desktops, so you realize that patches are both a blessing and a curse. Patches are a blessing because they let you stop hackers in their tracks at the same time they learn about a new exploit, but patches are a curse because they often break things and make your life more difficult.

That's where patch management comes in. On the scale of ease of implementation, all the steps I've discussed so far have been relatively simple to carry out. But this step, and those that follow, are a quantum leap in effort and expense.

Patch management is expensive because it's far from a science. To manage patches, you have to know what their impact is by studying vendor recommendations and reading about the experiences of those who've already applied the patches. Alas, vendor information is often couched in terms designed to limit vendor liability rather than help you assess the need for a particular patch. Commercial patch-management tools automate this process by connecting you to an expert database of patch information that documents side effects and interactions. These tools let you rank every patch to determine whether the benefits outweigh the risks.

Some patch-management tools are OS specific, such as those aimed at Windows fixes. Others are more generic but necessarily less specific in their recommendations. Sometimes patch management is an add-on module to an IP or VA appliance. This isn't necessarily bad, because the appliance is in a position to collect the information needed for patch management.

Patch managers provide an important twofold service: the collection of patches from vendors in a central repository for easy deployment, and the interception of automatic patches that vendors might try to apply without your permission. Windows Service Pack 2 is a good example of a patch that you want to control but that Microsoft currently insists on installing.

You'll need to undertake an extensive study of your
current systems to have the data necessary to select a good patch-management platform. In the meantime, be religious about applying patches manually.

9. Deploy Two-Factor Authentication

Two-factor authentication is the augmentation of traditional user ID/password checks with a physical token, such as a USB key or a biometric test (e.g., a thumbprint). As with patch management, deploying two-factor authentication is a Big Deal. The additional factor is a major change to user behavior and a serious inconvenience. However, two-factor authentication demonstrably improves the protection that passwords afford and makes it much easier to revoke authority when users change jobs or leave the organization. Simply deauthorize the token or biometric, and the user is locked out everywhere.

Enterprises often roll out two-factor authentication in conjunction with an identity management (IM) overhaul. Most two-factor authentication requires a modern authentication infrastructure, such as Lightweight Directory Access Protocol (LDAP), which also happens to facilitate single sign-on (SSO) and other IM benefits. Be aware, however, that improper two-factor implementation can actually reduce rather than enhance security. If users are currently sharing passwords, and a USB key lets them simply share a token as well, you've not improved security one whit. User education and policy upgrades are essential adjuncts to two-factor authentication deployment.

Beware also of the unwarranted claims of some two-factor tokens and biometrics. One major security token vendor was caught with its keys down when a security consultant discovered that the token's encryption could be bypassed easily. And several fingerprint-scanner proponents were taken off guard by how easily fingerprints can be captured and reused using ordinary gelatin to simulate skin.

So by all means, add a second factor to authentication, but do it thoughtfully, with due care.

10. Go on the Offensive with Honeypots and Honeynets

Nothing is more satisfying than hacking a hacker, which is exactly what network administrators were thinking when they devised so-called honeypots and honeynets. A honeypot is a decoy computer left apparently exposed to hacker attack. Its job is to attract hackers, monitor their activities, and occupy their time so they have less to spend attacking the rest of your network. A honeynet is a wireless network with the same goal: attract hackers and keep them busy while you watch. Both work surprisingly well and can alert security specialists to new hacker ploys before they become pervasive.

Creating a convincing honeypot system isn't easy; if you're careless, a hacker will make you and abandon the system (or worse, set a bot to work on the honeypot, occupying your time needlessly). A key ingredient of any honeypot is some attractive bait: authentic-looking documents or binary files that the intruder can be tricked into believing are valuable. That aspect makes it hard to mass-produce honeypots, so if you decide to create one, you'll have to do it by hand.

Honeynets are somewhat easier to build because they don't actually have content, per se. You simply provide an open AP and an Internet connection and watch hackers swarm like dung flies on a . . . well, you get the idea.

You don't actually have to build a honeypot or honeynet to reap the research benefits of one. Numerous academic honey-things abound on the Internet, and their owners publish their findings. Studying these prior efforts is an important prerequisite to building your own honey-thing.

Proceed to Advance Camp

When it comes to network security, there are no guarantees. You can't do it all, but as long as you can do more than the next guy, you'll make yourself a less attractive target than he is. Take as many of these 10 steps as you can to move your enterprise fruit to higher branches.

About the Author

Mel Beckman is a senior technical editor for iSeries NEWS and the editor of Dr. I Doctor (DrIDoctor.com). He has built two regional Internet service providers and is currently president of Beckman Software Engineering, a technical consultancy specializing in large-scale, high-bandwidth networks. You can e-mail Mel at mbeckman@iseriesnetwork.com