ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzai2_5.4.0.1/rzai2securityconsider.htm

73 lines
4.8 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="TCP/IP security considerations" />
<meta name="abstract" content="Consider your security needs before you install TCP/IP." />
<meta name="description" content="Consider your security needs before you install TCP/IP." />
<meta name="DC.Relation" scheme="URI" content="rzai2planning.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="securityconsider" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>TCP/IP security considerations</title>
</head>
<body id="securityconsider"><a name="securityconsider"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">TCP/IP security considerations</h1>
<div><p>Consider your security needs before you install TCP/IP.</p>
<div class="p">When planning your TCP/IP configuration, you should consider your security
needs. These strategies can help limit your TCP/IP exposure: <ul><li class="liexpand"><strong>Start only those TCP/IP applications that you need.</strong> Each TCP/IP
application has its own unique security exposures. Do not depend on a router
to reject requests for a particular application. As a secondary defense, set
the autostart values of applications that are not required to <kbd class="userinput">NO</kbd>.</li>
<li class="liexpand"><strong>Limit the hours during which TCP/IP applications run.</strong> Limit your
exposure by reducing the hours that your servers are running. If possible,
stop TCP/IP servers such as FTP and Telnet during off-hours.</li>
<li class="liexpand"><strong>Control who can start and change your TCP/IP applications.</strong> By default,
*IOSYSCFG authority is required to change TCP/IP configuration settings. A
user without *IOSYSCFG authority needs *ALLOBJ authority or explicit authority
to the TCP/IP start commands. Giving special authorities to users represents
a security exposure. Evaluate the need for any special authorities for each
user and keep special authorities to a minimum. Keep track of which users
have special authorities and periodically review their requirement for the
authority. This also limits the possibility of server access during off-hours.</li>
<li class="liexpand"><strong>Control your TCP/IP routing:</strong> <ul><li>Disallow IP forwarding so that hackers cannot use your Web server to attack
other trusted systems.</li>
<li>Define only one route on your public Web server: the default route to
your Internet Service Provider.</li>
<li>Do not configure host names and IP addresses of internal secure systems
in your Web server's TCP/IP host table. Only put the name of other public
servers that you need to reach in this table.</li>
</ul>
</li>
<li class="liexpand"><img src="./delta.gif" alt="Start of change" /><strong>Control TCP/IP servers designed for remote, interactive
signon.</strong> Applications such as FTP and Telnet are more vulnerable to outside
attack. For details on how to control your exposure, read the topic on controlling
interactive signon in <a href="../rzamv/rzamvsignonsysval.htm">Signon system values</a>.<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</div>
<p>For more information about security and the options available to you, refer
to <a href="../rzaj4/rzaj4secoverview.htm">iSeries™ and
Internet security</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzai2planning.htm" title="This topic helps you prepare for the installation and configuration of TCP/IP on the iSeries server. Basic requirements for the installation and configuration are provided so that you have all the necessary information at hand when you begin configuring TCP/IP.">Plan TCP/IP setup</a></div>
</div>
</div>
</body>
</html>