ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvtcpsecppp.htm

99 lines
6.3 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security considerations for using point-to-point protocol" />
<meta name="abstract" content="Point-to-point protocol (PPP) is available as part of TCP/IP." />
<meta name="description" content="Point-to-point protocol (PPP) is available as part of TCP/IP." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpsetupsecurity.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpsecppp" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security considerations for using point-to-point protocol</title>
</head>
<body id="tcpsecppp"><a name="tcpsecppp"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security considerations for using point-to-point protocol</h1>
<div><p>Point-to-point protocol (PPP) is available as part of TCP/IP.</p>
<p> PPP is an industry standard for point-to-point connections that provides
additional function over what is available with SLIP. With PPP, your iSeries™ server
can have high-speed connections directly to an Internet Service Provider or
to other systems in an intranet or extranet. Remote LANs can realistically
make dial-in connections to your iSeries server. </p>
<div class="p">Remember that PPP, like SLIP, provides a network connection to your iSeries server.
A PPP connection essentially brings the requester to your systems door. The
requester still needs a user ID and password to enter your system and connect
to a TCP/IP server like TELNET or FTP. Following are security considerations
with this new connection capability:<div class="note"><span class="notetitle">Note:</span> You configure PPP by using iSeries Navigator
on an IBM<sup>®</sup> iSeries Access
for Windows<sup>®</sup> workstation.</div>
<ul><li>PPP provides the ability to have dedicated connections (where the same
user always has the same IP address). With a dedicated address, you have the
potential for IP spoofing (an imposter system that pretends to be a trusted
system with a known IP address). However, the enhanced authentication capabilities
that PPP provides help protect against IP spoofing.</li>
<li>With PPP, as with SLIP, you create connection profiles that have a user
name and an associated password. However, unlike SLIP, the user does not need
to have a valid user profile and password. The user name and password are
not associated with a user profile. Instead, validation lists are used for
PPP authentication. Additionally, PPP does not require a connection script.
The authentication (exchange of user name and password) is part of the PPP
architecture and happens at a lower level than with SLIP.</li>
<li>With PPP, you have the option to use CHAP (challenge handshake authentication
protocol). You will no longer need to worry about an eavesdropper sniffing
passwords because CHAP encrypts user names and passwords. <p>Your PPP connection
uses CHAP only if both sides have CHAP support. During the exchange signals
to set up communications between two modems, the two systems negotiate. For
example, if SYSTEMA supports CHAP and SYSTEMB does not, SYSTEMA can either
deny the session or agree to use an unencrypted user name and password. Agreeing
to use an unencrypted user name and password is referred to as negotiating
down. </p>
<p>The decision to negotiate down is a configuration option. On
your intranet, for example, where you know that all your systems have CHAP
capability, you should configure your connection profile so that it will not
negotiate down. On a public connection where your system is dialing out, you
might be willing to negotiate down. The connection profile for PPP provides
the ability to specify valid IP addresses. You can, for example, indicate
that you expect a specific address or range of addresses for a specific user. </p>
<p>This
capability, together with the ability for encrypted passwords, provides further
protection against spoofing. As additional protection against spoofing or
piggy-backing on an active session, you can configure PPP to rechallenge at
designated intervals. For example, while a PPP session is active, your iSeries server
might challenge the other system for a user and password. It does this every
15 minutes to ensure that `it is the same connection profile. </p>
<p>The end-user
will not be aware of this rechallenge activity. The systems exchange names
and passwords below the level that the end-user sees. With PPP, it is realistic
to expect that remote LANs might establish a dial-in connection to your iSeries server
and to your extended network. In this environment, having IP forwarding turned
on is probably a requirement. IP forwarding has the potential to allow an
intruder to roam through your network. However, PPP has stronger protections
(such as encryption of passwords and IP address validation). This makes it
less likely that an intruder can establish a network connection in the first
place.</p>
</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpsetupsecurity.htm" title="The following information guides you through the process of setting up TCP/IP security.">Set up TCP/IP security</a></div>
</div>
</div>
</body>
</html>