81 lines
4.4 KiB
HTML
81 lines
4.4 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
|
<!DOCTYPE html
|
|||
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
|
<html lang="en-us" xml:lang="en-us">
|
|||
|
|
<head>
|
|||
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|||
|
|
<meta name="security" content="public" />
|
|||
|
|
<meta name="Robots" content="index,follow" />
|
|||
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|||
|
|
<meta name="DC.Type" content="concept" />
|
|||
|
|
<meta name="DC.Title" content="Security considerations for limiting TCP/IP roaming" />
|
|||
|
|
<meta name="abstract" content="If your system is connected to a network, you may want to limit your users’ ability to roam the network with TCP/IP applications." />
|
|||
|
|
<meta name="description" content="If your system is connected to a network, you may want to limit your users’ ability to roam the network with TCP/IP applications." />
|
|||
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcpsetupsecurity.htm" />
|
|||
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
|
<meta name="DC.Format" content="XHTML" />
|
|||
|
|
<meta name="DC.Identifier" content="tcproam" />
|
|||
|
|
<meta name="DC.Language" content="en-us" />
|
|||
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|||
|
|
<!-- US Government Users Restricted Rights -->
|
|||
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|||
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|||
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|||
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|||
|
|
<title>Security considerations for limiting TCP/IP roaming</title>
|
|||
|
|
</head>
|
|||
|
|
<body id="tcproam"><a name="tcproam"><!-- --></a>
|
|||
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|||
|
|
<h1 class="topictitle1">Security considerations for limiting TCP/IP roaming</h1>
|
|||
|
|
<div><p>If your system is connected to a network, you may want to limit
|
|||
|
|
your users’ ability to roam the network with TCP/IP applications. </p>
|
|||
|
|
<div class="p">One way to do this is to restrict access to the following client TCP/IP
|
|||
|
|
commands:<div class="note"><span class="notetitle">Note:</span> These commands might exist in several libraries on your system.
|
|||
|
|
They are in both the QSYS library and the QTCP library, at a minimum. Be sure
|
|||
|
|
to locate and secure all occurrences.</div>
|
|||
|
|
<ul><li>STRTCPFTP</li>
|
|||
|
|
<li>FTP</li>
|
|||
|
|
<li>STRTCPTELN</li>
|
|||
|
|
<li>TELNET</li>
|
|||
|
|
<li>LPR</li>
|
|||
|
|
<li>SNDTCPSPLF</li>
|
|||
|
|
<li>RUNRMTCMD (REXEC client)</li>
|
|||
|
|
</ul>
|
|||
|
|
Your users’ possible destinations are determined by the following:<ul><li>Entries in your TCP/IP host table.</li>
|
|||
|
|
<li>*DFTROUTE entry in the TCP/IP route table. This allows users to enter
|
|||
|
|
the IP address of the next-hop system when their destination is an unknown
|
|||
|
|
network. A user can reach or contact a remote network by using the default
|
|||
|
|
route.</li>
|
|||
|
|
<li>Remote name server configuration. This support allows another server in
|
|||
|
|
the network to locate host names for your users.</li>
|
|||
|
|
<li>Remote system table.</li>
|
|||
|
|
</ul>
|
|||
|
|
You need to control who can add entries to these tables and change your
|
|||
|
|
configuration. You also need to understand the implications of your table
|
|||
|
|
entries and your configuration. </div>
|
|||
|
|
<div class="p">Be aware that a knowledgeable user with access to an ILE C compiler can
|
|||
|
|
create a socket program that can attach to a TCP or UDP port. You can make
|
|||
|
|
this more difficult by restricting access to the following sockets interface
|
|||
|
|
files in the QSYSINC library:<ul><li>SYS</li>
|
|||
|
|
<li>NETINET</li>
|
|||
|
|
<li>H</li>
|
|||
|
|
<li>ARPA</li>
|
|||
|
|
<li>Sockets and SSL</li>
|
|||
|
|
</ul>
|
|||
|
|
For service programs, you can restrict use of socket and SSL applications
|
|||
|
|
that are already compiled by restricting use of these service programs:<ul><li>QSOSRV1</li>
|
|||
|
|
<li>QSOSRV2</li>
|
|||
|
|
<li>QSOSKIT(SSL)</li>
|
|||
|
|
<li>QSOSSLSR(SSL)</li>
|
|||
|
|
</ul>
|
|||
|
|
The service programs are shipped with public authority *USE, but the
|
|||
|
|
authority can be changed to *EXCLUDE (or another value as needed).</div>
|
|||
|
|
</div>
|
|||
|
|
<div>
|
|||
|
|
<div class="familylinks">
|
|||
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpsetupsecurity.htm" title="The following information guides you through the process of setting up TCP/IP security.">Set up TCP/IP security</a></div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</body>
|
|||
|
|
</html>
|