<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security considerations for using point-to-point protocol" />
<meta name="abstract" content="Point-to-point protocol (PPP) is available as part of TCP/IP." />
<meta name="description" content="Point-to-point protocol (PPP) is available as part of TCP/IP." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpsetupsecurity.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpsecppp" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security considerations for using point-to-point protocol</title>
</head>
<body id="tcpsecppp"><a name="tcpsecppp"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security considerations for using point-to-point protocol</h1>
<div><p>Point-to-point protocol (PPP) is available as part of TCP/IP.</p>
<p>PPP is an industry standard for point-to-point connections that provides
additional function over what is available with SLIP. With PPP, your iSeries™ server
can have high-speed connections directly to an Internet Service Provider or
to other systems in an intranet or extranet. Remote LANs can realistically
make dial-in connections to your iSeries server.</p>
<div class="p">Remember that PPP, like SLIP, provides a network connection to your iSeries server.
A PPP connection essentially brings the requester to your system’s door. The
requester still needs a user ID and password to enter your system and connect
to a TCP/IP server like TELNET or FTP. Following are security considerations
with this new connection capability:<div class="note"><span class="notetitle">Note:</span> You configure PPP by using iSeries Navigator
on an IBM<sup>®</sup> iSeries Access for Windows<sup>®</sup> workstation.</div>
<ul><li>PPP provides the ability to have dedicated connections (where the same
user always has the same IP address). With a dedicated address, you have the
potential for IP spoofing (an imposter system that pretends to be a trusted
system with a known IP address). However, the enhanced authentication capabilities
that PPP provides help protect against IP spoofing.</li>
<li>With PPP, as with SLIP, you create connection profiles that have a user
name and an associated password. However, unlike SLIP, the user does not need
to have a valid user profile and password. The user name and password are
not associated with a user profile. Instead, validation lists are used for
PPP authentication. Additionally, PPP does not require a connection script.
The authentication (exchange of user name and password) is part of the PPP
architecture and happens at a lower level than with SLIP.</li>
<li>With PPP, you have the option to use CHAP (challenge handshake authentication
protocol). You will no longer need to worry about an eavesdropper sniffing
passwords because CHAP encrypts user names and passwords. <p>Your PPP connection
uses CHAP only if both sides have CHAP support. During the exchange of signals
that sets up communications between two modems, the two systems negotiate. For
example, if SYSTEMA supports CHAP and SYSTEMB does not, SYSTEMA can either
deny the session or agree to use an unencrypted user name and password. Agreeing
to use an unencrypted user name and password is referred to as negotiating
down.</p>
<p>The decision to negotiate down is a configuration option. On
your intranet, for example, where you know that all your systems have CHAP
capability, you should configure your connection profile so that it will not
negotiate down. On a public connection where your system is dialing out, you
might be willing to negotiate down. The connection profile for PPP provides
the ability to specify valid IP addresses. You can, for example, indicate
that you expect a specific address or range of addresses for a specific user.</p>
<p>This capability, together with the ability to use encrypted passwords, provides further
protection against spoofing. As additional protection against spoofing or
piggybacking on an active session, you can configure PPP to rechallenge at
designated intervals. For example, while a PPP session is active, your iSeries server
might challenge the other system for a user name and password. It does this every
15 minutes to ensure that it is the same connection profile.</p>
<p>The end user will not be aware of this rechallenge activity. The systems exchange names
and passwords below the level that the end user sees. With PPP, it is realistic
to expect that remote LANs might establish a dial-in connection to your iSeries server
and to your extended network. In this environment, having IP forwarding turned
on is probably a requirement. IP forwarding has the potential to allow an
intruder to roam through your network. However, PPP has stronger protections
(such as encryption of passwords and IP address validation). This makes it
less likely that an intruder can establish a network connection in the first
place.</p>
</li>
</ul>
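<p>Added example, not IBM code and not the iSeries implementation: a Python model of the CHAP exchange and the profile checks described in this list (the negotiate-down decision, the expected-address check and the periodic rechallenge). The validation list, the shared secret and the address range are constructed sample values; the response digest follows RFC 1994 (MD5 over identifier, secret and challenge), which is why the secret itself never crosses the link.</p>

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed stand-in for the iSeries validation list: PPP user name -> shared secret.
VALIDATION_LIST = {"remotelan": b"correct horse battery staple"}
# Constructed "valid IP addresses" entry from the connection profile, per user.
EXPECTED_ADDRESSES = {"remotelan": ipaddress.ip_network("192.0.2.0/29")}


def choose_auth(peer_supports_chap: bool, allow_negotiate_down: bool):
    """Outcome of the authentication negotiation for a CHAP-capable local system:
    'CHAP', 'PAP' (clear-text user name and password, i.e. negotiated down) or
    None when the profile forbids negotiating down and the peer lacks CHAP."""
    if peer_supports_chap:
        return "CHAP"
    return "PAP" if allow_negotiate_down else None


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: digest of the one-byte Identifier, the shared
    secret and the challenge. Only this digest is sent, never the secret."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticate(name: str, identifier: int, challenge: bytes, response: bytes,
                 peer_ip: str) -> bool:
    """Authenticator side: look the name up in the validation list, recompute
    the expected digest, compare in constant time, then enforce the address
    range the profile expects for that user."""
    secret = VALIDATION_LIST.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    if not hmac.compare_digest(expected, response):
        return False
    allowed = EXPECTED_ADDRESSES.get(name)
    return allowed is None or ipaddress.ip_address(peer_ip) in allowed


def challenge_round(name: str, peer_secret: bytes, peer_ip: str, identifier: int = 1) -> bool:
    """One challenge/response round. The periodic rechallenge is the same round
    with a fresh random challenge, so a response captured earlier cannot be
    replayed to keep a hijacked session alive."""
    challenge = secrets.token_bytes(16)
    response = chap_response(identifier, peer_secret, challenge)  # the peer's side
    return authenticate(name, identifier, challenge, response, peer_ip)
```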
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpsetupsecurity.htm" title="The following information guides you through the process of setting up TCP/IP security.">Set up TCP/IP security</a></div>
</div>
</div>
</body>
</html>