Consider your security needs before you install TCP/IP.
When planning your TCP/IP configuration, you should consider your security
needs. These strategies can help limit your TCP/IP exposure:
- Start only those TCP/IP applications that you need. Each TCP/IP
application has its own unique security exposures. Do not depend on a router
to reject requests for a particular application. As a secondary defense, set
the autostart values of applications that are not required to NO.
- Limit the hours during which TCP/IP applications run. Limit your
exposure by reducing the hours that your servers are running. If possible,
stop TCP/IP servers such as FTP and Telnet during off-hours.
- Control who can start and change your TCP/IP applications. By default,
*IOSYSCFG special authority is required to change TCP/IP configuration settings. A
user without *IOSYSCFG authority needs *ALLOBJ authority or explicit authority
to the TCP/IP start commands. Giving special authorities to users is itself
a security exposure. Evaluate the need for any special authority for each
user and keep special authorities to a minimum. Keep track of which users
have special authorities and periodically review whether they still need them.
Restricting who can start servers also prevents a user from restarting a
server that you have deliberately stopped for the off-hours.
- Control your TCP/IP routing:
- Disallow IP forwarding so that an attacker who compromises your Web server
cannot route traffic through it to attack other trusted systems.
- Define only one route on your public Web server: the default route to
your Internet Service Provider.
- Do not configure host names and IP addresses of internal secure systems
in your Web server's TCP/IP host table. Only put the name of other public
servers that you need to reach in this table.
- Control TCP/IP servers designed for remote, interactive
signon. Applications such as FTP and Telnet are more vulnerable to outside
attack because they accept user IDs and passwords from the network (and both
send them in clear text). For details on how to control your exposure, read the
topic on controlling interactive signon in Signon system values.
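The following CL command sequence is an added example, not part of the original topic, showing how the strategies above are carried out on a public Web server. The IP addresses 192.0.2.1 and 192.0.2.80, the host name WWW2.EXAMPLE.COM, the 08:00 to 18:00 service window and the job names STRFTP and ENDFTP are constructed placeholders; check each command's parameters against the CL reference for your release before running it.

```cl
/* Added example: hardening a public Web server's TCP/IP configuration.       */
/* Addresses, host names and job names below are constructed placeholders.   */

/* 1. Start only the servers you need. End FTP and Telnet now, and set their */
/*    autostart value to *NO so STRTCP does not bring them back.             */
ENDTCPSVR  SERVER(*FTP)
ENDTCPSVR  SERVER(*TELNET)
CHGFTPA    AUTOSTART(*NO)
CHGTELNA   AUTOSTART(*NO)

/* 2. Limit the hours a server runs. If FTP is required during the day,      */
/*    let the job scheduler start it at 08:00 and end it at 18:00 on          */
/*    weekdays instead of leaving it up around the clock.                     */
ADDJOBSCDE JOB(STRFTP) CMD(STRTCPSVR SERVER(*FTP)) +
           FRQ(*WEEKLY) SCDDAY(*MON *TUE *WED *THU *FRI) SCDTIME('080000')
ADDJOBSCDE JOB(ENDFTP) CMD(ENDTCPSVR SERVER(*FTP)) +
           FRQ(*WEEKLY) SCDDAY(*MON *TUE *WED *THU *FRI) SCDTIME('180000')

/* 3. Control who can start servers. Exclude *PUBLIC from the start commands */
/*    and print the profiles that hold the special authorities which bypass  */
/*    object authority, so they can be reviewed periodically.                 */
GRTOBJAUT  OBJ(QSYS/STRTCPSVR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/STRTCP)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
PRTUSRPRF  TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ *IOSYSCFG)

/* 4. Control routing. Turn off IP datagram forwarding, define a single       */
/*    default route to the ISP, and put only other public servers in the      */
/*    host table (never internal, secure systems).                            */
CHGTCPA    IPDTGFWD(*NO)
ADDTCPRTE  RTEDEST(*DFTROUTE) SUBNETMASK(*NONE) NEXTHOP('192.0.2.1')
ADDTCPHTE  INTNETADR('192.0.2.80') HOSTNAME(('WWW2.EXAMPLE.COM'))

/* 5. Verify. No listener should remain on ports 21 or 23, and the route      */
/*    list should show only the default route.                                */
NETSTAT    OPTION(*CNN)
NETSTAT    OPTION(*RTE)
```

Run the sequence from a profile that holds *IOSYSCFG, since the CHG* and ADD* commands require it, and keep the two GRTOBJAUT commands in mind when the autostart values are next changed: a user who cannot run STRTCPSVR cannot undo step 1 or step 2, which is the point of step 3.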
For more information about security and the options available to you, refer
to iSeries™ and Internet security.