<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="concept" /> <meta name="DC.Title" content="Security considerations for limiting TCP/IP roaming" /> <meta name="abstract" content="If your system is connected to a network, you may want to limit your users’ ability to roam the network with TCP/IP applications." /> <meta name="description" content="If your system is connected to a network, you may want to limit your users’ ability to roam the network with TCP/IP applications." /> <meta name="DC.Relation" scheme="URI" content="rzamvtcpsetupsecurity.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="tcproam" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Security considerations for limiting TCP/IP roaming</title> </head> <body id="tcproam"><a name="tcproam"><!-- --></a> <h1 class="topictitle1">Security considerations for limiting TCP/IP roaming</h1> <div><p>If your system is connected to a network, you may want to limit your users’ ability to roam the network with TCP/IP applications. </p> <div class="p">One way to do this is to restrict access to the following client TCP/IP commands:<div class="note"><span class="notetitle">Note:</span> These commands might exist in several libraries on your system. They are in both the QSYS library and the QTCP library, at a minimum. Be sure to locate and secure all occurrences.</div> <ul><li>STRTCPFTP</li> <li>FTP</li> <li>STRTCPTELN</li> <li>TELNET</li> <li>LPR</li> <li>SNDTCPSPLF</li> <li>RUNRMTCMD (REXEC client)</li> </ul> Your users’ possible destinations are determined by the following:<ul><li>Entries in your TCP/IP host table.</li> <li>The *DFTROUTE entry in the TCP/IP route table. This entry names the next-hop system that is used when a destination is on an unknown network, so a user can reach a remote network by using the default route.</li> <li>Remote name server configuration. This support allows another server in the network to locate host names for your users.</li> <li>Remote system table.</li> </ul> You need to control who can add entries to these tables and change your configuration. You also need to understand the implications of your table entries and your configuration. </div> <div class="p">Be aware that a knowledgeable user with access to an ILE C compiler can create a socket program that can attach to a TCP or UDP port.
You can make this more difficult by restricting access to the following sockets interface files in the QSYSINC library:<ul><li>SYS</li> <li>NETINET</li> <li>H</li> <li>ARPA</li> <li>Sockets and SSL</li> </ul> You can also prevent the use of socket and SSL applications that are already compiled by restricting use of the service programs they depend on:<ul><li>QSOSRV1</li> <li>QSOSRV2</li> <li>QSOSKIT (SSL)</li> <li>QSOSSLSR (SSL)</li> </ul> These service programs are shipped with public authority *USE; you can change that authority to *EXCLUDE (or another value as needed).</div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpsetupsecurity.htm" title="The following information guides you through the process of setting up TCP/IP security.">Set up TCP/IP security</a></div> </div> </div> </body> </html>
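The following CL program is an added example, not code from this IBM topic, that applies the restrictions described above in one pass: it sets *PUBLIC authority to *EXCLUDE on every copy of the client commands in QSYS and QTCP, on the QSYSINC sockets header files, and on the sockets and SSL service programs. It assumes the service programs live in QSYS, that the header files are *FILE objects, that the caller is authorized to change object authority, and the subroutine name EXCLUDE is chosen here.

```cl
/* Added example, not from this IBM topic: set *PUBLIC to *EXCLUDE on */
/* the client TCP/IP commands, the QSYSINC sockets header files and   */
/* the sockets/SSL service programs that the topic names.            */
PGM
  DCL VAR(&LIST) TYPE(*CHAR) LEN(70)   /* up to 7 names, 10 chars each */
  DCL VAR(&N)    TYPE(*INT)  LEN(4)    /* number of names in &LIST     */
  DCL VAR(&LIB)  TYPE(*CHAR) LEN(10)
  DCL VAR(&TYPE) TYPE(*CHAR) LEN(10)
  DCL VAR(&I)    TYPE(*INT)  LEN(4)
  DCL VAR(&POS)  TYPE(*INT)  LEN(4)
  DCL VAR(&OBJ)  TYPE(*CHAR) LEN(10)

  /* Client commands: secure every copy, in QSYS and in QTCP */
  CHGVAR VAR(&LIST) VALUE('STRTCPFTP FTP       STRTCPTELN+
                           TELNET    LPR       SNDTCPSPLF+
                           RUNRMTCMD ')
  CHGVAR VAR(&N)    VALUE(7)
  CHGVAR VAR(&TYPE) VALUE('*CMD')
  CHGVAR VAR(&LIB)  VALUE('QSYS')
  CALLSUBR SUBR(EXCLUDE)
  CHGVAR VAR(&LIB)  VALUE('QTCP')
  CALLSUBR SUBR(EXCLUDE)

  /* Sockets header files in QSYSINC (assumed to be *FILE objects) */
  CHGVAR VAR(&LIST) VALUE('SYS       NETINET   H         ARPA      ')
  CHGVAR VAR(&N)    VALUE(4)
  CHGVAR VAR(&TYPE) VALUE('*FILE')
  CHGVAR VAR(&LIB)  VALUE('QSYSINC')
  CALLSUBR SUBR(EXCLUDE)

  /* Sockets and SSL service programs (assumed to be in QSYS) */
  CHGVAR VAR(&LIST) VALUE('QSOSRV1   QSOSRV2   QSOSKIT   QSOSSLSR  ')
  CHGVAR VAR(&N)    VALUE(4)
  CHGVAR VAR(&TYPE) VALUE('*SRVPGM')
  CHGVAR VAR(&LIB)  VALUE('QSYS')
  CALLSUBR SUBR(EXCLUDE)
  RETURN
  /* For each name in &LIST that exists in &LIB, set *PUBLIC to *EXCLUDE. */
  /* CPF9801 (object not found) is skipped; any other error ends the run. */
  SUBR SUBR(EXCLUDE)
    DOFOR VAR(&I) FROM(1) TO(&N)
      CHGVAR VAR(&POS) VALUE((&I - 1) * 10 + 1)
      CHGVAR VAR(&OBJ) VALUE(%SST(&LIST &POS 10))
      CHKOBJ OBJ(&LIB/&OBJ) OBJTYPE(&TYPE)
      MONMSG MSGID(CPF9801) EXEC(ITERATE)
      GRTOBJAUT OBJ(&LIB/&OBJ) OBJTYPE(&TYPE) USER(*PUBLIC) AUT(*EXCLUDE)
    ENDDO
  ENDSUBR
ENDPGM
```

Verify the result with DSPOBJAUT, for example DSPOBJAUT OBJ(QTCP/FTP) OBJTYPE(*CMD), and then grant *USE on individual commands to the group profile of users who legitimately need them.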