Secure your TCP/IP environment

This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system.

These tips apply to your entire TCP/IP environment rather than to the specific applications that are discussed in the topics that follow:

When you write an application for a TCP/IP port, make sure that the application is properly secure. You should assume that an outsider might try to access that application through that port. A knowledgeable outsider may attempt to TELNET to that application.
Monitor the use of TCP/IP ports on your system. A user application that is associated with a TCP/IP port can provide “back-door” entry to your system without a user ID or a password. Someone with sufficient authority on your system can associate an application with a TCP or UDP port.
As a security administrator, you should be aware of a technique called IP spoofing that is used by hackers. Every system in a TCP/IP network has an IP address. Someone who uses IP spoofing sets up a system (usually a PC) to pretend to be an existing IP address or a trusted IP address. Thus, the imposter can establish a connection with your system by pretending to be a system that you normally connect with.
If you run TCP/IP on your system and your system participates in a network that is not physically protected, such as all nonswitched lines and predefined links, you are vulnerable to IP spoofing. To protect your system from damage by a "spoofer," start with the suggestions in this chapter, for example, sign-on protection and object security. You should also ensure that your system has reasonable auxiliary storage limits set. This prevents a spoofer from flooding your system with mail or spooled files to the point that your system becomes inoperable. In addition, you should regularly monitor TCP/IP activity on your system. If you detect IP spoofing, you can try to discover the weak points in your TCP/IP setup and to make adjustments.

For your intranet, your company's private network of systems that do not need to connect directly to the outside, use IP addresses that are reusable. Reusable addresses are intended for use within a private network. The Internet backbone does not route packets that have a reusable IP address. Therefore, reusable addresses provide an added layer of protection inside your firewall. TCP/IP Setup provides more information about how IP addresses are assigned and about the ranges of IP addresses, as well as security information about TCP/IP.