73 lines
4.8 KiB
HTML
73 lines
4.8 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="TCP/IP security considerations" />
|
|
<meta name="abstract" content="Consider your security needs before you install TCP/IP." />
|
|
<meta name="description" content="Consider your security needs before you install TCP/IP." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzai2planning.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="securityconsider" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>TCP/IP security considerations</title>
|
|
</head>
|
|
<body id="securityconsider"><a name="securityconsider"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">TCP/IP security considerations</h1>
|
|
<div><p>Consider your security needs before you install TCP/IP.</p>
|
|
<div class="p">When planning your TCP/IP configuration, you should consider your security
|
|
needs. These strategies can help limit your TCP/IP exposure: <ul><li class="liexpand"><strong>Start only those TCP/IP applications that you need.</strong> Each TCP/IP
|
|
application has its own unique security exposures. Do not depend on a router
|
|
to reject requests for a particular application. As a secondary defense, set
|
|
the autostart values of applications that are not required to <kbd class="userinput">NO</kbd>.</li>
|
|
<li class="liexpand"><strong>Limit the hours during which TCP/IP applications run.</strong> Limit your
|
|
exposure by reducing the hours that your servers are running. If possible,
|
|
stop TCP/IP servers such as FTP and Telnet during off-hours.</li>
|
|
<li class="liexpand"><strong>Control who can start and change your TCP/IP applications.</strong> By default,
|
|
*IOSYSCFG authority is required to change TCP/IP configuration settings. A
|
|
user without *IOSYSCFG authority needs *ALLOBJ authority or explicit authority
|
|
to the TCP/IP start commands. Giving special authorities to users represents
|
|
a security exposure. Evaluate the need for any special authorities for each
|
|
user and keep special authorities to a minimum. Keep track of which users
|
|
have special authorities and periodically review their requirement for the
|
|
authority. This also limits the possibility of server access during off-hours.</li>
|
|
<li class="liexpand"><strong>Control your TCP/IP routing:</strong> <ul><li>Disallow IP forwarding so that hackers cannot use your Web server to attack
|
|
other trusted systems.</li>
|
|
<li>Define only one route on your public Web server: the default route to
|
|
your Internet Service Provider.</li>
|
|
<li>Do not configure host names and IP addresses of internal secure systems
|
|
in your Web server's TCP/IP host table. Only put the name of other public
|
|
servers that you need to reach in this table.</li>
|
|
</ul>
|
|
</li>
|
|
<li class="liexpand"><img src="./delta.gif" alt="Start of change" /><strong>Control TCP/IP servers designed for remote, interactive
|
|
signon.</strong> Applications such as FTP and Telnet are more vulnerable to outside
|
|
attack. For details on how to control your exposure, read the topic on controlling
|
|
interactive signon in <a href="../rzamv/rzamvsignonsysval.htm">Signon system values</a>.<img src="./deltaend.gif" alt="End of change" /></li>
|
|
</ul>
|
|
</div>
|
|
<p>For more information about security and the options available to you, refer
|
|
to <a href="../rzaj4/rzaj4secoverview.htm">iSeries™ and
|
|
Internet security</a>.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzai2planning.htm" title="This topic helps you prepare for the installation and configuration of TCP/IP on the iSeries server. Basic requirements for the installation and configuration are provided so that you have all the necessary information at hand when you begin configuring TCP/IP.">Plan TCP/IP setup</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |