ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvtcproam.htm

81 lines
4.4 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security considerations for limiting TCP/IP roaming" />
<meta name="abstract" content="If your system is connected to a network, you may want to limit your users ability to roam the network with TCP/IP applications." />
<meta name="description" content="If your system is connected to a network, you may want to limit your users ability to roam the network with TCP/IP applications." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpsetupsecurity.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcproam" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security considerations for limiting TCP/IP roaming</title>
</head>
<body id="tcproam"><a name="tcproam"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security considerations for limiting TCP/IP roaming</h1>
<div><p>If your system is connected to a network, you may want to limit
your users ability to roam the network with TCP/IP applications. </p>
<div class="p">One way to do this is to restrict access to the following client TCP/IP
commands:<div class="note"><span class="notetitle">Note:</span> These commands might exist in several libraries on your system.
They are in both the QSYS library and the QTCP library, at a minimum. Be sure
to locate and secure all occurrences.</div>
<ul><li>STRTCPFTP</li>
<li>FTP</li>
<li>STRTCPTELN</li>
<li>TELNET</li>
<li>LPR</li>
<li>SNDTCPSPLF</li>
<li>RUNRMTCMD (REXEC client)</li>
</ul>
Your users possible destinations are determined by the following:<ul><li>Entries in your TCP/IP host table.</li>
<li>*DFTROUTE entry in the TCP/IP route table. This allows users to enter
the IP address of the next-hop system when their destination is an unknown
network. A user can reach or contact a remote network by using the default
route.</li>
<li>Remote name server configuration. This support allows another server in
the network to locate host names for your users.</li>
<li>Remote system table.</li>
</ul>
You need to control who can add entries to these tables and change your
configuration. You also need to understand the implications of your table
entries and your configuration. </div>
<div class="p">Be aware that a knowledgeable user with access to an ILE C compiler can
create a socket program that can attach to a TCP or UDP port. You can make
this more difficult by restricting access to the following sockets interface
files in the QSYSINC library:<ul><li>SYS</li>
<li>NETINET</li>
<li>H</li>
<li>ARPA</li>
<li>Sockets and SSL</li>
</ul>
For service programs, you can restrict use of socket and SSL applications
that are already compiled by restricting use of these service programs:<ul><li>QSOSRV1</li>
<li>QSOSRV2</li>
<li>QSOSKIT(SSL)</li>
<li>QSOSSLSR(SSL)</li>
</ul>
The service programs are shipped with public authority *USE, but the
authority can be changed to *EXCLUDE (or another value as needed).</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpsetupsecurity.htm" title="The following information guides you through the process of setting up TCP/IP security.">Set up TCP/IP security</a></div>
</div>
</div>
</body>
</html>