86 lines
5.6 KiB
HTML
86 lines
5.6 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Secure your TCP/IP environment" />
|
|
<meta name="abstract" content="This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system." />
|
|
<meta name="description" content="This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcpipplan.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcpserverstart.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcppreventproc.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="tcpsecurenv" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Secure your TCP/IP environment</title>
|
|
</head>
|
|
<body id="tcpsecurenv"><a name="tcpsecurenv"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Secure your TCP/IP environment</h1>
|
|
<div><p>This topic provides general suggestions for steps that you can
|
|
take to reduce the security exposures in the TCP/IP environment on your system. </p>
|
|
<div class="p">These tips apply to your entire TCP/IP environment rather than to the specific
|
|
applications that are discussed in the topics that follow:<ul><li>When you write an application for a TCP/IP port, make sure that the application
|
|
is properly secure. You should assume that an outsider might try to access
|
|
that application through that port. A knowledgeable outsider may attempt to
|
|
TELNET to that application.</li>
|
|
<li>Monitor the use of TCP/IP ports on your system. A user application that
|
|
is associated with a TCP/IP port can provide “back-door” entry to your system
|
|
without a user ID or a password. Someone with sufficient authority on your
|
|
system can associate an application with a TCP or UDP port.</li>
|
|
<li>As a security administrator, you should be aware of a technique called
|
|
IP spoofing that is used by hackers. Every system in a TCP/IP network has
|
|
an IP address. Someone who uses IP spoofing sets up a system (usually a PC)
|
|
to pretend to be an existing IP address or a trusted IP address. Thus, the
|
|
imposter can establish a connection with your system by pretending to be a
|
|
system that you normally connect with. <p>If you run TCP/IP on your system
|
|
and your system participates in a network that is not physically protected,
|
|
such as all nonswitched lines and predefined links, you are vulnerable to
|
|
IP spoofing. To protect your system from damage by a <span class="q">"spoofer,"</span> start
|
|
with the suggestions in this chapter, for example, sign-on protection and
|
|
object security. You should also ensure that your system has reasonable auxiliary
|
|
storage limits set. This prevents a spoofer from flooding your system with
|
|
mail or spooled files to the point that your system becomes inoperable. In
|
|
addition, you should regularly monitor TCP/IP activity on your system. If
|
|
you detect IP spoofing, you can try to discover the weak points in your TCP/IP
|
|
setup and to make adjustments.</p>
|
|
<p>For your intranet, your company's private
|
|
network of systems that do not need to connect directly to the outside, use
|
|
IP addresses that are reusable. Reusable addresses are intended for use within
|
|
a private network. The Internet backbone does not route packets that have
|
|
a reusable IP address. Therefore, reusable addresses provide an added layer
|
|
of protection inside your firewall. <a href="../rzai2/rzai2kickoff.htm">TCP/IP
|
|
Setup</a> provides more information about how IP addresses are assigned
|
|
and about the ranges of IP addresses, as well as security information about
|
|
TCP/IP.</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<ul class="ullinks">
|
|
<li class="ulchildlink"><strong><a href="rzamvtcpserverstart.htm">Control which TCP/IP servers start automatically</a></strong><br />
|
|
As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP.</li>
|
|
<li class="ulchildlink"><strong><a href="rzamvtcppreventproc.htm">Prevent TCP/IP processing</a></strong><br />
|
|
TCP/IP server jobs run in the QSYSWRK subsystem. You use the Start TCP/IP (STRTCP) command to start TCP/IP on your system.</li>
|
|
</ul>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpipplan.htm" title="TCP/IP (Transmission Control Protocol/Internet Protocol) is a common way that computers of all types communicate with each other.">Plan TCP/IP security</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |