<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Secure your TCP/IP environment" />
<meta name="abstract" content="This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system." />
<meta name="description" content="This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpipplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpserverstart.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvtcppreventproc.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpsecurenv" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Secure your TCP/IP environment</title>
</head>
<body id="tcpsecurenv"><a name="tcpsecurenv"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Secure your TCP/IP environment</h1>
<div><p>This topic provides general suggestions for steps that you can
take to reduce the security exposures in the TCP/IP environment on your system. </p>
<div class="p">These tips apply to your entire TCP/IP environment rather than to the specific
applications that are discussed in the topics that follow:<ul><li>When you write an application for a TCP/IP port, make sure that the application
is properly secured. You should assume that an outsider might try to access
that application through that port. A knowledgeable outsider may attempt to
TELNET to that application.</li>
<li>Monitor the use of TCP/IP ports on your system. A user application that
is associated with a TCP/IP port can provide “back-door” entry to your system
without a user ID or a password. Someone with sufficient authority on your
system can associate an application with a TCP or UDP port.</li>
<li>As a security administrator, you should be aware of a technique called
IP spoofing that is used by hackers. Every system in a TCP/IP network has
an IP address. Someone who uses IP spoofing sets up a system (usually a PC)
to pretend to be an existing IP address or a trusted IP address. Thus, the
imposter can establish a connection with your system by pretending to be a
system that you normally connect with. <p>If you run TCP/IP on your system
and your system participates in a network that is not physically protected,
such as all nonswitched lines and predefined links, you are vulnerable to
IP spoofing. To protect your system from damage by a <span class="q">"spoofer,"</span> start
with the suggestions in this chapter, for example, sign-on protection and
object security. You should also ensure that your system has reasonable auxiliary
storage limits set. This prevents a spoofer from flooding your system with
mail or spooled files to the point that your system becomes inoperable. In
addition, you should regularly monitor TCP/IP activity on your system. If
you detect IP spoofing, you can try to discover the weak points in your TCP/IP
setup and make adjustments.</p>
<p>For your intranet, your company's private
network of systems that do not need to connect directly to the outside, use
IP addresses that are reusable. Reusable addresses are intended for use within
a private network. The Internet backbone does not route packets that have
a reusable IP address. Therefore, reusable addresses provide an added layer
of protection inside your firewall. <a href="../rzai2/rzai2kickoff.htm">TCP/IP
Setup</a> provides more information about how IP addresses are assigned
and about the ranges of IP addresses, as well as security information about
TCP/IP.</p>
</li>
</ul>
</div>
</div>
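<p>The port monitoring and IP spoofing checks described above, as an added example that is not part of the original IBM topic: it reviews connection records for ports that have no approved application and for sources that claim a reusable address while arriving on an outside-facing line. The record layout, the line names (ETHLINE, WANLINE) and the approved-port list are constructed assumptions.</p>

```python
import ipaddress

# Reusable (private) IPv4 ranges; the Internet backbone does not route these,
# so one arriving from outside cannot be a legitimate source address.
REUSABLE = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed site policy (constructed): ports that have an approved application,
# and the line names that face the intranet rather than the outside.
APPROVED_PORTS = {("tcp", 23), ("tcp", 25), ("udp", 161)}
INTERNAL_LINES = {"ETHLINE"}

# Constructed sample records: line, protocol, local port, remote address.
SAMPLE = """\
ETHLINE,tcp,23,10.1.4.20
ETHLINE,tcp,5150,10.1.4.77
WANLINE,tcp,25,198.51.100.9
WANLINE,tcp,23,10.1.4.20
WANLINE,udp,161,not-an-address
"""

def is_reusable(addr):
    """True when addr (an ipaddress object) lies in a reusable range."""
    return any(addr in net for net in REUSABLE)

def review(records):
    """Return (record number, finding) pairs for records that need attention."""
    findings = []
    for number, raw in enumerate(records.splitlines(), 1):
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 4:
            findings.append((number, "malformed record"))
            continue
        line, proto, port, remote = fields
        try:
            addr = ipaddress.ip_address(remote)
            port_no = int(port)
        except ValueError:
            # Unparseable data is reported, never silently skipped.
            findings.append((number, "malformed record"))
            continue
        # A port in use with no approved application is a possible back door.
        if (proto.lower(), port_no) not in APPROVED_PORTS:
            findings.append((number, "unapproved port"))
        # An intranet address seen on an outside line suggests a spoofed source.
        if line not in INTERNAL_LINES and is_reusable(addr):
            findings.append((number, "reusable source on external line"))
    return findings

if __name__ == "__main__":
    for number, finding in review(SAMPLE):
        print(number, finding)
```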
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzamvtcpserverstart.htm">Control which TCP/IP servers start automatically</a></strong><br />
As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP.</li>
<li class="ulchildlink"><strong><a href="rzamvtcppreventproc.htm">Prevent TCP/IP processing</a></strong><br />
TCP/IP server jobs run in the QSYSWRK subsystem. You use the Start TCP/IP (STRTCP) command to start TCP/IP on your system.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpipplan.htm" title="TCP/IP (Transmission Control Protocol/Internet Protocol) is a common way that computers of all types communicate with each other.">Plan TCP/IP security</a></div>
</div>
</div>
</body>
</html>