Re: Connect via PC -- MIDRANGE-L

Booth:
IMHO, anytime you put your AS400, network, etc in a public arena such as the
Internet (and to a lesser extent, hand a dial up modem on it), you have to
assume that someone may try to access your system.  I don't think anything
is fool proof, however I feel it is my job to secure my networks/systems and
my clients as much as possible.  One of the jobs of a CIO is to secure the
companies data and information assets.  Its not a matter of theft, there is
nothing confidntial on either of our AS400s, however I don;t want them as a
playground for the casual hacker.  It is not very hard to use FTP to crash a
system very quickly.  Be wary of what services you allow from the Internet
to your AS400 and be sure you have the the system values set to where you
can spot a potential problem before it happens.

I don't believe you can sigh on with the service signon (I belive you need
to be in dedicated service tools DST for that), however, be wary to disable
the default user profiles (QSECOFR, QSYSOPR, QPGMR, QUSER , etc), vary
devices and disable profiles after a low number of invalid signons, use
difficult passwords, etc.  There are many *SEC system values to assist here.

As far as firewalls, they can limit access both ways and are much better at
security than a proxy server.

Just my opinions...
Carl
Carl Galgano
EDI Consulting Services, Inc.
http://cgalgano.home.mindspring.com
mailto://cgalgano@ediconsulting.com
(770) 422-2995

-----Original Message-----
From: boothm@ibm.net <boothm@ibm.net>
To: MIDRANGE-L@midrange.com <MIDRANGE-L@midrange.com>
Date: Thursday, July 23, 1998 11:03 PM
Subject: Re: Connect via PC


|I ask this because I am curious.
|
|If someone does reach an AS/400 sign-in screen, can they get in if the
|instructions from IBM have been followed about service passwords, etc.?
|
|My understanding of firewalls is that they are designed more to keep those
|inside, inside.
|
|So far as attacks from outside, do they happen successfully on any but the
|most casual of installations?   One always fears that a great gaping
|security hole will be discovered, but that doesn't seem to happen any more
|often than a company has its phone system attacked, or fraudulent bills
|sent in for Accounts Payable payment.
|
|In the end I wonder if much of our worry about internet security will calm
|down once we get a bit more used to it.  Recently someone was telling
|about the security he'd placed on his web site where he had his
|advertising.  I asked him if he was really worried about someone breaking
|in and stealing his promotions and advertisements.  He didn't see the
|point of my question to him.
|
|Please understand, I am not advocating here, nor suggesting.  I am trying
|to learn.
|
|
|In <005801bdb6a6$d45c7f60$65bc56d1@atlpc1>, on 07/23/98
|   at 10:00 PM, "Carl Galgano" <cgalgano@ediconsulting.com> said:
|
|>Booth:
|>I agree with the addition of an ISP between the remote PC and the
|>Internet, however, your config allows the AS400 to be accessed direclty
|>via the internet and that bothers me....
|>Carl Galgano
|
|--
|-----------------------------------------------------------
|boothm@ibm.net
|Booth Martin
|-----------------------------------------------------------
|
|+---
|| This is the Midrange System Mailing List!
|| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
|| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
|| To unsubscribe from this list send email to
MIDRANGE-L-UNSUB@midrange.com.
|| Questions should be directed to the list owner/operator:
david@midrange.com
|+---

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---