

  • Subject: Re: Okay to change QAUTOVRT to zero?
  • From: Chuck Lewis <clewis@xxxxxxxxxx>
  • Date: Wed, 18 Oct 2000 12:25:14 -0500

ONE caveat to this...

At my last job (2 1/2 years ago and running on V3R7) using Client Access to connect
PCs, with QAUTOVRT set to 0, the system would STILL create these devices !!!

So do a test and make SURE you are OK !

I just did that on our box (V4R1) connecting via TCP/IP and running Synapse Netwolf
and it does NOT work (i.e. no device created and CPF87D7 (Cannot automatically
select virtual device.) message logged to QSYSOPR).


Chuck

Jim Langston wrote:

> QAUTOVRT and security.
>
> It should be fine to change your QAUTOVRT to 0, since any needed devices
> by this time should already be created.  They do not disappear after being
> created but hang around until you delete them manually, they are reused.
>
> So what's the big deal then?
>
> Say you have some hacker trying to access your system.  He gets to your
> system either through dial in or telnet or similar methods.  He tries to
> log into your system by guessing user names and passwords.  Now, if you
> have your security set up correctly, when the system disables a user
> profile it will also disable the device.  With QAUTOVRT set to 0 (do not
> create) once the hacker reaches the last usable device he will no longer
> be able to get a sign on.  So you thwarted his attempts.
>
> But, with QAUTOVRT set to 1 (auto create) the hacker can try as often as
> he likes, because even though the virtual devices are becoming disabled, he
> just starts a new connection and a new one is created.
>
> The way to use QAUTOVRT with security in mind is to initially turn it on and
> allow a number of devices to be created.  After enough auto devices get created
> you turn it off.  You now have enough virtual devices for everyone to get onto
> your system that needs to, but no more will be created when someone comes along
> and starts disabling them trying to hack into your system.
>
> Regards,
>
> Jim Langston
>
> Date: Tue, 17 Oct 2000 16:47:49 EDT
> From: MacWheel99@aol.com
> Subject: Re: Okay to change QAUTOVRT to zero?
>
> There are a couple issues here.
>
> Someone made a security review & suggested something to improve security.
> Bryan Burns asked what the implications of the adjustment might be.
> Al Mac asked what impact this might have on AUTHORIZED DIAL IN.
> Chuck Lewis implied that it might not interfere with ANY dial in.
> Which means that the original security reviewer missed something ... if a
> port or line is left open for the purpose of an AUTHORIZED dial in, or pass
> thru, then an intruder might also use that access.
> So what has been accomplished by adjusting QAUTOVRT from perspective of the
> security goals?
> Or am I off in left field ... QAUTOVRT is not FOR security of dial in, but
> for security of LAN attachments?
>
> Alister William Macintyre
> Computer Data Janitor etc. of BPCS 405 CD Rel-02 on 400 model 170 OS4 V4R3
> (forerunner to IBM e-Server i-Series 400)  @ http://www.cen-elec.com Central
> Industries of Indiana--->Quality manufacturer of wire harnesses and
> electrical sub-assemblies
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

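Added example, not part of the original thread and not IBM code: a small Python model of the lockout argument in Jim Langston's quoted message, comparing a fixed pool of virtual devices (QAUTOVRT 0) with auto-creation left on. The `Host` class, the pool of 5 devices, the 3-attempt limit, the 1000-device cap and the 300-guess budget are assumptions for illustration; the model treats QAUTOVRT as a cap on auto-created devices and assumes that hitting the sign-on limit disables the device.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """Simplified model (assumption, not IBM code) of the behaviour described in the thread."""
    qautovrt: int                      # cap on auto-created virtual devices (0 = create none)
    qmaxsign: int                      # failed sign-ons before the device is disabled
    devices: dict = field(default_factory=dict)  # device name -> "free" or "disabled"
    cpf87d7: int = 0                   # refusals that would be logged to QSYSOPR as CPF87D7

    def connect(self):
        """Hand out a free device, auto-create one if allowed, otherwise refuse."""
        for name, state in self.devices.items():
            if state == "free":
                return name
        if len(self.devices) < self.qautovrt:
            name = f"QPADEV{len(self.devices) + 1:04d}"
            self.devices[name] = "free"
            return name
        self.cpf87d7 += 1
        return None

    def fail_signons(self, name):
        """Use up the sign-on attempts on one device; the device ends up disabled."""
        self.devices[name] = "disabled"
        return self.qmaxsign

def guesses_before_refusal(host, budget):
    """Password guesses possible before connections are refused or the budget ends."""
    guesses = 0
    while guesses < budget:
        dev = host.connect()
        if dev is None:
            break
        guesses += host.fail_signons(dev)
    return guesses

def compare(existing=5, qmaxsign=3, budget=300):
    """Per setting: (guesses, devices defined, CPF87D7 count, next connection refused)."""
    out = {}
    for label, limit in (("QAUTOVRT=0", 0), ("auto-create on", 1000)):
        pool = {f"QPADEV{i:04d}": "free" for i in range(1, existing + 1)}  # constructed pool
        host = Host(qautovrt=limit, qmaxsign=qmaxsign, devices=pool)
        guesses = guesses_before_refusal(host, budget)
        refused = host.connect() is None   # what the next legitimate user would see
        out[label] = (guesses, len(host.devices), host.cpf87d7, refused)
    return out

if __name__ == "__main__":
    print(compare())
```

In this model the fixed pool caps the guessing at pool size times the attempt limit, and the same refusal then meets the next legitimate connection, so the CPF87D7 count in QSYSOPR is the value to watch after setting QAUTOVRT to 0.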

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].