

  • Subject: RE: Internet security and the AS/400
  • From: Bob Crothers <bcrothers@xxxxxxxxxxxxx>
  • Date: Wed, 7 Jan 1998 12:58:31 -0000

Jack,

There are a few things you should think about.

The first is to make sure you shut off all TCP/IP services on your 
/400 that you have not thought about and are not using.  E.g.: 
Telnet, FTP, HTTP, SMTP, etc.  Then when you have put some 
thought into what the ramifications are of those services and 
you need them, turn them back on.  For example, if you are not 
ready for Telnet, turn it off.

As for Telnet.  Keep in mind that you are providing a Signon 
Screen to the World.  If your profile/password security can 
withstand that, by all means go for it.  BUT, make sure ALL 
"default" profiles are either disabled or at least have new 
passwords.  And make sure that you have adequate passwords for 
your users.  Most (but not all) AS/400's can NOT pass this test.  
Make sure yours can.

Note: If you are using CAWin over TCP/IP, you already have 
Telnet on... BE CAREFUL about putting your network on the 
Internet!

FTP can actually be as bad as Telnet.  Especially if you create 
everything with PUBAUT(*ALL) or *USE.  The only thing between 
your data and somebody with the desire is your object level 
security.  At least until you make some changes in the Telnet 
setup.

Yes, both of these (Telnet & FTP) can be safely done.  But, you 
must examine your situation first.

Do you need a firewall?  That depends.  The true purpose of a 
firewall is to give you a single point of control over security 
between the Internet and your LAN.  If you visit each system on 
your network (each PC and each AS/400, each Unix box, etc.) and 
make sure they aren't running any TCP/IP services that you deem 
dangerous and you know nobody but you will start such a service, 
then you do not need a firewall.

But if you want to have telnet on for your network, but NOT the 
internet (or any TCP/IP service), you will need a firewall.

For the most part, most end-user Client Windows machines are OK, 
if they are using NETBEUI for network shares (and TCP/IP is not 
bound to network functions).  The only machines you usually have 
to worry about are your "servers".  E.g.: SQL Servers using 
TCP/IP, WinNT Servers with all of MS's cool new internet 
services, your AS/400's and any UNIX/AIX boxes on your network.

The AS/400 CAN be a very secure machine.  Unfortunately, out of 
the box it is very open to attack.

I will say that "out of the box", Windows NT is much more secure 
than the AS/400 in terms of TCP/IP services.  By this I mean 
that the defaults are much safer.  And I am not saying that 
either OS is "more secure", just that out of the box, WinNT is 
better.

What is a good firewall?  Raptor/NT has a very good reputation 
and can be set up for less than $10,000 (hardware & software).  
IBM's Secured Network Gateway for AIX is very good, but 
expensive: $25,000 hardware & software.  I've used SNG/Aix and 
really liked it.  The firewall for the AS/400 from IBM is 
actually a partial port of SNG/Aix and is currently quite 
limited (IMHO)... in a year or two, it might be a very good 
choice, but for now it is "less than impressive".  And at least 
one of the ISDN routers has a firewall built in!  It is probably 
a very simple one, but inexpensive.

Hopefully, the above is enough to get you started and thinking!

Regards,
Bob Crothers
Cornerstone Communications


-----Original Message-----
From:   Jack Mullins [SMTP:jmullins@sundash.com]
Sent:   Wednesday, January 07, 1998 8:34 AM
To:     MIDRANGE-L@midrange.com
Subject:        Internet security and the AS/400

Hello Everybody,

I know there has been some discussion of this in the past.  
However, I would appreciate it if I could trouble you again with 
a few questions.

I am setting up a dedicated connection to the internet at my 
office via ISDN.  I'm going to route the internet connection 
directly onto my ethernet so that everyone on the ethernet will 
have access to the internet.  However, I want to protect my 
AS/400 which is also connected to the ethernet.  Also, I am 
planning to eventually use the AS/400 as an e-mail server and 
possibly HTML server in the future.  I am presently considering 
buying a firewall to protect the entire ethernet.  What other 
considerations do I need to entertain and will a firewall be 
enough?  How safe will it be to allow telnet/ftp access to my 
home users (the only users will probably be MIS for now)?

I could use suggestions on firewall brands too.  What kind of 
experiences have you had, good or bad?

Thank you,


Jack Mullins
Sun Industries, Inc.
2409 Industrial Dr.
Jonesboro, AR 72401
http://www.sundash.com


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
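
The reply above contrasts two ways of limiting exposure: visiting every host and shutting off services, or putting a firewall in as a single point of control so that Telnet can stay on for the LAN but not the Internet. The sketch below is an added example, not part of the original message; the addresses, the inventory, and the rule set are constructed assumptions. It lists which services an Internet source can reach with and without a border rule set.

```python
import ipaddress

# Constructed inventory (assumption): host -> TCP services left running on it.
INVENTORY = {
    "192.168.1.10": {"telnet": 23, "ftp": 21, "smtp": 25},  # the AS/400
    "192.168.1.20": {"http": 80, "telnet": 23},             # a Unix box
}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal network

# Border rules, first match wins: (action, source net, dest host, port).
# "*" matches anything; traffic that matches no rule is denied.
RULES = [
    ("allow", "0.0.0.0/0", "192.168.1.10", 25),  # inbound mail to the AS/400
    ("deny", "0.0.0.0/0", "*", "*"),             # everything else from outside
]


def decide(rules, src, dst, port):
    """Return 'allow' or 'deny' for one inbound connection attempt."""
    src_ip = ipaddress.ip_address(src)
    for action, net, host, rule_port in rules:
        if src_ip not in ipaddress.ip_network(net):
            continue
        if host != "*" and host != dst:
            continue
        if rule_port != "*" and rule_port != port:
            continue
        return action
    return "deny"


def reachable(inventory, rules, src):
    """Sorted (host, service) pairs that src can connect to.

    rules=None models a LAN routed straight onto the Internet: every
    listening service is exposed and only host-level security remains.
    """
    src_ip = ipaddress.ip_address(src)
    found = []
    for host, services in inventory.items():
        for name, port in services.items():
            # LAN-to-LAN traffic never crosses the border firewall.
            if src_ip in LAN or rules is None:
                found.append((host, name))
            elif decide(rules, src, host, port) == "allow":
                found.append((host, name))
    return sorted(found)


if __name__ == "__main__":
    outside = "203.0.113.5"  # documentation-range address standing in for the Internet
    print("no firewall:", reachable(INVENTORY, None, outside))
    print("firewall   :", reachable(INVENTORY, RULES, outside))
    print("from LAN   :", reachable(INVENTORY, RULES, "192.168.1.50"))
```
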

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
