Hello all:

Jack's note poses a problem that is common to many businesses and I thought I'd take a stab at it... First, he proposes to have Internet access to everybody on the Ethernet rather than just an AS/400 or a stand-alone PC. Second, he is asking the question that all of us want to answer: How about TELNET/FTP from home.

I certainly would recommend a firewall to protect his inside network. He should look at the IBM firewall product, possibly as a stand-alone AS/400. However, he needs to have a security type configure the firewall and make sure that it is only accessible to a limited number of persons. The logic tables need to be audited and reviewed periodically. If an outside expert configures the firewall, consider changing the password so only a trusted employee can gain access via a sealed envelope. The firewall should ideally be dedicated to just that, acting as a firewall. The expert should be able to clearly (I mean, IN YOUR NATIVE LANGUAGE!) explain all of the table entries, including special exceptions, if any.

There are some business issues that also need to be addressed. 24 hour internet access was great but the high volume of pornographic traffic reviewed by one employee was hardly what the company anticipated!

TELNET/FTP from home: TELNET and FTP protocols use unencrypted user ids and passwords. DataFellows puts out a secured TELNET shell but we're waiting for secured sockets on the AS/400 before signing in from home. I certainly would NOT permit TELNET/FTP to your AS/400 via the Internet at THIS TIME. This is one of the hardest decisions because it is so nice to be able to support an organization while signed onto the net.

Jack asks about experience with firewalls. I have had some experience here. The last firewall expert who set up a firewall had serious flaws in it. Several of the logic tables had errors in them allowing prohibited traffic through and a user id called "guest" was detected. (He was a certified expert!)

The firewall can be used to protect you from yourself. For example, if you don't want to permit TELNET/FTP from the outside network, then make sure that ports 20, 21, 23 are closed to the AS/400. This could be done individually but should be part of a larger design because other systems could permit this traffic. Consider use of a proxy server to hide the configuration of your inside network from the outside world. Make sure your inside IP addresses don't conflict with the outside world. (e.g. use 192.168.128.nnn which is non-Internic assignable. There is a document, RFC 1597, available on the Internet that describes this assignment.)

Hope this helps....Steve

>Date: Wed, 7 Jan 1998 07:34:20 -0600
>Hello Everybody,
>I know there has been some discussion of this in the past. However, I would
>appreciate it if I could trouble you again with a few questions.
>I am setting up a dedicated connection to the internet at my office via
>ISDN. I'm going to route the internet connection directly onto my ethernet
>so that everyone on the ethernet will have access to the internet. However,
>I want to protect my AS/400 which is also connected to the ethernet. Also,
>I am planning to eventually use the AS/400 as an e-mail server and possibly
>HTML server in the future. I am presently considering buying a firewall to
>protect the entire ethernet. What other considerations do I need to
>entertain and will a firewall be enough? How safe will it be to allow
>telnet/ftp access to my home users (the only users will probably be MIS for now)?
>I could use suggestions on firewall brands too. What kind of experiences
>have you had, good or bad?
>Thank you,
>Jack Mullins
>Sun Industries, Inc.
>2409 Industrial Dr.
>Jonesboro, AR 72401
>http://www.sundash.com

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
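An added example, not from Steve's or Jack's messages, of auditing a firewall rule table the way Steve recommends: a small first-match packet-filter simulator checks that TCP ports 20, 21 and 23 from the outside cannot reach the AS/400 and that the inside network lies in an RFC 1597 private range. All addresses, host names and rules below are constructed for the example.

```python
# Added example: audit a packet-filter "logic table" for the two checks
# Steve describes. All addresses and rules are constructed, not real.
import ipaddress

# RFC 1597 private ranges: 10/8, 172.16/12, 192.168/16
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INSIDE_NET = "192.168.128.0/24"   # constructed, following Steve's 192.168.128.nnn
AS400 = "192.168.128.10"          # constructed address of the AS/400
OUTSIDE_HOST = "203.0.113.7"      # constructed outside address

# Rule table, evaluated top to bottom; the first matching rule decides.
# Tuple layout: (action, source network, destination network, TCP port or None=any)
RULES = [
    ("allow", "192.168.128.0/24", "0.0.0.0/0",          None),  # inside -> anywhere
    ("allow", "0.0.0.0/0",        "192.168.128.10/32",  23),    # stray exception: TELNET to AS/400
    ("deny",  "0.0.0.0/0",        "192.168.128.10/32",  None),  # outside -> AS/400 blocked
    ("allow", "0.0.0.0/0",        "192.168.128.0/24",   80),    # outside -> web only
    ("deny",  "0.0.0.0/0",        "0.0.0.0/0",          None),  # default deny
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching a TCP packet src->dst:port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, p in rules:
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and (p is None or p == port)):
            return action
    return "deny"  # no rule matched: treat as denied

def audit(rules, inside_net, as400, outside=OUTSIDE_HOST):
    """List findings: FTP/TELNET reachable from outside, or non-private inside net."""
    findings = []
    for port in (20, 21, 23):  # FTP data, FTP control, TELNET
        if decide(rules, outside, as400, port) == "allow":
            findings.append(f"outside can reach AS/400 port {port}")
    net = ipaddress.ip_network(inside_net)
    if not any(net.subnet_of(p) for p in PRIVATE_NETS):
        findings.append(f"inside net {net} is not RFC 1597 private")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, INSIDE_NET, AS400):
        print("FINDING:", finding)
```

Removing the stray port 23 exception makes the audit return no findings, which is the kind of table error Steve says a periodic review should catch.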