Re: TCPIP security issues

[John Earl <johnearl@xxxxxxxxxxxxxxx>]

"Liu Kean Keong (HLB)" wrote:

> Hi,
> There are a lot of advantages in moving from SNA to TCPIP for client
> services. But I just wonder on whether security on the AS/400 is being
> compromised in some way by this move. Example, if we have to startup the FTP
> server, won't that provide a command line to transfer files? (in a
> controlled non-command line environment)

Yes, if you start the FTP server as well.  You can choose not to start the FTP
server when TCP/IP is started and completely avoid the FTP issue.  You could 
also
employ exit programs to regulate who can use the FTP server and the FTP command
line.   But again, if the _only_ TCP/IP service you want to use is telnet, it is
possible to only start that service

But in this respect TCP/IP is not less secure than SNA because SNA currently
supports many file transfer capabilities as well remote command line
capabilities.  You're probably allowing SNA file transfer right now through
Client Access (or Rumba, or NetManage, etc.).

Client Access File Transfer, DDM, ODBC, etc.  all run as well over SNA as they 
do
over TCP/IP, so even if you are a strictly SNA shop you still have remote 
command
and file transfer issues.  Exit programs can help you here as well by regulating
which musers are allowed to exploit these services.

jte

--
John Earl                               johnearl@400security.com
The PowerTech Group                     206-575-0711
PowerLock Network Security              www.400security.com
--




+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---