On 3 Jan 2002 thomas@inorbit.com wrote:

> Has anybody out there investigated the implications of these IBM
> documents? I'd be nervous about these settings without a few additional
> precautions, and even then I'd wonder.
>
> 1) With those ports open, I'd want the traffic restricted to the iSeries
> IP address, not allowing traffic to/from any other servers in my
> network.
> (Seems odd restricting to the iSeries rather than the other way around.)

Absolutely, you want to restrict access to those ports only on the AS/400,
not any other server.  You also probably want to restrict *from* what
addresses you allow connections to your AS/400.  And if you know that
connections will only be initiated in one direction (only incoming or only
outgoing) then you want to restrict on the TCP headers SYN and ACK.
O'Reilly has two good books on this subject:
Building Internet Firewalls, 2nd Ed.
http://www.oreilly.com/catalog/fire2/
and (UNIX-centric but still quite useful) Practical UNIX &
Internet Security, 2nd Edition
http://www.oreilly.com/catalog/puis/

I know that this is two days in a row that I've mentioned O'Reilly books
on this list - I really don't work for them, honest :)

> 2) You'd want a Netserver 'guest' profile and definite restrictions on
> what was shared.

I'm not sure you would want a guest profile.  That means *anyone* can use
it.  Do you really want that?

> 3) I figure access to Netserver would have to be either by IP address or
> an entry in the remote LMHOSTS file, rather than by Netserver system
> name.

I'm not sure on the Netserver configuration (still at VRM410 here).  But
if you can limit Netserver itself to only respond to certain IPs that
would be good.  Another layer of protection.

> Are those paranoid? Or are they not yet restrictive enough? It's right
> at the fringe of my knowledge.

These can only be answered after considering what you want to do.  Do you
want to give users on the internet access to Netserver?  If so, then I
believe they are not restrictive enough.  SMB is a very insecure protocol.
If you want to use it for internet connected users you should encapsulate
it in some kind of secure protocol;  either VPN or IP tunnel like IPSEC or
IPv6.  If you only want to give Netserver access to people on your LAN and
your AS/400 is also on the LAN but not connected to any other network then
you are probably paranoid.  If your AS/400 sits on two networks (one
private LAN and one public LAN) then you need to restrict Netserver access
based on IP and interface to help eliminate IP spoofing attacks.  If all
you want is a file server for your private LAN users and your AS/400 is not
on the private LAN, just put in a linux box with Samba and be done with
it.  You'll love the performance.

James Rich
james@eaerich.com
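The filtering policy James sketches above (NetServer ports reachable only on the AS/400, only from private-LAN addresses arriving on the private interface, with the SYN/ACK flags used to enforce that clients, not the AS/400, open connections, and spoofed private addresses dropped on the public interface) is modelled below as a small packet-filter evaluator. This is an added example, not code from the thread or from IBM; the AS/400 address 192.0.2.10, the private LAN 192.0.2.0/24, the interface names "private"/"public" and the NetBIOS/SMB port set {137, 138, 139, 445} are all assumptions, and the packets fed to it are constructed.

```python
"""Model of the NetServer packet-filter policy from the thread (added example).

Addresses, interface names and the SMB port set are assumed; the filter reasons
over a simplified 5-tuple plus the TCP SYN/ACK flags and the arrival interface,
and returns (verdict, reason) so each decision can be traced to a rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

AS400_IP = ipaddress.ip_address("192.0.2.10")        # assumed iSeries address
PRIVATE_LAN = ipaddress.ip_network("192.0.2.0/24")   # assumed LAN behind the "private" interface
SMB_PORTS = {137, 138, 139, 445}                      # assumed NetBIOS/SMB ports NetServer listens on


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "private" or "public"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def filter_decision(pkt: Packet) -> Tuple[str, str]:
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 1 (anti-spoofing): a packet arriving on the public interface cannot
    # legitimately carry a private-LAN source, so it is forged whatever the port.
    if pkt.iface == "public" and src in PRIVATE_LAN:
        return "DROP", "spoofed private source on public interface"

    to_netserver = dst == AS400_IP and pkt.dport in SMB_PORTS
    from_netserver = src == AS400_IP and pkt.sport in SMB_PORTS

    if to_netserver:
        # Rule 2: only private-LAN clients, on the private interface, may reach NetServer.
        if pkt.iface != "private" or src not in PRIVATE_LAN:
            return "DROP", "NetServer reachable only from the private LAN"
        # Rule 3 (direction): a bare SYN is a client opening a session and a plain ACK
        # continues one; SYN+ACK toward the server would be the second step of a
        # handshake the AS/400 started, which this policy does not allow.
        if pkt.syn and pkt.ack:
            return "DROP", "SYN+ACK toward NetServer implies the AS/400 initiated"
        if pkt.syn or pkt.ack:
            return "ACCEPT", "client-initiated SMB session"
        return "DROP", "unexpected flag combination toward NetServer"

    if from_netserver:
        # Rule 3 mirrored: every legitimate reply from the SMB port carries ACK;
        # a SYN without ACK from that port is the AS/400 initiating outbound.
        if not pkt.ack:
            return "DROP", "NetServer must not initiate connections"
        if dst not in PRIVATE_LAN:
            return "DROP", "NetServer reply leaving the private LAN"
        return "ACCEPT", "NetServer reply to LAN client"

    # Rule 4: the SMB ports are closed on every host other than the AS/400.
    if pkt.dport in SMB_PORTS or pkt.sport in SMB_PORTS:
        return "DROP", "SMB ports permitted only on the AS/400"

    return "ACCEPT", "not covered by the NetServer policy"


def demo():
    """Run a few constructed packets through the policy and return the decisions."""
    samples = [
        Packet("private", "192.0.2.55", "192.0.2.10", 40001, 445, syn=True),            # LAN client connects
        Packet("public", "203.0.113.7", "192.0.2.10", 40001, 445, syn=True),            # internet client
        Packet("public", "192.0.2.55", "192.0.2.10", 40001, 445, syn=True),             # spoofed LAN source
        Packet("private", "192.0.2.55", "192.0.2.20", 40001, 139, syn=True),            # SMB to another host
        Packet("private", "192.0.2.10", "192.0.2.55", 445, 40001, syn=True, ack=True),  # handshake reply
        Packet("private", "192.0.2.10", "192.0.2.55", 445, 40001, syn=True),            # AS/400 initiating
    ]
    return [(p, filter_decision(p)) for p in samples]


if __name__ == "__main__":
    for pkt, (verdict, reason) in demo():
        print(f"{pkt.iface:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"SYN={int(pkt.syn)} ACK={int(pkt.ack)}  {verdict:6} {reason}")
```

A real filter would track connection state rather than trusting the ACK bit alone, so treat this as a readable statement of the policy rather than a substitute for a stateful firewall; it does show why the interface, the source address and the flags all have to be checked together, since any one of them on its own lets a packet through that the others would have caught.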