On 3 Jan 2002 thomas@inorbit.com wrote:

> Has anybody out there investigated the implications of these IBM
> documents? I'd be nervous about these settings without a few additional
> precautions, and even then I'd wonder.
>
> 1) With those ports open, I'd want the traffic restricted to the iSeries
> IP address, not allowing traffic to/from any other servers in my
> network.
> (Seems odd restricting to the iSeries rather than the other way around.)

Absolutely, you want to restrict access to those ports only on the AS/400, not any other server. You also probably want to restrict *from* what addresses you allow connections to your AS/400. And if you know that connections will only be initiated in one direction (only incoming or only outgoing) then you want to restrict on the TCP headers SYN and ACK.

O'Reilly has two good books on this subject:

Building Internet Firewalls, 2nd Ed.
http://www.oreilly.com/catalog/fire2/

and (UNIX-centric but still quite useful)

Practical UNIX & Internet Security, 2nd Edition
http://www.oreilly.com/catalog/puis/

I know that this is two days in a row that I've mentioned O'Reilly books on this list - I really don't work for them, honest :)

> 2) You'd want a Netserver 'guest' profile and definite restrictions on
> what was shared.

I'm not sure you would want a guest profile. That means *anyone* can use it. Do you really want that?

> 3) I figure access to Netserver would have to be either by IP address or
> an entry in the remote LMHOSTS file, rather than by Netserver system
> name.

I'm not sure on the Netserver configuration (still at VRM410 here). But if you can limit Netserver itself to only respond to certain IPs that would be good. Another layer of protection.

> Are those paranoid? Or are they not yet restrictive enough? It's right
> at the fringe of my knowledge.

These can only be answered after considering what you want to do. Do you want to give users on the internet access to Netserver? If so, then I believe they are not restrictive enough. SMB is a very insecure protocol. If you want to use it for internet connected users you should encapsulate it in some kind of secure protocol; either VPN or IP tunnel like IPSEC or IPv6.

If you only want to give Netserver access to people on your LAN and your AS/400 is also on the LAN but not connected to any other network then you are probably paranoid.

If your AS/400 sits on two networks (one private LAN and one public LAN) then you need to restrict Netserver access based on IP and interface to help eliminate IP spoofing attacks.

If all you want is a file server for your private LAN users and your AS/400 is not on the private LAN, just put in a Linux box with Samba and be done with it. You'll love the performance.

James Rich
james@eaerich.com
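The three filter restrictions James lists (ports reachable only at the AS/400's address, connections accepted only from listed client addresses, and one-way session setup enforced on the TCP SYN/ACK flags) modelled as a small stateless packet-filter check. This is an added example, not code from the list or from IBM; the AS/400 address, the trusted subnet and the SMB port numbers are assumptions for the demonstration.

```python
"""Stateless packet-filter model of the SMB/NetServer restrictions discussed above.

Constructed example: the addresses and port list are assumed values.
  1. The SMB ports are reachable only at the AS/400's own address.
  2. Only clients in the trusted subnet may talk to those ports.
  3. Sessions may be opened only toward the AS/400: packets leaving the
     AS/400's SMB ports must carry ACK, so a bare SYN (the AS/400 opening
     a session outward) is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AS400 = ip_address("10.0.0.5")            # assumed address of the iSeries
TRUSTED = [ip_network("10.0.0.0/24")]     # assumed client subnet(s)
SMB_PORTS = {139, 445}                    # NetBIOS session / direct-hosted SMB


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED)


def permit(pkt: Packet) -> bool:
    """Return True if the packet passes the three restrictions."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # Rules 1 and 2: client -> AS/400 on an SMB port, trusted source only.
    # New sessions (SYN) and established traffic are both allowed inbound.
    if dst == AS400 and pkt.dport in SMB_PORTS:
        return _trusted(src)

    # Rule 3: AS/400 -> client only as a reply (ACK set). A SYN without ACK
    # would be the AS/400 initiating a session, which is not permitted.
    if src == AS400 and pkt.sport in SMB_PORTS:
        return pkt.ack and _trusted(dst)

    # SMB ports on any other host are not reachable at all.
    return False
```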
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].