On 21/12/2006, at 11:42 PM, rob@xxxxxxxxx wrote:
> I guess, if there is no perceived need for those TCP features then lock them down. That's not bad, but I'd find it very limiting.
This is a publicly accessible server so it's another level of defence. If the servers aren't active then it's not possible to use TCP clients to connect to it. The firewall doesn't have these ports open anyway but this is a belt and braces approach. There is no common TCP function that cannot be done by an equivalent SNA function so I can't agree that it is limiting unless you want to send files to a PC which is never necessary from this system (and HTTP, which IS already active, could be used for that purpose). Having these servers disabled has no impact on the daily operation of this server.
> They lock down TCP but not SNA? Classic example of security by obscurity?
Read again what I said. Although both TCP and SNA protocols are active, both TCP and APPC commands are locked down. Not possible to leave the public server via TCP or SNA unless authorised but is possible to get into the public server via SNA from the second internal network. Not possible from outside. Certainly a little obscurity is involved. TCP dweebs trying to connect will get "Connexion rejected by host" and give up. Anyone who tries SNA will require corresponding network configurations at the public server. All configuration commands are locked down too so that won't work.
> I almost mentioned the old FTS stuff also, but I didn't want to encourage SNA. I have a PDM option for transferring file members this way.
This worked really well. I wrote a suite of commands to transfer stuff using FTS.
Regards, Simon Coulter.
--------------------------------------------------------------------
FlyByNight Software AS/400 Technical Specialists
http://www.flybynight.com.au/
Phone: +61 3 9419 0175 Mobile: +61 0411 091 400
Fax: +61 3 9419 0175
ASCII Ribbon campaign against HTML E-Mail
--------------------------------------------------------------------
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.