Restrict any port related to any service you do not intend your system to
provide. Port restrictions can be done in ranges. So, for example, if you
only intend to offer HTTP, then restrict all the other ports. I usually
suggest creating a dummy profile with password *NONE, restricting access to
unused ports to this profile, and then deleting the dummy profile.

Depending on your situation, you can also use port restriction for ports
for services you are providing. For example, if you are only providing HTTP
access you MAY be able to restrict ports 80 and 443 to only allow
programs running under QTMHHTTP. There is investigation required to make
sure you use the appropriate profiles for your web server depending on
the security models of your individual web applications.


Patrick Botz
Senior Software Engineer
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@us.ibm.com
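The procedure Patrick describes above, written out as a CL program so it can be reviewed and re-run as a whole. This is an added example, not code from either message or from IBM: the profile name PORTLOCK, the assumption that the box offers only HTTP/HTTPS under QTMHHTTP plus Telnet for administrators under QTCP, and the decision to leave ports above 1023 alone are all assumptions made here.

```cl
/* LOCKPORT: restrict TCP/IP ports on IBM i to profiles that cannot sign on.   */
/* Added example. PORTLOCK, the port ranges and the server profiles below are  */
/* assumptions, not values from the original messages. Confirm which profile   */
/* each server on your system actually runs under (WRKACTJOB) before running.  */
             PGM

/* 1. Dummy profile: no password, disabled, no special authorities. It can     */
/*    never be used to sign on, but it exists for the restrictions to name.    */
             CHKOBJ     OBJ(QSYS/PORTLOCK) OBJTYPE(*USRPRF)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               CRTUSRPRF  USRPRF(PORTLOCK) PASSWORD(*NONE) +
                            STATUS(*DISABLED) INLMNU(*SIGNOFF) +
                            LMTCPB(*YES) SPCAUT(*NONE) +
                            TEXT('Dummy profile owning unused port restrictions')
             ENDDO

/* 2. Unused well-known ports: only PORTLOCK may bind them, so nobody can.     */
/*    PORT() takes (lower upper). No MONMSG here on purpose: if an ADDTCPPORT  */
/*    fails, the program should stop rather than leave a port silently open.   */
/*    If this system also serves DNS, give port 53 (TCP and UDP) its own entry */
/*    for the profile that server runs under instead of the ranges below.      */
             ADDTCPPORT PORT(1 22)      PROTOCOL(*TCP) USRPRF(PORTLOCK)
             ADDTCPPORT PORT(24 79)     PROTOCOL(*TCP) USRPRF(PORTLOCK)
             ADDTCPPORT PORT(81 442)    PROTOCOL(*TCP) USRPRF(PORTLOCK)
             ADDTCPPORT PORT(444 1023)  PROTOCOL(*TCP) USRPRF(PORTLOCK)
             ADDTCPPORT PORT(1 1023)    PROTOCOL(*UDP) USRPRF(PORTLOCK)

/* 3. Ports for services actually offered, tied to the profile the server     */
/*    runs under. Telnet (23 to QTCP) is kept only because this example       */
/*    assumes administrators still need it; remove that line if they do not.  */
             ADDTCPPORT PORT(23)        PROTOCOL(*TCP) USRPRF(QTCP)
             ADDTCPPORT PORT(80)        PROTOCOL(*TCP) USRPRF(QTMHHTTP)
             ADDTCPPORT PORT(443)       PROTOCOL(*TCP) USRPRF(QTMHHTTP)

/* 4. Patrick's message deletes the dummy profile at this point:              */
/*      DLTUSRPRF USRPRF(PORTLOCK)                                            */
/*    This example keeps it disabled instead, so CFGTCP option 4 still shows  */
/*    an existing profile and the profile's own audit trail is preserved.     */
             ENDPGM
```

Compile with CRTCLPGM from a QCLSRC member and run it from a profile with the authority to change TCP/IP configuration. Afterwards, review the result with CFGTCP option 4 (Work with TCP/IP port restrictions) and confirm with NETSTAT *CNN that only the intended listeners remain. Restrictions are checked when a job binds a port, so a server that is already listening keeps its port until it is ended and restarted.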




"Jim Franz" <franz400@triad.rr.com>
Sent by: security400-admin@midrange.com
10/06/2002 01:38 PM
Please respond to security400

To:       <security400@midrange.com>
cc:
Subject:  [Security400] web security





The redbook AS400 Internet Security: Protecting Your AS400 from Harm on the
Internet suggests restricting selected ports to specific user IDs that have
password = *NONE.
80 to QTCP, QTMHHTP1, QTMHHTTP
23 to QTCP
Are there others that should be restricted for other services?
lpd, dns, whatever?
Let's just say the firewall in place is "limited" and out of my control.
Looking for things to bolt down.
jim

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list
To post a message email: Security400@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/security400
or email: Security400-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.









This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
