Security considerations for limiting TCP/IP roaming
If your system is connected to a network, you may want to limit your users’ ability to roam the network with TCP/IP applications.
One way to do this is to restrict access to the following client TCP/IP commands:

Note: These commands might exist in several libraries on your system. They are in both the QSYS library and the QTCP library, at a minimum. Be sure to locate and secure all occurrences.
- STRTCPFTP
- FTP
- STRTCPTELN
- TELNET
- LPR
- SNDTCPSPLF
- RUNRMTCMD (REXEC client)
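As an added example that is not part of the original IBM documentation, the CL program below applies the restriction described above to every command in the list, in both QSYS and QTCP: it drops *PUBLIC to *EXCLUDE, grants *USE back to a single group profile, and prints the resulting authorities for the audit record. NETADMIN is an assumed group profile name; CHKOBJ, RVKOBJAUT, GRTOBJAUT and DSPOBJAUT are standard CL commands.

```cl
             PGM
             DCL        VAR(&LIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CMD) TYPE(*CHAR) LEN(10)

/* Each client command is secured in QSYS and QTCP (the documented       */
/* minimum). Run WRKOBJ OBJ(*ALL/FTP) OBJTYPE(*CMD), and so on for each   */
/* name, beforehand to find any further copies in other libraries.       */
             CHGVAR     VAR(&CMD) VALUE('STRTCPFTP')
             CALLSUBR   SUBR(SECURE)
             CHGVAR     VAR(&CMD) VALUE('FTP')
             CALLSUBR   SUBR(SECURE)
             CHGVAR     VAR(&CMD) VALUE('STRTCPTELN')
             CALLSUBR   SUBR(SECURE)
             CHGVAR     VAR(&CMD) VALUE('TELNET')
             CALLSUBR   SUBR(SECURE)
             CHGVAR     VAR(&CMD) VALUE('LPR')
             CALLSUBR   SUBR(SECURE)
             CHGVAR     VAR(&CMD) VALUE('SNDTCPSPLF')
             CALLSUBR   SUBR(SECURE)
             CHGVAR     VAR(&CMD) VALUE('RUNRMTCMD')
             CALLSUBR   SUBR(SECURE)
             RETURN

/* Apply the lock-down to the same command in both libraries.            */
             SUBR       SUBR(SECURE)
             CHGVAR     VAR(&LIB) VALUE('QSYS')
             CALLSUBR   SUBR(LOCK)
             CHGVAR     VAR(&LIB) VALUE('QTCP')
             CALLSUBR   SUBR(LOCK)
             ENDSUBR

/* Skip a library that holds no copy of the command (CPF9801 from        */
/* CHKOBJ); otherwise revoke all *PUBLIC authority, which leaves          */
/* *EXCLUDE, grant *USE to the NETADMIN group profile (assumed name),     */
/* and print the authorities so the change can be verified.              */
             SUBR       SUBR(LOCK)
             CHKOBJ     OBJ(&LIB/&CMD) OBJTYPE(*CMD)
             MONMSG     MSGID(CPF9801) EXEC(RTNSUBR)
             RVKOBJAUT  OBJ(&LIB/&CMD) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL)
             GRTOBJAUT  OBJ(&LIB/&CMD) OBJTYPE(*CMD) USER(NETADMIN) AUT(*USE)
             DSPOBJAUT  OBJ(&LIB/&CMD) OBJTYPE(*CMD) OUTPUT(*PRINT)
             ENDSUBR
             ENDPGM
```

Compile with CRTBNDCL and run it from a profile that owns the commands or has *ALLOBJ. Object authority does not stop profiles with *ALLOBJ special authority, so review who holds it separately.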
Access to the following TCP/IP configuration objects also lets users reach remote systems, so consider restricting them as well:
- Entries in your TCP/IP host table.
- The *DFTROUTE entry in the TCP/IP route table. This allows users to enter the IP address of the next-hop system when their destination is an unknown network; a user can reach a remote network by using the default route.
- Remote name server configuration. This support allows another server in the network to resolve host names for your users.
- The remote system table.
Be aware that a knowledgeable user with access to an ILE C compiler can create a socket program capable of attaching to a TCP or UDP port. You can make this more difficult by restricting access to these socket interface files in the QSYSINC library:
- SYS
- NETINET
- H
- ARPA
- The sockets and SSL service programs:
  - QSOSRV1
  - QSOSRV2
  - QSOSSLSR (SSL)