This article by Peter Martin is an excerpt from the Dec. 11, 2000, Insider Weekly for AS/400 Managers. It is provided... courtesy of The 400 Group.
TCP/IP is the preferred Internet communication protocol for AS/400 shops (an Insider Weekly survey found that over 90% of shops use it), but it can open up your network to a host of holes and exposures. IBM says to be on the watch for these potential security breaches.
Problem 1: System probing
What to look for: Connection attempts to inactive servers; packets with source routing (don't let them through the firewall); packets denied by packet filtering rules (enable journaling for native packet filtering so the denials are recorded); TCP/IP connections left in an unusual state; and excessive pings and other ICMP (Internet Control Message Protocol) traffic. ICMP is the protocol used to notify a sender that its destination node isn't available.
Problem 2: Abnormal system utilization
What to look for: Excessive CPU, I/O, bandwidth, or disk usage. Also, look for service uses during non-working hours, like TELNET at 4 a.m.
Problem 3: Blatant access attempts
What to look for: SSL, IP Security, and digital signature verification failures, as well as authentication failures that are chronicled in the AS/400 audit journal.
Problem 4: Abnormal deletions
What to look for: Audit logs should never be changed, so look there first for suspicious items. Also look for deletion of QSYSOPR, QSYSMSG, or QHST messages, deletion of problem log entries, or monitor programs being stopped.
Problem 5: Installing backdoors
What to look for: Any new objects installed on your system, as well as changes in system values, user profiles, validation lists, object authority, work management, job scheduler, service programs, or communication configurations. Use auditing tools to monitor these items.
Problem 6: Activation of services
What to look for: Jobs or subsystems started, communication lines varied on or off, and servers such as TCP/IP or Client Access being started. In general, watch for the starting and stopping of communication lines, servers, and jobs.
Problem 7: Server exploitation
What to look for: Trend deviations and invalid request methods. Watch for trends with the various servers, such as HTTP (invalid URLs or cgi-bin program failures), FTP (invalid paths), SMTP (spamming or excess mail for a particular user), and DNS (zone transfers or reverse queries used for site mapping).
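The seven "what to look for" lists above are a detection checklist, and they only help if something on the system actually checks for them. The following added example (mine, not the article's or IBM's) shows how that checklist turns into detection logic: it parses a constructed, hypothetical log format (not the AS/400 audit journal or the packet-filter journal layout, which would each need their own parser), applies one-off rules for indicators that are always suspicious (source-routed packets, deleted QHST messages, an out-of-policy HTTP method) and per-source thresholds for indicators that only matter in volume (filter denials, pings, authentication failures), and tags each finding with the problem number it corresponds to. The working hours, thresholds, internal address prefix and every sample log line are constructed assumptions.

```python
"""Indicator checks for the seven problem areas in the article.

Added example, not from the article or from IBM. The log format and all
sample lines are constructed: '<ISO timestamp> <SOURCE> <EVENT> key=value ...'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed site policy (assumptions; tune per shop).
WORK_START, WORK_END = time(7, 0), time(19, 0)  # working hours for Problem 2
DENIED_THRESHOLD = 3        # packet-filter denials per source before alerting
PING_THRESHOLD = 4          # ICMP echo requests per source before alerting
AUTH_FAIL_THRESHOLD = 3     # authentication failures per source before alerting
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST"}
INTERNAL_PREFIX = "192.0.2."   # hosts allowed to pull DNS zone transfers
SENSITIVE_QUEUES = {"QHST", "QSYSOPR", "QSYSMSG"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    problem: int   # problem number from the article
    rule: str
    detail: str


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, event, rest = m.groups()
    rec = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
    rec.update(KV_RE.findall(rest or ""))   # key=value pairs become dict entries
    return rec


def in_working_hours(ts):
    return WORK_START <= ts.time() < WORK_END


def analyze(lines):
    """Run every check over an iterable of log lines; return a list of Findings."""
    findings = []
    denied, pings, auth_fail = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        src, ev, who, when = rec["source"], rec["event"], rec.get("src", "?"), rec["ts"].isoformat()
        user = rec.get("user")
        if (src, ev) == ("PKTFLT", "SRCROUTE"):                       # Problem 1
            findings.append(Finding(1, "source-routed packet", f"{when} from {who}"))
        elif (src, ev) == ("PKTFLT", "DENIED"):                       # Problem 1 (counted)
            denied[who] += 1
        elif (src, ev) == ("ICMP", "ECHO"):                           # Problem 1 (counted)
            pings[who] += 1
        elif (src, ev) == ("SESSION", "START") and not in_working_hours(rec["ts"]):  # Problem 2
            findings.append(Finding(2, "service use outside working hours",
                                    f"{when} {rec.get('service')} by {user} from {who}"))
        elif (src, ev) == ("AUTH", "FAIL"):                           # Problem 3 (counted)
            auth_fail[who] += 1
        elif src in {"SSL", "IPSEC", "SIGNATURE"} and ev.endswith("FAIL"):  # Problem 3
            findings.append(Finding(3, f"{src} verification failure", f"{when} from {who}"))
        elif src in SENSITIVE_QUEUES and ev == "MSGDELETE":           # Problem 4
            findings.append(Finding(4, f"{src} messages deleted", f"{when} by {user}"))
        elif (src, ev) == ("SYSVAL", "CHANGE"):                       # Problem 5
            findings.append(Finding(5, "system value changed", f"{when} {rec.get('name')} by {user}"))
        elif (src, ev) == ("SERVER", "START"):                        # Problem 6
            findings.append(Finding(6, "server started", f"{when} {rec.get('name')} by {user}"))
        elif (src, ev) == ("HTTP", "REQUEST") and rec.get("method") not in ALLOWED_HTTP_METHODS:  # Problem 7
            findings.append(Finding(7, "invalid HTTP request method",
                                    f"{when} {rec.get('method')} {rec.get('path')} from {who}"))
        elif (src, ev) == ("DNS", "AXFR") and not who.startswith(INTERNAL_PREFIX):  # Problem 7
            findings.append(Finding(7, "zone transfer to outside host", f"{when} {rec.get('zone')} to {who}"))
    # Threshold rules run after the pass so the counts cover the whole window.
    for who, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(Finding(1, "repeated packet-filter denials", f"{n} from {who}"))
    for who, n in pings.items():
        if n >= PING_THRESHOLD:
            findings.append(Finding(1, "excessive ICMP echo requests", f"{n} from {who}"))
    for who, n in auth_fail.items():
        if n >= AUTH_FAIL_THRESHOLD:
            findings.append(Finding(3, "repeated authentication failures", f"{n} from {who}"))
    return findings


def summarize(findings):
    """Number of findings per problem area."""
    return Counter(f.problem for f in findings)


# Constructed sample: one night of probing from 10.9.8.7, then daytime server abuse.
SAMPLE_LOG = """\
2000-12-11T03:58:12 PKTFLT DENIED src=10.9.8.7 dst=192.0.2.10 proto=tcp dport=23 rule=R12
2000-12-11T03:58:13 PKTFLT DENIED src=10.9.8.7 dst=192.0.2.10 proto=tcp dport=21 rule=R12
2000-12-11T03:58:14 PKTFLT DENIED src=10.9.8.7 dst=192.0.2.10 proto=tcp dport=80 rule=R12
2000-12-11T03:58:15 PKTFLT SRCROUTE src=10.9.8.7 dst=192.0.2.10
2000-12-11T04:02:40 SESSION START service=TELNET user=OPER1 src=10.9.8.7
2000-12-11T04:03:01 AUTH FAIL service=FTP user=OPER1 src=10.9.8.7
2000-12-11T04:03:05 AUTH FAIL service=FTP user=OPER1 src=10.9.8.7
2000-12-11T04:03:09 AUTH FAIL service=FTP user=OPER1 src=10.9.8.7
2000-12-11T04:05:00 SERVER START name=FTP user=OPER1
2000-12-11T04:10:00 SSL HANDSHAKE_FAIL src=10.9.8.7 reason=bad_certificate
2000-12-11T09:15:22 SESSION START service=TELNET user=ALICE src=192.0.2.55
2000-12-11T09:18:00 SYSVAL CHANGE name=QSECURITY user=OPER1
2000-12-11T09:20:00 QHST MSGDELETE user=OPER1 count=120
2000-12-11T09:21:13 HTTP REQUEST method=TRACE path=/cgi-bin/ src=198.51.100.4
2000-12-11T09:21:14 HTTP REQUEST method=GET path=/index.html src=198.51.100.4
2000-12-11T09:22:00 DNS AXFR zone=example.com src=198.51.100.4
2000-12-11T09:22:01 DNS AXFR zone=example.com src=192.0.2.53
2000-12-11T09:30:00 ICMP ECHO src=198.51.100.4 dst=192.0.2.10
2000-12-11T09:30:01 ICMP ECHO src=198.51.100.4 dst=192.0.2.10
2000-12-11T09:30:02 ICMP ECHO src=198.51.100.4 dst=192.0.2.10
2000-12-11T09:30:03 ICMP ECHO src=198.51.100.4 dst=192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"Problem {f.problem}: {f.rule} ({f.detail})")
```

The split between immediate rules and counted rules is the point: a single denied packet or failed login is noise, while a source-routed packet or a purge of QHST messages is worth a ticket on its own. Running it against the sample yields eleven findings across all seven problem areas; the daytime TELNET session, the GET request and the zone transfer from the internal address correctly produce nothing.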
Secure your TCP/IP connection: follow these seven tips
- Start only TCP/IP servers that are needed
- Consider using non-global IP addresses
- Stop applications from using popular ports
- Turn IP Source Routing off
- Allow IP Datagram forwarding when needed
- Don't leave PPP or SLIP lines waiting in answer state
- Turn off the DNS and HTTP servers