Security
The AS/400 as a Bastion
The AS/400 can be made into a good bastion system with the right configuration and effort to fully secure it. The network layout is similar to the 'sacrificial lamb', with the addition of an attachment to the local network. Local users would first get a 5250 screen on the bastion AS/400, and then use other TCP/IP client functions like FTP and TELNET to directly access the Internet. Graphical web clients could not be used.
- Data could be 'live' either on this bastion AS/400 or via comms (TCP/IP or SNA) to other DB2 systems.
- This layout works well for HTTP, anonymous FTP, or WSG with an exit program, since all of these can provide very good security.
- No compilers
- No restore commands
- Protect the HTTP configuration file and all communications commands.
- Protect STRPASTHR, TELNET or any other command that could be used to reach other systems.
- Limited number of user profiles, and what profiles you do have are severely limited in the objects they can access.
- *SECOFR user profile can only sign on to a defined twin-ax attached device.
- Only have the servers (daemons) running that are needed.
- Security level 40 (Integrity Protection) recommended.
- Audit this system often.
- Turn off IP datagram forwarding, forcing rogue hackers to 'log on' to this bastion system.
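The checklist above expressed as a single CL program (an added example, not part of the original presentation). It assumes the twin-ax display is named DSP01, that the HTTP configuration lives in the file QUSRSYS/QATMHTTPC, and that SMTP and POP are the servers this bastion does not need; adjust those names to your own system.

```cl
/* HRDBASTN: apply the bastion hardening checklist.            */
/* Review each command against your own configuration first.   */
PGM

  /* Security level 40 (integrity protection); takes effect at next IPL */
  CHGSYSVAL  SYSVAL(QSECURITY) VALUE('40')

  /* Limit *SECOFR-class profiles to explicitly authorized devices,   */
  /* then authorize QSECOFR to the one twin-ax display (DSP01 assumed) */
  CHGSYSVAL  SYSVAL(QLMTSECOFR) VALUE('1')
  GRTOBJAUT  OBJ(QSYS/DSP01) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*CHANGE)

  /* Turn on security auditing so the system can be reviewed often */
  CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
  CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *SERVICE *PGMFAIL')

  /* Exclude the public from commands that reach other systems */
  GRTOBJAUT  OBJ(QSYS/STRPASTHR) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT  OBJ(QSYS/TELNET)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT  OBJ(QSYS/FTP)       OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

  /* No restore commands for the public */
  GRTOBJAUT  OBJ(QSYS/RSTOBJ)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT  OBJ(QSYS/RSTLIB)    OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT  OBJ(QSYS/RST)       OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

  /* Protect the HTTP configuration file (file name assumed) */
  GRTOBJAUT  OBJ(QUSRSYS/QATMHTTPC) OBJTYPE(*FILE) USER(*PUBLIC) +
               AUT(*EXCLUDE)

  /* Stop the bastion from forwarding datagrams between its interfaces */
  CHGTCPA    IPDTGFWD(*NO)

  /* End the servers this bastion does not need (assumed list) */
  ENDTCPSVR  SERVER(*SMTP)
  ENDTCPSVR  SERVER(*POP)

ENDPGM
```

Compilers are licensed program options rather than single commands, so "no compilers" is met by not installing them (or removing them with DLTLICPGM) rather than by an authority change in this program.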
SEC065