Security

The AS/400 with a Packet Filter

A Packet Filter operates down at the IP and TCP/UDP level. This is usually just a router with some extra configuration to define some new rules about how to route an IP datagram based upon:

• Source host IP address
• Source host port number
• Destination host IP address
• Destination host port number
• Protocol flags such as ACK or SYN

This would allow, for example, for you to have your Telnet server started on the AS/400 on port 23 and be able to configure the Packet Filter to discard all IP datagrams coming from the external network for port 23. All Telnet clients (on the AS/400 or any other internal system) could be given full access to the external network.

• Data could be 'live' either on this AS/400 or via comms (TCP/IP or SNA) to other DB2 systems.
• Limit compilers
• Limit restore commands
• Protect HTTP configuration file, all communication commands.
• Protect STRPASTHR, TELNET or any other command that could be used to reach other systems.
• Limited number of user profiles, and what profiles you do have should be limited in the objects they can access.
• Only have the servers (deamons) running that are needed.
• Configure the Packet Filter to only allow necessary traffic to the necessary servers. For example, our AS/400 could be the HTTP server for the external network. The Packet Filter should only allow traffic originating from the external network to the AS/400 for port 80 (HTTP default port).
• Security level 40 (Integrity Protection) recommended.
• Audit this system often.

Agenda

SEC066