Restricting outside access to i5 - IBM AS400



Thread: Restricting outside access to i5

  1. Restricting outside access to i5

    Most people who get into our i5 remotely do so by connecting first to
    the company VPN. Users who connect in this way must have a VPN account
    set up, and are issued an RSA token device.

    There are some people who don't come in via the VPN, but instead open a
    browser window and go to a publicly accessible web site. I don't know
    much about networking, but I believe some kind of network address
    translation redirects them to an HTTP server running on our i5 that runs
    a software product called Strategi, from a company called Advanced
    BusinessLink. Once they get to that site, and provided they have a
    Strategi user ID on the i5, they can get a Java applet 5250 emulation
    screen and sign onto the i5.

    To my dismay, I found that if I open a DOS window on my personal (not
    company) computer at home, and start a Telnet session to the same URL
    used for Strategi, I instantly get a sign-on screen for the i5. I'd
    like to close this hole, but obviously without damaging other authorized
    Telnet access to the i5, e.g. from another i5 partition /inside/ our
    network, or from iSeries Access. What are my options?

  2. Re: Restricting outside access to i5

    Hi Jonathan -

    On Fri, 10 Oct 2008 18:26:43 -0700, Jonathan Ball wrote:

    >To my dismay, I found that if I open a DOS window on my personal (not
    >company) computer at home, and start a Telnet session to the same URL
    >used for Strategi, I instantly get a sign-on screen for the i5. I'd
    >like to close this hole, but obviously without damaging other authorized
    >Telnet access to the i5, e.g. from another i5 partition /inside/ our
    >network, or from iSeries Access. What are my options?


    Telnet is to destination port 23. If you block incoming TCP
    connections to port 23 in your company's internet router, that will
    block the direct telnet connections.

    This should not interfere with telnet (or Client Access which uses
    telnet for display sessions) through the VPN because the internet
    router only sees the VPN packets. The packets with destination port
    23 are encapsulated within the VPN packets.

    The Strategi web connection presumably is to port 80 (the default HTTP
    port). If it uses a custom port, it shouldn't be port 23, so that
    should not be interfered with either. (It's been several years since
    we used Strategi where I work, so I don't remember the details nor can
    I test it.)

    Speaking personally, for maximum security I recommend that all
    incoming connections be blocked at your internet router by default,
    and only the needed protocols and ports be opened.

    --
    Ken
    Opinions expressed are my own and do not necessarily represent the views
    of my employer or anyone in their right mind.

  3. Re: Restricting outside access to i5

    The Easy400 site ( http://www.easy400.net ) provides free iSeries
    software utilities, all complete with source code.
    One of these utilities is named SECTCP ("Triple A Secured TCP").
    The SECTCP utility allows you to restrict and log access to FTP and TELNET.
    In your case, with SECTCP you could restrict TELNET access to ranges
    of IP addresses, including your local network and the remote users
    allowed to log on.

    Giovanni B. Perotti
    Easy400 site owner

    On Oct 11, 3:26 am, Jonathan Ball wrote:
    > Most people who get into our i5 remotely do so by connecting first to
    > the company VPN. Users who connect in this way must have a VPN account
    > set up, and are issued an RSA token device.
    >
    > There are some people who don't come in via the VPN, but instead open a
    > browser window and go to a publicly accessible web site. I don't know
    > much about networking, but I believe some kind of network address
    > translation redirects them to an HTTP server running on our i5 that runs
    > a software product called Strategi, from a company called Advanced
    > BusinessLink. Once they get to that site, and provided they have a
    > Strategi user ID on the i5, they can get a Java applet 5250 emulation
    > screen and sign onto the i5.
    >
    > To my dismay, I found that if I open a DOS window on my personal (not
    > company) computer at home, and start a Telnet session to the same URL
    > used for Strategi, I instantly get a sign-on screen for the i5. I'd
    > like to close this hole, but obviously without damaging other authorized
    > Telnet access to the i5, e.g. from another i5 partition /inside/ our
    > network, or from iSeries Access. What are my options?
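    The two answers above describe the same control from two angles: Ken's router rule lets only VPN-encapsulated Telnet through, and Giovanni's SECTCP restricts Telnet by source IP range and logs the attempts. The following is an added illustration of that source-address allowlist logic, not the Easy400 SECTCP code or anything from this thread; the address ranges, user names and connection attempts are constructed, and the exit-program shape is assumed.

```python
"""Source-address allowlist for Telnet, in the style of an IBM i TCP exit program.

Constructed example, not the Easy400 SECTCP code: decide from the source IP
whether to accept a Telnet session and emit an audit line for every attempt.
"""
import ipaddress

# Hypothetical site ranges: the internal LAN (which also holds the other i5
# partition) and the address pool handed to VPN clients.  Anything else,
# including a home PC connecting straight from the internet, is denied.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.1.0.0/16"),    # internal LAN (constructed)
    ipaddress.ip_network("10.200.0.0/24"),  # VPN client pool (constructed)
]

def telnet_allowed(src_ip, allowed=ALLOWED_RANGES):
    """True only if src_ip parses as an address inside an allowed range.
    Anything that does not parse (hostname, garbage) is denied: fail closed."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)

def audit_line(when, src_ip, user, allowed):
    """One fixed-format record per attempt; 'when' is an ISO-8601 timestamp."""
    return f"{when} TELNET {'ALLOW' if allowed else 'DENY'} src={src_ip} user={user}"

def screen_connections(attempts, allowed=ALLOWED_RANGES):
    """Evaluate (src_ip, user, when) attempts; return (accepted, audit_log)."""
    accepted, audit_log = [], []
    for src_ip, user, when in attempts:
        ok = telnet_allowed(src_ip, allowed)
        audit_log.append(audit_line(when, src_ip, user, ok))
        if ok:
            accepted.append((src_ip, user))
    return accepted, audit_log

if __name__ == "__main__":
    sample = [  # constructed connection attempts
        ("10.1.5.20", "oper1", "2008-10-11T01:26:00Z"),     # other partition, inside
        ("10.200.0.17", "jball", "2008-10-11T01:26:30Z"),   # home PC via the VPN pool
        ("203.0.113.45", "jball", "2008-10-11T01:27:00Z"),  # home PC, direct Telnet
        ("not-an-ip", "x", "2008-10-11T01:28:00Z"),         # malformed source, denied
    ]
    for line in screen_connections(sample)[1]:
        print(line)
```

The same user is accepted from the VPN pool and refused from the raw internet address, which is exactly the distinction the original poster wants; the DENY lines are what you would review to confirm the hole is closed.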


