Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

  • Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

    Our AS/400 has been on the Internet for approx. 1 year. I have told new boss of my concerns with security and more & more people asking to get on from home (dialing into local ISP & connecting to our AS/400). He says--why the concern ?? you can type the AS/400's I.P. # in and get a page not found screen-- and even if someone did tap in-- you have to know user ID's and passwords... When he asked why we need a firewall-- I didn't have an answer... Could someone please give me some ammunition ...?? Thanks very Much--- ROB

  • #2
    Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

    Just a thought; did you need a fire-wall before Bill Gates? If you felt secure with twin-ax and SNA, what new concerns does the internet present? bobh



    • #3
      Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

      Rob wrote: "When he asked why we need a firewall-- I didn't have an answer... Could someone please give me some ammunition ...??" There's so many twists and tricks to networking configuration that I don't pretend to be on top of it, but I think a fundamental question is whether only the AS/400 is physically exposed to the Internet? Any other scenario brings up possibilities of cracking systems other than the AS/400 and widens the scope of considerations considerably. I only mention this because of the way your post only mentioned the AS/400 as being exposed and accessed. If this were really true, somebody please help me understand what a firewall would do, provide a proxy address and limit the ports on the AS/400 that could be accessed? Ralph ralph@ee.net



      • #4
        Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

        If you are using TELNET, as opposed to SSL TELNET, you are subject to an insidious form of hacking known as spoofing. A spoofer can capture the keystrokes of someone using your site. If you present a 5250 sign-on screen to the user, the spoofer can capture another user's ID and password. If you leave the FTP server running, you may find your hard drives clogged with all sorts of garbage. If you are using the AS/400 as a web server, it is done from the IFS. The IFS is subject to viruses, and the web site may be exposed to all sorts of attacks. A Firewall is a small insurance policy. It is not an absolute guarantee, but it's better than locking the barn door after all the horses have escaped! Dave



        • #5
          Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

          Dave wrote: "A Firewall is a small insurance policy" Yeah, but could you help us understand this, Dave? What does a firewall do when only the AS/400 is physically exposed to the Internet to prevent telnet spoofing, FTP hacking, and infecting IFS with a virus? Everywhere I've been the firewall was a gateway to a WAN, but what about exposing an AS/400 on a separate physical segment to an ISP? I'm aware that IBM dropped the AS/400 firewall product, but that's about it... Thanks, Ralph ralph@ee.net



          • #6
            Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

            Ralph Daugherty wrote: I've been the firewall was a gateway to a WAN, but what about exposing an AS/400 on a separate physical segment to an ISP? Specifically that was what I was referring to. Sorry if I wasn't clear. I have this setup using an NT firewall at one client. It is the only NT box in the entire shop, and its dedicated purpose is that of firewall. It sits between the router and the ISP. We are not using it for much of anything except to close port 23 and a few other ports to the outside. OTOH it has far greater capabilities than the current use, and if we decide to implement these restrictions, we will be able to. Too bad about the AS/400 firewall. I attended a session on configuring the AS/400 firewall. Just about all who attended walked away shaking our heads with complications and confusion. The rumor I heard was that IBM gave up on the product, when their own people were unable to properly install it. I have no verification of that. Dave



            • #7
              Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

              Dave wrote: "It is the only NT box in the entire shop, and its dedicated purpose is that of firewall." That's funny in that NT provides more opportunity to crackers than it prevents. That credit card operation that got cracked this weekend was an NT. Almost 4 million credit card numbers. I'm sure you have most NT services shut off but the article listed a couple of major entry points that weren't telnet or FTP, but there were patches and you've probably applied them. Still I can't imagine how NT is more secure than a router. Can't the router block those ports? I still don't understand what a firewall does for an AS/400 in the sense that an isolated AS/400 doesn't have other IP addresses enabled for internal network communications. Ralph ralph@ee.net



              • #8
                Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

                Any machine with open communications to the outside can be hacked. The AS/400 is more difficult than others because of its security features. If the 400 is truly stand-alone, then it's the only unit exposed. If it participates in a LAN and/or WAN then it exposes all servers in the LAN/WAN. I'm not an expert on Firewalls. I know our company uses and depends on them to prevent unauthorized access. I know they have filters activated to prevent specific in and out traffic. Anything inbound must be encrypted, except mail. Outbound filters are to keep the employees away from playboy.com, penthouse.com, etc. Other filters protect ports, redirect specific traffic to other ports. Despite that, we still are subject to virus attacks via email. We probably have installed and running every virus checking package on the market. We are still subject to virus attacks. The Love joke is still embedded somewhere in the network, and they can't find where. Every new employee triggers it. I brought up mail this morning and found 6 occurrences of the love joke from one person. Plus 6 notifications from Innoculan that it saw the virus (no cure). So Rob, I guess the only argument for a firewall is that it is a protection shell that sits in front of your assets, your production data, and offers some detriment to unauthorized users. My nickel. Happy New Year everyone.



                • #9
                  Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

                  David, I am going to configure a HOD and I think I'll use a NT/box with a firewall (I heard about IBM firewall for NT 4.2)(and maybe a SSL) as you did. What firewall did you install on the NT machine ? Regards, Simone



                  • #10
                    Our AS/400 is on the Internet - Boss asks why we need a Firewall ?

                    I will be going to HOD in the near future. From what I read, be sure to configure HOD to use SSL TELNET (port 992) instead of port 23. Use the firewall to kill port 23 to outside traffic. I'm drawing a blank on the firewall software. I won't be at that shop until Tuesday next. I'll let you know. Dave

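The filtering discussed in the thread (a box between the router and the ISP that closes port 23 and a few other ports to the outside, with SSL Telnet on port 992 for remote users) can be modelled as a first-match rule list with default deny. This is an added example, not code from any poster or product in the thread; the addresses, the rule set and the names `Rule`, `decide` and `exposed_ports` are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (not from the thread): 10.0.0.0/8 stands in for the
# internal LAN; 203.0.113.7 is a documentation address used as an outside host.
INSIDE = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    source: str   # "inside", "outside" or "any"
    port: int     # destination TCP port on the AS/400
    note: str

# First match wins; anything unmatched is dropped. The explicit denies record
# intent for an auditor: default deny would drop that traffic anyway.
POLICY = [
    Rule("permit", "inside", 23, "plain 5250 Telnet stays usable on the LAN"),
    Rule("deny", "outside", 23, "cleartext sign-on never crosses the Internet"),
    Rule("deny", "outside", 21, "FTP server is not offered to the outside"),
    Rule("permit", "any", 992, "SSL Telnet for remote users"),
    Rule("permit", "any", 80, "public web pages"),
]

def zone(src):
    """Classify a source address as 'inside' or 'outside'."""
    return "inside" if ip_address(src) in INSIDE else "outside"

def decide(src, port, policy=POLICY):
    """Return (action, note) for a TCP connection attempt to the AS/400."""
    for rule in policy:
        if rule.port == port and rule.source in ("any", zone(src)):
            return rule.action, rule.note
    return "deny", "no rule matched (default deny)"

def exposed_ports(policy=POLICY, probe_src="203.0.113.7", ports=range(1, 1025)):
    """Ports an outside host can still reach: the surface left to defend."""
    return [p for p in ports if decide(probe_src, p, policy)[0] == "permit"]

if __name__ == "__main__":
    # Constructed connection attempts; 5000 is a port no rule mentions.
    for src, port in [("203.0.113.7", 23), ("10.1.2.3", 23),
                      ("203.0.113.7", 992), ("203.0.113.7", 5000)]:
        print(src, port, *decide(src, port))
    print("reachable from outside:", exposed_ports())
```

Without the filter, every service listening on the host is reachable from the Internet and protected only by user IDs and passwords; with it, the outside sees only the ports in the `exposed_ports()` result.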