Seven problem areas to monitor for AS/400-TCP/IP host intrusion

This article by Peter Martin is an excerpt from the Dec. 11, 2000, Insider Weekly for AS/400 Managers. It is provided courtesy of The 400 Group.

TCP/IP is the preferred Internet communication protocol for AS/400 shops (an Insider Weekly survey found that over 90% of shops use it), but it can open up your network to a host of holes and exposures. IBM says to be on the watch for these potential security breaches.

Problem 1: System probing

What to look for: Connection attempts to inactive servers, packets with source routing (don't let them in through the firewall), packets denied due to packet filtering rules (enable journaling for native packet filtering), TCP/IP connections left in an unusual state, and excessive pings and other ICMP (Internet Control Message Protocol) traffic; ICMP is used to notify a sender that its destination node isn't available.

Problem 2: Abnormal system utilization

What to look for: Excessive CPU, I/O, bandwidth, or disk usage. Also, look for service uses during non-working hours, like TELNET at 4 a.m.

Problem 3: Blatant access attempts

What to look for: SSL, IP Security, and digital signature verification failures, as well as authentication failures that are chronicled in the AS/400 audit journal.

Problem 4: Abnormal deletions

What to look for: Audit logs should never be changed, so look there first for suspicious items. Also look for deletion of QSYSOPR, QSYSMSG, or QHST messages, deletion of problem log entries, or monitor programs being stopped.

Problem 5: Installing backdoors

What to look for: Any new objects installed on your system, as well as changes in system values, user profiles, validation lists, object authority, work management, job scheduler, service programs, or communication configurations. Use auditing tools to monitor these items.

Problem 6: Activation of services

What to look for: Jobs or subsystems started, communication lines varied on or off, servers such as TCP/IP or Client Access being started, and the starting and stopping of communication lines, servers and jobs.

Problem 7: Server exploitation

What to look for: Trend deviations and invalid request methods. Watch for trends with various servers, such as HTTP (invalid URLs or cgi-bin program failures), FTP (invalid paths), SMTP (spamming or excess mail for a particular user), and DNS (zone transfers or reverse queries for site mapping).
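The indicators in these seven areas can be turned into simple rules run over log lines. The following script is an added example, not from the article or from IBM; it uses a constructed, simplified log format (not a real AS/400 journal layout) and assumed thresholds, and covers problems 1, 2, 3 and 7.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log in a hypothetical simplified format:
# "<ISO timestamp> <service> <event> key=value ..." (not a real AS/400 journal layout)
SAMPLE_LOG = """\
2000-12-11T04:02:10 TELNET CONNECT src=192.0.2.7 user=QSECOFR
2000-12-11T09:15:00 TELNET CONNECT src=192.0.2.8 user=JDOE
2000-12-11T09:15:05 FTP AUTHFAIL src=198.51.100.9 user=QPGMR
2000-12-11T09:15:07 FTP AUTHFAIL src=198.51.100.9 user=QPGMR
2000-12-11T09:15:09 FTP AUTHFAIL src=198.51.100.9 user=QPGMR
2000-12-11T09:15:11 FTP AUTHFAIL src=198.51.100.9 user=QPGMR
2000-12-11T10:01:00 DNS QUERY src=203.0.113.5 type=AXFR zone=example.com
2000-12-11T10:02:00 FILTER DENY src=203.0.113.5 reason=source-route
2000-12-11T11:00:00 HTTP REQUEST src=192.0.2.9 method=FOOBAR url=/
"""

OFF_HOURS = range(0, 6)          # assumption: 00:00-05:59 is non-working time
AUTHFAIL_THRESHOLD = 3           # assumption: 3 failures from one source is worth an alert
HTTP_METHODS = {"GET", "POST", "HEAD"}

def parse(line):
    """Split one log line into (timestamp, service, event, {key: value})."""
    ts, svc, ev, *kvs = line.split()
    return datetime.fromisoformat(ts), svc, ev, dict(kv.split("=", 1) for kv in kvs)

def detect(log_text):
    """Return (problem_area, message) alerts for the article's indicators."""
    alerts, fails = [], Counter()
    for line in log_text.splitlines():
        ts, svc, ev, f = parse(line)
        if svc == "FILTER" and ev == "DENY" and f.get("reason") == "source-route":
            alerts.append((1, f"source-routed packet denied from {f['src']}"))   # probing
        if svc == "TELNET" and ev == "CONNECT" and ts.hour in OFF_HOURS:
            alerts.append((2, f"TELNET at {ts:%H:%M} from {f['src']}"))          # off-hours use
        if ev == "AUTHFAIL":
            fails[(f["src"], f["user"])] += 1
            if fails[(f["src"], f["user"])] == AUTHFAIL_THRESHOLD:               # alert once
                alerts.append((3, f"{AUTHFAIL_THRESHOLD} {svc} auth failures for {f['user']} from {f['src']}"))
        if svc == "DNS" and f.get("type") == "AXFR":
            alerts.append((7, f"zone transfer request for {f['zone']} from {f['src']}"))
        if svc == "HTTP" and f.get("method") not in HTTP_METHODS:
            alerts.append((7, f"invalid HTTP method {f['method']} from {f['src']}"))
    return alerts

if __name__ == "__main__":
    for area, msg in detect(SAMPLE_LOG):
        print(f"Problem {area}: {msg}")
```

The daytime TELNET session and the first two FTP failures produce no alert, which is the point of the thresholds: the rules flag the pattern, not every event.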

To secure your TCP/IP connection, follow these seven tips

  • Start only TCP/IP servers that are needed

  • Consider using non-global IP addresses

  • Stop applications from using popular ports

  • Turn IP Source Routing off

  • Allow IP Datagram forwarding when needed

  • Don't leave PPP or SLIP lines waiting in answer state

  • Turn off DNS and HTTP server


This was first published in December 2000
