|
ONE caveat to this... At my last job (2 1/2 years ago and running on V3R7) using Client Access to connect PC's, with QAUTOVRT set to 0, the system would STILL create these devices !!! So do a test and make SURE you are OK ! I just did that on our box (V4R1) connecting via TCP/IP and running Synapse Netwolf and it does NOT work (i.e. no device created and CPF87D7 (Cannot automatically select virtual device.) message logged to QSYSOPR. Chuck Jim Langston wrote: > QAUTOVRT and security. > > It should be fine to change your QAUTOVRT to 0, since any needed devices > by this time should already be created. They do not disappear after being > created but hang around until you delete them manually, they are reused. > > So what's the big deal then? > > Say you have some hacker trying to access your system. He gets to your > system either through dial in or telnet or similar methods. He tries to > log into your system by guessing user names and passwords. Now, if you > have your security set up correctly, when the system disables a user > profile it will also disable the device. With QAUTOVRT set to 0 (do not > create) once the hacker reaches the last usable device he will no longer > be able to get a sign on. So you thwarted his attempts. > > But, with QAUTOVRT set to 1 (auto create) the hacker can try as often as > he likes, because even though the virtual devices are becoming disabled, he > just starts a new connection and a new one is created. > > The way to use QAUTOVRT with security in mind is to initially turn it on and > allow a number of devices to be created. After enough auto devices get >created > you turn it off. You now have enough virtual devices for everyone to get onto > your system that needs too, but no more will be created when someone comes >along > and starts disabling them trying to hack into your system. > > Regards, > > Jim Langston > > Date: Tue, 17 Oct 2000 16:47:49 EDT > From: MacWheel99@aol.com > Subject: Re: Okay to change QAUTOVRT to zero? > > There are a couple issues here. > > Someone made a security review & suggested something to improve security. > Bryan Burns asked what the implications of the adjustment might be. > Al Mac asked what impact this might have on AUTHORIZED DIAL IN. > Chuck Lewis implied that it might not interfere with ANY dial in. > Which means that the original security reviewer missed something ... if a > port or line is left open for the purpose of an AUTHORIZED dial in, or pass > thru, then an intruder might also use that access. > So what has been accomplished by adjusting QAUTOVRT from perspective of the > security goals? > Or am I off in left field ... QAUTOVRT is not FOR security of dial in, but > for security of LAN attachments? > > Alister William Macintyre > Computer Data Janitor etc. of BPCS 405 CD Rel-02 on 400 model 170 OS4 V4R3 > (forerunner to IBM e-Server i-Series 400) @ http://www.cen-elec.com Central > Industries of Indiana--->Quality manufacturer of wire harnesses and > electrical sub-assemblies > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.