Steve

We do this at work. Admittedly, right now we are protected by Swiss cheese, but we're moving to VPN across the board.

Leave your PC as the DMZ, then forward port 23 to the 400. This is really the same as you suggest, where you were going to put the 400 on the DMZ. If you do that, then you only need to forward port 21 for FTP. But I'd prefer not to open the 400, with all its servers, on the DMZ.

We have 3 400s inside the router, all of which need to be reached from outside. VPN is our eventual answer but not done yet. So I've changed the ports for TELNET and FTP, where I can, as well as for a couple of servers our products use, and Client Access. Of course, this is a slight maintenance and setup headache, soon to be alleviated.

I assume your router is set up to be a DHCP server. Be sure to give the 400 an address in the range not assigned by the router. When defining the default route, make the next hop be the LAN address of the router (probably 192.168.1.1). And put the DNS servers into, I think, option 12 of CFGTCP. Use the ones that your provider has given you.

We're using a LinkSys VPN router with 4-port switch. It has something called Stateful Packet Inspection, which is a very good idea, except that forwarding does not work if SPI is enabled. Maybe the newer wireless router has this, but it may have the same operational problem. This is why a "real" firewall is better, for one thing.

Configuring the LinkSys is pretty simple - but it is not THE most secure method. The VPN we have is only shared private key, not certificates, and is, therefore, somewhat weak. But not too bad for our purposes. Esp. as we are limited in time and personnel (just me).

Contact me offline, if you want.

Vern

At 05:46 PM 10/17/02 -0500, you wrote:
Good afternoon:

I just bought an AS/400 with V5R1 that I am going to install on my home network via an ethernet connection. I'm trying to figure out how to allow access to this system from the internet via my Linksys router. I know that I have to set up a default route entry on the AS/400. I know that there are probably several ways to accomplish this, but my environment is somewhat complicated. I have searched the archives here and I have looked on the Linksys site, but I haven't found a definitive answer to my questions.

Here is my scenario:

I have RoadRunner cable modem service and I am using the Linksys model BEFW11S4 wireless router to allow the PC's on my home network (all nine of them-ok, I'm a geek) to reach the internet. One of these PC's is currently running FTP server software, and is exposed to the internet using the router's DMZ host option. I want to keep this FTP server PC exposed to the internet, and at the same time want to expose my AS/400 to the internet so that I can access it remotely via a telnet connection thru Client Access or Rumba.

I am concerned about security at this point, but not paranoid. I know that some of you are probably going to scream about security, but I am willing to take my chances that someone could hack the system. After all, it is MY playground. I plan to change the passwords to the IBM-supplied profiles, but I could also use some pointers about what else needs to be locked down on the AS/400 when it is exposed to the internet. All I initially plan to do from the internet is telnet 5250 emulation and possibly FTP.

What I really am trying to figure out is how I can expose BOTH my AS/400 AND my FTP server to the internet at the same time. I guess I could go into the router configuration and manually change the address used by DMZ between the PC and the AS/400, but I would like to figure out how to enable both at the same time. The router also has port forwarding.

Here are my questions:

1) Is it as simple as just specifying the AS/400's IP as the DMZ host and then use port forwarding on the router to forward the FTP (ports 20 & 21) to the PC FTP server's IP?

2) Should I replace the router with a true firewall? Will this let me do multiple DMZ's? If so, is there a low-priced or free firewall package that is fairly easy to set up and administer to replace or supplement my Linksys router? I have a copy of Linux and an extra PC (6 more in the garage) that I can load Linux on in order to run firewall software if necessary.

3) Besides changing the passwords for the IBM-supplied profiles, what else do I need to do to secure my AS/400 system when exposed to the internet? Which services should I start/NOT start with STRTCPSVR to help protect the system from outside attacks?

4) Does anyone have any experience in this area that you are willing to share?

5) Does anyone have any web links that would be beneficial?

6) Are there any questions that I should have asked that I didn't?

Thanks in advance for your help...

Steve Landess
Austin, Texas
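
Added example, not part of either message above: a small model of the two router layouts discussed in this thread, showing which AS/400 listeners each one leaves reachable from outside. The host addresses and the listener table are constructed sample data, and the rule that an explicit port forward takes precedence over the DMZ host is an assumption about the router.

```python
# Added example: models a consumer NAT router's handling of unsolicited
# inbound TCP. Assumption: a port forward wins over the DMZ host catch-all.

AS400 = "192.168.1.50"   # constructed address, outside the DHCP pool
PC = "192.168.1.100"     # constructed address of the FTP server PC

# Constructed sample of TCP listeners on each host (not from the thread).
LISTENERS = {
    AS400: {21: "ftp", 23: "telnet", 446: "ddm/drda", 449: "as-svrmap",
            8470: "as-central", 8471: "as-database", 8475: "as-rmtcmd",
            8476: "as-signon"},
    PC: {21: "ftp"},
}


def route(port, forwards, dmz_host):
    """Return the inside host that an inbound connection to `port` reaches."""
    return forwards.get(port, dmz_host)


def exposed(forwards, dmz_host):
    """Map (host, port) -> service for every listener reachable from outside."""
    result = {}
    for host, services in LISTENERS.items():
        for port, name in services.items():
            if route(port, forwards, dmz_host) == host:
                result[(host, port)] = name
    return result


def as400_exposure(forwards, dmz_host):
    """Sorted list of AS/400 ports reachable from the internet."""
    return sorted(p for (h, p) in exposed(forwards, dmz_host) if h == AS400)


# Layout A (the question): AS/400 as DMZ host, FTP ports forwarded to the PC.
LAYOUT_A = ({20: PC, 21: PC}, AS400)
# Layout B (the reply): PC stays the DMZ host, only port 23 goes to the AS/400.
LAYOUT_B = ({23: AS400}, PC)

if __name__ == "__main__":
    for label, (fwd, dmz) in (("A", LAYOUT_A), ("B", LAYOUT_B)):
        print(label, "AS/400 ports reachable:", as400_exposure(fwd, dmz))
```

With the real output of NETSTAT *CNN substituted for the sample listener table, the same comparison shows what STRTCPSVR has actually left listening behind each layout.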
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].