This just sounds like too much work for me. In this day and age of
laptops I may connect to my system from DHCP address on wire on my desk.
From some wireless address in the conference room. From a wireless, or
wired, address from our corporate office. Or from our VPN access. There's
no way I'd constantly change my device names on my 5250 sessions to always
match where I am connecting from. Can you imagine trying to explain that
logic to some mobile bean counter in accounting?
I wrote our FTP exit point. I used to say that they had to come from a
particular address (or range). However a vast majority of our trading
partners could do tricks like IPCONFIG at their DOS prompt (after the 3rd
day of explanation) but rarely could tell me their NATted address. And
then I had this 'major customer' whose ftp person was a mobile user,
including doing work in between her night classes at college.
Much of this is now handled by our network consultant. And when I told
him I wanted it opened to the world and we would handle it by user id's
and passwords he wanted it in writing. Basically we had the same problems
with the same users. Granted, we may block a range of addresses used by
certain foreign entities for nefarious purposes. But that I would do at
the network level. Oh, I'll grant you that there's some argument to be
made for defense in depth.
Your SA was not a nut. At one time it was a generally accepted practice
to do such stuff. The IBM i still has a system value to limit which
terminals QSECOFR can sign on to. The theory being you could limit them
to the system console. Which would be in a secured room where you could
keep an eye on what they were doing.
Rob Berendt
midrange.com
