<snip>
Does the logic that requires a device name starting with "VPN" offer
any additional security?
</snip>
Answer: No, since most emulation software allows me to set whatever device name I would like to use. The security aspect might be betting on user ignorance of the ability to change the device name.
If you truly need to verify the IP address of a telnet request, and assign the device to a subsystem as appropriate, it's much easier and far more straightforward to do it in routing programs on the subsystems themselves. I can go into a large amount of detail and give you sample programs if you like. Larry Bolhuis and I do an Advanced Work Management session at COMMON that does exactly what I am describing. Simple, fast, and can be implemented without any downtime.
With the routing program method, you can use most anything to identify the user and/or device you would like.
Keep in mind the first, best, and most complete security is a well laid out plan, with a single source of authentication, usually an LDAP of some sort, and in most shops that's Active Directory. You have a free LDAP that comes with IBM i that can do quite a bit as well.
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
On 2/12/2012 7:47 PM, John McKee wrote:
This is related to my original question. The sa coded the exit point
program to examine the first three characters of the device. If they
were not equal to 'VPN', then the IP address is used to look up a
device name in a file. No device name means no signon screen is
allowed. If the first three characters were equal to 'VPN' then the
device name is checked for existence and that the status is VARY ON
PENDING. If those conditions are met, then signon is allowed.
I tried to find out the origin of this logic. Nobody knows. The only
thing I learned is that there was speculation that this was for system
security. The system is not directly connected to the internet. From
outside, somebody would have to have a login to the corporate office,
then would have to have access to my facility, and then would have to
have access to the i itself. Finally, they would need to supply a
valid, existing device name.
Does the logic that requires a device name starting with "VPN" offer
any additional security? To me, any additional security that might be
offered is minimal, at best.
What I am left with is to either add multiple additional tests to the
login exit point program - no idea how many, or remove that validation
piece. Which was why I asked earlier about adding more tests and if
"and" worked in free format. Just seems to be making the logic more
complicated than necessary.
This mess was brought to a head due to the network guys wanting to use
DHCP for internal new devices. The external devices come through the
corporate firewall and get NAT addresses that we are not informed
about.
Thoughts?
John McKee
On Fri, Feb 10, 2012 at 1:47 PM, Monnier, Gary <Gary.Monnier@xxxxxxxxx> wrote:
John,
Not equal is <>
The System does not have to be in a restricted state for the telnet exit point. The exit program is only called when a telnet session first starts.
You can "move" the recreated program into the target library. All the normal cautions apply - ownership, authorizations, adopt authority, etc.
It is much easier to have the object you are going to move match the target object before you "install" it.
The only difficulty you may encounter is if someone is starting a telnet session when you "install" your change.
Gary Monnier
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John McKee
Sent: Friday, February 10, 2012 11:12 AM
To: Midrange Systems Technical Discussion
Subject: Modifying an exit point program
An exit point program is installed on QIBM_QTG_DEVINIT
It contains a single line that needs to be changed. It is free format. Existing line is testing for first three characters equal to "VPN"
Questions:
1) What is the not equal operator in free format RPG? Is it != or <>, or something else?
2) I recall the discussion on a mediator program. I can't recall if it was only needed for a data file change, or for any program change.
Does system have to be in restricted state to make this change?
3) Does recompile of the program into the target library accomplish all changes, or does the exit point have to be dropped and re-added?
I ask, since I may be "asked" to make the changes. The person who functioned as sa does not necessarily do this anymore.
John McKee
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list. To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
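The sign-on rule John describes (non-VPN name: allow only if the client IP maps to a device in the site file; VPN name: allow only if the device exists and is VARY ON PENDING), written out in free-form RPG with the `<>` and `and` operators that John and Gary discuss. This is an added illustration, not the exit program from the thread nor anything from the list; the procedure name, its parameters, and the choice to pass the IP lookup and device-existence results in as indicators are assumptions. A real QIBM_QTG_DEVINIT exit program would take the device name and client address from the exit point's parameter structure and perform those lookups itself; it also assumes a release with fully free-form RPG.

```rpg
**FREE
ctl-opt nomain;

// Hypothetical helper (added example): applies the sign-on rule from the
// thread and returns *on when the sign-on screen may be shown.
// The caller is assumed to have already looked the client IP up in the
// site's device file and checked the device description.
dcl-proc allowSignon export;
  dcl-pi *n ind;
    devName   char(10) const;   // device name supplied by the client
    devExists ind      const;   // a device description with that name exists
    devStatus char(20) const;   // status text, e.g. 'VARY ON PENDING'
    ipKnown   ind      const;   // client IP was found in the device-name file
  end-pi;

  dcl-s allow ind inz(*off);

  // Not-equal is <> in free-form RPG (!= is not valid).
  if %subst(devName: 1: 3) <> 'VPN';
    // Non-VPN name: the only thing trusted is the IP-to-device lookup.
    allow = ipKnown;
  else;
    // VPN name: device must exist and be in VARY ON PENDING status.
    // Tests are combined with AND; OR and parentheses work the same way.
    allow = (devExists and devStatus = 'VARY ON PENDING');
  endif;

  // Any client can choose a name starting with VPN, so this else branch
  // is reachable without ever passing the IP lookup above.
  return allow;
end-proc;
```

The value of writing the rule this way is that the two branches sit side by side: everything the VPN branch checks is either supplied by the client (the name) or is a property of a device description the client only has to name correctly, while the IP lookup is skipped entirely, which is the weakness Jim points out. If more tests are added, they chain onto the same `if` with `and` rather than nesting further.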