INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

AS400 - Restrict 5250 sessions to specific subnets?

(OP)
Hello,

Is it possible to restrict 5250 (ie telnet) access to an AS400 based on subnet?

Eg we have a few subnets:

Data - 172.16.1.0
Voice - 172.16.2.0
DMZ - 172.16.254.0

Is it possible to restrict port 23 access to hosts originating on the Data subnet only?

If, for example, a DMZ host was hacked, they could telnet to other IPs in the range and be presented with a 5250 sign-on screen, which obviously is not good. Our firewall does not seem to acknowledge rules where the source and destination are in the same zone, so even if I have an explicit rule, for example, blocking telnet to 172.16.254.10, another host in the DMZ range could still telnet to it. My solution to this is to have separate DMZ zones for logical and physical hosts (often old OSes used for testing) and block telnet from the range with the old PCs, but I would also be keen to lock it down at an AS400 level.

Appreciate any advice you can offer, many thanks

'When all else fails.......read the manual'
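The following is an added example, not code from the thread or from IBM. It models the source-subnet check the original poster is asking for, applied on the host side rather than at the firewall: on IBM i this is the job of a Telnet exit program registered on the QIBM_QTG_DEVINIT exit point, which is handed the client address before any sign-on screen is sent and can refuse the session. The /24 masks, the choice that only the Data subnet is allowed, and the sample session attempts are assumptions constructed for the example.

```python
"""Source-subnet allow-list for 5250/telnet sessions.

Added example, not code from the original thread. It models the decision a
host-side control (on IBM i, a Telnet exit program on QIBM_QTG_DEVINIT) would
make: allow the session only when the client address falls inside an approved
subnet, and fail closed otherwise. The subnet addresses are the ones named in
the post; the /24 masks and the sample attempts are constructed assumptions.
"""
import ipaddress

# Subnets from the post; the /24 masks are an assumption (the post gives none).
SUBNETS = {
    "Data": ipaddress.ip_network("172.16.1.0/24"),
    "Voice": ipaddress.ip_network("172.16.2.0/24"),
    "DMZ": ipaddress.ip_network("172.16.254.0/24"),
}

# Assumption for the example: only the Data subnet may open 5250 sessions.
ALLOWED_ZONES = {"Data"}


def zone_of(ip_text):
    """Return the zone name the client address belongs to, or None.

    Malformed input returns None rather than raising, so the caller can
    treat it the same as an address outside every known subnet.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def allow_session(client_ip):
    """Decide whether a telnet session from client_ip may proceed.

    Returns (allowed, reason). The decision keys only on the *source*
    network, so a compromised DMZ host is refused whatever destination IP it
    dials, and unknown or unparseable addresses fail closed.
    """
    zone = zone_of(client_ip)
    if zone is None:
        return (False, "unknown or malformed source address")
    if zone in ALLOWED_ZONES:
        return (True, f"source is in the {zone} subnet")
    return (False, f"source is in the {zone} subnet, which is not allowed")


# Constructed sample session attempts: (client address, note).
SAMPLE_ATTEMPTS = [
    ("172.16.1.25", "workstation on the Data subnet"),
    ("172.16.2.40", "handset on the Voice subnet"),
    ("172.16.254.10", "DMZ host named in the post"),
    ("172.16.254.77", "another DMZ host, e.g. an old test box that was hacked"),
    ("10.0.0.5", "address outside every known subnet"),
    ("not-an-ip", "garbage client address"),
]


def evaluate(attempts=SAMPLE_ATTEMPTS):
    """Run the policy over (client_ip, note) pairs; return {ip: (allowed, reason)}."""
    return {ip: allow_session(ip) for ip, _ in attempts}


if __name__ == "__main__":
    for ip, note in SAMPLE_ATTEMPTS:
        allowed, reason = allow_session(ip)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{ip:16} {verdict:5} {reason} ({note})")
```

Because the check is made by the host itself, it does not depend on the firewall being willing to evaluate a rule whose source and destination sit in the same zone, which is the gap described in the post. Keeping the allow-list keyed on source subnet rather than on individual destination hosts also means a new DMZ host is denied by default instead of needing its own blocking rule.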

RE: AS400 - Restrict 5250 sessions to specific subnets?

I have not seen any way, but we have not used our AS400 for the past 24 months. I would look at blocking the access via a "web appliance". My next question is, if they get a sign-on screen, how do you have your security set up on the AS400? You can get very creative with password requirements, length of password, how long before you change your password, how many times a user gets to log on before they are disabled, etc.

RE: AS400 - Restrict 5250 sessions to specific subnets?

(OP)
Thanks for the reply.

The password is actually quite weak, to be honest, and it never expires, but the user will get 3 guesses before the account is locked out, so they don't have much chance to get it right... it's not an obvious word. There is no 5250 traffic on the DMZ subnet, so sniffing won't get many results.

I will keep looking for the best way to mitigate any risk, thanks.

'When all else fails.......read the manual'
