NETACCESS to protect my "ip address"

Postby mehi1353 » Sat Jul 21, 2012 5:18 pm

Hi all,

I want to protect my PC "ip address" and my network range of addresses, so I defined these lines in tcpip.profile:


NETACCESS INBOUND OUTBOUND
172.20.149.8/32 MYPC ;my workstation
172.20.149.0/24 MYSUBNET ;my workstation subnet
DEFAULT 0 WORLD ;everything else
ENDNETACCESS


and also these profiles in the SERVAUTH class in RACF:

EZB.NETACCESS.OSMELLAT.TCPIP.MYPC
EZB.NETACCESS.OSMELLAT.TCPIP.MYSUBNET
EZB.NETACCESS.OSMELLAT.TCPIP.WORLD

After activating the new tcpip.profile and RACF profiles, I cannot ping from the mainframe to the PC:

ICH408I USER(RASTGAR ) GROUP(SYS1 ) NAME(MEHRDAD RASTGAR )
EZB.NETACCESS.OSMELLAT.TCPIP.MYPC CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

But from the PC, I can still ping my mainframe IP address!!!

I think that after defining the above profiles, ping in both directions should be banned.

Any idea?

best regards
mehrdad
mehi1353
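As an added example (not code from the post or from IBM), this Python models how NETACCESS resolves a peer address to a security zone by longest-prefix match and which SERVAUTH resource, EZB.NETACCESS.sysname.tcpname.zone, is then checked for READ against the z/OS user ID that owns the socket; that is why the outbound ping from TSO user RASTGAR was checked against EZB.NETACCESS.OSMELLAT.TCPIP.MYPC. The NETACCESS block is copied from the post; the RACF permit list is constructed.

```python
import ipaddress

# Constructed copy of the NETACCESS block from the post (';' starts a comment)
NETACCESS_BLOCK = """
NETACCESS INBOUND OUTBOUND
172.20.149.8/32 MYPC ;my workstation
172.20.149.0/24 MYSUBNET ;my workstation subnet
DEFAULT 0 WORLD ;everything else
ENDNETACCESS
"""

def parse_netaccess(text):
    """Return [(network, zone), ...]; DEFAULT becomes the catch-all 0.0.0.0/0."""
    zones, inside = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop TCPIP.PROFILE comments
        if not line:
            continue
        words = line.split()
        if words[0].upper() == "NETACCESS":
            inside = True
        elif words[0].upper() == "ENDNETACCESS":
            break
        elif inside and words[0].upper() == "DEFAULT":
            zones.append((ipaddress.ip_network("0.0.0.0/0"), words[-1]))
        elif inside:
            zones.append((ipaddress.ip_network(words[0], strict=False), words[1]))
    return zones

def zone_for(zones, peer_ip):
    """Most specific (longest prefix) zone containing peer_ip, as NETACCESS matches."""
    ip = ipaddress.ip_address(peer_ip)
    matches = [(net, zone) for net, zone in zones if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def servauth_resource(sysname, tcpname, zone):
    """SERVAUTH resource NETACCESS checks: EZB.NETACCESS.sysname.tcpname.zone."""
    return f"EZB.NETACCESS.{sysname}.{tcpname}.{zone}"

def is_permitted(permits, sysname, tcpname, zones, userid, peer_ip):
    """True only if userid holds READ on the zone resource for peer_ip."""
    zone = zone_for(zones, peer_ip)
    if zone is None:
        return False
    return userid in permits.get(servauth_resource(sysname, tcpname, zone), set())

# Constructed RACF state: RASTGAR has READ on the MYPC profile only
PERMITS = {"EZB.NETACCESS.OSMELLAT.TCPIP.MYPC": {"RASTGAR"}}
ZONES = parse_netaccess(NETACCESS_BLOCK)
```

The subject of the check is the z/OS user ID on the socket, not the remote station, so a permit on MYPC does nothing for a connection that a different user ID (or a server address space) accepts.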

Re: NETACCESS to protect my "ip address"

Postby jaggz » Mon Jul 23, 2012 11:57 am

Hi,

Do you want to disable the Ping command from the PC? Or should just a user get a message that they are not authorized to ping, or something?

Could you please clarify? Did you try with the other two profiles, and what does it say?

Jaggz
jaggz

Re: NETACCESS to protect my "ip address"

Postby mehi1353 » Tue Jul 24, 2012 11:06 am

Hi,

No, I do not want to disable ping. Ping was just a test for me. I want to disable telnet from all stations except my personal PC and my personal userid, so I defined NETACCESS zones in the TCPIP profile and NETACCESS profiles in RACF. Then I permitted READ access to my userid in profile EZB.NETACCESS.OSMELLAT.TCPIP.MYPC.

I expected that telnet would be banned from all stations and userids except MYPC and my userid.

But SERVAUTH profiles don't work on my system.

I did all this process based on IBM documents.

Is there anything wrong?

Best regards
mehi1353

Re: NETACCESS to protect my "ip address"

Postby jaggz » Tue Jul 24, 2012 12:31 pm

Hi,

"But SERVAUTH profiles don't work on my system."

Please check whether the SERVAUTH class is activated or not. If not, try to activate it with CLASSACT(SERVAUTH).
jaggz

Re: NETACCESS to protect my "ip address"

Postby mehi1353 » Tue Jul 24, 2012 4:00 pm

Hi,

No, I'm sure that the SERVAUTH class is active, because when pinging from the mainframe to my network zone (MYPC), the SERVAUTH profile banned me:

ICH408I USER(RASTGAR ) GROUP(SYS1 ) NAME(MEHRDAD RASTGAR )
EZB.NETACCESS.OSMELLAT.TCPIP.MYPC CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

But it cannot prevent telnet from MYPC to the mainframe. Why?


best regards
mehi1353

Re: NETACCESS to protect my "ip address"

Postby Robert Sample » Tue Jul 24, 2012 5:39 pm

Have you looked at EZARACF in SEZAINST? That mentions resource EZB.PORTACCESS.sysname.tcpprocname.port.
Robert Sample

Re: NETACCESS to protect my "ip address"

Postby jaggz » Wed Jul 25, 2012 8:24 am

Hi,

Hope you did SETR RACLIST(SERVAUTH) REFR after permitting?
jaggz

Re: NETACCESS to protect my "ip address"

Postby mehi1353 » Wed Jul 25, 2012 10:03 am

Hi,

Yes, I used the "refresh" command after defining and permitting.

"Portaccess" doesn't satisfy me, because I want to find a way to limit a userid to his/her TCP/IP terminal. NETACCESS is my best choice. But unfortunately NETACCESS doesn't work for telnet access from different NETACCESS zones. After activating the NETACCESS profiles, anyone can still log on from anywhere.


all the best
mehi1353

Re: NETACCESS to protect my "ip address"

Postby dick scherrer » Wed Jul 25, 2012 7:34 pm

Hello,

"still anyone can logon from anywhere."

Which is how it is intended to work . . .

Why does someone believe this is a problem?

In most organizations, ip addresses and/or terminal ids are acquired dynamically making this restriction obsolete (if it ever was needed).

Keep in mind that your environment may be upgraded someday so that there are no "permanent" ip addresses for terminals . . .
Hope this helps,
d.sch.
dick scherrer