AS400 - Restrict 5250 sessions to specific subnets?

cyberspace

Technical User
Aug 19, 2005
968
GB
Hello,

Is it possible to restrict 5250 (ie telnet) access to an AS400 based on subnet?

Eg we have a few subnets:

Data - 172.16.1.0
Voice - 172.16.2.0
DMZ - 172.16.254.0

Is it possible to restrict port 23 access to hosts originating on the Data subnet only?

If, for example, a DMZ host was hacked, they could telnet to other IPs in the range and be presented with a 5250 sign-on screen, which obviously is not good. Our firewall does not seem to acknowledge rules where the source and destination are in the same zone, so even if I have an explicit rule, for example, blocking telnet to 172.16.254.10, another host in the DMZ range could still telnet to it. My solution to this is to have separate DMZ zones for logical and physical hosts (often old OSes used for testing) and block telnet from the range with the old PCs, but I would also be keen to lock it down at an AS400 level.

Appreciate any advice you can offer, many thanks

'When all else fails.......read the manual'
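The policy asked for above (telnet to any host permitted only from the Data subnet, with intra-DMZ attempts flagged separately because a zone-based firewall will not see them), written out as a small check over connection records. This is an added example, not code from the thread or from any poster; it assumes /24 masks for the three subnets (the post gives only the network addresses) and the sample connection records are constructed.

```python
import ipaddress

# Subnets as named in the question; the /24 masks are an assumption.
ZONES = {
    "Data": ipaddress.ip_network("172.16.1.0/24"),
    "Voice": ipaddress.ip_network("172.16.2.0/24"),
    "DMZ": ipaddress.ip_network("172.16.254.0/24"),
}
TELNET_PORT = 23
ALLOWED_TELNET_SOURCES = {"Data"}  # the policy the question asks for


def zone_of(ip):
    """Return the zone name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src, dst, dport):
    """Return (verdict, reason) for one TCP connection attempt."""
    if dport != TELNET_PORT:
        return ("allow", "not telnet")
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone in ALLOWED_TELNET_SOURCES:
        return ("allow", f"telnet from {src_zone}")
    if src_zone is not None and src_zone == dst_zone:
        # Same-zone traffic: the case the zone firewall does not filter.
        return ("deny", f"intra-{src_zone} telnet (not seen by zone firewall)")
    return ("deny", f"telnet from {src_zone or 'unknown'}")


# Constructed sample records (src, dst, dport); not taken from the thread.
SAMPLE_CONNECTIONS = [
    ("172.16.1.25", "172.16.1.200", 23),      # Data -> Data: allowed
    ("172.16.254.10", "172.16.254.20", 23),   # DMZ -> DMZ: intra-zone
    ("172.16.254.10", "172.16.1.200", 23),    # DMZ -> Data: denied
    ("172.16.2.5", "172.16.1.200", 23),       # Voice -> Data: denied
    ("172.16.254.10", "172.16.1.200", 443),   # not telnet: allowed
]


def denied_attempts(records=SAMPLE_CONNECTIONS):
    """List the attempts the policy would reject, with the reason."""
    return [(s, d, evaluate(s, d, p)[1]) for s, d, p in records
            if evaluate(s, d, p)[0] == "deny"]


if __name__ == "__main__":
    for s, d, p in SAMPLE_CONNECTIONS:
        print(f"{s} -> {d}:{p}", evaluate(s, d, p))
```

Run against exported firewall or AS400 connection logs, the denied list is the set of attempts that the host-level restriction would have to catch.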
 
I have not seen any way, but we have not used our AS400 for the past 24 months. I would look at blocking the access via a "web appliance". My next question is, if they get a signon screen, how do you have your security set up on the AS400? You can get very creative with password requirements, length of password, how long before you change your password, how many times a user gets to log on before they are disabled, etc.
 
Thanks for the reply.

The password is actually quite weak to be honest, and it never expires, but the user will get 3 guesses before the account is locked out so they don't have much chance to get it right...it's not an obvious word. There is no 5250 traffic on the DMZ subnet, so sniffing won't get many results.

I will keep looking for the best way to mitigate any risk, thanks.

'When all else fails.......read the manual'
 