Understanding TCP/IP Security Rules

The security administrator can restrict TCP/IP requests for access to a service by enforcing rules. A set of rules can be created and stored in a TCP/IP security rules file. The rules file must be loaded and active before TCP/IP Filtering enforces these rules.

A default rules file named *SYSTEM/TCPIPSECURITY/RULES is factory-configured to allow all TCP/IP requests, which is equivalent to running with security disabled. The security administrator can modify this rules file or create a new rules file to contain deny rules for general system use. The default rules file must reside on the same pack where the TCPIPSUPPORT library is located.

The security administrator can change rules files as network or work environment needs change. For example, you might need a different rules set for network device connections to unsecured networks.

The TCP/IP Filtering node of the Security Policy Management snap-in, which is part of Security Center, is the recommended method for creating, testing, and modifying a rules file. Refer to the Security Center Help for instructions to create and modify a rules file.

For more information about enabling and disabling TCP/IP security, refer to the TCP/IP Implementation and Operations Guide.

Restrictions to Well-Known Ports

Applications can be granted or denied the use of certain ports based on the application's authorization.

This feature helps to prevent spoofing, that is, making a transmission appear to come from an authorized user. It does so by prohibiting the use of well-known ports (ports below 1024) unless the program is TCP/IP authorized.

The TCPIPSECURITY library can deny spoofing of well-known ports by adding another filter to the TCP/IP security rules file. With this filter, only a program authorized with a service attribute of TCP/IP can provide a well-known port number. This attribute is applied to a program using the MP (Mark Program) system command (MP <program> SERVICE = TCPIP). For details about the MP system command, refer to the System Commands Reference.

A feature to deny spoofing of well-known ports was built into TCPIPSUPPORT, eliminating the need for additional filters in the rules file. Programs supplied by Unisys that provide well-known port numbers are marked with SERVICE=TCPIP prior to release. Traffic is denied by TCPIPSUPPORT for any program providing a well-known port number that is not marked with a service attribute of TCPIP.

Opening subports using well-known port numbers is not permitted for any program that is not authorized. User-written applications that provide well-known port numbers can be authorized by marking the code file with SERVICE = TCPIP by a security administrator.
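The well-known-port gate described in the preceding paragraphs can be modelled as a small access check. The following Python is an added example, not TCPIPSUPPORT code and not a parser for a real *SYSTEM/TCPIPSECURITY/RULES file (the rules syntax is not given on this page). It encodes the stated decision, a program may provide a port below 1024 only if its code file is marked SERVICE=TCPIP, and adds an audit helper an administrator could use to see which user-written programs would be denied before marking them. The program names, ports and the `Program`/`Listener` records are constructed for illustration.

```python
"""Model of the well-known-port authorization gate (added example).

Not Unisys code: it mirrors the rule on this page, namely that a program
providing a well-known port (below 1024) is denied unless the code file
carries the service attribute TCPIP set with MP <program> SERVICE = TCPIP.
Non-well-known ports are left to the rules file, modelled here as the
factory default that allows all requests.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WELL_KNOWN_LIMIT = 1024  # ports 0-1023 are the well-known range


@dataclass(frozen=True)
class Program:
    """A code file and the service attribute applied to it (None = unmarked)."""
    name: str
    service: Optional[str] = None


@dataclass(frozen=True)
class Listener:
    """A program attempting to provide (listen on) a port or subport."""
    program: Program
    port: int


def is_well_known(port: int) -> bool:
    """True for ports below 1024; rejects values outside the TCP range."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port < WELL_KNOWN_LIMIT


def may_provide_port(program: Program, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a program offering a port number."""
    if is_well_known(port):
        if program.service == "TCPIP":
            return True, f"{program.name} is marked SERVICE=TCPIP; port {port} allowed"
        return False, (f"{program.name} provides well-known port {port} "
                       "but is not marked SERVICE=TCPIP")
    # Above 1023: only the rules file applies; default rules allow everything.
    return True, f"port {port} is not well-known; default rules allow it"


def audit(listeners: List[Listener]) -> List[str]:
    """Administrator's check: reasons for every listener the gate would deny."""
    denied = []
    for entry in listeners:
        allowed, reason = may_provide_port(entry.program, entry.port)
        if not allowed:
            denied.append(reason)
    return denied


# Constructed sample: illustrative names, not real Unisys code files.
SAMPLE = [
    Listener(Program("SYSTEM/FTP/SERVER", service="TCPIP"), 21),   # marked, allowed
    Listener(Program("USER/WEB/APP"), 80),                          # unmarked, denied
    Listener(Program("USER/WEB/APP"), 8080),                        # not well-known
    Listener(Program("USER/MAIL/RELAY", service="TCPIP"), 25),      # marked, allowed
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("DENY:", line)
```

Running the block prints one DENY line, for the unmarked program on port 80; the same program on port 8080 passes because that port is outside the well-known range and the modelled rules file is the factory default. Only a security administrator applies the SERVICE = TCPIP mark, so an audit like this is a way to find code files that still need it rather than a way around the check.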