Applications that communicate at the socket level run under the radar on the IBM i. Applications that use socket connections often use other network services too, like FTP or remote commands, which existing exit points already cover; but some applications bypass all other network services and work directly with data at the socket level. Three exit points can be used to secure them: Socket Accept, Socket Connect and Socket Listen.
The TCP Accept exit point watches for remote systems trying to establish a connection to your system at the socket level. Using the exit point, you can control which IP addresses to accept or reject, which user profiles are allowed to use the connection, and even which TCP/IP port numbers the connection can use.
The TCP Connect exit point does the same thing as Accept, except that it covers outbound connections from your IBM i system to remote systems. The same controls can be applied: IP address, user profile and port number.
The TCP Listen exit point runs on your IBM i and watches for incoming TCP Connects from remote systems. A typical socket connection starts with a Listen, then proceeds to the Connect and the subsequent Accept. In this sequence, socket communication takes place without any other network service being involved.
One existing application on the IBM i that uses these socket connections is the Apache HTTP server, which has no exit point control of its own. If you want to control who can reach your system with a browser, these exit points are a possible solution.
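To make the three controls described above (remote IP address, user profile and TCP port, applied separately to inbound Accept and outbound Connect) concrete, here is an added example of the decision logic an exit program would implement; it is illustrative code, not IBM's exit program interface or any vendor's product, and the rule names, addresses, ports and profile names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical rule model for the three controls the exit points expose:
# remote IP address, user profile and TCP port. Not IBM's exit program interface.
@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "accept" = inbound, "connect" = outbound
    network: str                    # CIDR matched against the remote address
    ports: tuple                    # inclusive (low, high) TCP port range
    users: frozenset = frozenset()  # allowed profiles; empty means any profile
    allow: bool = True              # False makes this an explicit reject rule

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

def evaluate(rules, direction, remote_ip, port, user):
    """First matching rule wins; a request that no rule matches is rejected."""
    addr = ipaddress.ip_address(remote_ip)
    user = user.upper()             # IBM i profile names are upper case
    for r in rules:
        if r.direction != direction:
            continue
        if addr not in ipaddress.ip_network(r.network, strict=False):
            continue
        if not (r.ports[0] <= port <= r.ports[1]):
            continue
        if r.users and user not in r.users:
            continue
        return Decision(r.allow, "rule " + r.name)
    return Decision(False, "no matching rule (default deny)")

# Constructed sample policy (addresses, ports and profile names are made up).
RULES = [
    # Explicit rejects go first so they are not shadowed by broader allows.
    Rule("block-guest-lan", "accept", "10.9.0.0/16", (1, 65535), allow=False),
    # Apache HTTP server: any profile, but only from the internal network.
    Rule("lan-web", "accept", "10.0.0.0/8", (80, 80)),
    Rule("lan-web-tls", "accept", "10.0.0.0/8", (443, 443)),
    # Named operations profiles may open SSH sessions from the ops subnet.
    Rule("ops-ssh", "accept", "10.1.0.0/16", (22, 22), frozenset({"OPS1", "OPS2"})),
    # Outbound: only the application server profile may reach the database host.
    Rule("app-to-db", "connect", "192.168.5.0/24", (5432, 5432), frozenset({"APPSVR"})),
]
```

The reason string returned with every reject is the detail you would want written to your audit trail, since a default-deny reject and an explicit block rule firing mean different things to whoever reviews the log.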
You can track use of socket calls using the IBM i OS security audit journal (QAUDJRN). It can be configured to record all socket level activity, including connections that are accepted and those that are rejected. To use this feature, you must have the security audit journal active and at least one of these audit values set in the QAUDLVL (and/or QAUDLVL2) system value: *NETCMN, *NETFAIL, *NETSCK, *NETSECURE, *NETTELSVR or *NETUDP. When active, socket connections are logged to the security journal as SK records, which can be extracted and interpreted. Kisco's iEventMonitor has this capability already built into it.
Our exit point firewall, SafeNet/i, includes complete TCP/IP filtering support. iEventMonitor can also monitor and alert on SK (secure socket) audit journal activity.