Securing the DB2 Network Interface

DB2, by default, can be "discovered" on the network with a discovery packet. This discovery packet can be sent to the broadcast address and all DB2 servers will respond. I'd recommend changing this, even though it only makes the attacker's life slightly more difficult; the more hurdles the attacker has to leap, the better. To change the discovery mode of the DB2 server, use the Control Center. Right-click on the instance in question and from the pop-up menu select Configure Parameters. In the Keyword column, find the Discover entry under Communications. Change it from Search to Disable. Once you're done, stop and restart the instance. The server will no longer reply to discovery requests.

The authentication type on a fresh install of DB2 is set to SERVER. This means that clients send their user IDs and passwords over the network in clear text when they authenticate. As such, anyone who can put a sniffer on the network will be able to gather accounts and passwords. With access to these the attacker can compromise the system. To change the authentication type, use the Control Center. Right-click on the instance in question and select Configure Parameters from the pop-up menu. The top keyword should be "Authentication." Select this and change it from SERVER to SERVER_ENCRYPT. If Kerberos is available, select this instead. Never use CLIENT authentication because it means that absolutely anyone can gain access to the server. Remember to configure the clients to use encryption as well!
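The two settings above (DISCOVER and AUTHENTICATION) also live in the database manager configuration that `db2 get dbm cfg` prints, so they can be audited from a script instead of the Control Center. The helper below is an added example, not the book's own code; its sample configuration text is constructed to mimic the "(KEYWORD) = VALUE" layout of that command's output.

```shell
#!/bin/sh
# Added audit helper (not from the book): checks the two database manager
# configuration parameters discussed above in the text output of
# `db2 get dbm cfg`. SAMPLE_DBM_CFG is constructed to mimic that output's
# "(KEYWORD) = VALUE" layout; on a real server pipe the command's output in.
SAMPLE_DBM_CFG='
 Database manager authentication        (AUTHENTICATION) = SERVER
 Discovery mode                               (DISCOVER) = SEARCH
 TCP/IP Service name                          (SVCENAME) = db2c_db2inst1
'

# dbm_cfg_value KEYWORD: print the value of "(KEYWORD) = VALUE" read on stdin.
# The parentheses make the match exact, so DISCOVER does not match DISCOVER_INST.
dbm_cfg_value() {
    awk -v key="($1)" 'index($0, key) {
        sub(/.*= */, ""); sub(/[ \t\r]+$/, ""); print toupper($0); exit }'
}

# audit_dbm_cfg: read dbm cfg text on stdin, print one finding per parameter,
# return 0 only when both settings are hardened as the text recommends.
audit_dbm_cfg() {
    cfg=$(cat); rc=0
    auth=$(printf '%s\n' "$cfg" | dbm_cfg_value AUTHENTICATION)
    disc=$(printf '%s\n' "$cfg" | dbm_cfg_value DISCOVER)
    case "$auth" in
        SERVER_ENCRYPT|KERBEROS|KRB_SERVER_ENCRYPT)
                echo "OK    AUTHENTICATION=$auth" ;;
        SERVER) echo "FAIL  AUTHENTICATION=SERVER: user IDs and passwords cross the network in clear text"; rc=1 ;;
        CLIENT) echo "FAIL  AUTHENTICATION=CLIENT: server trusts whatever the client asserts"; rc=1 ;;
        *)      echo "FAIL  AUTHENTICATION=${auth:-<missing>}: not an encrypted or Kerberos mode"; rc=1 ;;
    esac
    case "$disc" in
        DISABLE) echo "OK    DISCOVER=DISABLE" ;;
        *)       echo "FAIL  DISCOVER=${disc:-<missing>}: instance answers network discovery requests"; rc=1 ;;
    esac
    return $rc
}

# harden_commands: the DB2 command-line equivalent of the Control Center steps
# above (printed, not executed). The instance restart is what makes the new
# values take effect.
harden_commands() {
    printf '%s\n' \
        'db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT' \
        'db2 update dbm cfg using DISCOVER DISABLE' \
        'db2stop' \
        'db2start'
}

printf '%s\n' "$SAMPLE_DBM_CFG" | audit_dbm_cfg || harden_commands
```

On a live instance, replace the sample with `db2 get dbm cfg | audit_dbm_cfg`; a non-zero exit means one of the two defaults is still in place.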



The Database Hacker's Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156
