Solved

Telnet to AS400 from internet (Is it secure)

Posted on 2007-07-22
1,571 Views
Last Modified: 2013-12-06
Hi all,

I'm about to port forward 23 to our AS400 so users can access it from the internet. I understand anyone can now access the login screen of our AS400, but is there a more secure solution?

Software VPN clients aren't an option. There are 30 users, all with dynamic IP addresses.

Thanks, Joe
Question by: joe90kane

10 Comments

Author Comment

by:joe90kane
ID: 19542182
Currently on V5R3

Expert Comment

by:Muflone
ID: 19542495
You could encrypt all the telnet traffic with SSL; check the instructions here:

v5r1: http://publib.boulder.ibm.com/iseries/v5r1/ic2924/info/rzain/rzainoverview.htm
v5r2: http://as400bks.rochester.ibm.com/iseries/v5r2/ic2924/info/rzain/rzainoverview.htm
v5r3: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzain/rzainoverview.htm

As you can see in the security menu on the left, there are other solutions to secure your data.
bye Muf

Author Comment

by:joe90kane
ID: 19542670
I have looked over this option but I'm not sure how to install it, and will it stop local users from connecting using port 23?

How do I install these?

    * IBM® Digital Certificate Manager (DCM), option 34 of OS/400® (5722-SS1)
    * The IBM Cryptographic Access Provider product, 5722-AC3 (128-bit).

Thanks, Joe

Expert Comment

by:Muflone
ID: 19542802
If you secure the telnet server, you can choose to allow secure connections, unsecured connections, or both.
Of course you'll have your risks if you decide to allow unsecured connections.

To install packages type GO LICPGM; of course you need the software as well as the keys.

Author Comment

by:joe90kane
ID: 19543544
Thanks for the info Muflone.

If I use standard telnet, is there any chance of security issues if the person doesn't have a valid login?

What would you recommend for remote access to as400?

Thanks Again, Joe

Accepted Solution

by:
Muflone earned 2000 total points
ID: 19543678
If you're sure all profiles have (and will always have) a valid and difficult password, including the system accounts Q*;
if you're sure nobody will be sniffed while trying to connect to your system, because the passwords are in plain text;
if you're sure you don't have other services which can give a similar access to telnet (I remind you that the FTP service can also be used to execute commands, like in a terminal);

if you're totally sure about these weaknesses, then you could leave the unsecured telnet protocol.
I wouldn't bet anything on it, above all if you cannot check all the client connections: anyone could spy on their data (including user/pass) in a lot of ways.

If you cannot secure the telnet server with SSL as told before, then you should encrypt the data connections with a VPN protocol like PPTP (weak, easy to break), L2TP or IPsec, so your clients will transfer encrypted data from their connection to the VPN server, and the unencrypted data required by plain telnet will go from the VPN server to the AS/400.

Choose for yourself which risk you prefer.
bye Muf
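The sniffing risk Muflone describes, as an added example that is not part of the thread: a small Python script that takes the bytes a passive sniffer would capture from a plaintext telnet login, strips the RFC 854 option negotiation, and pulls out the user and password. The capture is constructed for this example and uses ordinary NVT ASCII prompts; an AS/400 5250 telnet session carries an EBCDIC display data stream instead, so the exact bytes on port 23 differ, but they are equally readable to anyone on the path, which is what SSL on port 992 or a VPN removes.

```python
import re

# RFC 854 telnet command bytes.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
# RFC 1091 TERMINAL-TYPE option (24) and its subnegotiation codes.
OPT_TERMINAL_TYPE, TT_IS, TT_SEND = 0x18, 0x00, 0x01


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command/option sequences and return only the NVT text bytes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # dangling IAC at the end of the stream
            break
        cmd = data[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:         # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # IAC <cmd> with no option byte (NOP, GA, ...)
    return bytes(out)


def extract_credentials(stream: bytes) -> dict:
    """Return whatever text follows the login and password prompts."""
    text = strip_telnet_negotiation(stream).decode("ascii", errors="replace")
    found = {}
    for field, pattern in (("user", r"login:[ \t]*([^\r\n]+)"),
                           ("password", r"[Pp]assword:[ \t]*([^\r\n]+)")):
        m = re.search(pattern, text)
        if m:
            found[field] = m.group(1)
    return found


# CONSTRUCTED sample: both directions of a plaintext telnet session, already
# reassembled in order as a sniffer would see them. NVT ASCII framing, not the
# EBCDIC 5250 data stream an AS/400 actually sends on port 23.
CAPTURE = (
    bytes([IAC, DO, OPT_TERMINAL_TYPE])                      # server asks for terminal type
    + bytes([IAC, WILL, OPT_TERMINAL_TYPE])                  # client agrees
    + bytes([IAC, SB, OPT_TERMINAL_TYPE, TT_SEND, IAC, SE])  # server: SEND
    + bytes([IAC, SB, OPT_TERMINAL_TYPE, TT_IS])
    + b"IBM-3179-2" + bytes([IAC, SE])                       # client: IS IBM-3179-2
    + bytes([IAC, WILL, 0x01])                               # server: WILL ECHO
    + b"\r\nlogin: " + b"JOE\r\n"
    + b"Password: " + b"s3cret!\r\n"                         # typed password, in the clear
)

if __name__ == "__main__":
    print(extract_credentials(CAPTURE))   # {'user': 'JOE', 'password': 's3cret!'}
```

Run as-is it prints the recovered user/password pair from the constructed capture. The same capture taken from an SSL-protected telnet session on port 992 would contain only TLS records, and nothing this script could parse.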

Expert Comment

by:shalomc
ID: 19554752
Joe,

If you choose not to use any VPN solution, then your login screen will be open to the internet and to anyone willing to try it.

This is a calculated risk, and you can lower the risk by taking a few precautions:

*  Modify the login screen to include a legal warning (including a statement about monitoring all user behavior)
*  Turn on the QDSPSGNIN system value and educate all users to check their last login date for exceptions, and to report immediately if they find any.
*  Limit security officer device access to specific terminals (QLMTSECOFR)
* Set Action to take for failed signon attempts (QMAXSGNACN) to 1 - Disable device. You do not want a DoS attack where all of the Q* user profiles are disabled.
* Set Maximum sign-on attempts (QMAXSIGN) to a reasonable number like 5.
* Set all autoconfigure parms to off. You will have to manually assign and set up device names both in the server AND in the clients.
* Harden the password policy to reasonable settings.

For better security, you should also set up full auditing, AND monitor the audit logs.

ShalomC
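A way to check a machine against the settings in ShalomC's list, as an added example that is not from the thread: a Python audit of the system values the post names (the value the post calls QDSPSGNIN is QDSPSGNINF on OS/400), plus password-policy, auditing and security-level thresholds that are my assumptions of a "reasonable" policy and are labelled as such in the code. The two listings are constructed sample data in a simple "NAME VALUE" form, not real DSPSYSVAL output; on a live system you would feed it whatever you export from WRKSYSVAL.

```python
from typing import Callable, Dict, List, Optional, Tuple

# CONSTRUCTED listing in "NAME  VALUE" form for this example; it is not real
# DSPSYSVAL/WRKSYSVAL output. QDSPSGNINF is the system value the post calls
# QDSPSGNIN. This one is a box with OS/400 defaults left in place.
SAMPLE_SYSVALS = """\
QMAXSIGN    *NOMAX
QMAXSGNACN  3
QLMTSECOFR  0
QDSPSGNINF  0
QAUTOCFG    1
QAUTOVRT    *NOMAX
QPWDMINLEN  1
QPWDEXPITV  *NOMAX
QAUDCTL     *NONE
QSECURITY   30
"""

# CONSTRUCTED listing of the same values after applying the post's advice.
HARDENED_SYSVALS = """\
QMAXSIGN    5
QMAXSGNACN  1
QLMTSECOFR  1
QDSPSGNINF  1
QAUTOCFG    0
QAUTOVRT    0
QPWDMINLEN  10
QPWDEXPITV  60
QAUDCTL     *AUDLVL *NOQTEMP
QSECURITY   40
"""


def parse_sysvals(text: str) -> Dict[str, str]:
    """Parse 'NAME VALUE...' lines; multi-token values (QAUDCTL) are kept whole."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("Q"):
            values[parts[0]] = " ".join(parts[1].split())
    return values


def _int_between(lo: int, hi: int) -> Callable[[str], bool]:
    """Accept only a plain integer in [lo, hi]; *NOMAX and friends fail."""
    return lambda v: v.isdigit() and lo <= int(v) <= hi


# (system value, predicate on the current value, what the post or an assumption asks for)
RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("QMAXSIGN",   _int_between(1, 5),  "1-5 (post: 5); *NOMAX never locks anything out"),
    ("QMAXSGNACN", lambda v: v == "1",  "1 = disable the device, never the user profile"),
    ("QLMTSECOFR", lambda v: v == "1",  "1 = security officer limited to explicitly authorised devices"),
    ("QDSPSGNINF", lambda v: v == "1",  "1 = show previous sign-on and failed attempts at sign-on"),
    ("QAUTOCFG",   lambda v: v == "0",  "0 = no automatic device configuration"),
    ("QAUTOVRT",   lambda v: v == "0",  "0 = no automatic virtual devices (assumed part of 'autoconfigure parms')"),
    ("QPWDMINLEN", _int_between(8, 128), "at least 8 characters (assumed 'reasonable' policy)"),
    ("QPWDEXPITV", _int_between(1, 90),  "expire within 90 days (assumed 'reasonable' policy)"),
    ("QAUDCTL",    lambda v: "*AUDLVL" in v.split(), "*AUDLVL so that action auditing is actually on"),
    ("QSECURITY",  _int_between(40, 50), "40 or 50 (assumed baseline; 40 adds integrity protection)"),
]


def audit(values: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (name, current value or None if missing, expectation) for each failing rule."""
    findings = []
    for name, ok, expectation in RULES:
        current = values.get(name)
        if current is None or not ok(current):
            findings.append((name, current, expectation))
    return findings


if __name__ == "__main__":
    for name, current, expectation in audit(parse_sysvals(SAMPLE_SYSVALS)):
        print(f"{name:<11} current={str(current):<17} want: {expectation}")
```

Every rule fails on the default-looking listing and none on the hardened one; a value missing from the export is reported with `None` as its current value rather than silently passing.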

Author Comment

by:joe90kane
ID: 19559074
Thanks for the info Guys,

I have installed the following:

    *  Digital Certificate Manager (DCM), option 34 of OS/400 (5769-SS1)
    * TCP/IP Connectivity Utilities for AS/400 (5769-TC1)
    * IBM HTTP Server for AS/400 (5769-DG1)
    * IBM Cryptographic Access Provider products: 5722-AC3 (128-bit)

I set up the DCM with a cert and assigned it to Telnet; I still can't get in using SSL on 443 or 992.

Do I need to restart Telnet for the changes to take effect?

I'll post another question for the 500 points as I want to keep it all in the same thread.

Thanks again, Joe

Expert Comment

by:shalomc
ID: 19566841
Joe,
Secure Telnet only works with specific clients like IBM Client Access, and many 5250 telnet emulators do not support it. Do all of your business partners have the correct software?

ShalomC

Author Comment

by:joe90kane
ID: 21908433
Just an update: got it working perfectly for the last 8+ months; it has made a big difference for our reps / productivity.