Convince a client to use a VPN

Posted on 2010-11-15
Last Modified: 2012-05-10
I have a client that runs their business on an IBM AS/400 (i, iSeries).  All the programs are 5250 (green screen) applications.  Their sales reps have been accessing the system using Client Access (telnet) directly over the internet for years (almost 10).  I do work for them a few times a year and am getting ready to make a trip there to replace some hardware and integrate credit card processing into their Invoicing and A/R applications.  I want to try and convince them move to a VPN, especially since they are going to start processing credit cards.  I have suggested it in the past, but they never went for it.

I know there is the other option of using the telnet with SSH, but I have never attempted to set that up before.  They are running V5R2 BTW.

I am looking for some suggestions on how to persuade them to really go for this now.  Maybe using some scare tactics on what could happen if some hacked into their system.  
Also I am not sure on this, but isn’t the data stream for the telnet sent in clear text?  Is so couldn’t someone, somehow see the data being passed back and forth?

Question by:DCS12
  • 2
  • 2
  • 2
  • +3
LVL 35

Accepted Solution

Ernie Beek earned 100 total points
ID: 34135654
You are correct. Unsecured telnet sends it's passwords in clear text. This means that when I have (or can gain) access to only one device through which the data traffic goes I will be able to read it out and get access to their systems. And because the data traverses over the internet there are a lot of intermediate device......................
LVL 35

Expert Comment

by:Ernie Beek
ID: 34135679

Assisted Solution

flakier earned 100 total points
ID: 34136285
You can do some wireshark captures to see the plaintext usernames, passwords, and credit card data.  

Also, mention PCI compliance to their management, which is a voluntary regulation from the credit card industry to secure Credit Card data.  Transmitting CC numbers via telnet is definitely NOT PCI compliant.  Have them talk to their lawyers about what their liability will be if something happens and they are NOT PCI complient (this varies by state).

Since they are using Telnet now, setting up SSH will be an easier way from the user standpoint since it has a substantially similar interface.  It should be easier for you too since there is vastly less configuration to do.  If you introduce a client VPN, it immediately becomes a much more complex system both from what needs configuring, and what the users need to do to access their application (never underestimate user inconvenience).  A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure.
LVL 68

Assisted Solution

Qlemo earned 100 total points
ID: 34140617
"A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure."
Not true. A VPN can, like SSH, work with a certificate, solely or in addition to a login. The certificate can even be bound to the PC. However, if that is available depends on the VPN client used. PPTP (integrated) does not have that feature.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Assisted Solution

mkc451 earned 100 total points
ID: 34144902
You should inform your client of the liability for CCS processing. There are very precise legal requirements for IT should you process or store credit card numbers. I work with numerous clients who do this in both a retail and manf setting.

Another option here is to setup SSL Iseries Access sessions. Then allow only SSL ports through the firewall. This will at least encrypt the traffic. You can use a commercial cert or a self signed cert. It's very easy to setup. Then I always set it up so I have to send the external customer the cert so they can't download it.

Yet Another option would be do a SSL web based access system using one of the many Java Emulators out there or even IBM's own web facing (not my recommended product though). This way the remote folks don't even need ISeries Access.

All in all though a VPN is the most secure way to do this.

Assisted Solution

stevebowdoin earned 100 total points
ID: 34149718
Take the hit.  Learn to use Digital Cerificate Manager.  Stay with the SSL.  After you get a certificate you can use the same one for web applications.  The VPN will just bring in more userids and passwords to keep up with.  

Steve Bowdoin

Author Comment

ID: 34150064
Could some one point me to an SSL how to or would any one want to set it up for me while showing me?  For a fee of course.

Author Closing Comment

ID: 34154620
Thanks for the input everyone.  If anyone would be interested in assisting me in "taking the hit" on learning DCM & SSL.  Feel free to contact me.  cwhitein at hotmail

Thanks again.

Expert Comment

ID: 34154789

This is the link to IBM doc's ... it's v5r3, but it's pretty much the same.

Mike Cody

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now