Convince a client to use a VPN

I have a client that runs their business on an IBM AS/400 (i, iSeries).  All the programs are 5250 (green screen) applications.  Their sales reps have been accessing the system using Client Access (telnet) directly over the internet for years (almost 10).  I do work for them a few times a year and am getting ready to make a trip there to replace some hardware and integrate credit card processing into their Invoicing and A/R applications.  I want to try and convince them move to a VPN, especially since they are going to start processing credit cards.  I have suggested it in the past, but they never went for it.

I know there is the other option of using the telnet with SSH, but I have never attempted to set that up before.  They are running V5R2 BTW.

I am looking for some suggestions on how to persuade them to really go for this now.  Maybe using some scare tactics on what could happen if some hacked into their system.  
Also I am not sure on this, but isn’t the data stream for the telnet sent in clear text?  Is so couldn’t someone, somehow see the data being passed back and forth?

TIA
DCS12Asked:
Who is Participating?
 
Ernie BeekConnect With a Mentor ExpertCommented:
You are correct. Unsecured telnet sends it's passwords in clear text. This means that when I have (or can gain) access to only one device through which the data traffic goes I will be able to read it out and get access to their systems. And because the data traverses over the internet there are a lot of intermediate device......................
0
 
flakierConnect With a Mentor Commented:
You can do some wireshark captures to see the plaintext usernames, passwords, and credit card data.  

Also, mention PCI compliance to their management, which is a voluntary regulation from the credit card industry to secure Credit Card data.  Transmitting CC numbers via telnet is definitely NOT PCI compliant.  Have them talk to their lawyers about what their liability will be if something happens and they are NOT PCI complient (this varies by state).
http://www.pcicomplianceguide.org/pcifaqs.php

Since they are using Telnet now, setting up SSH will be an easier way from the user standpoint since it has a substantially similar interface.  It should be easier for you too since there is vastly less configuration to do.  If you introduce a client VPN, it immediately becomes a much more complex system both from what needs configuring, and what the users need to do to access their application (never underestimate user inconvenience).  A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure.
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
QlemoConnect With a Mentor Batchelor, Developer and EE Topic AdvisorCommented:
"A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure."
Not true. A VPN can, like SSH, work with a certificate, solely or in addition to a login. The certificate can even be bound to the PC. However, if that is available depends on the VPN client used. PPTP (integrated) does not have that feature.
0
 
mkc451Connect With a Mentor Commented:
You should inform your client of the liability for CCS processing. There are very precise legal requirements for IT should you process or store credit card numbers. I work with numerous clients who do this in both a retail and manf setting.

Another option here is to setup SSL Iseries Access sessions. Then allow only SSL ports through the firewall. This will at least encrypt the traffic. You can use a commercial cert or a self signed cert. It's very easy to setup. Then I always set it up so I have to send the external customer the cert so they can't download it.

Yet Another option would be do a SSL web based access system using one of the many Java Emulators out there or even IBM's own web facing (not my recommended product though). This way the remote folks don't even need ISeries Access.

All in all though a VPN is the most secure way to do this.
0
 
stevebowdoinConnect With a Mentor OwnerCommented:
Take the hit.  Learn to use Digital Cerificate Manager.  Stay with the SSL.  After you get a certificate you can use the same one for web applications.  The VPN will just bring in more userids and passwords to keep up with.  

Steve Bowdoin
0
 
DCS12Author Commented:
Could some one point me to an SSL how to or would any one want to set it up for me while showing me?  For a fee of course.
0
 
DCS12Author Commented:
Thanks for the input everyone.  If anyone would be interested in assisting me in "taking the hit" on learning DCM & SSL.  Feel free to contact me.  cwhitein at hotmail

Thanks again.
0
 
mkc451Commented:
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahh/sslreq.htm

This is the link to IBM doc's ... it's v5r3, but it's pretty much the same.

Mike Cody
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.