Go Premium for a chance to win a PS4. Enter to Win


Convince a client to use a VPN

Posted on 2010-11-15
Medium Priority
Last Modified: 2012-05-10
I have a client that runs their business on an IBM AS/400 (i, iSeries).  All the programs are 5250 (green screen) applications.  Their sales reps have been accessing the system using Client Access (telnet) directly over the internet for years (almost 10).  I do work for them a few times a year and am getting ready to make a trip there to replace some hardware and integrate credit card processing into their Invoicing and A/R applications.  I want to try and convince them move to a VPN, especially since they are going to start processing credit cards.  I have suggested it in the past, but they never went for it.

I know there is the other option of using the telnet with SSH, but I have never attempted to set that up before.  They are running V5R2 BTW.

I am looking for some suggestions on how to persuade them to really go for this now.  Maybe using some scare tactics on what could happen if some hacked into their system.  
Also I am not sure on this, but isn’t the data stream for the telnet sent in clear text?  Is so couldn’t someone, somehow see the data being passed back and forth?

Question by:DCS12
  • 2
  • 2
  • 2
  • +3
LVL 35

Accepted Solution

Ernie Beek earned 400 total points
ID: 34135654
You are correct. Unsecured telnet sends it's passwords in clear text. This means that when I have (or can gain) access to only one device through which the data traffic goes I will be able to read it out and get access to their systems. And because the data traverses over the internet there are a lot of intermediate device......................

Assisted Solution

flakier earned 400 total points
ID: 34136285
You can do some wireshark captures to see the plaintext usernames, passwords, and credit card data.  

Also, mention PCI compliance to their management, which is a voluntary regulation from the credit card industry to secure Credit Card data.  Transmitting CC numbers via telnet is definitely NOT PCI compliant.  Have them talk to their lawyers about what their liability will be if something happens and they are NOT PCI complient (this varies by state).

Since they are using Telnet now, setting up SSH will be an easier way from the user standpoint since it has a substantially similar interface.  It should be easier for you too since there is vastly less configuration to do.  If you introduce a client VPN, it immediately becomes a much more complex system both from what needs configuring, and what the users need to do to access their application (never underestimate user inconvenience).  A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 71

Assisted Solution

Qlemo earned 400 total points
ID: 34140617
"A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure."
Not true. A VPN can, like SSH, work with a certificate, solely or in addition to a login. The certificate can even be bound to the PC. However, if that is available depends on the VPN client used. PPTP (integrated) does not have that feature.

Assisted Solution

mkc451 earned 400 total points
ID: 34144902
You should inform your client of the liability for CCS processing. There are very precise legal requirements for IT should you process or store credit card numbers. I work with numerous clients who do this in both a retail and manf setting.

Another option here is to setup SSL Iseries Access sessions. Then allow only SSL ports through the firewall. This will at least encrypt the traffic. You can use a commercial cert or a self signed cert. It's very easy to setup. Then I always set it up so I have to send the external customer the cert so they can't download it.

Yet Another option would be do a SSL web based access system using one of the many Java Emulators out there or even IBM's own web facing (not my recommended product though). This way the remote folks don't even need ISeries Access.

All in all though a VPN is the most secure way to do this.

Assisted Solution

stevebowdoin earned 400 total points
ID: 34149718
Take the hit.  Learn to use Digital Cerificate Manager.  Stay with the SSL.  After you get a certificate you can use the same one for web applications.  The VPN will just bring in more userids and passwords to keep up with.  

Steve Bowdoin

Author Comment

ID: 34150064
Could some one point me to an SSL how to or would any one want to set it up for me while showing me?  For a fee of course.

Author Closing Comment

ID: 34154620
Thanks for the input everyone.  If anyone would be interested in assisting me in "taking the hit" on learning DCM & SSL.  Feel free to contact me.  cwhitein at hotmail

Thanks again.

Expert Comment

ID: 34154789

This is the link to IBM doc's ... it's v5r3, but it's pretty much the same.

Mike Cody

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question