Convince a client to use a VPN

Posted on 2010-11-15
Last Modified: 2012-05-10
I have a client that runs their business on an IBM AS/400 (i, iSeries).  All the programs are 5250 (green screen) applications.  Their sales reps have been accessing the system using Client Access (telnet) directly over the internet for years (almost 10).  I do work for them a few times a year and am getting ready to make a trip there to replace some hardware and integrate credit card processing into their Invoicing and A/R applications.  I want to try and convince them move to a VPN, especially since they are going to start processing credit cards.  I have suggested it in the past, but they never went for it.

I know there is the other option of using the telnet with SSH, but I have never attempted to set that up before.  They are running V5R2 BTW.

I am looking for some suggestions on how to persuade them to really go for this now.  Maybe using some scare tactics on what could happen if some hacked into their system.  
Also I am not sure on this, but isn’t the data stream for the telnet sent in clear text?  Is so couldn’t someone, somehow see the data being passed back and forth?

Question by:DCS12
  • 2
  • 2
  • 2
  • +3
LVL 35

Accepted Solution

Ernie Beek earned 100 total points
ID: 34135654
You are correct. Unsecured telnet sends it's passwords in clear text. This means that when I have (or can gain) access to only one device through which the data traffic goes I will be able to read it out and get access to their systems. And because the data traverses over the internet there are a lot of intermediate device......................
LVL 35

Expert Comment

by:Ernie Beek
ID: 34135679

Assisted Solution

flakier earned 100 total points
ID: 34136285
You can do some wireshark captures to see the plaintext usernames, passwords, and credit card data.  

Also, mention PCI compliance to their management, which is a voluntary regulation from the credit card industry to secure Credit Card data.  Transmitting CC numbers via telnet is definitely NOT PCI compliant.  Have them talk to their lawyers about what their liability will be if something happens and they are NOT PCI complient (this varies by state).

Since they are using Telnet now, setting up SSH will be an easier way from the user standpoint since it has a substantially similar interface.  It should be easier for you too since there is vastly less configuration to do.  If you introduce a client VPN, it immediately becomes a much more complex system both from what needs configuring, and what the users need to do to access their application (never underestimate user inconvenience).  A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure.
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

LVL 69

Assisted Solution

Qlemo earned 100 total points
ID: 34140617
"A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure."
Not true. A VPN can, like SSH, work with a certificate, solely or in addition to a login. The certificate can even be bound to the PC. However, if that is available depends on the VPN client used. PPTP (integrated) does not have that feature.

Assisted Solution

mkc451 earned 100 total points
ID: 34144902
You should inform your client of the liability for CCS processing. There are very precise legal requirements for IT should you process or store credit card numbers. I work with numerous clients who do this in both a retail and manf setting.

Another option here is to setup SSL Iseries Access sessions. Then allow only SSL ports through the firewall. This will at least encrypt the traffic. You can use a commercial cert or a self signed cert. It's very easy to setup. Then I always set it up so I have to send the external customer the cert so they can't download it.

Yet Another option would be do a SSL web based access system using one of the many Java Emulators out there or even IBM's own web facing (not my recommended product though). This way the remote folks don't even need ISeries Access.

All in all though a VPN is the most secure way to do this.

Assisted Solution

stevebowdoin earned 100 total points
ID: 34149718
Take the hit.  Learn to use Digital Cerificate Manager.  Stay with the SSL.  After you get a certificate you can use the same one for web applications.  The VPN will just bring in more userids and passwords to keep up with.  

Steve Bowdoin

Author Comment

ID: 34150064
Could some one point me to an SSL how to or would any one want to set it up for me while showing me?  For a fee of course.

Author Closing Comment

ID: 34154620
Thanks for the input everyone.  If anyone would be interested in assisting me in "taking the hit" on learning DCM & SSL.  Feel free to contact me.  cwhitein at hotmail

Thanks again.

Expert Comment

ID: 34154789

This is the link to IBM doc's ... it's v5r3, but it's pretty much the same.

Mike Cody

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
We all know how boring and exhausting it is to transfer huge web projects developed locally to a webserver simply via FTP. The File Transfer Protocol is a really nice solution if you need to transfer small amounts of files, but if you're plannin…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question