Solved

Convince a client to use a VPN

Posted on 2010-11-15
Last Modified: 2012-05-10
I have a client that runs their business on an IBM AS/400 (i, iSeries).  All the programs are 5250 (green screen) applications.  Their sales reps have been accessing the system using Client Access (telnet) directly over the internet for years (almost 10).  I do work for them a few times a year and am getting ready to make a trip there to replace some hardware and integrate credit card processing into their Invoicing and A/R applications.  I want to try to convince them to move to a VPN, especially since they are going to start processing credit cards.  I have suggested it in the past, but they never went for it.

I know there is the other option of using the telnet with SSH, but I have never attempted to set that up before.  They are running V5R2 BTW.

I am looking for some suggestions on how to persuade them to really go for this now.  Maybe using some scare tactics on what could happen if someone hacked into their system.  
Also I am not sure on this, but isn't the data stream for the telnet sent in clear text?  If so, couldn't someone, somehow, see the data being passed back and forth?

TIA
Question by: DCS12

9 Comments

Accepted Solution by: Ernie Beek (ID 34135654)
You are correct. Unsecured telnet sends its passwords in clear text. This means that when I have (or can gain) access to only one device through which the data traffic goes, I will be able to read it out and get access to their systems. And because the data traverses the internet, there are a lot of intermediate devices...

Assisted Solution by: flakier (ID 34136285)
You can do some wireshark captures to see the plaintext usernames, passwords, and credit card data.  

Also, mention PCI compliance to their management, which is a voluntary regulation from the credit card industry to secure credit card data.  Transmitting CC numbers via telnet is definitely NOT PCI compliant.  Have them talk to their lawyers about what their liability will be if something happens and they are NOT PCI compliant (this varies by state).
http://www.pcicomplianceguide.org/pcifaqs.php

Since they are using Telnet now, setting up SSH will be an easier way from the user standpoint since it has a substantially similar interface.  It should be easier for you too since there is vastly less configuration to do.  If you introduce a client VPN, it immediately becomes a much more complex system both from what needs configuring, and what the users need to do to access their application (never underestimate user inconvenience).  A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure.
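As an added example (not code from this thread or from IBM), the point made in the two answers above in working form: a short Python script that reads a classic pcap file, reassembles the TCP stream to port 23, strips the telnet option negotiation and decodes what is left as EBCDIC (code page 037 is assumed, the usual code page for a US 5250 session), which is all it takes to read the user ID, the password and a card number out of the traffic. The capture is constructed in memory rather than recorded from any network, the sign-on and invoice screens are simplified (a real TN5250 stream wraps the fields in 5250 record headers and orders, omitted here), the host names and addresses are made up, and the card number is a test PAN. Wireshark's TN5250 dissector does the same job interactively; the script only shows that nothing in the protocol hides these fields from anyone on the path.

```python
"""Read an AS/400 telnet sign-on straight out of a packet capture.

Constructed example: the pcap below is built in memory, not recorded from
any real network, and the 5250 screens are simplified for the demo."""
import re
import struct

TELNET_PORT = 23
IAC, SB, SE = 0xFF, 0xFA, 0xF0                      # telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
TERMINAL_TYPE = 0x18


def _frame(src_ip, dst_ip, sport, dport, seq, payload):
    """One Ethernet/IPv4/TCP frame wrapped in a pcap record header."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, 0x18, 8192, 0, 0)    # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes(src_ip), bytes(dst_ip))
    pkt = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt


def build_sample_pcap():
    """Client side of a hypothetical sign-on plus an A/R screen, one TCP stream."""
    client, host = (192, 168, 1, 10), (203, 0, 113, 5)         # made-up addresses
    negotiation = (bytes([IAC, WILL, TERMINAL_TYPE])
                   + bytes([IAC, SB, TERMINAL_TYPE, 0]) + b"IBM-3179-2" + bytes([IAC, SE]))
    # 5250 screen data is EBCDIC (code page 037 assumed), so it is invisible to strings(1).
    signon = ("User  . . . . . . . . . . JSMITH    "
              "Password  . . . . . . . . Summer2010   ").encode("cp037")
    invoice = "Card number . . . . . . . 4111111111111111".encode("cp037")  # test PAN
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap 2.4, Ethernet
    records, seq = b"", 1000
    for chunk in (negotiation, signon, invoice):
        records += _frame(client, host, 49152, TELNET_PORT, seq, chunk)
        seq += len(chunk)
    return header + records


def extract_tcp_streams(pcap):
    """Reassemble TCP payload per (src, sport, dst, dport), ordered by sequence number."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    segments, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                 # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                  # not TCP
            continue
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]              # skip data offset * 4 bytes
        if payload:
            key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
            segments.setdefault(key, []).append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in segments.items()}


def strip_telnet(data):
    """Drop telnet IAC command sequences, leaving only the application data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):                        # dangling IAC at end of stream
            break
        elif data[i + 1] == IAC:                        # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:                         # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):     # three-byte option command
            i += 3
        else:                                           # any other two-byte command
            i += 2
    return bytes(out)


def find_secrets(app_data):
    """Decode EBCDIC and pull out the fields an eavesdropper is after."""
    text = app_data.decode("cp037", errors="replace")
    patterns = {"user": r"User[ .]+([A-Z0-9]+)",
                "password": r"Password[ .]+(\S+)",
                "pan": r"\b(\d{13,19})\b"}
    return {name: m.group(1) for name, pat in patterns.items()
            if (m := re.search(pat, text))}


def eavesdrop(pcap):
    """Every telnet flow in the capture and the fields readable from it."""
    return {f"{src}:{sport}->{dst}:{dport}": find_secrets(strip_telnet(data))
            for (src, sport, dst, dport), data in extract_tcp_streams(pcap).items()
            if dport == TELNET_PORT}


if __name__ == "__main__":
    for flow, secrets in eavesdrop(build_sample_pcap()).items():
        print(flow, secrets)
```

Run it as-is to see the recovered fields for the constructed stream, or feed `extract_tcp_streams` the bytes of a real capture taken on a network you are authorised to monitor. Pointed at the TLS-protected session instead (telnet over SSL on the iSeries listens on 992), the same parser gets back only TLS records, which is the before-and-after picture to show the client.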

Assisted Solution by: Qlemo (ID 34140617)
"A VPN also gives away the keys to the kingdom if a user's password is compromised so in this sense is less secure."
Not true. A VPN can, like SSH, work with a certificate, solely or in addition to a login. The certificate can even be bound to the PC. However, if that is available depends on the VPN client used. PPTP (integrated) does not have that feature.

Assisted Solution by: mkc451 (ID 34144902)
You should inform your client of the liability for CCS processing. There are very precise legal requirements for IT should you process or store credit card numbers. I work with numerous clients who do this in both a retail and a manufacturing setting.

Another option here is to set up SSL iSeries Access sessions. Then allow only the SSL ports through the firewall. This will at least encrypt the traffic. You can use a commercial cert or a self-signed cert. It's very easy to set up. Then I always set it up so I have to send the external customer the cert, so they can't download it.

Yet another option would be to do an SSL web-based access system using one of the many Java emulators out there, or even IBM's own WebFacing (not my recommended product though). This way the remote folks don't even need iSeries Access.

All in all though a VPN is the most secure way to do this.

Assisted Solution by: stevebowdoin (ID 34149718)
Take the hit.  Learn to use Digital Certificate Manager.  Stay with the SSL.  After you get a certificate you can use the same one for web applications.  The VPN will just bring in more user IDs and passwords to keep up with.  

Steve Bowdoin

Author Comment by: DCS12 (ID 34150064)
Could someone point me to an SSL how-to, or would anyone want to set it up for me while showing me?  For a fee of course.

Author Closing Comment by: DCS12 (ID 34154620)
Thanks for the input everyone.  If anyone would be interested in assisting me in "taking the hit" on learning DCM & SSL.  Feel free to contact me.  cwhitein at hotmail

Thanks again.

Expert Comment by: mkc451 (ID 34154789)
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahh/sslreq.htm

This is the link to the IBM docs ... it's V5R3, but it's pretty much the same.

Mike Cody