On Tue, 3 Dec 2002, Booth Martin wrote:
>
>  Why?  Is the AS/400 the only internet machine in the World unable to cope
> with Port 23???  All the other folks do just fine with it (except maybe
> Microsoft).

Huh?

The problem has nothing to do with the operating system.  It has to do
with the Ethernet protocol and the TCP/IP protocol.  You see, when data
travels on an ethernet network, it travels in packets.  Each packet is
broadcast across the entire network, and every single computer on the
network sees each packet.   In the packet is an address, and supposedly,
each computer will ignore any packet not addressed for its own address.

For the sake of being able to troubleshoot a network and network software,
it's possible to write/run software called a 'sniffer' which reads every
packet on the network, and displays its contents to the network tech
who needs to troubleshoot it.

So...  If I use an ethernet network to log on to my AS/400, someone else
on the same network can run a sniffer.  He can see the data I'm sending
to the AS/400, including my user name and password.  Also including any
private/confidential business information.

Now, to make things worse, we add TCP/IP to the mix.

TCP/IP is an 'internetworking' protocol.  That's where the term 'internet'
comes from.   The idea is, you take many networks, and on each of these
networks you put a 'gateway' which picks up the packets on one network,
and copies it out to another network.  By following 'routes' you can send
packets from network to network to network until they've gone across the
globe.

Okay...  now you're beginning to see the problem.  Not only can someone on
your network see everything you're sending to/from your AS/400, but ALSO,
everyone on any network in-between can sniff your packets, watch the data
you're sending, etc.

On top of that, if there are any security flaws in any of those networks
that are in between, then hackers who weren't supposed to have access to
your data can use those flaws to set up sniffers on those networks.

So, what's special about port 23?  Nothing.  Port 21 (FTP) is just as
vulnerable.  Port 110 (POP3) is just as vulnerable.   The big difference
with port 23 is that once you've logged on with TELNET (or TN5250, which
is just a specialized version of TELNET), you can do ANYTHING.  Run
commands, write software, change settings... it's all at your fingertips.

But, really, FTP or POP3 isn't much better, because once you've got the
passwords, you can use them anywhere.

> I've worked with two iSeries machines that were on the
> internet for over 5 years with zero troubles.  They were taken off the net
> because the Windows Network people were plagued with viruses and all sorts
> of disasters.  The Microsoft experts came in and as a part of the fix to the
> Windows problems they pronounced that the iSeries was a wide open threat and
> thank God they'd showed up in time!!
>

Microsoft Networking uses encrypted passwords.  The encryption is piss
poor.  The coding has lots of holes in it so that you don't really need
the passwords in the first place, you can just exploit the bugs.  It's not
very well done, but at least it uses encryption.

Nobody who really understands how computers work will ever have Microsoft
Networking accessible from outside the LAN.

However, once the bugs have been fixed, it's more secure than opening up
TELNET to the world.

There are many ways to deal with this problem.  VPN is one of them,
perhaps the most complicated one, and IMHO, not the best one.

Another one, one that's natively available on your iSeries is ssl-telnet.
SSL does two things: (1) it encrypts the session in a way that's difficult
(but not impossible) to crack; (2) it uses cryptographically secure
certificates to identify each end of the connection, so that you can
verify that you're dealing with who you think you are.

This means that, when set up correctly, SSL can be used to only allow
clients to connect that have the correct certificates, so even if they've
cracked the encryption and know your password, they still can't connect
to use it.

Another similar solution is SSH (Secure Shell).  Most of the Open Source
Unix-like OSes use this to keep their logins secure.  I know that FreeBSD
now ships with TELNET disabled by default, and SSH enabled.  SSH has its
own file transfer capability so that you don't need to use FTP, and it has
the ability to tunnel other ports in its encrypted data streams, so you
can use it for other protocols as well.  Unfortunately, OS/400 doesn't have
SSH support.

This statement really irks me:

> I've worked with two iSeries machines that were on the
> internet for over 5 years with zero troubles.

This is like saying "I went five years without any health insurance or
other coverage, and I never got sick!"  Or "I drove my motorcycle without
a helmet for 5 years, and I never got hurt!"

You were lucky.  That doesn't mean it should be recommended.
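The post's point is that port 23 is nothing special: TELNET/TN5250, FTP and POP3 all carry the password in the clear, and the exposure grows with every network the packets cross. A defender's first step is to find such sessions. The script below is an added example written for this archive page, not code from the thread or from IBM; it audits constructed connection records (the `src dst port` line format and the LAN ranges are assumptions), flags the cleartext login protocols the post names, and separates sessions confined to the LAN from those that cross the internet, naming the TLS or SSH replacement for each.

```python
"""Flag cleartext login protocols that cross a network boundary.

Added example (not from the midrange.com thread): scans constructed
connection records for TELNET/TN5250, FTP and POP3 sessions and reports
those whose peer is outside the local LAN, where anyone on an intermediate
network could read the session.  Port numbers and the encrypted
alternatives are the standard IANA assignments; the record format and the
LAN ranges below are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass

# Cleartext services named in the thread, with the encrypted replacement a
# defender would move to.  Port 992 is TELNET over TLS (the 'ssl-telnet' the
# post mentions), 990 is FTP over TLS, 995 is POP3 over TLS, 22 is SSH.
CLEARTEXT = {
    23:  ("telnet", "telnet-ssl (992) or ssh (22)"),
    21:  ("ftp",    "ftps (990) or sftp over ssh (22)"),
    110: ("pop3",   "pop3s (995)"),
}

# Assumed: the address ranges an administrator considers 'inside the LAN'.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    service: str
    exposure: str   # "lan": sniffable on one network; "internet": on every hop
    fix: str


def parse_record(line):
    """Parse a constructed 'src dst port' record; return None for malformed input."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return (ipaddress.ip_address(parts[0]),
                ipaddress.ip_address(parts[1]),
                int(parts[2]))
    except ValueError:
        return None


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def audit(records):
    """Return one Finding per cleartext login session in the records."""
    findings = []
    for line in records:
        parsed = parse_record(line)
        if parsed is None:
            continue            # skip junk rather than abort the whole audit
        src, dst, port = parsed
        if port not in CLEARTEXT:
            continue            # encrypted or unrelated service, nothing to report
        service, fix = CLEARTEXT[port]
        exposure = "lan" if is_local(src) and is_local(dst) else "internet"
        findings.append(Finding(str(src), str(dst), port, service, exposure, fix))
    return findings


# Constructed sample records (documentation-range addresses, not real hosts).
SAMPLE = [
    "192.168.1.20 192.168.1.5 23",    # TN5250 from the LAN: readable on the LAN only
    "203.0.113.7 192.168.1.5 23",     # TELNET from the internet: readable on every hop
    "198.51.100.9 192.168.1.5 21",    # FTP from outside: same password, same problem
    "192.168.1.30 192.168.1.5 22",    # SSH: encrypted, not reported
    "garbage line",                   # malformed record, skipped
]


def summary(records=SAMPLE):
    """Count findings by exposure; the internet-facing ones are the urgent fixes."""
    found = audit(records)
    return {
        "internet": sum(1 for f in found if f.exposure == "internet"),
        "lan": sum(1 for f in found if f.exposure == "lan"),
    }


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.service:6} {f.src} -> {f.dst}:{f.port} [{f.exposure}] move to {f.fix}")
    print(summary())
```

Feeding the script real connection records (for example, from a firewall or flow log converted to the assumed three-field format) gives an inventory of every place a password still travels unencrypted; the `internet` findings are the ones the post's argument says to fix first, and the `lan` findings are the ones that remain readable by anyone who can run a sniffer on that segment.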
