>
> 2)  I don't know about your cable ISP, but the cable provider here did not
> think too much about security when they engineered things.  Be very careful
> with what ports you open up.  Of course the best way to handle this would be
> to implement a VPN.  But if you are trying to do this cheap I would
> recommend writing a telnet exit program that authenticates users.  This way
> you can check their user id (it is passed if they use a TN5250e compliant
> telnet client and use auto sign-on) to see if they are on a list.  Since
> non-TN5250e telnet clients don't pass this info, the AS/400 will close the
> connection even before it would display a sign on screen.  This can help
> protect you from hackers, since the vast majority out there won't be using
> this kind of telnet client.
>

So, you're saying you'd allow anyone willing to download a freely
available TN5250e client hack into your system with impunity?

I don't know about your ISP, but my cable modem provider treats all
of the traffic as an ethernet LAN.  So, I could run a network sniffer on
my PC, and read all of the data being transmitted to any other PC on the
LAN segment that I'm on.

This means, that with your exit-program security, all I'd have to do is
run a network sniffer.   I'd quickly see that you're sending TN5250e
traffic.  If I ran it long enough, eventually I'd see you do a sign-on,
and I'd know your username & password (since they're usually sent in clear
text) and then I could either download a free TN5250e client, or I could
simply send the same network data that I had sniffed, and connect with a
normal telnet client.   In either case, I'd be logged on to your AS/400
as you, and able to do whatever I liked.

A much, much, better solution is to use the security features of the
iSeries to protect yourself:

      1) Only allow connections on port 992 (SSL enabled telnet) to get
           through your firewall to your iSeries.

      2) Assign each user a certificate that was generated on your
           iSeries, and signed by your iSeries's certificate authority.

      3) Only allow connections from TN5250e clients that present a
           certificate that was generated by your certificate authority.

Now, instead of just sniffing your network traffic, I'd have to break
128-bit encryption to get your user-id and password.  Once I've done that,
I'd still have to break a 2048 bit certificate in order for your system
to allow me to connect.

And you can set this up for next-to-nothing.

The open-source TN5250 client supports client certificates, and costs
nothing to use:
http://tn5250.sourceforge.net

The AS/400 comes with SSL, and the digital certificate manager, so there's
no extra charges there.
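Steps 2 and 3 above amount to mutual TLS with a private CA: the server will not get past the handshake, let alone to a sign-on screen, unless the client presents a certificate issued by that CA. The Go program below is an added illustration of that gate; it is not code from the post, from IBM, or from the TN5250 project. It stands in a throwaway CA for the iSeries's certificate authority, a loopback TLS listener for the SSL telnet service, and constructed names ("iSeries local CA", "USER1", "foreign CA") for the certificates, and it uses only Go's standard library. Step 1 (the firewall rule admitting only port 992) is outside what the program can show.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert makes a key and certificate for cn. parent == nil yields a self-signed CA (standing in
// for the iSeries's own CA); otherwise a leaf signed by parent, one per user. Also returns the
// tls.Certificate form a client or server config needs. Setup failures are fatal in this demo.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // so the client can verify the loopback server
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Connect runs one TLS handshake over loopback TCP. The server demands a client certificate chaining
// to ca (the post's step 3) before anything else; clientCert == nil plays a client with none to offer.
func Connect(ca *x509.Certificate, server tls.Certificate, clientCert *tls.Certificate) error {
	pool := x509.NewCertPool() // only certificates issued by our own CA will pass
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			s := tls.Server(raw, srvCfg)
			err = s.Handshake()
			s.Close()
		}
		srvErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	c := tls.Client(raw, cliCfg)
	cliErr := c.Handshake()
	srvRes := <-srvErr // the server's verdict is the one that matters
	c.Close()
	if srvRes != nil {
		return srvRes
	}
	return cliErr
}

// Demo reports which of three clients the server lets in: a user certificate issued by our CA,
// no certificate at all, and a certificate for the same user name from someone else's CA.
func Demo() (issuedOK, noCertOK, foreignOK bool) {
	ca, caKey, _ := newCert("iSeries local CA", nil, nil)
	_, _, server := newCert("iSeries telnet", ca, caKey)
	_, _, user := newCert("USER1", ca, caKey)
	otherCA, otherKey, _ := newCert("foreign CA", nil, nil)
	_, _, foreign := newCert("USER1", otherCA, otherKey)
	issuedOK = Connect(ca, server, &user) == nil
	noCertOK = Connect(ca, server, nil) == nil
	foreignOK = Connect(ca, server, &foreign) == nil
	return
}
```

Demo() comes back true, false, false: the user holding a certificate from our CA gets through, while a client with no certificate and a client whose certificate for the same user name was issued elsewhere are both refused during the handshake, before any user id or password has been typed. That refusal happens in the TLS layer regardless of what the telnet client behind it is, which is the difference from an exit program that only looks at the user id a cooperative client chooses to send.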

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].