On Tue, 3 Dec 2002, Booth Martin wrote:
>
> Why? Is the AS/400 the only internet machine in the World unable to cope
> with Port 23??? All the other folks do just fine with it (except maybe
> Microsoft).

Huh? The problem has nothing to do with the operating system. It has to do with the Ethernet protocol and the TCP/IP protocol.

You see, when data travels on an Ethernet network, it travels in packets. Each packet is broadcast across the entire network, and every single computer on the network sees each packet. In the packet is an address, and supposedly, each computer will ignore any packet not addressed to its own address.

For the sake of being able to troubleshoot a network and network software, it's possible to write/run software called a 'sniffer' which reads every packet on the network, and displays its contents to the network tech who needs to troubleshoot it.

So... If I use an Ethernet network to log on to my AS/400, someone else on the same network can run a sniffer. He can see the data I'm sending to the AS/400, including my user name and password. Also including any private/confidential business information.

Now, to make things worse, we add TCP/IP to the mix. TCP/IP is an 'internetworking' protocol. That's where the term 'internet' comes from. The idea is, you take many networks, and on each of these networks you put a 'gateway' which picks up the packets on one network, and copies them out to another network. By following 'routes' you can send packets from network to network to network until they've gone across the globe.

Okay... now you're beginning to see the problem. Not only can someone on your network see everything you're sending to/from your AS/400, but ALSO, everyone on any network in between can sniff your packets, watch the data you're sending, etc.

On top of that, if there are any security flaws in any of those networks that are in between, then hackers who weren't supposed to have access to your data can use those flaws to set up sniffers on those networks.

So, what's special about port 23? Nothing. Port 21 (FTP) is just as vulnerable. Port 110 (POP3) is just as vulnerable. The big difference with port 23 is that once you've logged on with TELNET (or TN5250, which is just a specialized version of TELNET) you can do ANYTHING. Run commands, write software, change settings... it's all at your fingertips. But, really, FTP or POP3 isn't much better, because once you've got the passwords, you can use them anywhere.

> I've worked with two iSeries machines that were on the
> internet for over 5 years with zero troubles. They were taken off the net
> because the Windows Network people were plagued with viruses and all sorts
> of disasters. The Microsoft experts came in and as a part of the fix to the
> Windows problems they pronounced that the iSeries was a wide open threat and
> thank God they'd showed up in time!!
>

Microsoft Networking uses encrypted passwords. The encryption is piss poor. The coding has lots of holes in it so that you don't really need the passwords in the first place, you can just exploit the bugs. It's not very well done, but at least it uses encryption. Nobody who really understands how computers work will ever have Microsoft Networking accessible from outside the LAN. However, once the bugs have been fixed, it's more secure than opening up TELNET to the world.

There are many ways to deal with this problem. VPN is one of them, perhaps the most complicated one, and IMHO, not the best one.

Another one, one that's natively available on your iSeries, is ssl-telnet. SSL does two things: (1) it encrypts the session in a way that's difficult (but not impossible) to crack. (2) It uses cryptographically secure certificates to identify each end of the connection, so that you can verify that you're dealing with who you think you are. This means that, when set up correctly, SSL can be used to only allow clients to connect that have the correct certificates, so even if they've cracked the encryption and know your password, they still can't connect to use it.

Another similar solution is SSH (Secure Shell). Most of the Open Source Unix-like OSes use this to keep their logins secure. I know that FreeBSD now ships with TELNET disabled by default, and SSH enabled. SSH has its own file transfer capability so that you don't need to use FTP, and it has the ability to tunnel other ports in its encrypted data streams, so you can use it for other protocols as well. Unfortunately, OS/400 doesn't have SSH support.

This statement really irks me:

> I've worked with two iSeries machines that were on the
> internet for over 5 years with zero troubles.

This is like saying "I went five years without any health insurance or other coverage, and I never got sick!" Or "I drove my motorcycle without a helmet for 5 years, and I never got hurt!"

You were lucky. That doesn't mean it should be recommended.
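The post's point is that a sniffer on any network in the path can read a Telnet, FTP or POP3 login, while ssl-telnet (TLS) or SSH hides it. As an added example that is not part of the original message, the audit below takes captured TCP flows and reports which ones expose a login in cleartext; the payloads are constructed samples, the Telnet option constants are from RFC 854, and the TLS record and SSH banner checks are the ordinary protocol headers.

```python
"""Audit captured TCP flows for cleartext login exposure.
Added example, not code from the original mailing-list post. All payloads
below are constructed samples, not real captures. Ports are IANA defaults;
992 is telnets (the TLS-wrapped Telnet the post calls ssl-telnet).
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}          # WILL, WONT, DO, DONT
CLEARTEXT_LOGIN_PORTS = {21: "FTP", 23: "Telnet/TN5250", 110: "POP3"}

def strip_telnet_options(data: bytes) -> bytes:
    """Drop Telnet IAC negotiation so the user-visible text can be inspected."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] in OPTION_CMDS:
            i += 3                                # IAC <cmd> <option>
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i)  # skip subnegotiation to IAC SE
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                # IAC <cmd>, incl. escaped 0xFF
    return bytes(out)

def classify_flow(dst_port: int, payload: bytes) -> str:
    """Return a verdict: can a sniffer read the login carried on this flow?"""
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "encrypted (TLS handshake)"       # record type 22, version 3.x
    if payload.startswith(b"SSH-"):
        return "encrypted (SSH)"
    service = CLEARTEXT_LOGIN_PORTS.get(dst_port)
    if service is None:
        return "unclassified"
    text = strip_telnet_options(payload) if dst_port == 23 else payload
    exposed = b"PASS " in text or b"password" in text.lower()
    return f"cleartext {service}" + (" with credentials exposed" if exposed else "")

def audit(flows):
    """Summarise a list of (dst_port, payload) pairs as (port, verdict)."""
    return [(port, classify_flow(port, payload)) for port, payload in flows]

SAMPLE_FLOWS = [  # constructed, not captured traffic
    (23, b"\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0"
         b"Sign On\r\nUser . . . : jdoe\r\nPassword . . : s3cret\r\n"),
    (992, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
    (21, b"USER jdoe\r\nPASS s3cret\r\n"),
    (110, b"+OK POP3 server ready\r\n"),
    (22, b"SSH-2.0-example_1.0\r\n"),
]
```

Running `audit(SAMPLE_FLOWS)` flags the port 23 and port 21 flows as exposing credentials, while the 992 and 22 flows are opaque to the sniffer, which is the contrast the post draws between plain Telnet and ssl-telnet or SSH.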
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.