|
Hi ChrisI just found that doing remote support and having to specify a named device made
things more difficult without adding any value that I could see. In the past I have used the Telent exit programs to allocate a device name based on the IP Address (and in the process refused access to requests from IP addresses and ranges that were not permitted to access the network)) The major drawback in my opinion is having access to a telnet that allows a device name to be passed. On a very few occasions I have even ended up using the MS Telnet client when in a hole and this is preferable IMO at least to being in a position where I would have to download and install mocha or something else to allow me access to the ability to name the device.It seems to me that if someone knew the appropriate IP addresses and was able to obtain a usable certificate to access your system then the name of the device would
be a minor additional detail...That said, I recognise that there is a price to be paid for security and that part of that is convenience, so I guess I could live with device naming in your environment
especially if it helps the auditors "move on" ;)As an aside, if I was doing it again I would be tempted to go down the path of running the external telnet over SSH, at least for support staff. I haven't done more with this
idea than get Telent running across an ssh connection.I've used a variation of the routing entry approach when running multiple QINTERS
to disallow/allow access to the system. In this case QINTER merely provided theworkstation allocation/entry screen. All jobs were routed to the appropriate subsystem after signon and no-one actually worked in QINTER which made ending and starting
application access (for green screens at least) fairly straightforward. Regards Evan Harris At 04:29 a.m. 8/02/2006, you wrote:
That works but here we us named devices and restrict access to devices using group profiles. We are phasing out QPADEV* devices since we have created an internet access to our green screens. For security you have to 1. have a valid device name, 2. have access to that device, 3. have an SSL client that will accept our self signed certificate, 4. have your IP registered in our telnet exit point database. 5. have your user ID in our telnet exit point database flagged as remote access allowed. Hey we don't want just anyone to get a signon screen. Ok we are phasing this in, almost there. But I do like your routing idea. By the way we run multiple interactive subsystems do to the old performance limitations of QINTER. With new hardware we probably do not need to, but old habits die hard. ( And I can kick off those pesky departments who want to work while we try to back up their data. ) Christopher Bipes Information Services Director CrossCheck, Inc.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.