× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2006

RE: Technical and Philosophy

Hi Chris
I just found that doing remote support and having to specify a named device made 
things more difficult without adding any value that I could see.

In the past I have used the Telent exit programs to allocate a device name
based on the IP Address (and in the process refused access to requests
from IP addresses and ranges that were not permitted to access the network))

The major drawback in my opinion is having access to a telnet that allows a
device name to be passed. On a very few occasions I have even ended up using
the MS Telnet client when in a hole and this is preferable IMO at least to
being in a position where I would have to download and install mocha or
something else to allow me access to the ability to name the device.
It seems to me that if someone knew the appropriate IP addresses and was able to obtain a usable certificate to access your system then the name of the device would 
be a minor additional detail...
That said, I recognise that there is a price to be paid for security and that part of that is convenience, so I guess I could live with device naming in your environment 
especially if it helps the auditors "move on" ;)
As an aside, if I was doing it again I would be tempted to go down the path of running the external telnet over SSH, at least for support staff. I haven't done more with this 
idea than get Telent running across an ssh connection.
I've used a variation of the routing entry approach when running multiple QINTERS 
to disallow/allow access to the system. In this case QINTER merely provided the
workstation allocation/entry screen. All jobs were routed to the appropriate subsystem after signon and no-one actually worked in QINTER which made ending and starting 
application access (for green screens at least) fairly straightforward.

Regards
Evan Harris

At 04:29 a.m. 8/02/2006, you wrote:

That works but here we us named devices and restrict access to devices
using group profiles.  We are phasing out QPADEV* devices since we have
created an internet access to our green screens.  For security you have
to 1. have a valid device name, 2. have access to that device, 3. have
an SSL client that will accept our self signed certificate, 4. have your
IP registered in our telnet exit point database. 5. have your user ID in
our telnet exit point database flagged as remote access allowed.

Hey we don't want just anyone to get a signon screen.  Ok we are phasing
this in, almost there.

But I do like your routing idea.  By the way we run multiple interactive
subsystems do to the old performance limitations of QINTER.  With new
hardware we probably do not need to, but old habits die hard.  ( And I
can kick off those pesky departments who want to work while we try to
back up their data. )

Christopher Bipes
Information Services Director
CrossCheck, Inc.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.