Your management has been misinformed. Many argue that TLS is the more secure.  

Perhaps that's why you see a lot of free SSH ports, but not many free TLS 
ports. And yet TLS (certificate based authentication and encryption) is 
everywhere. 

Just one issue I've noted is that SSH stows its private/secret keys in the open 
in ordinary files. TLS uses the RACF database or the ICF. 

Use of 'man in the middle' servers may not be PCI compliant, or, if they are, 
may not be so for long. Seems that MITM servers may be a soft target and become 
a popular attack vector. 

VPN is a good solution, but not PCI compliant. You shouldn't have sensitive 
data flowing over a network in the open. Period. You would use VPN to gain 
access to the network, but layer another solution such as TLS on top. 

HTH and good luck. 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
John Mattson
Sent: Tuesday, August 25, 2009 3:25 PM
To: [email protected]
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable

EXCELLENT Question.   The kind of insight I need here. 
        We use Rumba, running on a Windows server to allow 3270 type 
communication from users on Windows boxes who need to access our zOS 
system, TSO, CICS, and some VTAM apps. 
Problem is that PCI and JSOX do not think this is secure... and it is 
certainly not secure enough.  Users are on our internal net, or coming in 
thru VPN to our internal net, firewalls on the network, not zOS. 
        Management seems to believe that SSL is not sufficient, they must 
have SSH and I am working on getting IBM Ported Tools installed.  Just 
where the TN3270 would go, server or user PC... etc, most everything is up 
in the air at this point. 
         I am also looking at what is involved in putting a firewall on 
zOS, and frankly, I am WAY over my head. 



"Patrick O'Keefe" <[email protected]> 
Sent by: IBM Mainframe Discussion List <[email protected]>
08/25/2009 12:43 PM
Please respond to: IBM Mainframe Discussion List <[email protected]>
Expire Date: 08/25/2011
To: [email protected]
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable


On Tue, 25 Aug 2009 10:35:18 -0700, John Mattson 
<[email protected]> wrote:
> ...       Management ... now wants a SSH based 3270 emulation for 
> accessing mainframe TSO, CICS, and such apps.  ...

> Uh, something I've missed in the thread so far: What are you going to 
> talk to?  Does some vendor produce an SSH-based Tn3270 server?  Or are you 
> going to talk with some server that includes a Tn3270 client that then 
> connects to the local z/CS Tn3270 server?  (Maybe something sort of like 
> HATS except with some special SSH client rather than a browser.)  Or 
> something else I can't envision?

> It looks to me like somebody has tried to define a solution rather 
> than defining the problem and then looking for solutions that address it.

> Pat O'Keefe


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html