IMHO: Data has to flow in the open over a network from the host to get to the VPN appliance (firewall). During that transit, the data can be readily viewed by suitable network diagnostic tools.
Indeed, it would be reasonable to assume that the data would take a couple of hops in the internal network before it arrived at the VPN appliance. Each of those hops would be a router/firewall that would include diagnostic tools specifically designed to view the data.

As best as I can tell, full compliance means that the data is not ever viewable except on the source and target hosts. While TLS or SSH protect the host to host link, that's just not good enough when there are Windows machines and the Wild Wild Web in the mix. That's where a VPN solution makes good sense.

So, the current state of the technology would seem to suggest that TLS/SSH be used to protect the data, and a VPN used to protect the network.

Of course, network topologies, individual shops' requirements, and your mileage may vary. :-)

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: Wednesday, August 26, 2009 11:03 AM
To: [email protected]
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable

On Tue, 25 Aug 2009 16:13:28 -0500, Hal Merritt <[email protected]> wrote:

>VPN is a good solution, but not PCI compliant. You shouldn't have sensitive data flowing over a network in the open. Period. You would use VPN to gain access to the network, but layer another solution such as TLS on top.

I don't understand that comment, Hal. VPN technology and solutions certainly include encryption of the data that flows over the network. You don't need TLS or SSH or some other added encryption on top of it.
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

