That's a good solution for a few users, but for more than that I would have to purchase another CPU or a zIIP to offload the IPSec work. It's one problem or another; you have to decide which one you want to deal with.

Steve Finch
EDS

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: Thursday, August 27, 2009 9:03 AM
To: [email protected]
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable

On Wed, 26 Aug 2009 13:26:44 -0400, Finch, Steve <[email protected]> wrote:

>Most VPNs do not encrypt the connection from endpoint to endpoint, which
>is what PCI requires. The VPN would need to start on the mainframe
>and go all the way to the PC. Most VPNs run on an appliance (server), a
>hop away from the mainframe. The "last hop' blows' the PCI

So use the VPN technology that's built-in to z/OS (IPSec), and forego using an external appliance.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

