On Wed, 30 Apr 2008 17:49:57 +0900, Timothy Sipples 
<[EMAIL PROTECTED]> wrote:

The following comments probably apply only to paranoid shops like
mine, but I want to point out some possible stumbling blocks to 
implementing Timothy's suggestion. 

>... And the key -- no pun intended -- is to communicate well with users 
>and explain the benefits to *them*.
>...

Except, of course, this may be being done because of a dictate (a 
very reasonable dictate, but a dictate nonetheless) of a corporate
security department which doesn't give a rat's tush how this affects
the end user (where "end user" in this case is internal, not an
external customer).  And those end users know it.  Sympathy rather
than a sales pitch may be more appropriate. 

>... I think end users find it easier to figure out how to switch 
>IP addresses instead of ports ...

Unless the end user's PC is a locked down configuration pushed down
by a corporate software distribution system.  IP addr or port - it's
all the same.  They click on the little icon and get connected (or not).


>You would also start to insert a warning message on the unencrypted
>address/port which gets progressively more urgent.  ...
>message is an extra line or two on the first screen ("GREAT NEWS! 
>We are enhancing our company's security.  ...

... and you are one of the initial victims.

I guess this could be implemented using the Tn3270 server's 
"MSG10", but this would break company-approved screen-scraper 
applications like those using HATS.   


>then there might be an interstitial screen that everybody sees and 
>must acknowledge (and which breaks those logon macros with 
>hardcoded clear text user passwords -- a feature, not a bug :-)), ...

Just as fatal to screen-scrapers as the previous step, but much 
harder to implement.  A default Tn3270 application that then has to
simulate the Tn3270 server's USS processing.  (No! Not Unix System
Services!)  That would be a seriously royal pain to implement 
cleanly.

>then some particularly sensitive application
>functions removed (like displaying somebody's Social Security 
>number over an unencrypted connection), 

And now the USS simulator and possibly a session manager has
to be sensitive to the port and/or IP address used to reach the 
Tn3270 server?  Not bloody likely, I'm afraid.  It can be done, of
course, if the LU name used can be mapped to the port/addr,
but this is starting to be a real kludge.

>and finally retiring the connection completely
>with only a single screen presented announcing the end of that 
>access and how to reestablish access. ...

That, at least, is fairly simple. 

>...
>But whatever path you choose, I want to reiterate that it's critical to
>work very closely with the users, understand their needs, and clearly
>articulate why this move is good for them. I find that we IT people too
>often forget to do that.
>...

In preparation for a very trivial change to our session manager 
configuration we thought it would be good to warn our Tn3270 
end users, but were concerned about the logistics of notifying 
somewhere between 40,000 and 50,000 (some of which are likely
silicon-based, rather than carbon-based life forms).  We discovered 
we are not allowed to contact them.  We get to notify our friends in 
our off-shore call-centers; they will helpfully explain everything to
the end users that run into trouble.

Sometimes reality gets in the way of simple plans.

Pat O'Keefe 
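As an added example that is not part of this thread (it is not Pat's, Timothy's, or any TN3270 server's code), here is a small Python sketch of the two pieces of logic the discussion turns on: classify each session by the server port it arrived on (the LU-name-to-port/address mapping Pat mentions), report which clients are still on the cleartext port so the scripted "silicon-based" users can be found before the cut-over, and compute which of the progressively stricter measures apply to a cleartext session in each migration step. The log record layout, the port numbers (23 for cleartext, 992 for TLS) and the phase names are assumptions made for the example.

```python
"""Inventory TN3270 sessions by port and apply a phased cleartext-retirement policy.

Added example for this discussion; it is not the TN3270 server's code and
not any poster's. The record format, port numbers and phase names are
assumptions constructed for the example.
"""
from collections import Counter

# Assumed listener ports: 23 for the cleartext TN3270 port, 992 for
# TN3270 over TLS. Any other port is treated as cleartext (fail-safe).
PORT_SECURITY = {23: "cleartext", 992: "tls"}

# The migration steps from the thread, in order. Each phase keeps the
# measures of the phases before it.
PHASES = ["announce", "banner", "interstitial", "restricted", "retired"]

# Constructed connection log (not a real server format): LU name, client IP, server port.
SAMPLE_LOG = """\
# lu_name   client_ip    server_port
TCPM0001    10.1.2.3     23
TCPM0002    10.1.2.4     992
TCPM0003    10.1.7.9     23
TCPM0004    10.1.2.4     992
TCPM0005    192.0.2.10   23
TCPM0006    10.1.7.9     23
"""


def parse_log(text):
    """Parse 'lu ip port' lines, skipping blank lines and # comments."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lu, ip, port = line.split()
        sessions.append({"lu": lu, "ip": ip, "port": int(port)})
    return sessions


def security_of(session):
    """Map the server port a session arrived on to its security class."""
    return PORT_SECURITY.get(session["port"], "cleartext")


def measures_for(session, phase):
    """Return the list of measures applied to a session in the given phase."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    if security_of(session) == "tls":
        return []  # encrypted sessions are never affected
    step = PHASES.index(phase)
    if step == PHASES.index("retired"):
        return ["refuse_with_notice"]  # single screen, then disconnect
    measures = []
    if step >= 1:
        measures.append("banner")  # extra lines on the first screen
    if step >= 2:
        measures.append("acknowledge_screen")  # interstitial everyone must pass
    if step >= 3:
        measures.append("hide_sensitive_fields")  # e.g. no SSN over cleartext
    return measures


def cleartext_report(sessions):
    """Summarise who is still on the cleartext port.

    Returns (counts per security class, cleartext session count per client IP)
    so the migration team can see which clients, scripted ones included,
    have not moved yet.
    """
    counts = Counter(security_of(s) for s in sessions)
    per_client = Counter(s["ip"] for s in sessions
                         if security_of(s) == "cleartext")
    return counts, per_client


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    counts, per_client = cleartext_report(sessions)
    print("sessions by class:", dict(counts))
    print("cleartext sessions per client:", dict(per_client))
    for s in sessions:
        print(s["lu"], s["port"], measures_for(s, "interstitial"))
```

Running the block as-is prints the class counts, the per-client cleartext tally (a client with many cleartext sessions and no TLS ones is a good candidate for being a script rather than a person), and the measures each sample session would see in the "interstitial" phase.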

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html