Re: SSL to printers

2008-05-20 Thread Rick Fochtman

> You are fortunate.
>
> The audits I worry about are coming in waves from the outside. There is little or no opportunity to form a partnership. Even when you accomplish that, there is a whole new set next time.
>
> To be fair, most of their points are well taken. You have to admit that any time data flows in the open is something of an exposure.
>
> Trying to stay up with business needs while trying to guess what will be an
> issue is, well, interesting ;-)

Our criteria were simple: do we care if it appears on the front page of 
the paper tomorrow? If not, don't bother with securing it. Some things, 
like futures delivery dates, options expiration dates, etc. were public 
anyway, so why waste the cycles encrypting them. Other data, like 
traders' positions, were highly sensitive and were treated like national 
defense secrets. So we knew that auditors had to know the business, as 
well as IT security practices.


Sometimes you're the dog; sometimes you're the hydrant. :-)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



Re: SSL to printers

2008-05-20 Thread Hal Merritt
You are fortunate. 

The audits I worry about are coming in waves from the outside. There is
little or no opportunity to form a partnership. Even when you accomplish
that, there is a whole new set next time.  

To be fair, most of their points are well taken. You have to admit that
any time data flows in the open is something of an exposure. 

Trying to stay up with business needs while trying to guess what will be
an issue is, well, interesting ;-)



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Fochtman
Sent: Tuesday, May 20, 2008 11:21 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: SSL to printers
 
We've had some long and involved discussions about auditors. (Check the 
archives.) The better they are educated, the more cooperative and 
understanding they're likely to be. Help them learn and understand and 
the benefits will far outweigh the problems, both long term and short
term.

 




Re: SSL to printers

2008-05-20 Thread Ed Finnell
 
In a message dated 5/20/2008 9:34:43 A.M. Central Daylight Time,
[EMAIL PROTECTED] writes:

> Talking about prices, sometimes it is perfectly sufficient to use
> network equipment "security features". Transmission outside the
> buildings is encrypted (ROT), if you need encryption inside as well
> (really? do you?), then you can use the same means. It should be much
> cheaper than anything on mainframe ;-)

It may be that it's a larger 'feature' than printing. With a print server you
can set up ICSL for transfer or viewing and unload the software costs from
the 'big-iron'. The folks at www.leadtools.com (http://www.leadtools.com)
are pretty experienced in many aspects of imaging. Their main product
is ePrint. It's a print server that runs on a Linux box. It was cheaper to
convert than upgrade MF software.










Re: SSL to printers

2008-05-20 Thread Rick Fochtman

> That used to be true, but a recent alleged breach has cast some shadows
> over that strategy. The reported breach may have been some malicious
> logging software on one of those intermediary servers.
>
> And, yes, some of us are being 'asked' to encipher everything, inside
> and out.
>
> Once the auditors figure things out, I'd guess that full path
> enciphering (endpoint to endpoint) may be the minimum acceptable. Which
> presents other issues that may need more exotic malware countermeasures.
>
> But that is just speculation on my part.

We've had some long and involved discussions about auditors. (Check the 
archives.) The better they are educated, the more cooperative and 
understanding they're likely to be. Help them learn and understand and 
the benefits will far outweigh the problems, both long term and short term.





Re: SSL to printers

2008-05-20 Thread Hal Merritt
That used to be true, but a recent alleged breach has cast some shadows over 
that strategy. The reported breach may have been some malicious logging 
software on one of those intermediary servers.

And, yes, some of us are being 'asked' to encipher everything, inside and out. 

Once the auditors figure things out, I'd guess that full path enciphering 
(endpoint to endpoint) may be the minimum acceptable. Which presents other 
issues that may need more exotic malware countermeasures. 

But that is just speculation on my part.  

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of R.S.
Sent: Tuesday, May 20, 2008 9:32 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: SSL to printers

David Boyes wrote:
> 
> Or use NJE over IP to connect to a Linux guest or outboard system, and
> use IPP from there. Simple to implement, minimal impact on z/OS cycles
> (either use an IFL or an outboard Intel or other Unix box), and much
> less expensive than LRS or the others mentioned. Also gives you easy fax
> implementation and PDF creation for archival. 

Talking about prices, sometimes it is perfectly sufficient to use 
network equipment "security features". Transmission outside the 
buildings is encrypted (ROT), if you need encryption inside as well 
(really? do you?), then you can use the same means. It should be much 
cheaper than anything on mainframe ;-)

-- 
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl



Re: SSL to printers

2008-05-20 Thread R.S.

David Boyes wrote:

> Or use NJE over IP to connect to a Linux guest or outboard system, and
> use IPP from there. Simple to implement, minimal impact on z/OS cycles
> (either use an IFL or an outboard Intel or other Unix box), and much
> less expensive than LRS or the others mentioned. Also gives you easy fax
> implementation and PDF creation for archival.


Talking about prices, sometimes it is perfectly sufficient to use 
network equipment "security features". Transmission outside the 
buildings is encrypted (ROT), if you need encryption inside as well 
(really? do you?), then you can use the same means. It should be much 
cheaper than anything on mainframe ;-)


--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl



SSL to printers

2008-05-20 Thread David Boyes
> Many printer vendors support IPP (Internet Printing Protocol).  It
> supports HTTPS to encrypt the data.  I am not sure which, if any,
> mainframe printing products support the protocol.

 

Or use NJE over IP to connect to a Linux guest or outboard system, and
use IPP from there. Simple to implement, minimal impact on z/OS cycles
(either use an IFL or an outboard Intel or other Unix box), and much
less expensive than LRS or the others mentioned. Also gives you easy fax
implementation and PDF creation for archival. 

 

 





Re: SSL to Printers

2008-05-19 Thread Steve Bireley
Many printer vendors support IPP (Internet Printing Protocol).  It supports 
HTTPS to encrypt the data.  I am not sure which, if any, mainframe printing 
products support the protocol. Check with LRS, McKinney, and IBM to see if 
their products support it.

SSL encryption of TN3270E printer sessions is possible and easy to implement. 
You can attach the printers to a dedicated PC using USB.  You can build a 
multi-session print server by running several instances of a TN3270E printer 
client.

Do LPR/LPD to a PC running an LPD print daemon. Use an IPSEC VPN to encrypt the 
data between the host and the PC. Connect the printer to the PC using USB.  LPD 
can support many target printers using a single IP/PORT and different queue 
names.  PC based LPDs are cheap.

Buy an ESCON to USB print server appliance running TN3270E print sessions or 
LPD print sessions.  The device looks like a 3172 to the mainframe and server 
routes the printer data to printers defined in Windows.

Good Luck

Steve Bireley
BlueZone Software
www.bluezonesoftware.com
BlueZone Terminal Emulation
BlueZone Free Secure FTP
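
The IPP-over-HTTPS option from the message above, as an added example that is not part of the original post or any vendor's code: it encodes an IPP Get-Printer-Attributes request (RFC 8010 wire format), refuses a cleartext `ipp://` URI, and sends the request only over a TLS connection with certificate and host name verification. The host name `printer.example.internal`, the path `/ipp/print` and the file `printer-ca.pem` are assumptions.

```python
import http.client
import ssl
import struct

# IPP delimiter/value tags and operation code (RFC 8010 / RFC 8011).
TAG_OPERATION_ATTRS = 0x01
TAG_END = 0x03
TAG_KEYWORD = 0x44
TAG_URI = 0x45
TAG_CHARSET = 0x47
TAG_LANGUAGE = 0x48
OP_GET_PRINTER_ATTRIBUTES = 0x000B


def _attr(tag, name, value):
    """Encode one attribute: tag, name-length, name, value-length, value."""
    n, v = name.encode("ascii"), value.encode("utf-8")
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v


def build_get_printer_attributes(printer_uri, request_id=1):
    """Build an IPP/1.1 Get-Printer-Attributes request body."""
    if not printer_uri.startswith("ipps://"):
        # Refuse cleartext ipp:// so the print path is never silently downgraded.
        raise ValueError("printer URI must use ipps:// (IPP over TLS)")
    body = struct.pack(">BBHI", 1, 1, OP_GET_PRINTER_ATTRIBUTES, request_id)
    body += bytes([TAG_OPERATION_ATTRS])
    body += _attr(TAG_CHARSET, "attributes-charset", "utf-8")
    body += _attr(TAG_LANGUAGE, "attributes-natural-language", "en")
    body += _attr(TAG_URI, "printer-uri", printer_uri)
    body += _attr(TAG_KEYWORD, "requested-attributes", "uri-security-supported")
    return body + bytes([TAG_END])


def parse_response_status(data):
    """Return (version, status_code, request_id) from an IPP response header."""
    if len(data) < 8:
        raise ValueError("short IPP response")
    major, minor, status, request_id = struct.unpack(">BBHI", data[:8])
    return (major, minor), status, request_id


def query_printer(host, port=631, path="/ipp/print", cafile=None):
    """Send the request over TLS; the default context verifies chain and host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    body = build_get_printer_attributes(f"ipps://{host}:{port}{path}")
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("POST", path, body, {"Content-Type": "application/ipp"})
        resp = conn.getresponse()
        return parse_response_status(resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed host and CA file; use the CA your site issued the printer's certificate from.
    print(query_printer("printer.example.internal", cafile="printer-ca.pem"))
```

A status code of 0 in the returned tuple is IPP successful-ok; a certificate or host name mismatch raises `ssl.SSLCertVerificationError` before any print data is sent.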




Re: SSL to printers??

2008-05-17 Thread Jim Marshall
>I'm currently supporting a printer vendor with a client issue.  Their client
>will not accept TCP/IP printers because they're worried that someone will
>"tap-in" to the line and pickup the data in the clear.  They're insisting on
>an ESCON/parallel attachment.  The printer vendor I'm working with got rid
>of the parallel interface 5 years ago and doesn't really want to support it.
>Has anyone ever dealt with this paranoia yet?  Do any printers on the market
>support an SSL interface?
>
There are several solutions with some mentioned. 

1. LRS has the product VPSSECURE which can be licensed down to a few 
number of printers; reducing cost. This would require buying a special chip 
from one of a number of vendors for a few thousand or less. So who says 
security is free. 

2. A thought of mine is for someone in the remote site to connect to you with 
a Secure Telnet session. The remote session would be defined with a printer 
and terminal session; remember to turn off the Associated Printing bit. Now 
the session link is SSL and with the printer defined as say R200, you can print 
to it with the products like VPS as a remote printer; look at the MacKinney 
product for a cheaper solution. 

3. Indeed you could run Site-to-Site VPN appliances on each end to the 
remote site. But then would the customer consider his location secure and 
accept when the print left the VPN Box and flowed clear over to the printer? 
But then if the customer was located in a SCIF (Secure Compartmented 
Information Facility), then no problem.

4. Do #3 with router IPSEC. 

5. If indeed it is over IP, then I am amazed the customer is savvy enough to 
reject IPSEC into the router and then in the clear over the printer. 

6. If #2 is not acceptable because the print has to travel from the PC over the 
parallel cable in the clear, then put the PC inside a "mini" SCIF. Can build 
one out of aluminum foil and chicken wire.  Just make sure the entrance has a 
ZIG-ZAG in it. This is no joke for it was done at one location back in the 
1970s to protect the ITEL disk drives from testing of RADARs which did sweep 
the units clean.

jim 




Re: SSL to printers??

2008-05-16 Thread Ted MacNEIL
>VPS from LRS has support for encrypted printing.

It's also very expensive.
We got a quote that was almost $800,000 US for the first year in a 4,000 MIPS 
shop.
-
Too busy driving to stop for gas!




Re: SSL to printers??

2008-05-16 Thread Roger Bolan
Take a look at the Infoprint Server Bookshelf at 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/AOPBK362
and do a "Search Documents" for "encrypt". 

Roger Bolan

infoprint.com

Boulder, Colorado, USA 


Think before you print 

IBM Mainframe Discussion List wrote on 05/16/2008 08:37:51 AM:

> I'm currently supporting a printer vendor with a client issue.  Their client
> will not accept TCP/IP printers because they're worried that someone will
> "tap-in" to the line and pickup the data in the clear.  They're insisting on
> an ESCON/parallel attachment.  The printer vendor I'm working with got rid
> of the parallel interface 5 years ago and doesn't really want to support it.
> Has anyone ever dealt with this paranoia yet?  Do any printers on the market
> support an SSL interface?
>
> Regards,
> Tom Conley



Re: SSL to printers??

2008-05-16 Thread Staller, Allan
Escon Converter? Plenty around and should be dirt cheap.

Also, if they are still around check out "Black Box". The Radio Shack of
the computer world. Had little boxes (use specific) in multitudes of
combinations. Cumulatively, they could connect almost anything to
anything else.


> I'm currently supporting a printer vendor with a client issue.  Their client
> will not accept TCP/IP printers because they're worried that someone will
> "tap-in" to the line and pickup the data in the clear.  They're insisting on
> an ESCON/parallel attachment.  The printer vendor I'm working with got rid
> of the parallel interface 5 years ago and doesn't really want to support it.
> Has anyone ever dealt with this paranoia yet?  Do any printers on the market
> support an SSL interface?





Re: SSL to printers??

2008-05-16 Thread Richard Peurifoy

Pinnacle wrote:
> I'm currently supporting a printer vendor with a client issue.  Their
> client will not accept TCP/IP printers because they're worried that
> someone will "tap-in" to the line and pickup the data in the clear.
> They're insisting on an ESCON/parallel attachment.  The printer vendor
> I'm working with got rid of the parallel interface 5 years ago and
> doesn't really want to support it. Has anyone ever dealt with this
> paranoia yet?  Do any printers on the market support an SSL interface?


VPS from LRS has support for encrypted printing.

I think HP, LEXMARK, and probably other printers have
support for this. This may not be a standard feature.
You will probably need to order the printer with this,
or replace the NIC in an existing printer.

We have not tried this, so I don't know what other issues
there might be.

--
Richard




Re: SSL to printers??

2008-05-16 Thread Len Rugen
Any of them should work if you insert some sort of VPN router right in 
front of them.  Give the router the printer's "public" address, then put 
a private non-routable net between the router and the printer.


What about AFTER this secure stuff prints, will it grow legs and walk off? 




Pinnacle wrote:
> I'm currently supporting a printer vendor with a client issue.  Their
> client will not accept TCP/IP printers because they're worried that
> someone will "tap-in" to the line and pickup the data in the clear.
> They're insisting on an ESCON/parallel attachment.  The printer vendor
> I'm working with got rid of the parallel interface 5 years ago and
> doesn't really want to support it. Has anyone ever dealt with this
> paranoia yet?  Do any printers on the market support an SSL interface?
>
> Regards,
> Tom Conley



SSL to printers??

2008-05-16 Thread Pinnacle
I'm currently supporting a printer vendor with a client issue.  Their client 
will not accept TCP/IP printers because they're worried that someone will 
"tap-in" to the line and pickup the data in the clear.  They're insisting on 
an ESCON/parallel attachment.  The printer vendor I'm working with got rid 
of the parallel interface 5 years ago and doesn't really want to support it. 
Has anyone ever dealt with this paranoia yet?  Do any printers on the market 
support an SSL interface?


Regards,
Tom Conley 

