Re: SSL to printers
> You are fortunate. The audits I worry about are coming in waves from the outside. There is little or no opportunity to form a partnership. Even when you accomplish that, there is a whole new set next time. To be fair, most of their points are well taken. You have to admit that any time data flows in the open is something of an exposure. Trying to stay up with business needs while trying to guess what will be an issue is, well, interesting ;-)

Our criteria were simple: do we care if it appears on the front page of the paper tomorrow? If not, don't bother with securing it. Some things, like futures delivery dates, options expiration dates, etc. were public anyway, so why waste the cycles encrypting them. Other data, like traders' positions, were highly sensitive and were treated like national defense secrets. So we knew that auditors had to know the business, as well as IT security practices.

Sometimes you're the dog; sometimes you're the hydrant. :-)

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SSL to printers
You are fortunate. The audits I worry about are coming in waves from the outside. There is little or no opportunity to form a partnership. Even when you accomplish that, there is a whole new set next time. To be fair, most of their points are well taken. You have to admit that any time data flows in the open is something of an exposure. Trying to stay up with business needs while trying to guess what will be an issue is, well, interesting ;-)

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Rick Fochtman
Sent: Tuesday, May 20, 2008 11:21 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: SSL to printers

We've had some long and involved discussions about auditors. (Check the archives.) The better they are educated, the more cooperative and understanding they're likely to be. Help them learn and understand and the benefits will far outweigh the problems, both long term and short term.
Re: SSL to printers
In a message dated 5/20/2008 9:34:43 A.M. Central Daylight Time, [EMAIL PROTECTED] writes:

> Talking about prices, sometimes it is perfectly sufficient to use network equipment "security features". Transmission outside the buildings is encrypted (ROT), if you need encryption inside as well (really? do you?), then you can use the same means. It should be much cheaper than anything on mainframe ;-)

It may be that it's larger 'feature' than printing. With a print server you can set up ICSL for transfer or viewing and unload the software costs from the 'big-iron'. The folks at http://www.leadtools.com are pretty experienced in many aspects of imaging. Their main product is ePrint. It's a print server that runs on a Linux box. It was cheaper to convert than upgrade MF software.
Re: SSL to printers
> That used to be true, but a recent alleged breach has cast some shadows over that strategy. The reported breach may have been some malicious logging software on one of those intermediary servers. And, yes, some of us are being 'asked' to encipher everything, inside and out. Once the auditors figure things out, I'd guess that full path enciphering (endpoint to endpoint) may be the minimum acceptable. Which presents other issues that may need more exotic malware countermeasures. But that is just speculation on my part.

We've had some long and involved discussions about auditors. (Check the archives.) The better they are educated, the more cooperative and understanding they're likely to be. Help them learn and understand and the benefits will far outweigh the problems, both long term and short term.
Re: SSL to printers
That used to be true, but a recent alleged breach has cast some shadows over that strategy. The reported breach may have been some malicious logging software on one of those intermediary servers. And, yes, some of us are being 'asked' to encipher everything, inside and out. Once the auditors figure things out, I'd guess that full path enciphering (endpoint to endpoint) may be the minimum acceptable. Which presents other issues that may need more exotic malware countermeasures. But that is just speculation on my part.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of R.S.
Sent: Tuesday, May 20, 2008 9:32 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: SSL to printers

David Boyes wrote:
> Or use NJE over IP to connect to a Linux guest or outboard system, and
> use IPP from there. Simple to implement, minimal impact on z/OS cycles
> (either use an IFL or an outboard Intel or other Unix box), and much
> less expensive than LRS or the others mentioned. Also gives you easy fax
> implementation and PDF creation for archival.

Talking about prices, sometimes it is perfectly sufficient to use network equipment "security features". Transmission outside the buildings is encrypted (ROT), if you need encryption inside as well (really? do you?), then you can use the same means. It should be much cheaper than anything on mainframe ;-)

--
Radoslaw Skorupka
Lodz, Poland
Re: SSL to printers
David Boyes wrote:
> Or use NJE over IP to connect to a Linux guest or outboard system, and use IPP from there. Simple to implement, minimal impact on z/OS cycles (either use an IFL or an outboard Intel or other Unix box), and much less expensive than LRS or the others mentioned. Also gives you easy fax implementation and PDF creation for archival.

Talking about prices, sometimes it is perfectly sufficient to use network equipment "security features". Transmission outside the buildings is encrypted (ROT), if you need encryption inside as well (really? do you?), then you can use the same means. It should be much cheaper than anything on mainframe ;-)

--
Radoslaw Skorupka
Lodz, Poland
SSL to printers
> Many printer vendors support IPP (Internet Printing Protocol). It supports HTTPS to encrypt
> the data. I am not sure which, if any, mainframe printing products support the protocol.

Or use NJE over IP to connect to a Linux guest or outboard system, and use IPP from there. Simple to implement, minimal impact on z/OS cycles (either use an IFL or an outboard Intel or other Unix box), and much less expensive than LRS or the others mentioned. Also gives you easy fax implementation and PDF creation for archival.
Re: SSL to Printers
Many printer vendors support IPP (Internet Printing Protocol). It supports HTTPS to encrypt the data. I am not sure which, if any, mainframe printing products support the protocol. Check with LRS, McKinney, and IBM to see if their products support it.

SSL encryption of TN3270E printer sessions is possible and easy to implement. You can attach the printers to a dedicated PC using USB. You can build a multi-session print server by running several instances of a TN3270E printer client.

Do LPR/LPD to a PC running an LPD print daemon. Use an IPSEC VPN to encrypt the data between the host and the PC. Connect the printer to the PC using USB. LPD can support many target printers using a single IP/PORT and different queue names. PC based LPDs are cheap.

Buy an ESCON to USB print server appliance running TN3270E print sessions or LPD print sessions. The device looks like a 3172 to the mainframe and server routes the printer data to printers defined in Windows.

Good Luck

Steve Bireley
BlueZone Software
www.bluezonesoftware.com
BlueZone Terminal Emulation
BlueZone Free Secure FTP
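An added example, not part of the original post: one way to confirm that a printer really offers IPP over TLS is to ask it for its `uri-security-supported` attribute over a certificate-verified HTTPS connection. The port 631, the `/ipp/print` path and the host name are assumptions, and the sample response is constructed.

```python
import http.client
import ssl
import struct

# IPP tags and operation id (RFC 8010 / RFC 8011); only what this example needs.
TAG_OPERATION, TAG_PRINTER, TAG_END, OP_GET_ATTRS = 0x01, 0x04, 0x03, 0x000B
TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x44, 0x45, 0x47, 0x48

def _attr(tag, name, value):  # tag, name-length, name, value-length, value
    n, v = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def build_request(printer_uri, request_id=1):  # IPP/1.1 Get-Printer-Attributes
    return b"".join([
        struct.pack(">BBHI", 1, 1, OP_GET_ATTRS, request_id), bytes([TAG_OPERATION]),
        _attr(TAG_CHARSET, "attributes-charset", "utf-8"),
        _attr(TAG_LANGUAGE, "attributes-natural-language", "en"),
        _attr(TAG_URI, "printer-uri", printer_uri),
        _attr(TAG_KEYWORD, "requested-attributes", "uri-security-supported"),
        bytes([TAG_END])])

def parse_message(message):
    """Return (status or operation code, {attribute name: [values]})."""
    code = struct.unpack_from(">H", message, 2)[0]
    pos, attrs, last = 8, {}, None
    while pos < len(message) and message[pos] != TAG_END:
        tag, pos = message[pos], pos + 1
        if tag >= 0x10:  # value tag; lower tags only delimit attribute groups
            nlen = struct.unpack_from(">H", message, pos)[0]
            name = message[pos + 2:pos + 2 + nlen].decode()
            pos += 2 + nlen
            vlen = struct.unpack_from(">H", message, pos)[0]
            value = message[pos + 2:pos + 2 + vlen]
            pos += 2 + vlen
            last = name or last  # empty name: extra value of previous attribute
            attrs.setdefault(last, []).append(value.decode(errors="replace"))
    return code, attrs

def advertises_tls(response):
    status, attrs = parse_message(response)
    return status == 0 and "tls" in attrs.get("uri-security-supported", [])

def query_printer(host, port=631, path="/ipp/print"):  # port and path are assumptions
    ctx = ssl.create_default_context()  # verifies the printer's certificate and name
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    uri = f"ipps://{host}:{port}{path}"
    conn.request("POST", path, build_request(uri), {"Content-Type": "application/ipp"})
    return advertises_tls(conn.getresponse().read())

SAMPLE_RESPONSE = b"".join([  # constructed: status 0, security = none, tls
    struct.pack(">BBHI", 1, 1, 0, 1), bytes([TAG_OPERATION]),
    _attr(TAG_CHARSET, "attributes-charset", "utf-8"),
    _attr(TAG_LANGUAGE, "attributes-natural-language", "en"),
    bytes([TAG_PRINTER]), _attr(TAG_KEYWORD, "uri-security-supported", "none"),
    _attr(TAG_KEYWORD, "", "tls"), bytes([TAG_END])])
```

A printer presenting a certificate the client does not trust makes `query_printer` raise `ssl.SSLCertVerificationError` instead of silently continuing, which is the behaviour an auditor would want to see.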
Re: SSL to printers??
>I'm currently supporting a printer vendor with a client issue. Their client
>will not accept TCP/IP printers because they're worried that someone will
>"tap-in" to the line and pickup the data in the clear. They're insisting on
>an ESCON/parallel attachment. The printer vendor I'm working with got rid
>of the parallel interface 5 years ago and doesn't really want to support it.
>Has anyone ever dealt with this paranoia yet? Do any printers on the market
>support an SSL interface?

There are several solutions with some mentioned.

1. LRS has the product VPSSECURE which can be licensed down to a few number of printers; reducing cost. This would require buying a special chip from one of a number of vendors for a few thousand or less. So who says security is free.

2. A thought of mine is for someone in the remote site to connect to you with a Secure Telnet session. The remote session would be defined with a printer and terminal session; remember to turn off the Associated Printing bit. Now the session link is SSL and with the printer defined as say R200, you can print to it with the products like VPS as a remote printer; look at the MacKinney product for a cheaper solution.

3. Indeed you could run a Site-to-Site VPN appliances on each end to the remote site. But then would the customer consider his location a secure and accept when the print left the VPN Box and flowed clear over to the printer? But then if the customer was located in a SCIF (Secure Compartmented Information Facility), then no problem.

4. Do #3 with router IPSEC.

5. If indeed it is over IP, then I am amazed the customer is savvy enough to reject IPSEC into the router and then in the clear over the printer.

6. If #2 is not acceptable because the print has to travel from the PC over the parallel cable in the clear, then put the PC inside a "mini" SCIF. Can build one out of aluminum foil and chicken wire. Just make sure the entrance has a ZIG-ZAG in it. This is no joke for it was done at one location back in the 1970s to protect the ITEL disk drives from testing of RADARs which did sweep the units clean.

jim
Re: SSL to printers??
>VPS from LRS has support for encrypted printing.

It's also very expensive. We got a quote that was almost $800,000 US for the first year in a 4,000 MIPS shop.

- Too busy driving to stop for gas!
Re: SSL to printers??
Take a look at the Infoprint Server Bookshelf at http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/AOPBK362 and do a "Search Documents" for "encrypt".

Roger Bolan
infoprint.com
Boulder, Colorado, USA

IBM Mainframe Discussion List wrote on 05/16/2008 08:37:51 AM:

> I'm currently supporting a printer vendor with a client issue. Their client
> will not accept TCP/IP printers because they're worried that someone will
> "tap-in" to the line and pickup the data in the clear. They're insisting on
> an ESCON/parallel attachment. The printer vendor I'm working with got rid
> of the parallel interface 5 years ago and doesn't really want to support it.
> Has anyone ever dealt with this paranoia yet? Do any printers on the market
> support an SSL interface?
>
> Regards,
> Tom Conley
Re: SSL to printers??
Escon Converter? Plenty around and should be dirt cheap. Also, if they are still around check out "Black Box". The Radio Shack of the computer world. Had little boxes (use specific) in multitudes of combinations. Cumulatively, they could connect almost anything to anything else.

> I'm currently supporting a printer vendor with a client issue. Their client will not accept TCP/IP printers because they're worried that someone will "tap-in" to the line and pickup the data in the clear. They're insisting on an ESCON/parallel attachment. The printer vendor I'm working with got rid of the parallel interface 5 years ago and doesn't really want to support it. Has anyone ever dealt with this paranoia yet? Do any printers on the market support an SSL interface?
Re: SSL to printers??
Pinnacle wrote:
> I'm currently supporting a printer vendor with a client issue. Their client will not accept TCP/IP printers because they're worried that someone will "tap-in" to the line and pickup the data in the clear. They're insisting on an ESCON/parallel attachment. The printer vendor I'm working with got rid of the parallel interface 5 years ago and doesn't really want to support it. Has anyone ever dealt with this paranoia yet? Do any printers on the market support an SSL interface?

VPS from LRS has support for encrypted printing. I think HP, LEXMARK, and probably other printers have support for this. This may not be a standard feature. You will probably need to order the printer with this, or replace the NIC in an existing printer. We have not tried this, so I don't know what other issues there might be.

--
Richard
Re: SSL to printers??
Any of them should work if you insert some sort of VPN router right in front of them. Give the router the printer's "public" address, then put a private non-routable net between the router and the printer.

What about AFTER this secure stuff prints, will it grow legs and walk off?

Pinnacle wrote:
> I'm currently supporting a printer vendor with a client issue. Their client will not accept TCP/IP printers because they're worried that someone will "tap-in" to the line and pickup the data in the clear. They're insisting on an ESCON/parallel attachment. The printer vendor I'm working with got rid of the parallel interface 5 years ago and doesn't really want to support it. Has anyone ever dealt with this paranoia yet? Do any printers on the market support an SSL interface?
>
> Regards,
> Tom Conley
SSL to printers??
I'm currently supporting a printer vendor with a client issue. Their client will not accept TCP/IP printers because they're worried that someone will "tap-in" to the line and pickup the data in the clear. They're insisting on an ESCON/parallel attachment. The printer vendor I'm working with got rid of the parallel interface 5 years ago and doesn't really want to support it. Has anyone ever dealt with this paranoia yet? Do any printers on the market support an SSL interface?

Regards,
Tom Conley