> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-u2-[EMAIL PROTECTED] On Behalf Of Baker Hughes
> Sent: Monday, July 21, 2008 12:59 PM
> To: '[email protected]'
> Subject: RE: [U2] converting from UniVerse on Redhat Linux to UniVerse on Windows
>
> Telnet behind your own firewalled, secure Enterprise, IS PCI compliant.
>
> Telnet across a non-secured, unencrypted connection is not.
>
> As Rex stated, you could simply turn on SSH if you want added comfort.

It's a little more than that. The .bash_profile auto-logon trick is intended to shield the user from the O/S. Additionally, you have the compliance of the MV service to consider. How hard is it for an ordinary user to gain TCL access and also their home directory? Do they automatically get root privs if that happens? If they do, flog the admin with STP cable after immediately fixing that huge security hole.

> On the subject of unencrypted communication, consider that MANY credit card clearing houses are reached through a Frame Relay connection, using an unencrypted, clear text socket. In theory, this is 'secure' because it's 'yours'. You bought that virtual 'channel' through the ma-bell network. But in reality, how secure is it to send cardholder info across the telco network? [which likely includes satellite up/down links] I would venture that this represents more vulnerability than you have inside your own enterprise.

True, but the merchant is only responsible for the data they store and handle. They are not responsible for the transmission and routing of the data if it is being sent to a clearing house using "compliant" means (SSL/phone/etc).

> The PCI data security standard also allows for any site to present "offsetting safeguards" to mitigate any non-compliant aspect of their operation by the implementation of business rules and procedures. A frank discussion with your clearing house that demonstrates 'due diligence' goes a long way toward keeping your 'compliant' certification.

I'll remember that when we get audited. :)

> I state all this because I hate to see anyone making a database move out of a knee-jerk reaction to PCI. ... or a CIO wrapping their secret [sql] agenda in a 'PCI Compliant' guise.

I didn't want to say that so explicitly in my first response, but I have to agree about the SQL agenda. If CISP/PCI was really the issue then a quick Google search would provide plenty of help in securing the telnet connectivity without having to completely eliminate it.

Brenda, BTW an even more secure option than what I stated before is to establish an OpenVPN connection between the MUMPS and UV server. You could then secure the telnet connection in a DES3 tunnel. I think that's horrendous overkill for a firewalled LAN, but if the admin is really that paranoid then every machine on the LAN should be tied together via VPN.

> fwiw,
> -Baker

----------------------------------------
Glen Batchelor
IT Director
All-Spec Industries
phone: (910) 332-0424
fax: (910) 763-5664
E-mail: [EMAIL PROTECTED]
Web: http://www.all-spec.com
Blog: http://blog.all-spec.com
----------------------------------------
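The ".bash_profile auto-logon trick" the reply refers to, as an added example that is not part of the thread: a weak captive profile that hands the user an O/S prompt when the application ends or is interrupted, a hardened one that does not, and a check that tells them apart. The launcher path /usr/uv/bin/uv and the sample profiles are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing list. APP is an assumed path to the
# UniVerse launcher; both profiles below are constructed samples.
APP="/usr/uv/bin/uv"

# Weak captive profile: the application runs, but Ctrl-C during startup or a
# normal exit from the application leaves the user at a bash prompt on the O/S.
WEAK_PROFILE='
export TERM=vt100
/usr/uv/bin/uv
'

# Hardened captive profile: ignore the break keys, replace the login shell
# with the application (exec), and exit if exec ever fails, so no interactive
# shell survives for the user to reach the filesystem from.
HARDENED_PROFILE='
export TERM=vt100
trap "" INT QUIT TSTP HUP
exec /usr/uv/bin/uv
exit 1
'

# profile_is_captive FILE
# Returns 0 when FILE traps the break keys, execs the application and ends
# with exit; returns 1 and prints what is missing otherwise.
profile_is_captive() {
    f="$1"; ok=0
    grep -Eq '^[[:space:]]*trap .*INT' "$f" \
        || { echo "$f: break keys (INT) not trapped"; ok=1; }
    grep -Eq "^[[:space:]]*exec [^ ]*$(basename "$APP")" "$f" \
        || { echo "$f: application not exec'd, shell stays alive"; ok=1; }
    grep -Eq '^[[:space:]]*exit( |$)' "$f" \
        || { echo "$f: no exit fallback after the application"; ok=1; }
    return $ok
}

# Write the constructed samples to a scratch directory and check both.
TMP=$(mktemp -d)
printf '%s\n' "$WEAK_PROFILE"     > "$TMP/weak"
printf '%s\n' "$HARDENED_PROFILE" > "$TMP/hardened"
profile_is_captive "$TMP/weak"     && echo "weak: captive"     || echo "weak: NOT captive"
profile_is_captive "$TMP/hardened" && echo "hardened: captive" || echo "hardened: NOT captive"
```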
