On 5/5/21 4:47 AM, Seymour J Metz wrote:
> What's wrong with running a 3270 client in an encrypted VPN?

IMHO, nothing.

I think the problem comes from complications around VPNs, not the least
of which include:

1) Complex configurations. -- Does the mainframe support being a VPN
   endpoint itself? IPsec? Something else?
2) Check boxes. -- Unencrypted telnet / TN3270 running through a VPN
   is quite difficult to differentiate from unencrypted telnet / TN3270 not
   running through a VPN. Especially when the VPN endpoint is on equipment
   external to the mainframe.

Conversely, processes and procedures tend to favor disabling unencrypted
telnet / TN3270 period and instead only allow encrypted telnet / TN3270.

Yes, it's possible to make things work and be compliant. But how
fragile is that configuration? How many minor oops / typo type things
need to happen before the security of the external VPN is inadvertently
bypassed?

--
Grant. . . .
unix || die