Nothing breeds acrimony like success.
Such is the case with Secure Sockets Layer (SSL). Originally developed by Netscape (remember Netscape?) for their web browser to encrypt communications between web browsers and servers, the SSL specification was eventually taken on and standardized by the IETF as the Transport Layer Security (TLS) specification.
SSL became the de facto standard for the encryption of HTTP network communications and was quickly adopted for other network protocols, including terminal emulation protocols like TN3270. Now a victim of its own success, SSL has become a target for both white hat and black hat hacking, and is now broadly characterized as “ancient and insecure.”
So what does this mean to your organization, and specifically, to the security of users’ communications with your mainframe? Let me be blunt: It’s time to upgrade your encryption.
No encryption, so no problem, right?
“We don’t need to encrypt our terminal emulation communications,” you might say. “We keep the mainframe nicely tucked away behind the firewall.”
Given the growing number of incidents where phishing or compromised contractors have allowed internal access to systems and networks, you can’t assume that a solid firewall setup provides sufficient defense in depth.
Combine internal network access and unencrypted emulation communications with readily accessible tools that can capture mainframe user IDs and passwords (sent in cleartext) right off the network and here’s what you get: the risk of exposing your users’ mainframe credentials.
So if you’re sold on the idea of encrypting your terminal emulation, then TLS 1.2 is the standard to implement.
I’m covered, I’ve got SSL!
That used to be an appropriately comforting statement, but not anymore.
At Micro Focus, we see more and more customers wanting TLS 1.2 support in their terminal emulators. Why? Because the third-party systems they access are shutting down SSL 3.0 and earlier versions of TLS.
This fallout is expected given the release of an IETF RFC (7568) that states, “The Secure Sockets Layer version 3.0 is not sufficiently secure,” and “the replacement versions, in particular, Transport Layer Security (TLS) 1.2, are considerably more secure and capable protocols.”
In other words, SSL is no longer strong enough to protect your terminal emulation traffic.
Micro Focus terminal emulation and TLS 1.2
At Micro Focus we provide many different solutions to help you encrypt and protect your mainframe communications. The first solution to consider is enabling TLS 1.2 on all of your terminal emulation clients accessing the mainframe. Our latest terminal emulation solutions, including desktop and web clients, are all equipped with TLS 1.2. Check to make sure that your terminal emulation clients are able to encrypt sensitive communications with TLS 1.2.
The other side of the equation is ensuring that your mainframe is also encrypting data with TLS 1.2. If enabling this level of encryption on your host is too expensive, time consuming, and risky (which it usually is), Micro Focus has a solution. It’s called Host Access Management and Security Server, and it helps with enabling TLS 1.2 encryption while providing an additional layer of secure access for your mainframe.
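To confirm what the host side actually negotiates, you can inspect the first handshake reply (the ServerHello) from a captured emulator session. The following is an added example, not Micro Focus code: the function names are hypothetical and the sample bytes are constructed for illustration.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MIN_ACCEPTABLE = 0x0303  # policy from the article: TLS 1.2 or newer

def parse_server_hello(data: bytes) -> dict:
    """Report the version and cipher suite the server selected."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:  # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + rec_len]
    if rec_len < 4 or len(body) < rec_len or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:  # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]  # skip the variable-length session id
    if len(hello) < off + 3:  # cipher suite(2) + compression method(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    # A TLS 1.3 server also puts 0x0303 here, so it is reported as
    # TLS 1.2, which still satisfies the minimum.
    return {"version": VERSIONS.get(version, hex(version)),
            "suite": f"0x{suite:04X}",
            "acceptable": version >= MIN_ACCEPTABLE}

def sample_hello(version: int, suite: int) -> bytes:
    """Build a minimal ServerHello (constructed test data, not a capture)."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!HB", suite, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

if __name__ == "__main__":
    # 0x000A and 0xC02F are the registered ids of a 3DES-CBC suite and an
    # ECDHE AES-128-GCM suite.
    for ver, cs in [(0x0300, 0x000A), (0x0301, 0x000A), (0x0303, 0xC02F)]:
        print(parse_server_hello(sample_hello(ver, cs)))
```

In practice the input would be the first bytes the host sends back after the client's hello, taken from a packet capture of an emulator session.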
So, is SSL a victim of its own success? It appears so. Its adoption has been broad enough, and it has been around long enough to entice attackers to find ways to break it. Fortunately, there are newer standards to carry data protection forward.