Nothing breeds acrimony like success.
Such is the case with Secure Sockets Layer (SSL). Originally developed by Netscape (remember Netscape?) for its web browser, to encrypt communications between browsers and servers, the SSL specification was eventually taken on and standardized by the IETF as the Transport Layer Security (TLS) specification.
SSL became the standard for encrypting HTTP network communications and was soon used for other network protocols, including terminal emulation protocols like TN3270. However, due to its widespread use, SSL has become a target for both ethical and unethical hackers, and is now often described as “outdated and unsafe.”
So what does this mean for your organization, and specifically, for the security of users’ communications with your mainframe? Let me be blunt: It’s time to upgrade your encryption.
No encryption, so no problem, right?
“We don’t need to encrypt our terminal emulation communications,” you might say. “We keep the mainframe nicely tucked away behind the firewall.”
Given the growing number of incidents where phishing or compromised contractors have allowed internal access to systems and networks, you can’t assume that a solid firewall setup provides sufficient defense in depth.
Combine internal network access and unencrypted emulation communications with readily accessible tools that can capture mainframe user IDs and passwords (sent in cleartext) right off the network and here’s what you get: the risk of exposing your users’ mainframe credentials.
So if you’re sold on the idea of encrypting your terminal emulation, then TLS 1.2 is the standard to implement.
I’m covered, I’ve got SSL!
That used to be an appropriately comforting statement, but not so anymore.
At Micro Focus, we see more and more customers wanting TLS 1.2 support in their terminal emulators. Why? Because the third-party systems they access are shutting down SSL 3.0 and earlier versions of TLS.
This fallout is expected given the release of IETF RFC 7568, which states, “The Secure Sockets Layer version 3.0 is not sufficiently secure,” and “the replacement versions, in particular, Transport Layer Security (TLS) 1.2, are considerably more secure and capable protocols.”
In other words, SSL is no longer strong enough to protect your terminal emulation traffic.
Micro Focus terminal emulation and TLS 1.2
At Micro Focus, we offer various solutions to help you encrypt and secure your mainframe communications. The first option to consider is turning on TLS 1.2 for all your terminal emulation clients that connect to the mainframe. Our newest terminal emulation solutions, including both desktop and web clients, come with TLS 1.2 built in. Make sure your terminal emulation clients can encrypt sensitive communications using TLS 1.2.
The other side of the equation is ensuring that your mainframe is also encrypting data with TLS 1.2. If enabling this level of encryption on your host is too expensive, time-consuming, and risky (which it usually is), Micro Focus has a solution. It’s called Reflection Security Gateway, and it helps with enabling TLS 1.2 encryption while providing an additional layer of secure access for your mainframe.
So, is SSL a victim of its own success? It appears so. Its adoption has been broad enough, and it has been around long enough, to entice attackers to find ways to break it. Fortunately, there are newer standards to carry data protection forward.