Magazine article Security Management

The Weak Link


I have done some research to find out how communications security issues have been addressed in the past few years, and I have discovered, unfortunately, that they have not been addressed properly and sometimes not at all.

Through my research I discovered that most speakers on the topic centered their discussion on password tokens and how the PC-mainframe connection has changed in the past 20 years. But their main concern was identifying and authenticating the user at the end of the line, and the reports I accessed only addressed the issue of 3270 direct connections to the mainframe. (3270 is a standard terminal type.)

Clearly a more comprehensive approach is needed, and the issue of communications security must be applied to the micro-to-mainframe link. We need to define and understand the connection. In most cases it is no longer a 3270/coaxial connection but a dial-up connection with the PC using a 3270 terminal emulation package or a direct minicomputer-to-mainframe link (3270/coaxial). Another connection could be from a local area network (LAN) to the mainframe, or from the LAN to the minicomputer to the mainframe.

This article discusses the connection of a hypothetical PC to a file server. The file server, in turn, has several modems and a couple of direct connections to the division's minicomputer. The minicomputer also has several modems and a couple of direct connections to the headquarters mainframe. Let's take on the challenging task of securing a couple of different connections:

* PC-LAN-modem-mainframe

* PC-LAN-minicomputer-mainframe

* PC-mainframe

The last of these scenarios, the straight 3270/coaxial connection from PC to mainframe, is the simplest to secure. You can use 3270 encryption boards on your PC or encryption boxes between the PC and the mainframe.

These encryption devices secure the communications portion. For identification and authentication, several password tokens are available on the market. Make sure your mainframe access control package supports the token under consideration.

To consider ways of securing the communications portion of the various PC-to-mainframe connections, we need to understand the communication lines' vulnerabilities.

Let's explore the most common -- a wiretap used to tap phone lines, LAN lines, and 3270/coaxial lines. Since those media use unshielded cables, which emanate radio signals, a perpetrator can tap the line with an inexpensive tap built from parts purchased from a local electronics store.

To do this, the perpetrator needs physical access to the communications medium. If you use regular phone lines, access can be gained at the telephone closet outside your office -- negating the need for physical access to the office. To tap the LAN and 3270 connections, the perpetrator needs access to the office unless these lines run from floor to floor or office to office through an unsecured structure such as a false ceiling.

Fiber-optic cables could be used to connect your networks, making it harder for the perpetrator. Since those cables do not emanate radio signals, a wiretap would not work. However, some security practitioners say these cables could be tapped by bending the line and intercepting some of the reflected light.

Let's say you have a secure facility and nobody can tap the lines inside the building. Here you should be concerned about the medium used by the telephone company. The medium could be a cable, microwave communications, or satellite communications. The cable can be tapped, but it is hard for the perpetrator to identify the line among thousands of other lines.

Satellite and microwave communications can be intercepted with scanners--also available from a local electronics store. Intercepting the signal is one thing; deciphering it is a different story. The perpetrator has to differentiate your data from among millions of other messages transmitted at the same time. …
