Encrypt communication between iSeries and desktops


ITKnowledge Exchange
04.14.2005


The scenario:
A company has users connecting to multiple iSeries and AS/400 servers using TCP/IP. The operating systems vary from V4R5 to V5R3. Several products are used to communicate through the network from the desktops to the different servers. The company wants a tool that will encrypt the information being passed between the PC desktops and the servers.

The company has several servers in multiple locations on its WAN. It already has both a firewall and VPN set up for external access to its network. iSeries access is only one of the emulation software packages in use; there are at least two others -- Reflections and e-Vantage.

Solutions:

"LOVESOPENSYSTEMS" WROTE:
One alternative is to use VPN (virtual private network) technology products such as IPsec from Nortel or VSClient from InfoExpress. They can be used over a company's internal network or across a public network. We use it to support all employee communication when people are traveling and dialing in or attaching to a high-speed cable network or DSL line from an external network. We also use it whenever a communicating node is attached to a wireless LAN -- whether they connect to our intranet or the Internet -- as an interim approach until 802.11 wireless security becomes more robust.

These security mechanisms function at the IP layer and are transparent to the applications. See AS/400 Internet Security: Implementing AS/400 Virtual Private Networks for information about the AS/400 implementation.

IPSec is an IETF standard. I'm afraid I don't have any information about the cost, but once you start looking for specific information on the technology, you should be able to pin that down.


"SOLUTIONS1" WROTE:
You can implement SSL by installing certificates on your servers. (You can also install client certificates on Express clients.) Doing so is probably the best option long-term.

In the literal sense of your question, full end-to-end encryption and server-based SSL is the best way, even if installing and updating the certificates is an annoying exercise. Putting in intermediate servers creates an added layer of cost and complexity. Note that having SSL on your AS/400s also simplifies the security setup for publishing Web services natively on the AS/400.

You have ample options for securing your traffic into your AS/400 environment. In picking among them (and others not mentioned), I suggest you keep in mind three architectural principles:

  1. Given that roughly 70% of the typical company's security risk is internal and 30% external (with the proportions varying based on the type of risk -- e.g., risk of vandalism is probably much more external; risk of peeking at personnel records regarding succession planning is probably more internal), originating the node to end-user level security is important. In your case, the AS/400s seem to be your bedrock "nodes."
  2. Thin client vs. fat client (or, at least, fatter client) is a key consideration. I tend to favor the very thin side of the spectrum, and "pure" SSL is about as thin as you can get while still attaining end-to-end encryption. Consumer "home banking" and self-service securities trading are secured based on SSL (and not much else) and address major security concerns regarding money. Indeed, the reason "phishing" is becoming commonplace is because SSL works well enough to divert prospective intruders to an automated form of "social engineering."
  3. Thin middleware vs. fat middleware is a related consideration, and again I tend to the thin school of thought. The more you add intermediate servers, complex middleware and so on, the more you run up against cost and manageability problems. There may be very good reasons for implementing complex middleware, but in my view the assumption going in would be that simple is better and then escalate only if gaps become apparent.

Obviously, you know your own circumstances, objectives and constraints better than any outsider, so my opinions are just my opinions.
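
The certificate upkeep that the SSL approach above brings with it can be tracked across several servers with a small audit script. This is an added example, not part of the original posts: the host names, the sample certificates and the use of port 992 (the IANA-registered Telnet-over-TLS port) are assumptions, and the sample data is constructed so the script runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

def classify(cert, now, warn_days=30):
    """Return OK, RENEW or EXPIRED from a getpeercert()-style dict."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    left = (datetime.fromtimestamp(not_after, tz=timezone.utc) - now).days
    if left < 0:
        return "EXPIRED"
    return "RENEW" if left <= warn_days else "OK"

def fetch_cert(host, port, timeout=5.0):
    # Verifies chain and host name; add an internal CA with load_verify_locations().
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(endpoints, now=None, fetch=fetch_cert):
    """Map each (host, port) to OK, RENEW, EXPIRED, TLS-FAILED or UNREACHABLE."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host, port in endpoints:
        try:
            report[(host, port)] = classify(fetch(host, port), now)
        except ssl.SSLError:  # untrusted or mismatched certificate, or no TLS
            report[(host, port)] = "TLS-FAILED"
        except OSError:       # refused, timed out or name not resolved
            report[(host, port)] = "UNREACHABLE"
    return report

# Constructed sample data: hypothetical hosts, certificates and failures.
SAMPLE = {
    "as400-a.example.internal": {"notAfter": "Dec 31 23:59:59 2031 GMT"},
    "as400-b.example.internal": {"notAfter": "Jun 15 12:00:00 2030 GMT"},
    "as400-c.example.internal": ssl.SSLError("handshake failed"),
    "as400-d.example.internal": ConnectionRefusedError("port closed"),
}

def sample_fetch(host, port):
    result = SAMPLE[host]
    if isinstance(result, Exception):
        raise result
    return result

if __name__ == "__main__":
    now = datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)
    for target, status in audit([(h, 992) for h in SAMPLE], now, sample_fetch).items():
        print(target, status)
```

Calling `audit()` without the `fetch` argument performs real handshakes, so a server that still answers only in cleartext on the checked port shows up as TLS-FAILED or UNREACHABLE rather than OK.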


