The IBM i platform with its’ 5 levels of security has always been viewed as a very secure system. The best security system functions cannot produce good results without good planning and the IBM i is no exception, especially with remote smart devices connected. As part of our quest to educate and help businesses stay secure, we would like to highlight another critical area for IBM i security: encryption.
The illusion of security
When users type their credentials in a 5250 emulation session (or any other emulation session), the password is not displayed on screen giving the impression that the password is hidden. That impression is wrong.
Getting technical for a moment, emulation sessions use Telnet application protocol port 23 by standard. This is how all Telnet sessions connect to an IBM i system. However, anything that is transmitted to the IBM i (and any other service that uses Telnet) over Telnet port 23 is transmitted without encryption. This means that bad actors monitoring network communication links can easily sniff out username and passwords (along with other confidential information being transmitted) with little effort and zero cost!
Watch us hack a password in 3 minutes
Here’s the proof. In this video, I pretend to be a bad actor and use a free and easy to access tool called Wireshark to sniff out a username and password. With the credentials I steal, I would have the ability to access the system, applications, and data the same way the original user does.
I am certainly not the only techy who knows how to do this. Sadly, there are many out there who are not just pretending to be a bad actor. They have malicious intent and could be targeting you and your system.
The solution is easier than you think
Here’s the good news, this vulnerability can be solved using free tools included with IBM i. 5250 emulation sessions can be encrypted using Transport Layer Security (TLS)/ Secure Socket Layer (SSL) technologies. TLS/SSL are the same encryption protocols trusted by banks and websites on the internet (fun fact, every website that starts with HTTPS instead of HTTP is encrypted using TLS/SSL).
On your IBM i Systems, TLS and the older SSL protocols can be used to encrypt communications between users and the IBM i power server. When implemented, even if bad actors are monitoring your network and capturing data, they will not be able to make sense of it.
Implementing encryption for 5250 (or any other emulation session) requires changes on the IBM i and changes to the 5250 client. The procedures are documented in the IBM Knowledge Center.
We’ve set up encryption for many customers, if you need help with this let us know.
Written by:
Duane Gingerich, Senior Power Systems Engineer