Security is paramount to most organizations, including those whose business relies on mainframe (3270) applications. But relying on legacy applet-based TN3270 emulators to access mainframe assets exposes them to web attacks.
Here are six security flaws that expose your mainframe assets to web attacks, all of which can be eliminated by migrating from an applet-based emulator to web-based 3270 terminal emulation such as Virtel Web Access:
- Exposed/Vulnerable TN3270 Emulation Applets
  - Most TN3270 emulation applets and plugins rely on Java, a technology that is notorious for its vulnerability. Java security updates are released periodically, but they must be deployed flawlessly to hundreds or thousands of remote workstations, or some TN3270 emulation applets will be exposed to web attacks. It only takes one compromised applet to expose the mainframe assets to a web attack.
  - But securing the remote workstations is the responsibility of the desktop support team. The mainframe support team responsible for protecting the mainframe assets has to rely on the thoroughness of the workstation support team. Not a good position to be in. A host-running web-based 3270 terminal emulation solution like Virtel Web Access eliminates this exposure.
- Deprecated TN3270 Emulation Plugins
  - Modern browsers (Edge, Chrome, Safari, and Firefox) have long deprecated the Java plugins that some legacy TN3270 emulators rely upon. Internet Explorer (IE) is the last browser to still support this now outdated technology, and Microsoft will eventually retire IE. Most organizations would like to migrate from IE to a modern browser, but they can’t do it because of their TN3270 emulator. To avoid finding themselves on an unsupported browser when Microsoft pulls the plug on IE, and to take advantage of modern web browsing technology, they need to migrate to web-based 3270 terminal emulation, such as Virtel Web Access.
- Exposed User-Developed Macros
  - User-developed TN3270 emulation macros are a real security threat for mainframe assets because they are developed without consideration for mainframe asset security and without oversight from the mainframe security team. Yet they often contain unencrypted logins/passwords or may submit large CICS transaction batches from Excel sheets. It only takes one compromised TN3270 workstation hosting such user-defined macros to expose the mainframe assets to a bad actor. Migrating to a 3270 TE solution that stores user-developed macros on the 3270 TE server, preferably on the mainframe itself – such as Virtel Web Access – is the only way for the mainframe security team to inventory and audit user-developed macros.
- Difficult or No Integration with Modern MFA and SSO Tools
  - SSO and MFA are powerful tools for securing access to mainframe applications. But these systems – like modern web browsers a few years ago – increasingly rely on web technology and are dropping support for the Windows security stack. As a result, it is becoming increasingly difficult for users of legacy applet-based TN3270 emulators to integrate SSO or MFA. Migrating to a web-based 3270 TE solution – such as Virtel Web Access – is becoming a prerequisite to SSO and MFA integration.
- Mainframe Access Audit Trail
  - Legacy TN3270 emulators do not log the origin – more specifically the end-user identification – of 3270 application accesses. When an unauthorized access results in the loss, alteration, or theft of corporate data, the mainframe security team cannot establish, with non-deniable evidence, the origin of the attack and the user identification of the attacker. Migrating to a modern – typically web-based – 3270 TE solution that logs all 3270 application access origins in a central location – such as Virtel Web Access – gives mainframe security auditors the data they need to react to unauthorized mainframe application accesses.
- Unencrypted TN3270 Connections
  - Although Telnet connections have been encryptable for years, many organizations still rely on a Virtual Private Network (VPN) to encrypt the data exchanged through 3270 TE connections, in part because the VPN is also used to access non-mainframe corporate applications.
  - But migrating to a web-based 3270 TE solution that leverages IBM’s AT-TLS (crypto software) or ICSF (crypto card) – such as Virtel Web Access – results in SSL-encrypted 3270 TE connections that are both FIPS 140-2 and TLS 1.2/1.3 compliant: no VPN needed for encrypted 3270 TE access.