Multiple port support

You can use Telnet multiple port support to carry a combination of secure and non-secure traffic on one Telnet server. To use multiple port support, you define separate ports: one port is dedicated to non-secure traffic and another port is dedicated to secure traffic. Only ports defined with the SECUREPORT or TTLSPORT designation can be secure.

In the scenario in Figure 1, intranet clients are not required to be secure; they connect to the BASIC port (port 23). All clients connecting from the Internet are required to be secure; they use the SECUREPORT (port 1023). Packet filtering at the firewall that separates the intranet from the Internet controls access to the Telnet ports: port 23 (the BASIC port) is blocked at the firewall so that it cannot be reached from the Internet, and port 1023 (the SECUREPORT) is permitted. Nothing in the Telnet configuration itself enforces this split; if the firewall rule for port 23 is missing, Internet clients can reach the non-secure port.

In this scenario, the best security is achieved when SSL client authentication is used together with the Telnet RACF® extensions. This support ensures that the client is authorized to attempt to log on to SNA applications through Telnet before any application is reached. Regardless of the authentication method used, the SNA application should still identify and authenticate the user with RACF before granting any application access; the Telnet-level check authorizes the connection to reach the application, it does not replace the application's own logon. If you are using SSL encryption services, the user ID and password sent to the application are encrypted on the wire.
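The following PROFILE.TCPIP fragment is an added example, not from the original page, showing how the Figure 1 scenario is typically expressed in the TN3270 server configuration: a BASIC port 23 that never negotiates TLS, and a SECUREPORT 1023 that requires TLS and a client certificate validated against RACF. The key ring name TN3270RING, the cipher list, the LU name range, and the default application are assumed values for illustration; a real profile also needs the device and LU mappings for your installation.

```text
; Added example (not from the page): TN3270 server profile for the Figure 1 scenario.
; Statement names are z/OS Communications Server TELNETPARMS/BEGINVTAM keywords;
; the ring name, cipher list, LU names and application name are assumed values.

; Non-secure port for intranet clients only. Port 23 must be blocked
; at the Internet firewall; nothing in this profile enforces that.
TELNETPARMS
  PORT 23
  CONNTYPE BASIC                ; never negotiate TLS on this port
  INACTIVE 900
  TIMEMARK 600
  SCANINTERVAL 120
ENDTELNETPARMS

; Secure port for Internet clients: TLS required, client certificate
; required, and the certificate's RACF user ID must be authorized to the port.
TELNETPARMS
  SECUREPORT 1023
  CONNTYPE SECURE               ; reject clients that do not start TLS
  KEYRING SAF TN3270RING        ; assumed RACF key ring holding the server certificate
  CLIENTAUTH SAFCERT            ; validate client cert and check SERVAUTH authorization
  ENCRYPTION                    ; assumed cipher list; choose from the supported set
    SSL_AES_256_SHA
    SSL_AES_128_SHA
  ENDENCRYPTION
  INACTIVE 900
  TIMEMARK 600
  SCANINTERVAL 120
ENDTELNETPARMS

BEGINVTAM
  PORT 23 1023                  ; both ports share this mapping block
  DEFAULTLUS
    TCPLU001..TCPLU099          ; assumed LU name range
  ENDDEFAULTLUS
  DEFAULTAPPL TSO               ; assumed default application
  ALLOWAPPL *
ENDVTAM
```

With CLIENTAUTH SAFCERT, the server validates the client certificate and then requires the RACF user ID associated with that certificate to have READ access to the SERVAUTH resource EZB.TN3270.sysname.tcpname.PORTnnnnn (for port 1023, the suffix is PORT01023; substitute your system and stack names). That SERVAUTH check is the Telnet RACF extension the text refers to; it gates whether the client may reach an application at all and does not replace the application's own RACF logon.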

Figure 1. Using multiple Telnet ports to separate secure and non-secure traffic

Figure 2 shows how you can combine IPSec and Telnet security to provide more secure remote access from the Internet to SNA applications than is depicted in Figure 1. In this scenario, the IPSec AH protocol is used for authentication between the user's PC and the firewall. The firewall permits port 1023 only for traffic that has been authenticated by IPSec and discards traffic for port 1023 that cannot be authenticated by IPSec. The additional security provided by IPSec protects the z/OS® server from unauthorized access attempts and denial-of-service attacks by hosts outside the VPN. Note that AH provides authentication and integrity only, not confidentiality, and that the IPSec protection ends at the firewall: the Telnet session on port 1023 still relies on SSL for encryption of the user ID, password, and session data, both across the Internet and on the intranet segment between the firewall and the z/OS server.

Figure 2. Combining Telnet security with IPSec client-to-firewall authentication