Improving Host Access Security with ScreenSurfer
A common source of concern when providing access to mainframe and AS400 applications from the web is the level of security provided. Interestingly enough, if the ScreenSurfer SSL filter for IIS is selected as part of the ScreenSurfer runtime environment, a ScreenSurfer solution is more secure than most screen access using "traditional" access methods.
Why is that so? It is because most terminals and terminal emulators today do not run over encrypted networks. The use of a standard TN3270 emulator over the Internet is the worst solution in terms of security, since now the data is being routed through a variety of internet servers with no encryption on the data. That is, unless you count EBCDIC encoding as encryption (snicker).
Existing Security Systems
So, when we use the ScreenSurfer SSL solution, we now have encryption, meaning that the information being sent between the host and the user at the browser is protected. What about the mainframe or AS400 security systems already in place: are they used? By default, yes. The ScreenSurfer session between a user and that user's terminal connection is maintained by ScreenSurfer so that each user has a virtual link between the pages viewed at their browser and the active screen session. Users must still log on with the correct UserID and Password to obtain access.
Supporting Users not Defined to the Security System
Some of our customers use a concept called "session sharing" for transactions where a user is either pre-authenticated using a front-end security system (in the Web server, or using Certificates) or where, for the transactions being accessed, security isn't needed. In this scenario, a series of user IDs is used to log on as a "pseudo-user" so that requests can be processed. Note that even in this environment, the existing mainframe security systems are all still in place. For example, the authorities for the pseudo-user may be restricted to performing only the non-sensitive transactions being delivered over the Web, and no others.
Preventing Unauthorized Access
When ScreenSurfer is used to access applications over the Web, it is important to realize that the ScreenSurfer scripting environment is optimized for full control over the user connection. If access by users needs to be restricted to a specific application set, it is easy to implement this restriction by putting a global "block" in the default terminal emulation script. This block simply displays an application error to the user if for some reason (or through some attempted exploit) the user reaches a screen that is not in the defined application set. Optionally, an e-mail message can be sent to alert an administrator to the unexpected access so that immediate action can be taken.
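The default-deny screen check described above, sketched in Python as an added example; it is not ScreenSurfer script syntax or code from the product. The rule names, screen titles, positions and the `alerts` list (standing in for the administrator e-mail) are assumptions, and the 24x80 screens are constructed.

```python
from dataclasses import dataclass

COLS = 80  # constructed 24x80 screen model

@dataclass(frozen=True)
class ScreenRule:
    name: str
    row: int   # 1-based row of the identifying text
    col: int   # 1-based column of the identifying text
    text: str

# Hypothetical application set: the only screens web users may reach.
ALLOWED = (
    ScreenRule("LOGON", 1, 30, "SIGN ON"),
    ScreenRule("ORDER_INQUIRY", 1, 2, "ORD100"),
)

def make_screen(lines):
    """Build a constructed 24x80 screen from a {row: text} mapping."""
    return [lines.get(r, "").ljust(COLS)[:COLS] for r in range(1, 25)]

def identify(screen):
    """Return the rule whose text sits at its exact position, else None.

    Matching on position rather than on a substring anywhere means text
    echoed elsewhere on a screen cannot satisfy the allowlist.
    """
    for rule in ALLOWED:
        start = rule.col - 1
        if screen[rule.row - 1][start:start + len(rule.text)] == rule.text:
            return rule.name
    return None

def gate(screen, user, alerts):
    """Default-deny: an unknown screen gets a generic error and an alert."""
    name = identify(screen)
    if name is None:
        alerts.append(f"unexpected screen for {user}: {screen[0].strip()[:40]!r}")
        return False, "Application error"
    return True, name

if __name__ == "__main__":
    alerts = []
    inquiry = make_screen({1: " ORD100   ORDER INQUIRY"})
    other = make_screen({1: " READY", 5: " ORD100"})  # ID text in wrong place
    print(gate(inquiry, "web01", alerts))
    print(gate(other, "web01", alerts))
    print(alerts)
```

The user sees only the generic error; the detail of which screen was reached goes to the alert, not to the browser.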
ScreenSurfer accesses screen-based applications just like existing terminals or PCs with emulators. This means that all existing host security systems still function "as-is" to control and manage access. In addition, installing the ScreenSurfer SSL option can provide security superior to what is in place today by adding encryption of all data flowing between the user and the host.