FacetCorp
 

FacetWin and Internet Security Issues


As high-speed Internet connections have become cheaper, more and more companies are connecting their local area network (LAN) directly to the Internet. This raises the very serious subject of security. This article is not a comprehensive discussion of network security in general; it covers security only as it relates to FacetWin. It is broken down by FacetWin area (terminal emulator, file and printer sharing, and remote printing) and ends with a brief discussion of firewalls in general.

Terminal Emulator
Terminal emulators, on the whole, are not very secure, because the session data exchanged between the PC and the UNIX host (everything typed and everything displayed) is not encrypted. The standard FacetWin terminal emulator follows this same pattern, with one exception: the password sent with the user name for authentication is encrypted. Be clear about what that does and does not protect. The login password cannot be read off the wire, but everything after login travels in the clear, including any password typed at a later prompt within the session.

There are several ways to encrypt or otherwise secure the emulator traffic. The two most common are a virtual private network (VPN) and the secure shell (SSH). The FacetWin terminal emulator is known to work over VPNs, although we cannot recommend any particular one. SSH, the UNIX industry standard for encrypting interactive shell sessions, is not currently supported by FacetWin.

For a secure connection across the Internet, we recommend the FacetWin Security Pack terminal emulator. This is an optional add-on to FacetWin; the Security Pack replaces the standard FacetWin terminal emulator with one whose session traffic is encrypted, not only the login password.


The FacetWin Security Pack includes:

The FacetWin Security Pack manual is available in PDF format for download from the FacetCorp Documentation webpage.

This optional FacetWin add-on may be ordered as follows:

File and Printer Sharing
As a general rule of thumb, we do not recommend using file and printer sharing over the Internet, because it is a common point of attack. Opening TCP port 139 (the NetBIOS session service used by Windows file and printer sharing) in a firewall simply exposes your LAN to those attacks.

Remote Printing
As with the standard FacetWin terminal emulator, the standard FacetWin remote printing service does not encrypt any of its data packets. It also cannot be used across the Internet in the way we recommend, because it connects through TCP port 139, which we advise against opening, and the remote printing service cannot be configured to use a different TCP port.

When printing across the Internet, we recommend the FacetWin Spooled Transparent Printing Scheme, which replaces the standard FacetWin remote printing services. Under this scheme, anyone who can establish a FacetWin terminal session to the UNIX system can accept and print UNIX spooled print jobs on their local PC printer. Other users on the system can also print to this spooled printer. All data sent to the printer is encrypted if the printer is attached through a FacetWin Security Pack terminal session; over a standard FacetWin terminal session the print data is, like the rest of that session, unencrypted.

We currently provide a FacetWin Spooled Transparent Printing Scheme for SCO UNIX style LP systems (in particular, those with a "/usr/spool/lp/admins/lp/interfaces" subdirectory for printer interface scripts) and another designed for AIX.

Firewalls
Most companies that are serious about security set up some sort of firewall to protect the LAN from the rest of the Internet. A firewall, in simple terms, blocks access to the LAN except through specific, explicitly permitted paths. Common connection methods such as telnet and rlogin are often already open (although, like the standard FacetWin emulator, they carry their traffic unencrypted). FacetWin needs its own port opened: our terminal emulator does not go through the regular telnet or rlogin mechanism but uses our own terminal server process, and by default its connections go through TCP port 139. This is the same port that the regular Windows file and printer sharing protocol uses, and as stated above, we do not recommend opening it, since it is a common point of attack. What we do recommend is configuring the FacetWin emulator to use a different TCP port and opening only that port at the firewall, ideally only from the remote addresses that need it. Note that moving to a different port avoids exposing the file and printer sharing service, but it does not encrypt the terminal traffic; for that, use the Security Pack or a VPN as described above. Configuring the port is covered in another technical article, Configuring FacetWin Terminal for a Different TCP Port.
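As an added example (not FacetCorp's code and not part of the original article), the following Python script performs the check a practitioner would run after making that change: from a machine outside the firewall, confirm that TCP 139 on the FacetWin server's public address is no longer reachable and that the alternate FacetWin port is. The alternate port number 2139, the command-line arguments and the helper names are assumptions; the offline demo() uses constructed loopback listeners standing in for the two ports rather than a real FacetWin server.

```python
"""Check a FacetWin host's exposure from outside the firewall.

Added example, not FacetCorp's code. After moving FacetWin off TCP 139 and
opening only the new port at the firewall, run this from a machine outside
the firewall against the server's public address: TCP 139 should come back
"closed" or "filtered" and the alternate port "open".
"""
import socket
import sys

NETBIOS_SESSION_PORT = 139   # default FacetWin/Windows file-sharing port; keep it blocked
ALT_FACETWIN_PORT = 2139     # hypothetical alternate port; use whatever you configured


def probe(host, port, timeout=3.0):
    """Classify a TCP port as 'open' (handshake completed), 'closed'
    (RST received: host reachable, nothing listening) or 'filtered'
    (no answer within the timeout, or host unreachable, which is what a
    firewall DROP rule looks like from outside)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. EHOSTUNREACH / ENETUNREACH: not reachable either way
        return "filtered"
    finally:
        sock.close()


def check_exposure(host, legacy_port=NETBIOS_SESSION_PORT,
                   alt_port=ALT_FACETWIN_PORT, timeout=3.0):
    """Return (ok, findings). ok is True only when the legacy port is not
    reachable and the alternate FacetWin port is."""
    findings = {
        "legacy": probe(host, legacy_port, timeout),
        "alternate": probe(host, alt_port, timeout),
    }
    ok = findings["legacy"] != "open" and findings["alternate"] == "open"
    return ok, findings


def _listener():
    """Throwaway loopback listener on an OS-chosen port; returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Offline run against constructed loopback ports (no real FacetWin host):
    a port with a listener stands in for the alternate FacetWin port, and a
    just-released port stands in for the blocked legacy port."""
    srv, open_port = _listener()
    tmp, closed_port = _listener()
    tmp.close()                      # nothing listens here now -> expect 'closed'
    try:
        return check_exposure("127.0.0.1", legacy_port=closed_port,
                              alt_port=open_port, timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # usage: exposure_check.py <public-host> [alternate-port]
        host = sys.argv[1]
        alt = int(sys.argv[2]) if len(sys.argv) > 2 else ALT_FACETWIN_PORT
        ok, findings = check_exposure(host, alt_port=alt)
    else:
        ok, findings = demo()
    print(findings, "OK" if ok else "EXPOSED OR MISCONFIGURED")
```

The distinction between "closed" and "filtered" matters when reading the result: "filtered" on port 139 means the firewall is dropping the traffic as intended, while "closed" means the packets reached the server and it answered, so the firewall rule is not in effect and only the absence of a listener is protecting you.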