Certainly there are a number of excellent ways to strengthen security with
OS/400, exit programs among them.  We're learning more about them as the
machine grows from the old green-screen only machines (where security was
simply a matter of not allowing users access to a command line) to a fully
active member of the networked community.

On the other hand, there is no reason to design systems that weaken
security.  While you can indeed create an exit program, exit programs are
only as good as their designers.  A typical exit program simply checks to
make sure the user ID is on a list of valid users; this isn't going to be much
help against a brute force password attack, and that's exactly what an open
ODBC connection allows.  And the only excuse for using raw ODBC is that it's
a little easier to code than a more secure message based architecture - the
person that uses ODBC to finish a project isn't likely to want to spend the
time to create a nice set of exit programs to go with it.

Personally, I think every access to a production machine should go through a
pipe of some kind, be it a TCP/IP socket with a proprietary messaging scheme
or even (gasp!) an APPC connection.  Very few hackers these days are up on
SNA communications; creating an APPC bridge from the DMZ to your production
machine is a very simple and effective second layer - much cheaper, in my
mind, than the amount of work required to create a set of sophisticated exit
programs.

Then again, if you're in the business of selling exit programs, then my
opinion ain't worth much <grin>.

Joe

P.S. I don't sell TCP/IP messaging systems or SNA tunnels.  I just don't
like ODBC access to production data.


> -----Original Message-----
> From: midrange-l-admin@midrange.com
> [mailto:midrange-l-admin@midrange.com]On Behalf Of srichter
> Sent: Tuesday, August 14, 2001 6:52 PM
> To: midrange-l@midrange.com
> Subject: RE: IIS to as/400 odbc
>
>
> Joe Pluta said:
> >
> >There should be no "standard" access from the DMZ to protected machines.
> >There should always be some manner of proprietary protocol.  Without that,
> >you've degraded your security to the point of simple password hacking.
>
> Joe,
> Are there exit pgms on the as400 that control odbc access to the system?
>
> I don't know much about internet access to systems, but don't exit
> pgms provide a good 2nd line of defense against hackers? Is not
> an as400, outside the firewall, still well protected by passwords
> and exit programs?
>
> Steve Richter


