System i on the web (was RE: Fooling around with VRPG)

["Wilt, Charles" <WiltC@xxxxxxxxxx>]

> -----Original Message-----
> From: wdsci-l-bounces@xxxxxxxxxxxx 
> [mailto:wdsci-l-bounces@xxxxxxxxxxxx] On Behalf Of Joe Pluta
> Sent: Tuesday, November 06, 2007 10:04 AM
> To: 'Websphere Development Studio Client for iSeries'
> Subject: Re: [WDSCI-L] Fooling around with VRPG
>
> With WAS, you can run the web application server on a box 
> other than your System i (I often call this an "appliance" to 
> keep it short, although Aaron's use of the term is a little 
> more specific, referring to a box devoted entirely to 
> firewall and filtering).  Anyway, the appliance is the only 
> thing open to the Internet.  It in turn executes business 
> logic on the System i, but at no point can an external agent 
> access the System i. 
>
> With RPG-CGI, the System i is directly attached to the 
> Internet.  Port 80 traffic is routed directly from external 
> sources to the System i.  This is a potential hole, if for 
> nothing else than DoS attacks.  There are ways to mitigate 
> the risk: a true web appliance of the type Aaron spoke of, or 
> even carving off a separate partition on your System i for 
> the web serving.  But you can't take the simple move of 
> taking your web server and moving it into the DMZ and thus 
> isolating your production box.

Joe,

Seems to me you think having your production System i Directly on the web is a bad thing.  Since we
both know that the System i is the most easily secureable box of the planet, I have to wonder why?

You mention DoS attacks.  But a decent firewall should protect the box from that.  Granted, your web
server wouldn't be accessable to the public but the box itself should still be able to run your
production applications, even the internal web based ones.

Ideally, I'd prefer to have a seperate network card going to DMZ of the firewall.  IMHO that's worth
the cost.

The issue I have with putting the web server on a seperate Windows/Linux box is simply that you end up
with a back door into the production box; and since the back door is a Windows/Linux box, you could
easily have a much weaker lock on it.

Don't get me wrong I'm not saying that having a seperate Windows/Linux web server is wrong.  I've set
some up that way, primarily because the web server was running ColdFusion.  But when doing so, you
have the extra complexity of securing the System i (and maybe the rest of your network) from the web
server being compromised.  I think that's usually more difficult than securing the System i with only
port 80 exposed.

Thoughts?

Charles

This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase it and any attachments from your computer system.  Your assistance in correcting this error is appreciated.