Internet --> Firewall 1 --> W2003 Web Server --> Firewall 2 --> Router 1 --> iSeries

Firewall 1 only allows ports 80 & 443 (or whatever ports your web server
uses).
Firewall 2 only allows the ODBC ports (or sockets or whatever) between
the web server & iSeries.
Router 1 disallows traffic from Firewall 2 to wind up anywhere but the
subnet with the iSeries.

The area between Firewall 1 & Firewall 2 is the classic demilitarized
zone or DMZ.  The idea is that only devices (web servers, etc.) in the
DMZ are exposed to the internet.  Everything inside of Firewall 2 has a
NATted address and can't be directly attacked from the outside.  Your
email gateway device, for instance, would also be in the DMZ and would
only have the email ports exposed to the Internet.  Firewall 1's rules
would be such that 80 & 443 traffic would only be forwarded to the web
server and email traffic would only be forwarded to the email gateway.
That way if a web server was accidentally started on the email device it
wouldn't be exposed to the internet and couldn't be an attack vector.

That NATting would include the iSeries; it would have a 10.xx.xx.xx or
192.168.xx.xx type of address that doesn't traverse Router 1.  Some
installations also NAT the addresses of the servers in the DMZ; in these
cases Firewall 1 (or an adjacent router) maps the Internet address to
the NATted address.

In a real world installation, you'll generally also wind up with ports
open on Firewall 2 and defined routes that allow the web developers/site
maintainers to access the W2003 server.  Sometimes this will be done
using a second Ethernet card in the W2003 box.

You may also use a 2nd Ethernet adapter in the iSeries to funnel
internal traffic & keep it segregated from traffic between it & the web
server.

With the right firewall & router rules, you don't need separate Internet
connections for your exposed services and the regular pipe the users
use. 


John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
john.jones@xxxxxxxxxx
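The three enforcement points in the reply above (Firewall 1, Firewall 2, Router 1), modelled as a default-deny reachability check so the design can be verified before it is built. This is an added example, not the poster's configuration; the addresses, the DMZ and internal subnets, and ODBC port 8471 are assumptions.

```python
"""Reachability check for the DMZ design in the reply above (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumption, not from the post).
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")    # between Firewall 1 and Firewall 2
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # NATted inside, never traverses Router 1
ISERIES_NET = ipaddress.ip_network("10.1.1.0/24")     # the only subnet Router 1 forwards FW2 traffic to
WEB, MAIL = "192.168.100.10", "192.168.100.11"        # W2003 web server and email gateway, both in the DMZ
ISERIES, FILESRV = "10.1.1.5", "10.1.2.20"            # iSeries; an unrelated internal host
ODBC_PORT = 8471   # assumption: IBM i database host-server port used by ODBC

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return "dmz" if ip in DMZ_NET else "internal" if ip in INTERNAL_NET else "internet"

# Each enforcement point is default-deny: only the listed tuples pass.
FW1_ALLOW = {(WEB, 80), (WEB, 443), (MAIL, 25)}   # Internet -> DMZ, per destination host
FW2_ALLOW = {(WEB, ISERIES, ODBC_PORT)}           # DMZ -> inside, only web server to iSeries

def firewall1(f: Flow) -> bool:
    return (f.dst, f.dport) in FW1_ALLOW

def firewall2(f: Flow) -> bool:
    return (f.src, f.dst, f.dport) in FW2_ALLOW

def router1(f: Flow) -> bool:
    # Whatever Firewall 2 passes may only be routed onto the iSeries subnet.
    return ipaddress.ip_address(f.dst) in ISERIES_NET

ZONES = ["internet", "dmz", "internal"]
HOPS = {("internet", "dmz"): [firewall1], ("dmz", "internal"): [firewall2, router1]}

def permitted(f: Flow) -> bool:
    """True only if every enforcement point on the inbound path passes the flow."""
    start, end = ZONES.index(zone(f.src)), ZONES.index(zone(f.dst))
    if start >= end:
        raise ValueError("only inbound flows (toward the iSeries) are modelled")
    path = ZONES[start:end + 1]
    checks = [c for a, b in zip(path, path[1:]) for c in HOPS[(a, b)]]
    return all(c(f) for c in checks)
```

A web server accidentally started on the email gateway (port 80 on MAIL) and a direct Internet connection to the iSeries both come back denied, while the web server's ODBC path to the iSeries is the only DMZ-to-inside flow that passes.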

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Mike
Sent: Wednesday, August 23, 2006 3:37 PM
To: Web Enabling the AS400 / iSeries
Subject: [WEB400] Web Server Network Setup Questions

While this may not be a usual forum for this, this IS iSeries related. I
am just querying the others out here how they do it.

We have been using an outside vendor for web hosting and are just now
going to be bringing our web site in-house. From what I understand (I
just jumped in) there will be a separate line for the web server
(Windows 2003) from our regular internet connection to keep things out
of the internal network. However, we want to do a bunch of stuff with
our iSeries data (mostly inquiry) which of course is in the internal
network. How have you set up your connection for things like this? We
have ideas, but have no idea what works best in practice.

--
Mike Wills
http://mikewills.name - Blog
http://theriverbendpodcast.com - Podcast
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.