Nathan, 

    I was vague in my post: the TCP/IP address is assigned to an
external router, and the router directs only port 80 traffic to one of
the TCP/IP cards, and we monitor for only that traffic on the System i.
We also do some network translation so the external address is routed to
an internal one.  I was just wondering how safe or hack-resistant this
is, because we have Windows backers saying that it is not and
arguing that everything should be written in .NET using ODBC.  I'm
trying to build my case.  Currently we have a lot of RPG web
applications running on these systems.

Kevin Touchette

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Nathan Andelin
Sent: Monday, January 29, 2007 12:04 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] System i web accessibility setup

From: Kevin Touchette <KTouchette@xxxxxxxxxxxx>
We are faced with putting our System i boxes on the web...


Not to be pedantic, but allowing packets to be routed from an
internal router / firewall to the System i is not precisely putting the
System i "on the Web", so to speak.  The public IP address should be
assigned to a router / firewall, not to the System i.

Nobody should be accessing the System i directly from the Internet.
Network security should be handled by network devices, such as routers
and firewalls, while application security should be handled by System i
applications, such as the Apache based HTTP server, and other
applications.

It makes more sense to use network devices to handle network security,
rather than say inserting a Windows server in the topology, simply
because Windows is less secure, and adds complexity, but anyone
advocating that Web applications run under Windows won't go along with
that.

Proponents of Windows based Web applications sometimes try to make an
issue over allowing System i applications to manage application-level
authentication and authorization, but it simply doesn't make sense.
They may cite consultants' reports specifying a "secure topology", using
distributed application servers, but overall, it doesn't make sense from
a security perspective, no matter how many respected organizations are
promoting it.  They're promoting it because they're promoting
distributed architectures, under the guise of network security, but it
doesn't make sense.


Nathan M. Andelin