I was just wondering how safe this is or hack-resistant because we have
windows backers saying that it is not and arguing that everything should be
written in .net using ODBC. 

Wow.  All I can say is Wow.  Sounds like those Windows backers found the
Microsoft Kool-aid in the break room drink dispenser.  Don't they read their
security threat emails!?  I would start by teaching them how security is
actually implemented on the iSeries so they have a better understanding of
the vulnerabilities.

Of course I shouldn't talk as I drink iSeries Kool-aid, but mine is
organic;-)

Aaron Bartell 

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On
Behalf Of Kevin Touchette
Sent: Monday, January 29, 2007 1:04 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] System i web accessibiltiy setup

Nathan, 

    I was vague in my post, the tcp/ip address is assigned to an external
router and the router directs only port 80 traffic to one of the tcp/ip
cards and we monitor for only that traffic on the system i.
We also do some network translation so the external address is routed to an
internal one.  I was just wondering how safe this is or hack-resistant
because we have windows backers saying that it is not and arguing that
everything should be written in .net using ODBC.  I'm trying to build my
case.  Currently we have a lot of RPG web applications running on these
systems.

Kevin Touchette

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Nathan Andelin
Sent: Monday, January 29, 2007 12:04 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] System i web accessibiltiy setup

From: Kevin Touchette <KTouchette@xxxxxxxxxxxx>

> We are faced with putting our system I boxes on the web...


Not to be pedantic, but allowing packets to be routed between an internal
router / firewall to the System i is not precisely putting the System i "on
the Web", so to speak.  The public IP address should be assigned to a router
/ firewall, not to the System i.

Nobody should be accessing the System i directly from the Internet.
Network security should be handled by network devices, such as routers and
firewalls, while application security should be handled by System i
applications, such as the Apache based HTTP server, and other applications.

It makes more sense to use network devices to handle network security,
rather than say inserting a Windows server in the topology, simply because
Windows is less secure, and adds complexity, but anyone advocating that Web
applications run under Windows won't go along with that.

Proponents of Windows based Web applications sometimes try to make an issue
over allowing System i applications to manage application-level
authentication and authorization, but it simply doesn't make sense.  
They may cite consultants' reports specifying a "secure topology", using
distributed application servers, but overall, it doesn't make sense from a
security perspective, no matter how many respected organizations are
promoting it.  They're promoting it because they're promoting distributed
architectures, under the guise of network security, but it doesn't make
sense.


Nathan M. Andelin





 
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To post a
message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.







This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
