"The only thing you are exposing to the public is the port pointing to the
apache web server."

And if you look at web-based hacks, that's all that's ever exposed. The web
server & app are listening and serve as the point of entry.

"Getting access to the apache web server does not give you access to the
database on a properly configured system."

That should be true, but do you really think all i shops run properly
configured systems?

On Tue, Apr 12, 2011 at 1:04 PM, Mike Cunningham <mike.cunningham@xxxxxxx> wrote:

I agree with Nathan on this point. The only thing you are exposing to the
public is the port pointing to the apache web server. Getting access to the
apache web server does not give you access to the database on a properly
configured system. Just because MS SQL database sits on a different server
from the typical IIS server (I say typical because I have seen IIS sites
with MS SQL on the same server as IIS) does not mean it is more secure.
There still has to be some communication link between IIS and MS SQL.

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On
Behalf Of Nathan Andelin
Sent: Tuesday, April 12, 2011 12:38 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] iSeries vs IIS web site

From: John Jones
I'll point out that there is legit concern if the i-based solution
were to keep database, apps, and web services on a single LPAR.

I think that's a common misconception. I believe that centralized
architecture tends to be more secure because it's less complex, and easier
to manage, particularly under IBM i.

By definition the database server would be in the outer DMZ as that's
where the web servers have to reside to be visible to the outside world.

What is an "outer" DMZ? It appears to me that the only reason for a DMZ is
to isolate and hide a private network from a public one. If that's the case,
why not just use routers to define your DMZ, rather than using a Web server
to define it? I suspect that the idea of placing web servers in one network,
and database servers in another caught on simply because Microsoft was
promoting it, not because it was actually more secure.

Unfortunately, distributed architecture is so ubiquitous that people
naturally fall in line with these unfounded notions about security.

-Nathan

--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
