The web server may have access, but it is still a more secure environment to
have the database be located on a different server. For instance, an
application firewall can be used to ensure the commands sent to the database
server are ones expected of the application.

On Tue, Apr 12, 2011 at 3:00 PM, Raul A. Jager W. <raul@xxxxxxxxxx> wrote:

I agree.

Since the web server is visible from the exterior, it can be
compromised. And, the web server has access to the database engine.

Therefore, having web server in a different machine from the database
does not add security.

Nathan Andelin wrote:
From: John Jones
I'll point out that there is legit concern if the i-based solution were
to
keep database, apps, and web services on a single LPAR.

I think that's a common misconception. I believe that centralized
architecture
tends to be more secure because it's less complex, and easier to manage,
particularly under IBM i.

By definition the database server would be in the outer DMZ as that's
where the web servers have to reside to be visible to the outside world.

What is an "outer" DMZ? It appears to me that the only reason for a DMZ
is to
isolate and hide a private network from a public one. If that's the case,
why
not just use routers to define your DMZ, rather than using a Web server
to
define it? I suspect that the idea of placing web servers in one network,
and
database servers in another caught on simply because Microsoft was
promoting it,
not because it was actually more secure.

Unfortunately, distributed architecture is so ubiquitous that people
naturally
fall in line with these unfounded notions about security.

-Nathan


--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.





As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.