On 4/17/2011 8:36 PM, Jim Franz wrote:
> Joe,
> Just because we have this great architecture & OS doesn't mean we can ignore
> industry standards. Any public co not following industry standard security
> procedures for all the infrastructure (not just our server(s)) is putting
> the corp assets at risk and may SOX & the lawyers punish them mightily...
> The defense "...it's an i..." doesn't work in court. But there are very
> standard methods of running i as the webserver, and for smaller non-public
> companies, with precautions and disclosure-go for it. Even IBM's i's own
> security people will tell you publicly (at Common & other events) the out of
> the box default settings should not be the end of your settings.

Not sure where I said anything about ignoring industry standards, or
said to use the default settings, or even said not to follow the PCI DSS
1.3.7 regulations.  The only thing I took issue with was the statement
that databases must be on a separate machine from the web server in
order to be secure.  They do not.

In case I haven't been clear, I'll make my statement simply:
applications where the database and the web server reside on the same
machine are not inherently more secure than those where they reside on
different machines.  If the application is designed properly, port 80
provides no more access to your database than port 23.  And if you want
to say that 5250 applications are insecure, then you have a whole lot of
banks, casinos and other institutions that would beg to differ.

Sorry, I just hate when bad programming on other platforms is used to
justify unnecessary complexity on the i.  The i is as nearly unhackable
as any machine can get, and in my opinion putting another machine in
front of it makes it LESS secure rather than more secure.  (I'd sure
hate to have some critter go rogue in a Windows front end and start
sending back detailed information about its secure communications with
my database server.)

Unless of course the other machine is another i.  Which is what I'd do
to address the credit card regulations - not another machine, per se,
but a separate partition specifically devoted to the cardholder data,
accessed through a service.  But I'd only do that to conform with the
regulations, not because I thought it was necessary.  I'd be more
worried about a disgruntled operator with a USB drive than I would an
outside hacker, but hey, that's just me.

Joe