× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2003

RE: iSeries vs. Unix vs. SQL Server vs. Oracle & Security/Data separation???

Amen!  Spoken better than my response.  Yes W2K IIS is the weak link.
Apache on an iSeries would be better.  What is the most secure web server
out there?  I do not know for sure.  A stripped down public box is
expendable.  Multiple cheap hardware works good for this purpose.  Why W2K
and not Linux, well that is how we started many years ago and what Our
in-house talent knows.  Since I have open licenses for W2K, if the hardware
dies, I replace it for a couple of hundred.  We have an installed image on
CD.  I can have a new box purchased and setup in half a day.  Now iSeries is
more reliable but to support multiple SSL connections and all the server
side scripting for dynamic HTML takes lots of CPU.  Only in the last few
years has that become affordable.  Any one system cannot be up 24x7 so you
need to cluster.  Yes this can be done with the iSeries, but much cheaper on
an Intel Box.  

But hey I have 3 iSeries performing the on-line transaction processing for
dial up, web, IVR, Green Screen, Private Socket, and leased lines.  2 are
mirrored boxes in different states.  The big one also runs the application
as well as the rest of our business.  I would never trust that part of my
business to cheap hardware/software.

-----Original Message-----
From: Adam Lang

> Is the W2K server a weak link in the chain of servers separating your
AS/400
> from the Internet?  What if the W2K server were compromized?  Would
> replacing the W2K server with an additional firewall offer more secure
> separation?

If the Win2K server is compromised, only that si compromised.  No one is on
the hardware where the data resides. There should be a firewall SEPARATING
the Win2K box and the AS/400.  Not sure what you mean by replacing it with a
firewall.

> Is that any more secure than opening only one port from a firewall to the
> OS/400 HTTP Server?

Extremely.  With HTTP, you have to accept all incoming requests, no matter
hwo they are formatted and hope the HTTP server filters out illformatted
requests.  With it goign to an application of custom design, you can filter
out illegal requests and do proper data validation.

Plus, if the HTTP server on Windows gets compromised, your data is still
safe.

> Is a proprietary protocol any more secure than the HTTP protocol?

If you code it correctly.

> I think so too.  But I'm not sure that its any more secure than connecting
> to the OS/400 HTTP Server from a firewall.

I don't think a lot of you understand how firewalls work. No one "conencts
from a firewall". Teh firewall is nothing more than a port filter.  The
reason it is more secure is that the webserver has to accept requests from
everyone and the type of requests sent to it are infinite.  That makes it
less secure.  If it gets compromised, all they compromise is a box runnign
an itnerface.  To get to your servr with data, they have to get past the
next firewall and into the next box that has your data,  If your firewall is
configured properly, the only port they can go through is what you opened
for your application to listen too.  so then they have to attack and try to
figure out a security whole in that application.  Sicne you knwo
specifically what type of data to expect, since only one box and one type of
requests ahppen, it is easier to fieter out obviuosly bad requests.

> Since a URL on the W2K server maps to the PC program, it seems to me that
> identifying the PC program is irrelevant.  The URL is known.

I don't think you understand hwo this works.  Soemone goes to a URL on the
webserver.  an application or ASP script or soemthing takes the parameters
and formats them and remotely calls the program on the AS/400 and the AS/400
returns the data and the webserver takes the data, puts it into a webpage
how ever they design it and returns the webpage to the user.  They don't see
the call to the AS/400.  There is no HTTP conenction between the webserver
and the AS/400.

>
> By using a "session" component on the AS/400, an HTTP request may have
> essentially no format too.  Same principle.  Don't disclose the program
> interface to the end user.

He isn't.  The user interacts with an HTML form.  The applciation interface
to the AS/400 is behind that.

> Sounds like a buffer overflow would be an effective denial of service
> attack, as well as a way of overloading the AS/400 - disrupting other
AS/400
> workload.

But they have to get past the webserver first.  THEN they have to get past
the firewall and the OS/400/application security.
>
> I'd just like to dispell the idea that front-ending an AS/400 with an W2K
> IIS server offers any advantage, particularly where security is concerned.

It isn't front ending it with IIS that is the advantage.  Front ending it
with a separate piece of hardware IS the advantage.  No if ands or buts
about it.  You are trying to "dispel" when you don't even seem to know how
some of the process works.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.