× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2001

Re: IIS to as/400 odbc

Best reference I like....

See:  http://www.faqs.org/faqs/firewalls-faq/

3.8 What is a DMZ, and why do I want one?

  ``DMZ'' is an abbreviation for ``demilitarized zone''. In the context of
firewalls, this refers to a part of the network that is neither part of the
internal network nor directly part of the Internet. Typically, this is the
area between your Internet access router and your bastion host, though it
can be between any two policy-enforcing components of your architecture.

A DMZ can be created by putting access control lists on your access router.
This minimizes the exposure of hosts on your external LAN by allowing only
recognized and managed services on those hosts to be accessible by hosts on
the Internet. Many commercial firewalls simply make a third interface off of
the bastion host and label it the DMZ. The point is that the network is
neither ``inside'' nor ``outside''.

For example, a web server running on NT might be vulnerable to a number of
denial-of-service attacks against such services as RPC, NetBIOS and SMB.
These services are not required for the operation of a web server, so
blocking TCP connections to ports 135, 137, 138, and 139 on that host will
reduce the exposure to a denial-of-service attack. In fact, if you block
everything but HTTP traffic to that host, an attacker will only have one
service to attack.

This illustrates an important principle: never offer attackers more to work
with than is absolutely necessary to support the services you want to offer
the public.

==============================================

    Since the target addresses are not valid between the Internet and DMZ
you have pretty
much closed the the spoofing issue...

    Although only an unpluged / unpowered system is completely secure !!

Jeffrey M. Silberberg
Independent Consultant
CompuDesigns, Inc.

AS SOON AS I KNOW THE ANSWERS
THEY CHANGE THE QUESTIONS


----- Original Message -----
From: srichter <srichter@mail.autocoder.com>
To: <midrange-l@midrange.com>
Sent: Tuesday, August 14, 2001 10:44 PM
Subject: Re: IIS to as/400 odbc


> Jeffery or anyone,
>
> DMZ - is that inside or outside the firewall?
>
> What is the degree of difficulty of spoofing the ip addr of the accessing
system?
>
> Thanks,
>
> Steve Richter
>
>
> ---------- Original Message ----------------------------------
> From: "Jeffrey Silberberg" <jsilberberg@mindspring.com>
> Reply-To: midrange-l@midrange.com
> Date: Tue, 14 Aug 2001 22:03:20 -0400
>
> >Joe,
> >
> >        A bit paranoid here are we !  Since the system is in the DMZ and
can
> >be controlled with a specific map for the two systems in the firewall,
and
> >an Exit program can be sure that the ODBC connection is from the target
> >system with the restricted to USER profile, and that the commands being
> >executed are only those allowed. Why develop a proprietary protocol.
Just
> >define the risks and eliminate them....
> >
> >Jeffrey M. Silberberg
> >Independent Consultant
> >CompuDesigns, Inc.
> >
> >AS SOON AS I KNOW THE ANSWERS
> >THEY CHANGE THE QUESTIONS
> >
> >----- Original Message -----
> >From: Joe Pluta <joepluta@PlutaBrothers.com>
> >To: <midrange-l@midrange.com>
> >Sent: Tuesday, August 14, 2001 8:20 PM
> >Subject: RE: IIS to as/400 odbc
> >
> >
> >> Certainly there are a number of excellent ways to strengthen security
with
> >> OS/400, exit programs among them.  We're learning more about them as
the
> >> machine grows from the old green-screen only machines (where security
was
> >> simply a matter of not allowing users access to a command line) to a
fully
> >> active member of the networked community.
> >>
> >> On the other hand, there is no reason to design systems that weaken
> >> security.  While you can indeed create an exit program, exit programs
are
> >> only as good as their designers.  A typical exit program simply checks
to
> >> make the user ID is on a list of valid users; this isn't going to be
much
> >> help against a brute force password attack, and that's exactly what an
> >open
> >> ODBC connection allows.  And the only excuse for using raw ODBC is that
> >it's
> >> a little easier to code than a more secure message based architecture -
> >the
> >> person that uses ODBC to finish a project isn't likely to want to spend
> >the
> >> time to create a nice set of exit progams to go with it.
> >>
> >> Personally, I think every access to a production machine should go
through
> >a
> >> pipe of some kind, be it a TCP/IP socket with a proprietary messaging
> >scheme
> >> or even (gasp!) an APPC connection.  Very few hackers these days are up
on
> >> SNA communications; creating an APPC bridge from the DMZ to your
> >production
> >> machine is a very simple and effective second layer - much cheaper, in
my
> >> mind, than the amount of work required to create a set of sophisticated
> >exit
> >> programs.
> >>
> >> Then again, if you're in the business of selling exit programs, then my
> >> opinion ain't worth much <grin>.
> >>
> >> Joe
> >>
> >> P.S. I don't sell TCP/IP messaging systems or SNA tunnels.  I just
don't
> >> like ODBC access to production data.
> >>
> >>
> >> > -----Original Message-----
> >> > From: midrange-l-admin@midrange.com
> >> > [mailto:midrange-l-admin@midrange.com]On Behalf Of srichter
> >> > Sent: Tuesday, August 14, 2001 6:52 PM
> >> > To: midrange-l@midrange.com
> >> > Subject: RE: IIS to as/400 odbc
> >> >
> >> >
> >> > Joe Pluta said:
> >> > >
> >> > >There should be no "standard" access from the DMZ to protected
> >machines.
> >> > >There should always be some manner of proprietary protocol.
> >> > Without that,
> >> > >you've degraded your security to the point of simple password
hacking.
> >> >
> >> > Joe,
> >> > Are there exit pgms on the as400 that control odbc access to the
system?
> >> >
> >> > I dont know much about internet access to systems, but dont exit
> >> > pgms provide a good 2nd line of defense against hackers? Is not
> >> > an as400, outside the firewall, still well protected by passwords
> >> > and exit programs?
> >> >
> >> > Steve Richter
> >>
> >> _______________________________________________
> >> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> >list
> >> To post a message email: MIDRANGE-L@midrange.com
> >> To subscribe, unsubscribe, or change list options,
> >> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> >> or email: MIDRANGE-L-request@midrange.com
> >>
> >
> >
> >_______________________________________________
> >This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> >To post a message email: MIDRANGE-L@midrange.com
> >To subscribe, unsubscribe, or change list options,
> >visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> >or email: MIDRANGE-L-request@midrange.com
> >
> >
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
>

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.