> From: Evan Harris
>
> Fair enough Joe, but initially you argued that it shouldn't be done from a
> security/data separation point of view (which I believe is a flawed
> argument) then you made it an economic argument, which has a great deal
> more validity, even though it is not a "technical argument" and somewhat
> dependent on how you see things.

Actually, my initial argument was against anonymous FTP (or FTP with
hardcoded user ID and password, which is the same thing from a security risk
standpoint) to an inadequately secured AS/400.  I suggested that a more
secure environment might be (emphasis on might) to offload unsecured data to
a secondary server.  I then pointed out some of the other possible benefits:
lowered load on the host, lowered total cost of ownership for the static
data, reduced dependency on host availability.  The security argument, as
you rightly point out, is relative based on the current security setup of
your AS/400.  A well secured AS/400, with a firewall, a NAT'd non-routable
address, object security and exit point security should theoretically be
able to hold its own on the Internet, and is at the same time LESS likely to
succumb to script kiddie hack attacks.  My concern is that the vast, vast
majority of AS/400's are not secured to that level.  Even if they were, if
somebody convinces management that hardcoding a user profile and password
for FTP is a good idea because it makes life simpler for the programmer,
then suddenly your entire security is breached.  By moving unsecured data
off of the AS/400, it gives the security-phobic less chance to compromise
your mission critical data.

But that's going to depend on your corporate organization.  If the owner of
the AS/400 is a real nitpicker when it comes to AS/400 security, you've got
a fighting chance in a real world network.  On the other hand, if security
is handled or even influenced by someone who thinks it's okay to have user
IDs and passwords stored in data files or programs, then I submit that your
network is somewhat less than secure, and your mission critical system
should not even have TCP/IP access.

And there is, as always, a wide gamut of possibilities in between.  Always
the individual circumstances should outweigh any "expert opinion".  Even
mine <grin>.

Joe Pluta
www.plutabrothers.com



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.