> From: Evan Harris
>
> Fair enough Joe, but initially you argued that it shouldn't be done from a
> security/data separation point of view (which I believe is a flawed
> argument) then you made it an economic argument, which has a great deal
> more validity, even though it is not a "technical argument" and somewhat
> dependent on how you see things.

Actually, my initial argument was against anonymous FTP (or FTP with hardcoded user ID and password, which is the same thing from a security risk standpoint) to an inadequately secured AS/400. I suggested that a more secure environment might be (emphasis on might) to offload unsecured data to a secondary server. I then pointed out some of the other possible benefits: lowered load on the host, lowered total cost of ownership for the static data, reduced dependency on host availability.

The security argument, as you rightly point out, is relative based on the current security setup of your AS/400. A well secured AS/400, with a firewall, a NAT'd non-routable address, object security and exit point security should theoretically be able to hold its own on the Internet, and is at the same time LESS likely to succumb to script kiddie hack attacks.

My concern is that the vast, vast majority of AS/400's are not secured to that level. Even if they were, if somebody convinces management that hardcoding a user profile and password for FTP is a good idea because it makes life simpler for the programmer, then suddenly your entire security is breached. By moving unsecured data off of the AS/400, it gives the security-phobic less chance to compromise your mission critical data.

But that's going to depend on your corporate organization. If the owner of the AS/400 is a real nitpicker when it comes to AS/400 security, you've got a fighting chance in a real world network. On the other hand, if security is handled or even influenced by someone who thinks it's okay to have user IDs and passwords stored in data files or programs, then I submit that your network is somewhat less than secure, and your mission critical system should not even have TCP/IP access.

And there is, as always, a wide gamut of possibilities in between. Always the individual circumstances should outweigh any "expert opinion". Even mine <grin>.

Joe Pluta
www.plutabrothers.com