> For clients with absolute security requirements, I recommend a public
> webserver (FreeBSD is a nice choice) in the DMZ talking to an
> application server on an iSeries also in the DMZ talking to a second
> iSeries behind the DMZ. All communication between the iSeries boxes is
> through distributed data queues using SNA.
>
> No TCP/IP traffic between the two machines. Makes hackers crazy <grin>.

That's a great idea...

Another alternative would be to have the FreeBSD machine talk to the iSeries via a null-modem cable on a serial port. This would be significantly more secure than SNA, since once a hacker managed to compromise machines in the DMZ, he could only access a single program on the iSeries (the one that's reading the serial port).

With a full SNA connection, the hacker could potentially use SNA or APPC or raw Ethernet packets to get to your "safe" system. Granted, there aren't many hackers with familiarity with SNA, but it would only take one, and I'll always take physical security over "security by obscurity."

Of course, a serial connection is significantly slower than a network connection, so you'd have to plan the application so that only relatively small amounts of data need to be transferred over the serial link... but it seems to me that the large data is things like images, Java applets, etc., which don't really need to be on the "Safe" machine.

Just throwing out an idea...
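The reply's argument makes the program reading the serial port the whole attack surface of the "safe" machine, so that reader should accept only small, strictly validated requests. A sketch of such a reader, as an added example that is not part of the original post; the frame layout, opcode names and size limit are assumptions, and Python stands in for whatever language the iSeries job would be written in:

```python
import struct
import zlib

STX = 0x02
MAX_PAYLOAD = 32   # assumed limit: the slow link carries only small requests
OPCODES = {0x01: "ORDER_STATUS", 0x02: "STOCK_LEVEL"}   # hypothetical allowlist

class FrameError(ValueError):
    pass

def build_frame(opcode, payload):
    """DMZ side: STX | length | opcode | payload | CRC32 (big-endian)."""
    body = bytes([len(payload), opcode]) + payload
    return bytes([STX]) + body + struct.pack(">I", zlib.crc32(body))

def parse_frame(frame):
    """Trusted side: return (request name, digits) or raise FrameError.
    The payload is never executed, interpolated or used as a path."""
    if len(frame) < 7 or frame[0] != STX:
        raise FrameError("bad header")
    length, opcode = frame[1], frame[2]
    if length > MAX_PAYLOAD or len(frame) != 7 + length:
        raise FrameError("bad length")
    body, crc = frame[1:3 + length], frame[3 + length:]
    if struct.pack(">I", zlib.crc32(body)) != crc:
        raise FrameError("bad checksum")
    if opcode not in OPCODES:
        raise FrameError("opcode not allowed")
    payload = frame[3:3 + length]
    if not payload.isdigit():   # ASCII digits only, and not empty
        raise FrameError("payload must be ASCII digits")
    return OPCODES[opcode], payload.decode("ascii")

def triage(frames):
    """Classify each frame; rejections are what the reader should log."""
    results = []
    for frame in frames:
        try:
            results.append(("ok", parse_frame(frame)))
        except FrameError as err:
            results.append(("rejected", str(err)))
    return results

# Constructed sample traffic (not captured from any real system).
_good = build_frame(0x01, b"42")
SAMPLES = [
    build_frame(0x01, b"1004523"),    # well-formed request
    build_frame(0x7F, b"1"),          # opcode outside the allowlist
    build_frame(0x01, b"12A"),        # payload is not all digits
    build_frame(0x02, b"9" * 40),     # payload over the size limit
    _good[:4] + b"3" + _good[5:],     # payload altered after the CRC was computed
]
```

Every rejected frame is worth logging on the trusted side, since a correctly working DMZ host should never send one.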
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.