× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Scott I could not agree more.  But what is the difference between the serial
connection and only one TCP port open through a fire wall to a custom socket
server?  This would be a communication program just like your serial
connection.  RPG programs tend not to allow full access to a system because
someone did not handle the bad data requests.  If the fire wall only allowed
your webserver(s) IP addresses to connect, it would be the same as a serial
connection.  Heck you can have one multi-connected socket program listening
at one port, or several single connection programs each connected to one web
server at different ports.  I personally like to keep a persistent
connection with the web server, have one socket server listen for new
connections and spawn off to a PJ.  Then I can have multiple web servers
connected, single threaded, using one port.  If someone hacks IIS, since
that is the crap we have, they have very little access to our AS400.  They
can perform DOS attacks from our own web server, but the others are running
in their own job and not affected, unless they loose there persistent
connection and try to re-connect.  If the AS400 sees one of these jobs
chewing up CPU, well we get paged.

I would love to put a second iSeries in the DMZ just for web serving, but it
does not make financial sense at this time.

Chris

-----Original Message-----
From: Scott Klement


> For clients with absolute security requirements, I recommend a public
> webserver (FreeBSD is a nice choice) in the DMZ talking to an
> application server on an iSeries also in the DMZ talking to a second
> iSeries behind the DMZ.  All communication between the iSeries boxes is
> through distributed data queues using SNA.
>
> No TCP/IP traffic between the two machines.  Makes hackers crazy <grin>.

That's a great idea...

Another alternative would be to have the FreeBSD machine talk to the
iSeries via a null-modem cable on a serial port.  This would be
significantly more secure than SNA, since once a hacker managed to
compromise machines in the DMZ, he could only access a single program on
the iSeries (the one that's reading the serial port).

With a full SNA connection, the hacker could potentially use SNA or APPC
or raw ethernet packets to get to your "safe" system.   Granted, there
aren't many hackers with familiarity with SNA, but it would only take one,
and I'll always take physical security over "security by obscurity."

Of course, a serial connection is significantly slower than a network
connection, so you'd have to plan the application so that only relatively
small amounts of data need to be transferred over the serial link... but
it seems to me that the large data is things like images, java applets,
etc which don't really need to be on the "Safe" machine.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.